May 30, 2024
Deciphering the 2024 RSA Conference Keynote(s)
A review of the core keynote speeches at the 2024 RSA Conference and what they mean for IT defenders.
I Didn’t Go To The RSA Conference So You Don’t Have To
Didn’t make it to the 2024 RSA Conference? Well neither did Ned and Chris, but that’s not going to stop them from talking about it. This year’s theme was “The Art Of The Possible,” highlighting tech’s potential and the threats it faces. AI was a big topic with lots of talk about how both attackers and defenders are using it. The "Secure By Design" pledge was also a key initiative, focusing on better product security. Interestingly, Zero Trust, which was a hot topic in past years, didn’t get much attention this time around since deep engineering concepts aren’t top-of-mind once past the first wave of publicity.
Links
- Full agenda of the 2024 RSA Conference: https://www.rsaconference.com/usa/agenda/full-agenda#t=agenda-full-catalog-tab&sort=%40eventstart%20ascending%3B%40parenttitle%20ascending&numberOfResults=25
- RSA Conference YouTube Channel: https://www.youtube.com/@RSAConference
- 2024 Verizon Data Breach Report: https://www.verizon.com/business/resources/reports/dbir/
- CISA’s Secure by Design Pledge: https://www.cisa.gov/securebydesign
- CL episode “The Reality of 'Secure by Design' and the Future of Cybersecurity”: https://podcasts.apple.com/us/podcast/the-reality-of-secure-by-design/id1614000252?i=1000648350807
Transcript
1
00:00:00,550 --> 00:00:04,430
Ned: Once again, I spent 30-plus minutes
2
00:00:04,440 --> 00:00:08,240
fighting with my webcam and microphone setup.
3
00:00:08,610 --> 00:00:11,129
Chris: You mean the webcam that you bought because it was going to be easier?
4
00:00:11,670 --> 00:00:12,400
Ned: That’s the one, yeah.
5
00:00:12,570 --> 00:00:12,800
Chris: Yeah.
6
00:00:13,639 --> 00:00:14,349
It’s going good, then?
7
00:00:14,900 --> 00:00:15,590
Ned: Going great.
8
00:00:16,090 --> 00:00:18,259
There was a firmware upgrade that failed.
9
00:00:18,510 --> 00:00:22,330
So, then I had to look it up, and what I discovered is that the
10
00:00:22,330 --> 00:00:26,290
cable they ship you is a USB-C to USB-C, which I happen to have
11
00:00:26,480 --> 00:00:30,320
a USB-C port on my computer, so that’s what I plugged it into.
12
00:00:30,809 --> 00:00:33,919
If you try to do the firmware upgrade across that cable, it will fail.
13
00:00:34,389 --> 00:00:37,940
Because everything is awful, and burn it with fire [laugh]
14
00:00:38,310 --> 00:00:38,730
.
Chris: Cool.
15
00:00:47,460 --> 00:00:51,669
Ned: Oh hello, alleged human, and welcome to the Chaos Lever podcast.
16
00:00:51,719 --> 00:00:54,509
My name is Ned, and I’m definitely not a robot.
17
00:00:55,059 --> 00:01:00,230
I’m a real human person who has roots, and sentience, and
18
00:01:00,230 --> 00:01:03,840
gets jokes, and sometimes I even go for a long strolls
19
00:01:04,059 --> 00:01:10,380
with my canine companion who is also not a robot, for real.
20
00:01:10,940 --> 00:01:12,630
With me as Chris, who’s also here.
21
00:01:13,049 --> 00:01:13,540
Hi, Chris.
22
00:01:14,200 --> 00:01:15,449
Chris: I really thought you were going to say
23
00:01:15,470 --> 00:01:18,350
that the dog is here and is now the new co-host.
24
00:01:18,360 --> 00:01:20,620
Ned: [laugh] . Don’t tempt me [laugh]
25
00:01:20,940 --> 00:01:22,339
.
Chris: Hard decisions have been made.
26
00:01:23,030 --> 00:01:24,600
Kibble bribery has happened.
27
00:01:25,410 --> 00:01:26,460
Ned: Ah yes.
28
00:01:26,539 --> 00:01:27,779
Bark-a-tron 3000.
29
00:01:27,789 --> 00:01:30,409
Has opinions, and he wants you to hear about them.
30
00:01:31,099 --> 00:01:33,550
Chris: Especially about the mailman.
