WEBVTT - Unified Entity Context 0:00:18.987 --> 0:00:21.146 So for around ten years now, I've been trying to 0:00:21.147 --> 0:00:24.227 figure out where all this AI stuff is going, and 0:00:24.227 --> 0:00:25.947 I want to talk about what I figured out so 0:00:25.947 --> 0:00:29.667 far and what brought me to this conclusion. And I'm 0:00:29.667 --> 0:00:31.707 going to do that by sort of taking you through 0:00:31.707 --> 0:00:35.387 how I drunk stumbled my way along to this idea. 0:00:36.906 --> 0:00:41.267 So background wise, I'm a security person going back to 1999, 0:00:41.707 --> 0:00:45.547 spent my whole career doing that offensive security Pentesting web 0:00:45.587 --> 0:00:49.066 Appsec threat modeling Vuln management. But I would say my 0:00:49.107 --> 0:00:56.187 overall container is essentially security assessment. And going back like 0:00:56.187 --> 0:00:59.467 15 years, when I do a security assessment for a customer, 0:00:59.467 --> 0:01:02.386 I do it in an unconventional way. And this is 0:01:02.387 --> 0:01:05.027 how I still do it today. I start with like 0:01:05.027 --> 0:01:07.587 the CEO and the CEO and like the head of 0:01:07.587 --> 0:01:10.667 legal and basically all the top people who like, run 0:01:10.667 --> 0:01:14.747 the company, uh, from the very top level. And I 0:01:14.747 --> 0:01:17.816 asked them essentially, what is the business? How do they 0:01:17.817 --> 0:01:21.577 think about the business? What fundamentally do they do? If 0:01:21.577 --> 0:01:24.057 they had to strip everything away? Like what would that 0:01:24.057 --> 0:01:27.297 be like? What is the core of it? Right. And 0:01:27.297 --> 0:01:29.697 I started getting into like what data comes in, what 0:01:29.697 --> 0:01:32.817 comes out, what are their primary outputs. And then I 0:01:32.817 --> 0:01:35.137 moved on to the next level of like senior management. 0:01:35.137 --> 0:01:37.097 Then I moved through management. Then I talked to the 0:01:37.097 --> 0:01:40.617 people on the actual ground who are like actually doing things. 0:01:40.617 --> 0:01:44.217 And I start to hear discrepancies. I start to see overlaps, 0:01:44.217 --> 0:01:47.177 I start to find all the patterns and I adjust 0:01:47.177 --> 0:01:51.297 my questions accordingly. So I basically moved through the whole 0:01:51.297 --> 0:01:54.257 structure in that way and try to figure out exactly 0:01:54.257 --> 0:01:56.457 what that company is doing and how they're doing it. 0:01:57.497 --> 0:02:00.097 So as I keep gathering more and more of this information, 0:02:00.097 --> 0:02:03.617 I start filling in like this elaborate diagram for the company. 0:02:03.617 --> 0:02:07.337 All their information flows, all their vendors where they're storing data. 0:02:07.337 --> 0:02:10.217 And I start to notice things right. And ultimately I'm 0:02:10.216 --> 0:02:13.656 figuring out like, what is this company actually look like? 0:02:13.776 --> 0:02:16.527 And what's really fun is to have people come in 0:02:16.526 --> 0:02:20.007 and so they modify the screen. They say, oh, that 0:02:20.007 --> 0:02:23.687 actually doesn't exist anymore. Oh, you forgot this piece. And 0:02:23.686 --> 0:02:26.806 invariably after, like the first day, people come in and 0:02:26.806 --> 0:02:28.727 they start taking pictures. I'm like, what are you taking 0:02:28.727 --> 0:02:30.846 a picture for? And they're like, this is the best 0:02:30.846 --> 0:02:34.087 view of the company. I've never seen a clearer understanding 0:02:34.087 --> 0:02:37.886 of what we actually do than this diagram here. Like 0:02:37.887 --> 0:02:40.727 all the other ones are incomplete, so that's always fun 0:02:40.727 --> 0:02:44.166 to see. So after a week or two of this, 0:02:44.167 --> 0:02:46.526 I then do the technical assessment, and then I start 0:02:46.526 --> 0:02:49.007 asking more and more questions to figure out, hey, so 0:02:49.047 --> 0:02:51.286 isn't this a problem? They're like, oh yeah, that actually 0:02:51.286 --> 0:02:54.486 is a problem. But the key idea is taking all 0:02:54.487 --> 0:02:57.487 this content from all these interviews, including from the highest 0:02:57.487 --> 0:03:01.207 level and the lowest level, and getting all that into 0:03:01.207 --> 0:03:04.687 a single context so I can start asking questions. So 0:03:04.686 --> 0:03:06.886 speaking of security, if you have a company or any 0:03:06.887 --> 0:03:10.286 digital assets that you're responsible for protecting, I recommend you 0:03:10.286 --> 0:03:12.846 check out one of my favorite companies ever going back, like, 0:03:12.887 --> 0:03:16.197 I don't know, 10 or 15 years, which is Project Discovery. 