31
00:01:33,560 --> 00:01:35,980
Ned: [laugh] . Mostly the UPS guy.
32
00:01:36,440 --> 00:01:38,860
Just loses his goddamn mind over that.
33
00:01:39,559 --> 00:01:41,179
That and a woman pushing a stroller.
34
00:01:41,259 --> 00:01:43,380
That’s just, like, Threat Level Midnight.
35
00:01:43,770 --> 00:01:47,159
Chris: Can you imagine if there was just a number of packages in the stroller?
36
00:01:47,850 --> 00:01:49,089
Ned: His brain would explode.
37
00:01:49,809 --> 00:01:51,910
Central Processing Unit just, pop.
38
00:01:51,920 --> 00:01:55,250
[I had] a really weird experience walking the dog this morning.
39
00:01:55,280 --> 00:01:58,530
Like the actual real dog… and not my fake
40
00:01:58,530 --> 00:02:00,650
robot dog that we used for the sake of a bit.
41
00:02:01,469 --> 00:02:04,789
We’re walking, and we look across the street, and there’s a fox.
42
00:02:05,180 --> 00:02:07,310
Now that, in and of itself, is not odd.
43
00:02:07,920 --> 00:02:09,840
We see foxes all the time.
44
00:02:10,620 --> 00:02:16,720
But the fox stopped and stared at us, and then started mewling.
45
00:02:16,720 --> 00:02:21,350
I learned what the fox says, and it sounds kind of like a dying baby.
46
00:02:21,790 --> 00:02:23,730
Chris: Mmm, yeah, that sounds about right.
47
00:02:24,289 --> 00:02:26,710
Ned: And it just continued to do that, looking at us.
48
00:02:26,740 --> 00:02:30,079
And my dog was very disturbed by this, as was I.
49
00:02:30,300 --> 00:02:32,800
It’s also, like, 5:30 a.m.
50
00:02:32,809 --> 00:02:34,370
so it’s barely light outside.
51
00:02:34,929 --> 00:02:38,220
So, we walk slowly in the other direction, keeping an eye
52
00:02:38,220 --> 00:02:41,210
on that fox, and now I’m a little scared to go outside.
53
00:02:41,719 --> 00:02:45,630
Chris: Well, that’s a useful and fun PSA, that if you’re
54
00:02:45,630 --> 00:02:47,910
out in the woods, and you hear what sounds like a baby
55
00:02:47,910 --> 00:02:52,170
crying, do not try to find it because it’s not a baby.
56
00:02:53,020 --> 00:02:56,460
It’s an animal with teeth, and probably rabies, and maybe a knife.
57
00:02:57,570 --> 00:02:58,919
Ned: [laugh] . They are tricksie.
58
00:02:59,359 --> 00:03:02,950
That’s one thing I’ve learned from Aesop’s Fables: you can’t trust a fox.
59
00:03:03,690 --> 00:03:05,060
Chris: A gift that keeps on giving.
60
00:03:05,810 --> 00:03:06,980
Ned: Every day of my life.
61
00:03:07,870 --> 00:03:11,440
Anyhow, you did a thing, or you wrote a thing about a thing you didn’t do.
62
00:03:11,820 --> 00:03:13,279
Chris: Hey, hey, hey.
63
00:03:13,280 --> 00:03:13,390
Ned: [laugh]
64
00:03:14,030 --> 00:03:14,840
.
Chris: You settle down.
65
00:03:15,589 --> 00:03:20,860
This is a long-standing tradition on this show, where I don’t go
66
00:03:20,860 --> 00:03:24,690
to various conferences, tell you about it, so you don’t have to go.
67
00:03:24,800 --> 00:03:25,110
Ned: Yay.
68
00:03:25,290 --> 00:03:26,880
Chris: I’m helping.
69
00:03:27,240 --> 00:03:27,580
Ned: Sure.
70
00:03:28,590 --> 00:03:32,439
Chris: In particular, in this instance, we will be talking about the RSA
71
00:03:32,450 --> 00:03:37,430
conference, or RSAC as they insist on calling it, which I absolutely will not.
72
00:03:38,200 --> 00:03:40,380
Ned: That makes me really uncomfortable.
73
00:03:41,200 --> 00:03:41,230
Chris: [laugh]
74
00:03:41,240 --> 00:03:43,980
.
Ned: Like, I shifted around in my seat a little bit when you said that.
75
00:03:45,460 --> 00:03:49,410
Chris: Now, for those who aren’t a hundred percent familiar, the RSA Conference
76
00:03:49,410 --> 00:03:53,400
is one of the premier security conferences that comes along every year.
77
00:03:54,039 --> 00:03:56,950
This year, it was held in San Francisco, which is not
78
00:03:56,950 --> 00:03:59,640
a surprise because it’s always held in San Francisco.
79
00:04:00,210 --> 00:04:00,600
Duh.
80
00:04:00,610 --> 00:04:01,510
Ned: Of course.
81
00:04:02,290 --> 00:04:04,519
Chris: Now, in another long-standing tradition, as
82
00:04:04,520 --> 00:04:07,859
discussed before, I didn’t go, but I heard about it.
83
00:04:08,280 --> 00:04:08,690
Ned: Yay.
84
00:04:09,429 --> 00:04:14,140
Chris: So, as usual, the sessions did all get recorded, and if you
85
00:04:14,190 --> 00:04:19,399
bought the remote attendees On-Demand Pass, you can watch them all now.
86
00:04:19,800 --> 00:04:22,070
And you can in fact, still buy the On-Demand
87
00:04:22,070 --> 00:04:24,200
Pass if this stuff is all interesting to you.
88
00:04:25,110 --> 00:04:27,689
There are already some sessions available for
89
00:04:27,690 --> 00:04:31,780
free, especially the keynote-y type sessions.
90
00:04:32,550 --> 00:04:35,210
Now, their official statement on the matter is that this
91
00:04:35,210 --> 00:04:38,840
stuff starts to become available approximately 30 days after
92
00:04:38,840 --> 00:04:42,350
the conference, but they’re actually already sharing them.
93
00:04:42,540 --> 00:04:43,790
There’s a good amount out there, and
94
00:04:43,790 --> 00:04:45,469
they’re going to just keep on trickling out.
95
00:04:45,490 --> 00:04:49,060
So, keep an eye on the RSA Conference’s YouTube channel if you’re
96
00:04:49,070 --> 00:04:52,880
interested in what you can see from this conference for free.
97
00:04:54,340 --> 00:05:00,829
Now, I said keynote-y type sessions and I said that for a reason.
98
00:05:01,540 --> 00:05:03,390
There are 36 keynotes.
99
00:05:04,030 --> 00:05:05,650
Ned: Uh— [sigh] —I—
100
00:05:05,959 --> 00:05:09,630
Chris: Which, if you’re doing the math at home, is a lot.
101
00:05:10,180 --> 00:05:12,690
Ned: It ceases to be a keynote at that point.
102
00:05:13,180 --> 00:05:13,550
Right?
103
00:05:13,810 --> 00:05:14,070
Chris: Right.
104
00:05:14,429 --> 00:05:14,759
Ned: Right.
105
00:05:14,980 --> 00:05:15,570
Chris: Correct.
106
00:05:15,639 --> 00:05:16,089
Ned: Okay.
107
00:05:16,510 --> 00:05:19,880
Chris: Because if you look up the definition for keynote,
108
00:05:20,910 --> 00:05:24,970
it’s a quote, “Talk that establishes a main underlying
109
00:05:25,000 --> 00:05:28,900
theme.” One would assume from this that there’s one.
110
00:05:29,950 --> 00:05:33,460
This has stopped being a thing for way too long now.
111
00:05:34,740 --> 00:05:36,830
Now, before we even talk about the conference, I want to
112
00:05:36,840 --> 00:05:40,439
start a change.org petition to call it something else.
113
00:05:40,969 --> 00:05:41,309
Ned: Okay.
114
00:05:41,690 --> 00:05:44,890
Chris: How about we’ve got ‘sessions,’ of which there are an
115
00:05:44,890 --> 00:05:50,940
infinite amount, “The keynote,” of which there is one, and the
116
00:05:50,940 --> 00:05:55,930
super-duper, fancy special speeches, of which there can be 36.
117
00:05:55,940 --> 00:05:56,500
Ned: Sure.
118
00:05:56,880 --> 00:05:59,510
Chris: Longer name, sounds way more important that way.
119
00:06:00,090 --> 00:06:00,680
Who says no?
120
00:06:01,960 --> 00:06:03,810
Ned: Can’t we just call them, like, ‘Premier Sessions?’
121
00:06:04,330 --> 00:06:05,380
Chris: Oh, that’s good, too.
122
00:06:05,500 --> 00:06:07,219
I think mine’s better, but that’s good, too.