0:03:16.316 --> 0:03:18.596 So I've been using their open source security tools like 0:03:18.596 --> 0:03:22.677 Sub finder, DNS, HTTP nuclei, and a bunch of other 0:03:22.677 --> 0:03:25.436 tools from them for like ten years now. And they 0:03:25.436 --> 0:03:28.436 just recently released a cloud solution that takes what I 0:03:28.436 --> 0:03:31.157 was doing, like chaining all these commands together on the 0:03:31.156 --> 0:03:33.797 command line. And it does it automatically for you. So 0:03:33.797 --> 0:03:35.997 you come over here, you put in a domain that 0:03:35.997 --> 0:03:37.916 you want to start with. We'll go with like Tesla 0:03:37.957 --> 0:03:40.957 because they have an open security program. And you start 0:03:40.957 --> 0:03:43.837 that and you start collecting tons of stuff on whatever 0:03:43.837 --> 0:03:45.677 target you put in there. So in the background, it's 0:03:45.677 --> 0:03:48.437 doing a whole bunch of discovery stuff on the target. 0:03:48.437 --> 0:03:52.796 It's finding domains, sub domains, making sure those domains are valid. 0:03:53.077 --> 0:03:56.077 It's finding the web applications. It's taking screenshots of those 0:03:56.117 --> 0:03:59.877 like login pages. It's finding open ports. It's even getting 0:03:59.877 --> 0:04:02.916 the tech stack for every service that you find. So 0:04:02.917 --> 0:04:04.717 here are the type of results that you get from 0:04:04.717 --> 0:04:06.917 the discovery. And from here you can actually launch a 0:04:06.917 --> 0:04:10.117 full scan using nuclei and other tools. Okay. From here 0:04:10.117 --> 0:04:13.397 we can actually go into remediation and start actually fixing 0:04:13.397 --> 0:04:16.307 these things. So basically they started all these years ago 0:04:16.347 --> 0:04:19.307 as Pentester and bug bounty and command line focused, and 0:04:19.307 --> 0:04:22.827 now they brought all that functionality together into a full 0:04:22.827 --> 0:04:26.027 vulnerability management platform. So definitely go check them out. It's 0:04:26.027 --> 0:04:31.787 cloud CIO and thanks to Project Discovery for sponsoring today's video. 0:04:32.547 --> 0:04:36.747 So separate from that in a completely different thread on 0:04:36.747 --> 0:04:40.227 the consumer side, in 2013, I started to get a 0:04:40.227 --> 0:04:43.787 picture of where I thought all this AI tech was going. 0:04:43.827 --> 0:04:46.187 At the time I called it IoT, so I wrote 0:04:46.187 --> 0:04:48.667 this book in 2016. It's kind of a crappy book. 0:04:49.307 --> 0:04:52.546 I don't recommend you read it. Honestly. There's a blog 0:04:52.547 --> 0:04:55.467 version of it online on my site, which you should 0:04:55.467 --> 0:04:58.627 go check out. It's much better. Typography is much better 0:04:58.627 --> 0:05:01.187 as well, so definitely go check it out there. But 0:05:01.187 --> 0:05:05.507 the ideas are pretty decent. So the basic concept first 0:05:05.507 --> 0:05:09.427 idea is you have digital assistants that know everything about 0:05:09.427 --> 0:05:12.747 you and they advocate for you. Then the second piece 0:05:12.747 --> 0:05:17.177 is everything gets an API, including people and objects and businesses, 0:05:17.737 --> 0:05:21.976 and our digital assistants will also have that. And your 0:05:22.377 --> 0:05:26.497 Da basically uses those services to interact with the world 0:05:26.497 --> 0:05:30.217 on your behalf and then your Da. The third piece 0:05:30.217 --> 0:05:34.577 is augmented reality. It will use all those different services, 0:05:34.577 --> 0:05:38.257 all the data from those different APIs, to present to 0:05:38.257 --> 0:05:40.977 you inside of your glasses or your lenses or whatever. 0:05:40.977 --> 0:05:45.417 It is, the proper context for whatever you're doing, right? 0:05:45.817 --> 0:05:49.497 And finally, the last piece is once you have a 0:05:49.497 --> 0:05:52.017 company or a business or an individual or family or 0:05:52.017 --> 0:05:57.617 whatever with sort of information about them presented at as APIs, 0:05:57.937 --> 0:06:01.817 you could then take your AI, whatever the smartest AI 0:06:01.857 --> 0:06:05.177 you have with the largest context, and sort of look 0:06:05.177 --> 0:06:08.017 down at that entity that you're trying to manage, and 0:06:08.017 --> 0:06:10.017 you could give it goals. You could say, I am 0:06:10.057 --> 0:06:13.647 trying to achieve this in my family, in my business, 0:06:13.647 --> 0:06:17.727 for my county, for my city, for my country. And 0:06:17.727 --> 0:06:20.487 then your. I can sort of help you manage that. 0:06:20.487 --> 0:06:24.527 So those are the concepts from the book. Then in 2018, 0:06:24.527 --> 0:06:26.967 I got a job at Apple doing information security stuff. 