123
00:06:07,650 --> 00:06:08,020
Ned: All right.
124
00:06:08,090 --> 00:06:08,849
Chris: We’ll workshop it.
125
00:06:09,520 --> 00:06:10,090
Ned: Of course.
126
00:06:10,260 --> 00:06:13,230
And, you know, if listeners have suggestions, write them in.
127
00:06:13,410 --> 00:06:13,889
Let us know.
128
00:06:14,280 --> 00:06:14,599
Chris: Yeah.
129
00:06:15,440 --> 00:06:15,740
Okay.
130
00:06:16,609 --> 00:06:18,609
So, on to more serious topics.
131
00:06:19,040 --> 00:06:19,290
Ned: Okay.
132
00:06:19,700 --> 00:06:22,590
Chris: Let’s start with the obvious question that a lot of people probably
133
00:06:22,600 --> 00:06:27,890
don’t know: what the hell does RSA stand for in the name RSA Conference?
134
00:06:28,730 --> 00:06:30,719
I’m not going to lie, I have probably looked this up ten
135
00:06:30,719 --> 00:06:33,450
times, found out about it, and then forgot it ten times.
136
00:06:34,170 --> 00:06:35,839
So, I had to look it up again.
137
00:06:36,660 --> 00:06:39,010
And it’s not as exciting as you might think.
138
00:06:39,040 --> 00:06:43,140
It’s actually just made up of last name initials of the cofounders of RSA.
139
00:06:44,020 --> 00:06:47,939
That would be Ron Rivest, Adi Shamir, and Leonard Adelman.
140
00:06:48,259 --> 00:06:48,590
Get it?
141
00:06:48,860 --> 00:06:49,250
R.
142
00:06:49,590 --> 00:06:49,979
S.
143
00:06:50,309 --> 00:06:50,609
A.
144
00:06:51,110 --> 00:06:51,719
Ned: I get things.
145
00:06:51,719 --> 00:06:52,869
I’m smart [laugh]
146
00:06:53,670 --> 00:06:54,259
.
Chris: So, there you have it.
147
00:06:54,380 --> 00:06:55,520
One mystery solved.
148
00:06:55,530 --> 00:06:58,270
[singing] And we’ve only just begun.
149
00:06:59,030 --> 00:06:59,479
Ned: Oh.
150
00:06:59,770 --> 00:07:00,460
Chris: And we’re sued.
151
00:07:01,040 --> 00:07:01,830
Ned: Eh, always.
152
00:07:02,110 --> 00:07:02,610
Always.
153
00:07:02,970 --> 00:07:06,700
Folks may be familiar with RSA if they look at different encryption
154
00:07:06,780 --> 00:07:11,830
types because RSA is one of the encipherment types, I think.
155
00:07:12,090 --> 00:07:12,599
Chris: Encipherment?
156
00:07:13,440 --> 00:07:13,860
Ned: Yes.
157
00:07:13,860 --> 00:07:14,392
It’s a word I use.
158
00:07:14,392 --> 00:07:15,580
Chris: That is absolutely not a word.
159
00:07:15,940 --> 00:07:17,450
Ned: [laugh] . It is now [laugh]
160
00:07:17,450 --> 00:07:20,640
.
Chris: It sounds like something you get six months in jail for.
161
00:07:22,200 --> 00:07:23,620
Ned: [laugh] . Encipherment, right next to embezzling?
162
00:07:24,330 --> 00:07:24,359
Chris: [laugh]
163
00:07:24,919 --> 00:07:27,039
.
Ned: He enciphered the company for thousands of dollars.
164
00:07:27,690 --> 00:07:29,049
I think it is a cipher type.
165
00:07:29,410 --> 00:07:29,870
Chris: Yes.
166
00:07:30,129 --> 00:07:31,620
Ned: So, you may have seen it there.
167
00:07:32,510 --> 00:07:35,490
Chris: Anyway, the theme of the conference—and they actually did have
168
00:07:35,490 --> 00:07:41,609
a theme—was ‘The Art of the Possible,’ which sounds wishy-washy, and
169
00:07:41,620 --> 00:07:46,019
more like you know the title of an airport self-help book than something
170
00:07:46,020 --> 00:07:51,099
that would be around relevant topics in technology, but in the way
171
00:07:51,100 --> 00:07:55,210
of the old blessing slash curse, “May you live in interesting times,”
172
00:07:55,890 --> 00:07:58,650
get to think a little deeper about ‘The Art of the Possible’ name.
173
00:07:59,210 --> 00:08:03,809
Kind of, the idea here is, not only what we as
174
00:08:04,000 --> 00:08:07,370
technologists can do, as you know, security professionals
175
00:08:07,370 --> 00:08:11,500
can do, what is possible that our adversaries can do.
176
00:08:11,970 --> 00:08:12,070
Ehhh?
177
00:08:15,160 --> 00:08:15,170
Ehhhh?
178
00:08:15,170 --> 00:08:15,640
Anyway.
179
00:08:17,090 --> 00:08:21,249
Ned: As a response to whether or not this is a self-help book, it is.
180
00:08:21,429 --> 00:08:23,320
It’s called The Art of the Possible: Create An
181
00:08:23,330 --> 00:08:26,150
Organization With no Limits, written by Daniel M.
182
00:08:26,150 --> 00:08:29,450
Jacobs in 2010, and it is, quote, “An integrated
183
00:08:29,480 --> 00:08:32,080
leadership and management guide to success.”
184
00:08:32,860 --> 00:08:34,959
Chris: Why do you insist on putting the audience to sleep?
185
00:08:35,400 --> 00:08:38,610
Ned: [laugh] . Well, I didn’t actually try to read it to you, though,
186
00:08:38,650 --> 00:08:42,309
that would absolutely put everyone to sleep, probably me included.
187
00:08:42,570 --> 00:08:43,970
Chris: That’s on the Patreon page.
188
00:08:45,360 --> 00:08:46,550
Ned: [laugh] . We should have one of those.
189
00:08:47,610 --> 00:08:52,329
Chris: So, with 36 sessions listed as a keynote, it was
190
00:08:52,330 --> 00:08:55,530
a little difficult to pin down where to start [laugh] and
191
00:08:55,549 --> 00:08:59,119
what the main mission of this year was supposed to be.
192
00:09:00,320 --> 00:09:04,620
But if you look at the schedule—and that is also available on
193
00:09:04,620 --> 00:09:11,329
their website—the first one that was not weird, was put on by Hugh
194
00:09:11,330 --> 00:09:16,679
Thompson, who is a big-wig at RSA, and did a number of keynotes.
195
00:09:16,680 --> 00:09:20,970
But this one, I think, got as close to a main topic or a main
196
00:09:21,340 --> 00:09:24,360
overarching theme speech type of thing that we’re going to get.
197
00:09:25,060 --> 00:09:27,750
It was titled “The Power of Community”, and is
198
00:09:27,750 --> 00:09:30,060
available for streaming on their YouTube channel.
199
00:09:30,809 --> 00:09:31,910
It’s only 18 minutes.
200
00:09:31,980 --> 00:09:33,429
It’s worth the watch, actually.
201
00:09:33,429 --> 00:09:34,150
It’s very entertaining.
202
00:09:34,160 --> 00:09:34,760
The guy’s good.
203
00:09:36,240 --> 00:09:38,540
The main theme of the speech was basically
204
00:09:39,210 --> 00:09:42,610
that none of us is smarter than all of us.
205
00:09:43,460 --> 00:09:46,100
Now, on the one hand, you might think this is a cynical
206
00:09:46,100 --> 00:09:49,120
message that only serves to reiterate the importance of
207
00:09:49,380 --> 00:09:51,449
paying a lot of money to go to a security conference.
208
00:09:52,209 --> 00:09:52,579
Ned: Fair.
209
00:09:53,070 --> 00:09:54,710
Chris: But on the other hand, he’s kind of right.
210
00:09:56,010 --> 00:10:00,630
These conferences are, in fact, a sharing of knowledge enabling every security
211
00:10:00,630 --> 00:10:05,059
practitioner to learn just a little bit more about their own areas of expertise,
212
00:10:05,450 --> 00:10:10,870
and the ones they need to know, but never had any type of experience with.
213
00:10:11,780 --> 00:10:16,849
And to that end, he talked about two things that are really good life
214
00:10:16,850 --> 00:10:20,270
lessons for conference-going that we’ve actually discussed before.
215
00:10:21,260 --> 00:10:24,689
The first one is to attend sessions outside of your wheelhouse
216
00:10:25,389 --> 00:10:29,340
because sometimes it might not help, but often it actually will.