0:06:26.967 --> 0:06:29.207 But the team I came in with was actually a 0:06:29.207 --> 0:06:32.407 machine learning team. So I had to refresh my horrible math, 0:06:32.927 --> 0:06:37.087 and I went and did the full Andrew Ng machine 0:06:37.087 --> 0:06:40.727 Learning course, which was on YouTube at the time, and 0:06:40.807 --> 0:06:45.127 I ended up spending multiple years there at Apple building 0:06:45.127 --> 0:06:47.487 out a security product, which they still use today. Pretty 0:06:47.527 --> 0:06:52.607 happy about that. But, um, lots of practical experience of 0:06:52.847 --> 0:06:57.727 using the ML stuff in the context of security. Um, 0:06:57.727 --> 0:07:00.167 so really happy to have come in for that team 0:07:00.167 --> 0:07:03.847 at Apple. Then in early 21, I left to go 0:07:03.887 --> 0:07:08.287 build Appsec and Vulnerability Management at Robinhood with Caleb Sima. 0:07:09.007 --> 0:07:11.887 And there I did a talk at Blackhat about building 0:07:11.997 --> 0:07:17.877 vulnerability management based on company context and specifically asset management, 0:07:18.357 --> 0:07:20.797 which turned out to be another sort of brick in 0:07:20.797 --> 0:07:25.557 this path towards context. So after doing that, I decided 0:07:25.557 --> 0:07:29.157 it was time to build things on my own and 0:07:29.197 --> 0:07:33.157 do consulting stuff independently. So I went independent with unsupervised 0:07:33.157 --> 0:07:36.477 learning in like August of 22. And that was just 0:07:36.477 --> 0:07:39.997 a few months before ChatGPT came out. So obviously I 0:07:39.997 --> 0:07:44.197 go absolutely insane when I see ChatGPT and I start 0:07:44.197 --> 0:07:47.077 calling everyone I know. All my friends got that call, 0:07:47.077 --> 0:07:50.437 my mom got that call, everyone got this call multiple times. 0:07:50.437 --> 0:07:53.997 I was freaking out, basically saying drop everything, go do AI. 0:07:55.517 --> 0:07:57.437 And the first place that my head went with all 0:07:57.437 --> 0:07:59.837 this was thinking about the context that I would gather 0:07:59.837 --> 0:08:02.517 in these security assessments and thinking about how I could 0:08:02.517 --> 0:08:06.037 use this for security, obviously, because that's my background. But 0:08:06.037 --> 0:08:10.157 I pretty quickly realized that this was bigger than just security. 0:08:10.397 --> 0:08:14.547 It's actually more about the context first. So in March 0:08:14.547 --> 0:08:18.707 of 23, I wrote this post called Sspca, which says 0:08:18.707 --> 0:08:23.707 everything is about state policy questions and actions. Basically, you 0:08:23.707 --> 0:08:26.907 have the current context for the company or the program 0:08:26.907 --> 0:08:29.467 or the department, whatever it is you're trying to manage, 0:08:29.907 --> 0:08:33.707 you have that current context. Then you have the policy, 0:08:33.707 --> 0:08:37.187 which is what you're trying to accomplish. Then you have 0:08:37.187 --> 0:08:41.867 the questions that you continuously want the answers to, and 0:08:41.867 --> 0:08:45.506 then you have actions or what you know, what we 0:08:45.506 --> 0:08:49.786 as people or I could take what we could do 0:08:50.026 --> 0:08:53.667 to make that policy happen, make the desired state come true. 0:08:54.467 --> 0:08:57.227 So with this, I start feeling like, okay, now I'm 0:08:57.227 --> 0:09:00.186 starting to lock this thing in and make it more solid. 0:09:01.067 --> 0:09:03.266 So that got decent traction, but I wanted to actually 0:09:03.307 --> 0:09:07.066 demonstrate this. So I started working immediately on something more 0:09:07.067 --> 0:09:11.456 practical as like a demo. So I did a talk 0:09:11.497 --> 0:09:15.017 at Black Hat. I think the following year maybe, and 0:09:15.016 --> 0:09:18.337 I put together this fake company called alma. And I 0:09:18.377 --> 0:09:21.896 gave it tons of context for, like, everything about the company. 0:09:22.016 --> 0:09:25.377 So its mission, how they differentiate from competitors, all their 0:09:25.377 --> 0:09:29.217 different products, their goals, where they do business, the risk 0:09:29.217 --> 0:09:33.577 register security team and its members and all their skill sets. Right. 0:09:33.617 --> 0:09:36.296 The projects that they're working on, the list of applications 0:09:36.296 --> 0:09:39.817 are it stack the dev teams, how they push code 0:09:39.817 --> 0:09:43.177 like everything about this company. I put it into this file. 0:09:44.217 --> 0:09:46.977 So now I can ask questions just like I do 0:09:46.977 --> 0:09:49.456 in security assessments. And I was doing this using an 0:09:49.457 --> 0:09:53.656 agent back in 23 to basically call this thing. And 0:09:53.656 --> 0:09:56.057 the agent would look up all this different tools or whatever, 0:09:56.057 --> 0:09:59.536 look at the context. And I could do planning for this. 0:09:59.536 --> 0:10:03.817 I could do threat modeling, actually output reports. I could 0:10:03.817 --> 0:10:07.177 write emails to auditors, I could respond to one off 0:10:07.176 --> 0:10:11.367 security questionnaire questions because, you know, you have a problem 0:10:11.367 --> 0:10:14.087 of like you have this database of security answers, but 0:10:14.087 --> 0:10:18.326 the question always comes in different. This solves that. So 0:10:18.327 --> 0:10:21.167 here's an example of a CISO making a statement about 0:10:21.207 --> 0:10:24.367 no more connections to a particular resource. And we're asking 0:10:24.367 --> 0:10:27.687 the question should this connection be allowed. And the AI 0:10:27.727 --> 0:10:31.167 responds back that, no, this connection should not be allowed, 0:10:31.766 --> 0:10:34.807 because the CISO said a minute ago that no more 0:10:34.807 --> 0:10:37.727 connections to that particular resource. So you could do really 0:10:37.727 --> 0:10:43.006 cool stuff when you have context. And throughout 23, 24 0:10:43.006 --> 0:10:45.727 and now into 25, I've been building more and more 0:10:45.727 --> 0:10:52.487 stuff that circulates around this central theme of context plus AI. 0:10:53.646 --> 0:10:57.886 So later in 23, I built this thing called threshold. 0:10:57.886 --> 0:11:00.886 It's an app that takes over 3000 sources on the internet, 0:11:01.166 --> 0:11:05.006 tells me how good the context is independent of the source. 0:11:05.286 --> 0:11:09.477 And it basically uses context about me It so it 0:11:09.477 --> 0:11:12.997 knows what I like. And it's using that as the 0:11:12.997 --> 0:11:17.516 level of quality of the ideas, right? The novelty of 0:11:17.516 --> 0:11:20.717 the ideas, the number of ideas and having them being 0:11:20.717 --> 0:11:24.396 shaped in a particular direction. Right. And I could slide 0:11:24.396 --> 0:11:27.436 this lever and it only shows me content that exceeds 0:11:28.036 --> 0:11:32.717 a certain threshold of quality. Currently about to launch another 0:11:32.916 --> 0:11:35.836 product called Same Page, which is an enterprise product that 0:11:35.837 --> 0:11:40.717 helps companies manage pretty much anything based on their company context. Um, 0:11:40.997 --> 0:11:43.957 doing a lot of stuff with security programs here. Another 0:11:43.957 --> 0:11:46.757 thing I've had for like nine years now, or maybe longer, 0:11:46.756 --> 0:11:51.556 is my attack service monitoring system called Helios. And it 0:11:51.557 --> 0:11:54.357 started off as basically pure automations, right? This is like 0:11:54.357 --> 0:11:58.197 directory stuff, Linux stuff, using a bunch of tools, mostly 0:11:58.197 --> 0:12:02.477 from project Discovery and a bunch of custom tooling and 0:12:02.477 --> 0:12:05.237 Python and Bash and stuff. So it was very kind 0:12:05.237 --> 0:12:09.467 of like a dumb system, very effective. Very fast. Very good. 0:12:09.506 --> 0:12:12.587 But what I've done now is I'm turning this into 0:12:12.707 --> 0:12:15.586 a complete AI model, and I'm rewriting it to be 0:12:15.587 --> 0:12:20.187 context central. So everything goes into a particular location and 0:12:20.187 --> 0:12:22.867 I start operating on it from there. So once again, 0:12:23.107 --> 0:12:28.066 it's actions running against context. And the last one I'll 0:12:28.067 --> 0:12:31.066 mention is like a daily brief for myself. So basically 0:12:31.067 --> 0:12:33.107 looks at all these different sources that I have for 0:12:33.146 --> 0:12:38.227 like open source intelligence, national security, like really smart people 0:12:38.227 --> 0:12:40.067 who could, like, tell what's in the back of a 0:12:40.067 --> 0:12:43.067 truck looking at a satellite photo based on the fact 0:12:43.067 --> 0:12:46.106 of like the tire treads that are in the grass. 0:12:46.467 --> 0:12:49.747 So I follow, you know, hundreds of people like that, 0:12:49.747 --> 0:12:51.427 and I know they have good signal. So what I 0:12:51.426 --> 0:12:54.187 do is I bring that all together, I do analysis 0:12:54.187 --> 0:12:57.386 on it using a bunch of AI, and then it 0:12:57.386 --> 0:13:01.587 gives me like the President's Daily Brief. So now I 0:13:01.587 --> 0:13:04.787 could say, oh, it looks like this might be happening, um, 0:13:04.947 --> 0:13:07.816 which I can start thinking about. I could talk about whatever. 0:13:09.896 --> 0:13:13.816 So all these separate areas are kind of loosely revolving 0:13:13.817 --> 0:13:18.296 around this concept of context. And I so I feel 0:13:18.296 --> 0:13:21.656 like or have felt like for a long time that 0:13:21.896 --> 0:13:26.256 this is congealing. It's coalescing into this single theme. Right. 0:13:26.497 --> 0:13:29.016 But a couple of weeks ago I'm like, this is 0:13:29.016 --> 0:13:33.497 not quite it. This is not quite it. I'm close, 0:13:33.497 --> 0:13:36.937 but not not quite there. And I think I have 0:13:36.937 --> 0:13:39.737 a much simpler way of describing this now. And that's 0:13:39.737 --> 0:13:43.256 what I'm calling this unified entity context. And of course, 0:13:43.256 --> 0:13:45.016 that won't be the real name that gets used because 0:13:45.057 --> 0:13:48.416 Gartner will name it something and that'll be the new name. 0:13:48.817 --> 0:13:53.577 No big deal. If we look at security specifically and 0:13:53.577 --> 0:13:55.617 we look at some use cases, we find some really 0:13:55.617 --> 0:13:59.617 interesting patterns. So for like a SOC analyst you got 0:13:59.617 --> 0:14:01.937 tons of different logs, you got threat Intel reports, you 0:14:01.977 --> 0:14:07.766 got identity stuff, endpoint data, all these different sources for 0:14:07.766 --> 0:14:09.847 incident response. You've got the same stuff you have to 0:14:09.847 --> 0:14:12.486 look at, but it's more focused around, like the narrative, 0:14:12.487 --> 0:14:16.326 determining the scope, the timeline, stuff like that. With Pentesting, 0:14:16.327 --> 0:14:18.646 you're also gathering tons of data and then trying to 0:14:18.646 --> 0:14:20.767 put the pieces together and figure out like what to 0:14:20.807 --> 0:14:23.847 go after. Same with Red team, but you're even more 0:14:23.847 --> 0:14:27.767 focused on a larger scope, more interested in like the 0:14:27.767 --> 0:14:31.247 context of everything and the impact that you can generate. 