217
00:10:29,730 --> 00:10:33,349
It’s fairly surprising to hear other subject-matter experts
218
00:10:33,350 --> 00:10:36,380
talk about what they’re passionate about, and then be able
219
00:10:36,380 --> 00:10:39,790
to kind of think about your own stuff in a different way.
220
00:10:40,440 --> 00:10:40,890
Ned: Mm-hm.
221
00:10:40,990 --> 00:10:43,920
Chris: External perspectives on other technologies
222
00:10:44,360 --> 00:10:46,640
opening up little neural pathways in your brain.
223
00:10:47,430 --> 00:10:48,740
It does actually help.
224
00:10:49,370 --> 00:10:49,790
Ned: It does.
225
00:10:50,030 --> 00:10:50,460
I agree.
226
00:10:51,120 --> 00:10:54,079
Chris: And the second one is a stupid thing.
227
00:10:55,380 --> 00:10:58,169
He thinks that you should talk to people.
228
00:10:58,940 --> 00:10:59,919
Ned: Bah, no.
229
00:11:00,949 --> 00:11:00,979
Chris: What?
230
00:11:00,979 --> 00:11:01,489
Ned: Thumbs down.
231
00:11:01,879 --> 00:11:02,099
Chris: You fool.
232
00:11:04,319 --> 00:11:04,349
Ned: [laugh]
233
00:11:04,359 --> 00:11:08,050
.
Chris: No, he enjoined the audience to, quote, “Meet at least three
234
00:11:08,050 --> 00:11:12,190
new people.” Which, to me, sounds terrifying and counterproductive.
235
00:11:12,880 --> 00:11:16,080
As all security practitioners know, new people
236
00:11:16,110 --> 00:11:18,060
have cooties, and they’re all out to get me.
237
00:11:18,410 --> 00:11:18,700
Ned: Uh-huh.
238
00:11:18,710 --> 00:11:19,480
Chris: I mean us.
239
00:11:20,049 --> 00:11:20,429
Ned: Yes.
240
00:11:20,730 --> 00:11:24,160
Chris: But if you wanted to get cooties, there was something
241
00:11:24,160 --> 00:11:27,500
like 42,000 people wandering around the halls of the RSA
242
00:11:27,500 --> 00:11:29,700
Conference, drinking stale coffee to give it a shot with.
243
00:11:30,760 --> 00:11:33,350
Ned: Wow, I did not realize it was 42,000 people.
244
00:11:33,980 --> 00:11:36,390
That’s getting up there with, like, re:Invent numbers.
245
00:11:36,840 --> 00:11:38,909
Chris: It is creeping up there, and it is a bit of a surprise.
246
00:11:38,990 --> 00:11:43,189
It also explains perhaps why there were 36 keynotes, but probably not.
247
00:11:43,760 --> 00:11:44,640
Ned: [laugh] . Still, no.
248
00:11:45,140 --> 00:11:50,179
Chris: Now, all of that being said, let’s talk about some of the themes of the
249
00:11:50,179 --> 00:11:54,740
conference, based on the material that they actually shared in the sessions.
250
00:11:55,630 --> 00:12:00,600
So first, with a bullet, you’re not going to believe this.
251
00:12:01,090 --> 00:12:02,660
Ned, I hope you’re sitting down.
252
00:12:03,230 --> 00:12:05,150
Ned: Can I sit down lower?
253
00:12:05,300 --> 00:12:05,670
Would that help?
254
00:12:05,670 --> 00:12:08,110
Chris: Can you put a chair on a chair, and then sit on that chair?
255
00:12:08,340 --> 00:12:08,530
Ned: Okay.
256
00:12:08,530 --> 00:12:09,710
Chris: Because that’s the kind of sitting down
257
00:12:09,710 --> 00:12:11,539
you’re going to need because this is a shocker.
258
00:12:12,200 --> 00:12:13,960
AI was a big old topic.
259
00:12:15,350 --> 00:12:15,460
Ned: [big silly gasp]
260
00:12:15,809 --> 00:12:16,690
.
Chris: I warned you.
261
00:12:17,289 --> 00:12:17,720
Ned: Damn it.
262
00:12:17,750 --> 00:12:19,310
I should have been sitting on a milk crate.
263
00:12:19,960 --> 00:12:20,590
[I need stability]
264
00:12:21,240 --> 00:12:22,730
.
Chris: I mean, good God, man.
265
00:12:23,290 --> 00:12:27,100
Of the 36 keynotes, 13 of them were directly AI-related.