0:14:32.407 --> 0:14:36.247 And with vulnerability management, we need to understand the organization 0:14:36.247 --> 0:14:39.927 really well. Otherwise, it's really hard to do remediation, which 0:14:39.927 --> 0:14:43.806 is kind of the whole point, program management. You got 0:14:43.847 --> 0:14:47.527 to have project management, budgeting strategy, time management, all those 0:14:47.527 --> 0:14:51.247 things combined. GRC you have to know what we need 0:14:51.247 --> 0:14:53.767 to be compliant with and why. And we have to 0:14:53.767 --> 0:14:55.487 know what our gaps are in terms of like the 0:14:55.487 --> 0:14:59.887 risk register vulnerabilities, stuff like that. So the common issue 0:15:00.767 --> 0:15:04.927 with most of these, really all of these is that 0:15:04.927 --> 0:15:07.397 you have to be able to see multiple parts of 0:15:07.397 --> 0:15:11.197 the organization all at once in context at the same time, 0:15:11.197 --> 0:15:14.277 and then connect those pieces together. This is why security 0:15:14.277 --> 0:15:18.717 analysts and incident responders and red teamers are so valuable. 0:15:19.037 --> 0:15:22.717 It's not the single task in the problem that's hard. 0:15:22.957 --> 0:15:26.597 It's integrating all the different sources to be able to 0:15:26.837 --> 0:15:31.717 actually do that task. And I'm going to go a 0:15:31.717 --> 0:15:35.517 little deeper into vulnerability management to illustrate this point. Since 0:15:35.517 --> 0:15:39.397 I've lived in that hellscape for so long. What is 0:15:39.397 --> 0:15:43.956 it that's actually hard about vulnerability management? Is it that 0:15:43.957 --> 0:15:46.957 we don't have enough vulnerabilities? Is it that our dashboards 0:15:46.957 --> 0:15:50.317 aren't pretty enough? That is not the problem. The problem 0:15:50.317 --> 0:15:54.997 is when you have a given vulnerability, what application is 0:15:54.997 --> 0:15:59.037 it part of? What engineering team is responsible for that application? 0:15:59.037 --> 0:16:03.077 What repo do they work from? What DevOps workflows do 0:16:03.077 --> 0:16:06.316 they use? Like how do they actually push code? How 0:16:06.317 --> 0:16:08.717 do they fix things day to day? What is the 0:16:08.717 --> 0:16:11.397 best way to get a really good fix to the 0:16:11.397 --> 0:16:15.117 right person that doesn't annoy them, which causes their manager 0:16:15.117 --> 0:16:18.997 to call over security and say stop bothering me. You 0:16:18.997 --> 0:16:21.477 might think this is easy to find that person, but 0:16:21.477 --> 0:16:26.237 keep in mind things are changing constantly. Reorgs team changes. 0:16:26.957 --> 0:16:30.477 Tools are changing like the whole company is constantly in motion. 0:16:31.997 --> 0:16:35.997 So here's the question how much of our inability to 0:16:36.037 --> 0:16:38.597 do a great job at vulnerability management for the last 0:16:38.597 --> 0:16:42.797 15 years is a security problem, and how much of 0:16:42.797 --> 0:16:48.237 it is actually an organizational knowledge problem? And now ask 0:16:48.237 --> 0:16:53.277 that for other areas of security. Even crazier, it's not 0:16:53.277 --> 0:16:57.757 just security. The software and services industries in general are 0:16:57.997 --> 0:17:03.197 all based on asking specific questions to a specific set 0:17:03.197 --> 0:17:06.307 of data and giving you an output in like a 0:17:06.347 --> 0:17:10.147 kind of a specific type of UI, right? You have 0:17:10.147 --> 0:17:14.307 HR data, right? You ask HR questions to the HR 0:17:14.347 --> 0:17:18.467 data and they put that in an HR interface. Right. 0:17:18.507 --> 0:17:22.186 Same with project management. Right. You have project management data. 0:17:22.547 --> 0:17:24.987 You ask those questions. You put it into some sort 0:17:24.986 --> 0:17:28.387 of PM UI. Do we really think that these things 0:17:28.627 --> 0:17:31.186 are going to need their own separate databases and their 0:17:31.186 --> 0:17:34.947 own separate APIs, their own separate tools, their own separate UIs? 0:17:35.907 --> 0:17:39.986 I don't think so. I think that all goes away. 0:17:40.147 --> 0:17:43.987 And what we end up with is this thing which 0:17:43.986 --> 0:17:49.186 I'm calling unified entity context. So if you're an individual, 0:17:49.186 --> 0:17:52.186 your history, your belief system, your aspirations, your favorite books 0:17:52.186 --> 0:17:56.506 and music, past traumas, salary, high blood pressure, your friends, 0:17:56.507 --> 0:18:03.096 your job, your career, family goals, upbringing, medical history. Your agenda, 0:18:03.097 --> 0:18:07.976 your calendar, right, your financial goals for that particular day, 0:18:08.257 --> 0:18:10.897 like what you're trying to do for this particular year, 0:18:11.017 --> 0:18:14.456 getting ready for, you know, a half marathon, whatever it is. 0:18:14.777 --> 0:18:17.217 But then, just like with the security program, you can 0:18:17.216 --> 0:18:20.337 ask all sorts of questions. Why is my relationship with 0:18:20.337 --> 0:18:22.977 my mother in law not working? What can I do 0:18:22.976 --> 0:18:26.217 to improve my health? Right. Different questions you can ask. 0:18:27.017 --> 0:18:28.897 If you're a company. It's back to the same thing 0:18:28.897 --> 0:18:32.976 that we collected with the Alma context goals. The state 0:18:32.976 --> 0:18:36.657 of all IT systems. What are my Kubernetes pods doing? 0:18:36.657 --> 0:18:41.097 What are all my EC2 instances doing? What's going on GCP? 0:18:41.617 --> 0:18:46.216 I want all slack messages, current projects, team members, the 0:18:46.216 --> 0:18:48.657 state of HR. How many people are we hiring? How 0:18:48.657 --> 0:18:53.057 many people just left? Why did they leave? Desired IRR 0:18:53.097 --> 0:18:56.337 for the company. All products that we have, our current 0:18:56.337 --> 0:19:00.936 marketing campaigns, all of our competitors, marketing campaigns for their products. 0:19:01.417 --> 0:19:05.367 This becomes the baseline for everything. Once you have that, 0:19:05.847 --> 0:19:08.326 then you have the smartest AI you have with the 0:19:08.327 --> 0:19:13.767 largest context. Look down at the entire thing and soak 0:19:13.807 --> 0:19:21.087 it in all at once. Let's think about this from 0:19:21.087 --> 0:19:23.887 the attacker defender perspective, because this is another way that 0:19:23.887 --> 0:19:27.007 I came at this and I came up with this 0:19:27.007 --> 0:19:31.527 thing called Acad, which is AI capabilities for attackers and defenders. 0:19:31.726 --> 0:19:35.087 And the basic idea was figure out what the attackers 0:19:35.087 --> 0:19:37.127 want to do to us, and let's just make a 0:19:37.127 --> 0:19:39.686 list of those so we can defend against them. So 0:19:39.686 --> 0:19:42.527 the number one question I get asked is essentially where 0:19:42.527 --> 0:19:45.686 do I spend money for cybersecurity. And this Acad thing 0:19:45.686 --> 0:19:49.167 is basically a way to answer that is you give 0:19:49.167 --> 0:19:51.686 the answer of, well, you think about what they're about 0:19:51.686 --> 0:19:53.407 to do to you and you make sure you can 0:19:53.407 --> 0:19:56.607 respond to it. So that turned into this project where 0:19:56.607 --> 0:20:00.726 I'm gathering tons of these attacker capabilities, and I'm building 0:20:00.877 --> 0:20:05.316 a corresponding set of defender capabilities. And we're trying to 0:20:05.317 --> 0:20:07.397 figure out like, how do these play off of each other? 0:20:08.917 --> 0:20:13.517 So basically the attacker capabilities will be gathering a whole 0:20:13.517 --> 0:20:15.837 bunch of data, right? The idea is that when you 0:20:15.837 --> 0:20:19.077 run these attacker capabilities or when they run them against you, 0:20:19.077 --> 0:20:22.077 they're going to put them into their own version of 0:20:22.077 --> 0:20:26.277 your context. They're going to have a target unified entity 0:20:26.277 --> 0:20:29.157 context for you, for you as the target, which is 0:20:29.157 --> 0:20:33.117 you as a company. Right. And I thought it would 0:20:33.117 --> 0:20:35.557 look like this. I thought the most important thing was 0:20:35.557 --> 0:20:40.997 actually these capabilities are like the most important. And I'm like, well, 0:20:40.997 --> 0:20:44.397 we obviously want to maintain that inside of a state bucket, right. 0:20:44.397 --> 0:20:48.477 The unified entity context. So I thought that was that. 0:20:48.917 --> 0:20:50.956 But after thinking about it a lot more, I think 0:20:50.956 --> 0:20:55.836 it's actually this the accuracy and the freshness of the 0:20:55.837 --> 0:20:59.877 target context is actually the most important thing because the 0:20:59.986 --> 0:21:03.507 ability to attack and pivot and hinge off of all 0:21:03.507 --> 0:21:06.746 this different stuff and, you know, go a different route, 0:21:06.986 --> 0:21:12.427 be dynamic, do attacker things and defender things. It all 0:21:12.466 --> 0:21:19.107 hinges off the quality of this context. So where this 0:21:19.107 --> 0:21:22.827 all takes us is that the top priority of attackers 0:21:23.226 --> 0:21:27.747 will be having better USC models of your organization than 0:21:27.747 --> 0:21:32.466 you do. So it'll be a competition between your attacker 0:21:32.466 --> 0:21:36.987 and you, between who has the most accurate and up 0:21:37.027 --> 0:21:44.226 to date context for your company. And this is absolutely insane, 0:21:44.226 --> 0:21:48.266 because the very next step is realizing that we have 0:21:48.267 --> 0:21:55.267 this entire thing completely backwards. Instead of cybersecurity or finance 0:21:55.267 --> 0:21:58.227 or whatever, being at the center, like in this diagram 0:21:58.226 --> 0:22:01.336 with context and I being like, oh, how do you 0:22:01.337 --> 0:22:05.657 add AI to cybersecurity? Oh, we should gather more context, 0:22:05.936 --> 0:22:10.297 you know, so we could do cybersecurity better. Nope. It's 0:22:10.337 --> 0:22:16.177 actually the opposite. The context of the entity is everything. 