266
00:12:27,660 --> 00:12:30,840
Of the regular sessions, it was 82 out of 298,
267
00:12:30,880 --> 00:12:33,610
and that is just ones that had AI in the title.
268
00:12:34,240 --> 00:12:35,530
Ned: Frankly, that seems low.
269
00:12:36,289 --> 00:12:41,400
Chris: [laugh] . So, what did they actually have to say about AI?
270
00:12:42,160 --> 00:12:45,320
A lot of what they had to say was not really that surprising.
271
00:12:46,260 --> 00:12:50,190
Main themes: AI is going to be more and more utilized by both attackers
272
00:12:50,429 --> 00:12:54,079
and defenders, and it’s an open question if there’s any way to
273
00:12:54,230 --> 00:12:58,860
guarantee that the defenders will maintain an upper hand going forward.
274
00:12:59,420 --> 00:13:00,740
Ned: Almost certainly not.
275
00:13:01,470 --> 00:13:02,270
Chris: Hold that thought.
276
00:13:02,610 --> 00:13:04,319
Because there is one piece of it that
277
00:13:04,320 --> 00:13:07,540
might be just the faintest glimmer of hope.
278
00:13:07,759 --> 00:13:08,469
Ned: Oh, okay.
279
00:13:08,750 --> 00:13:11,860
Chris: So, before we get to that, there are two things that attackers
280
00:13:11,860 --> 00:13:15,840
can do now that were just flat out harder for them before AI.
281
00:13:16,570 --> 00:13:23,060
The first one is, hackers attacking from all over the globe have a problem, and
282
00:13:23,060 --> 00:13:26,849
that problem is, generally speaking, they don’t speak every language on Earth.
283
00:13:27,330 --> 00:13:27,760
Ned: True.
284
00:13:28,039 --> 00:13:30,069
Chris: But they would like to attack everybody on Earth.
285
00:13:30,490 --> 00:13:35,700
So, what you used to end up with was hilariously poorly
286
00:13:35,700 --> 00:13:42,790
Google-translated emails that were obvious scams, or attacks, or
287
00:13:43,349 --> 00:13:48,389
just loaded with malware, and grammatically incorrect things, right?
288
00:13:49,130 --> 00:13:55,550
AI can help just rewrite communications into natural-sounding language
289
00:13:55,750 --> 00:13:58,319
for whatever they are trying—whomever they are trying to attack.
290
00:13:58,960 --> 00:14:02,390
You can do that with ChatGPT, for free, right now, indefinitely.
291
00:14:03,040 --> 00:14:07,939
Now admittedly, ChatGPT still has an extremely heavy English language
292
00:14:07,959 --> 00:14:12,370
bias, but they are working on including more and more sources from
293
00:14:12,390 --> 00:14:15,819
other languages, so it’s going to continue to get better and expand.
294
00:14:16,590 --> 00:14:22,339
Ned: There’s an interesting theory that I’ve heard proposed before that the
295
00:14:22,639 --> 00:14:28,850
poor wording syntax and English usage in those emails is somewhat intentional.
296
00:14:29,250 --> 00:14:32,430
Could they get someone to write it in a more natural-sounding way?
297
00:14:32,430 --> 00:14:37,190
Yes, but they’re using it as a filter to only capture those people
298
00:14:37,259 --> 00:14:40,229
who would read that email and think it’s perfectly fine because
299
00:14:40,379 --> 00:14:44,600
in order for their scam to work, they need someone who will read
300
00:14:44,600 --> 00:14:47,550
that email and think that it’s perfectly fine, and that also they
301
00:14:47,550 --> 00:14:51,120
should click on the link and transfer $1,000 to a bank account.
302
00:14:51,770 --> 00:14:52,880
Chris: Interesting theory.
303
00:14:53,690 --> 00:14:54,750
Ned: I don’t know if it’s a hundred percent
304
00:14:54,750 --> 00:14:57,039
accurate, but I have heard it proposed.
305
00:14:57,860 --> 00:14:58,880
Chris: Well, they didn’t talk about that.
306
00:14:59,320 --> 00:14:59,760
Ned: Well fine.
307
00:15:00,000 --> 00:15:00,970
Chris: So, stop helping.
308
00:15:01,340 --> 00:15:02,490
Ned: [laugh] . Okay.
309
00:15:03,290 --> 00:15:08,069
Chris: So, the second thing that AI can do to help attackers is research.