0:22:16.297 --> 0:22:21.216 It becomes primary along with the AI that operates. Looking 0:22:21.216 --> 0:22:26.417 down at that context, software verticals kind of go away. 0:22:27.257 --> 0:22:32.817 Software and service verticals just become use cases. They become 0:22:32.817 --> 0:22:38.977 modules on top of unified context. And here's a completely 0:22:38.976 --> 0:22:42.977 crazy question to think about. And this is currently like 0:22:42.976 --> 0:22:46.377 blowing my mind. It has not stopped freaking me out 0:22:46.377 --> 0:22:49.856 since I started thinking about this. What if all of 0:22:49.857 --> 0:22:55.177 our decisions are only hard because we actually lack context? 0:22:55.577 --> 0:22:59.007 What if the fog of war Is the thing that 0:22:59.007 --> 0:23:04.086 makes things difficult. Think about a junior analyst being asked 0:23:04.087 --> 0:23:07.767 if some connection is malicious or not, and they've got 0:23:07.807 --> 0:23:11.327 like 27 different sources they can pull from all these 0:23:11.327 --> 0:23:15.967 different repositories Google Docs, slack or whatever, and you're just like, 0:23:16.847 --> 0:23:18.806 have at it. Good luck. I need to know if 0:23:18.807 --> 0:23:21.887 this is dangerous or not. This is going to be really, 0:23:21.887 --> 0:23:25.257 really hard for a junior analyst, you know, with 1 0:23:25.257 --> 0:23:29.847 or 2 years experience, even three years experience. But now 0:23:29.887 --> 0:23:35.327 imagine a principal analyst comes along to assist the junior analyst, 0:23:35.327 --> 0:23:40.167 and they build them this elaborate timeline of everything that happened. 0:23:40.407 --> 0:23:45.927 They take all the logs, they study them for 27 hours, 0:23:46.087 --> 0:23:50.887 and they build this giant, complex visual map. Then this happened, 0:23:50.927 --> 0:23:54.287 then this, this log in CrowdStrike that maps to this 0:23:54.287 --> 0:23:57.957 log in Palo Alto, blah, blah, blah. Connect all the dots. Oh, 0:23:57.997 --> 0:23:59.637 this is when the attacker did this. This is when 0:23:59.637 --> 0:24:02.236 the attacker did this. That's when this happened. So it 0:24:02.236 --> 0:24:04.277 looks like this person is actually the same person as 0:24:04.317 --> 0:24:08.917 that person. And you could see it clearly. Now can 0:24:08.956 --> 0:24:13.756 the junior analyst answer this question. Yes they can. They 0:24:13.757 --> 0:24:16.436 could probably just be like, what are you talking about? 0:24:16.476 --> 0:24:20.997 Oh that's obvious. I mean, yeah, look, obviously it's malicious 0:24:20.997 --> 0:24:24.677 because you see the story right here. It's a narrative. 0:24:24.677 --> 0:24:29.397 It's a story because of the context. Now watch this. 0:24:29.837 --> 0:24:32.596 Maybe that doesn't even require a junior SOC analyst to 0:24:32.597 --> 0:24:35.397 answer that. That could be an intern. That could be 0:24:35.397 --> 0:24:40.157 somebody still in college who's barely learned any security at all. 0:24:40.677 --> 0:24:43.436 And you're like, hey, so you're vaguely aware that there's 0:24:43.476 --> 0:24:47.397 a security like concept and like, bad things are bad. 0:24:47.436 --> 0:24:50.197 They're like, yeah, I guess it's like, well, what if 0:24:50.196 --> 0:24:54.237 I showed you this diagram here and all these are 0:24:54.236 --> 0:24:57.186 different logs that happened? Do you think that connection right 0:24:57.186 --> 0:25:04.667 there is actually malicious? They're like yeah, obviously. So maybe 0:25:04.667 --> 0:25:09.387 the problem isn't the difficulty of the task, but the 0:25:09.387 --> 0:25:13.707 difficulty of filling in the context that paints the picture. 0:25:16.627 --> 0:25:19.907 I think this is absolutely true. And it's why I 0:25:19.907 --> 0:25:24.026 think unified entity context actually ends up being the most 0:25:24.027 --> 0:25:30.267 important thing for the management of anything. An ice cream 0:25:30.307 --> 0:25:41.746 truck business, the local city council group, right? A gardening collective, right. 0:25:42.067 --> 0:25:48.347 A city government, a state, a country, a federation of planets. Basically, 0:25:48.387 --> 0:25:51.826 I can use its understanding of the entity of the 0:25:51.827 --> 0:25:55.307 thing that you care about to lower the difficulty of 0:25:55.307 --> 0:25:59.857 most decisions because it can take snapshots of the current 0:25:59.857 --> 0:26:02.817 state that's relevant to the decision that needs to be made, 0:26:03.657 --> 0:26:06.537 and put it in context, in a timeline, in a 0:26:06.537 --> 0:26:12.377 narrative that makes it obvious what you should do right. 0:26:12.577 --> 0:26:15.217 If you think about the fog of war for like 0:26:15.216 --> 0:26:21.417 a genius general. Oh, where's the enemy attacking? We don't know, sir. Okay. 0:26:21.456 --> 0:26:23.137 How many troops do we have? We're not sure. We're 0:26:23.137 --> 0:26:27.577 cut off from, uh, communication lines. How many troops do 0:26:27.577 --> 0:26:31.777 the enemy have? We're not exactly sure. Somewhere between 10,000 0:26:31.777 --> 0:26:37.577 and 100,000. Okay, cool. That requires genius of that, general. 0:26:38.537 --> 0:26:42.216 That requires genius because they're operating in so much uncertainty. 0:26:42.497 --> 0:26:46.696 When you bring that uncertainty down, you could pull a 0:26:46.696 --> 0:26:49.737 private into that room and be like, okay, we know 0:26:49.736 --> 0:26:53.576 the exact current state of everyone. What should we do? 0:26:53.617 --> 0:26:57.847 And the private walks in is like, shouldn't we just 0:26:57.847 --> 0:27:00.407 blow up that truck? Since that's the most important thing 0:27:01.407 --> 0:27:03.447 and it has all the special plans in it, and 0:27:03.446 --> 0:27:06.647 it has the special device in it. Should we just 0:27:06.647 --> 0:27:09.367 blow that up? And everyone's like, yeah, exactly. That's exactly 0:27:09.367 --> 0:27:13.367 what we should do. It requires genius. If you don't 0:27:13.367 --> 0:27:16.567 have the information, it does not require genius if you do. 0:27:18.206 --> 0:27:20.966 So the natural question is what does this mean if 0:27:20.966 --> 0:27:25.247 this is correct? Well, if you're building a company, I 0:27:25.247 --> 0:27:29.247 think you need to be thinking very carefully about how 0:27:29.247 --> 0:27:32.687 to get access to unique data for your customers. You 0:27:32.686 --> 0:27:35.446 might have the best phone management scanner, but if your 0:27:35.446 --> 0:27:39.967 competitor partners with someone who provides unique data, or they 0:27:39.966 --> 0:27:44.007 have unique data themselves for some other reason and they 0:27:44.007 --> 0:27:47.487 have access to the customer's team structure, their GitHub repos, 0:27:48.127 --> 0:27:52.247 their HR, you know, workday, they know employees coming, they 0:27:52.247 --> 0:27:55.957 know all the org changes. They know all the dev pipelines. 0:27:56.196 --> 0:28:00.757 They know which application corresponds to which dev team and 0:28:00.757 --> 0:28:06.677 which developer. You are going to lose. It doesn't matter 0:28:06.677 --> 0:28:09.157 how good your scanner is, if they know more about 0:28:09.157 --> 0:28:12.196 the customer than you do, you're going to lose. So basically, 0:28:12.196 --> 0:28:15.276 avoid getting beat by someone who knows more about the 0:28:15.277 --> 0:28:20.197 customer's organization than you do. If you're in VC or 0:28:20.236 --> 0:28:23.837 you're really any kind of investor, I'd be looking at 0:28:25.037 --> 0:28:28.877 companies that are thinking deeper into this context and are 0:28:28.877 --> 0:28:33.117 thinking about USC early, how to make it themselves if 0:28:33.117 --> 0:28:35.517 they have to, how to partner with someone who's making 0:28:35.517 --> 0:28:39.197 it up. I don't think you should look for people 0:28:39.197 --> 0:28:41.197 who are trying to build the actual USC, because I 0:28:41.197 --> 0:28:43.556 think that is so big, it's going to be most 0:28:43.557 --> 0:28:47.477 likely the giant players that are doing it. But I 0:28:47.477 --> 0:28:50.357 would say avoid betting on companies that ignore this deep 0:28:50.357 --> 0:28:54.747 context threat and are probably going to lose as a result. 0:28:56.387 --> 0:28:59.106 And if you're a defender and you're trying to figure out, 0:28:59.147 --> 0:29:03.507 like what I do, I build. To improve my cybersecurity program, 0:29:04.227 --> 0:29:08.227 you should start building your own unique context for your company. 0:29:08.587 --> 0:29:13.827 Your attackers are going to have a version of context 0:29:13.827 --> 0:29:16.546 for your company. They are going to have a unique 0:29:16.747 --> 0:29:21.227 world model of you, and your version of that unique 0:29:21.267 --> 0:29:26.187 world model needs to be better than theirs. And finally, 0:29:26.587 --> 0:29:28.867 if you're just trying to figure out where things are going, 0:29:29.187 --> 0:29:34.547 just imagine this whole AI state management, unified entity context 0:29:34.587 --> 0:29:36.747 thing as a lens that you could use or not 0:29:36.747 --> 0:29:41.586 use to interpret new AI developments. Basically, one way of 0:29:41.587 --> 0:29:45.227 interpreting the news about AI that hopefully makes some sense. 0:29:46.627 --> 0:29:48.066 Thanks for your time and I'll see you in the 0:29:48.067 --> 0:29:48.587 next one.