310
00:15:08,690 --> 00:15:12,629
Thanks to the careless, wide-open way that people use the
311
00:15:12,630 --> 00:15:15,989
internet, and the total lack of data sovereignty laws that matter
312
00:15:15,990 --> 00:15:20,240
at all, there is—and I looked this up—it’s a quatro-bajillion
313
00:15:20,700 --> 00:15:23,290
data points out there about everyone and every company.
314
00:15:24,189 --> 00:15:24,449
Ned: [laugh] . Okay.
315
00:15:25,160 --> 00:15:27,079
Chris: Now, in terms of corporate research,
316
00:15:27,220 --> 00:15:30,459
previously, you would have to rely on paid services.
317
00:15:30,799 --> 00:15:34,379
The most famous one that I know of is ZoomInfo, and what they do is collate
318
00:15:34,379 --> 00:15:38,260
all this information from LinkedIn, from blog posts, from 10-Ks, from
319
00:15:38,260 --> 00:15:42,189
wherever they can find it, to figure out, how is it company structured?
320
00:15:42,480 --> 00:15:43,870
What are they up to lately?
321
00:15:43,970 --> 00:15:45,459
How many employees do they have?
322
00:15:45,460 --> 00:15:46,419
What are their markets?
323
00:15:46,450 --> 00:15:47,560
Blahdy, blahdy, blahdy, blah.
324
00:15:48,230 --> 00:15:52,800
This may not sound like much, but remember, the human element
325
00:15:52,820 --> 00:15:57,340
is and probably will always be the biggest security risk.
326
00:15:58,130 --> 00:16:01,730
Figuring out who works where, what they’re responsible
327
00:16:01,740 --> 00:16:05,880
for, and how a company is structured, both from a personnel
328
00:16:05,880 --> 00:16:08,760
perspective and potentially from a security perspective—IT
329
00:16:09,840 --> 00:16:13,209
infrastructure, et cetera—often makes its way into press releases.
330
00:16:14,190 --> 00:16:19,620
This helps fine-tune long-running attacks, right?
331
00:16:19,620 --> 00:16:22,420
This is not the fly-by-night scams we were talking about before.
332
00:16:22,420 --> 00:16:25,280
This is APTs and state-level actors.
333
00:16:25,950 --> 00:16:29,229
But it makes it so much easier to do this research with AI.
334
00:16:29,229 --> 00:16:33,970
Now, in terms of people being the worst—just a little side to jaunt
335
00:16:33,990 --> 00:16:40,470
here, a little venture—the 2024 Verizon Data Breach Investigation
336
00:16:40,470 --> 00:16:45,400
Report, or DBIR—came out around the same time as the RSA Conference.
337
00:16:46,080 --> 00:16:50,650
And one of the main numbers to pay attention to from this report was 68%.
338
00:16:51,870 --> 00:16:55,690
68% of breaches involve a non-malicious human element like
339
00:16:55,690 --> 00:16:58,800
a person falling victim to a social engineering attack,
340
00:16:59,230 --> 00:17:02,590
making an error in configuration, et cetera, et cetera.
341
00:17:03,360 --> 00:17:05,949
Meaning people make mistakes.
342
00:17:06,969 --> 00:17:10,050
Now, if you want more info about the report, there is a link to it in the
343
00:17:10,050 --> 00:17:14,310
[show notes] . The report is free, it is informative, and it is depressing.
344
00:17:14,920 --> 00:17:16,999
Ned: Well, you and I have both read at least
345
00:17:17,000 --> 00:17:19,670
one Kevin Mitnick book about social engineering.
346
00:17:19,799 --> 00:17:23,800
And the general way that he got into anything was to figure out
347
00:17:23,930 --> 00:17:26,939
the organizational structure, and then find a weak point in it.
348
00:17:27,589 --> 00:17:31,940
And often that weak point is going to be the personal assistant for any of
349
00:17:31,940 --> 00:17:38,449
the muckety-mucks at a company because they have a vast amount of access—much,
350
00:17:38,469 --> 00:17:43,580
much more than they’re getting paid to have—and they know where all the
351
00:17:43,580 --> 00:17:47,230
bodies are buried, all the secrets are, and if you can compromise them,
352
00:17:47,310 --> 00:17:50,330
then it’s relatively straightforward to compromise the rest of the company.
353
00:17:51,290 --> 00:17:51,510
Chris: Right.
354
00:17:52,290 --> 00:17:54,179
Also people that are new to the company.
355
00:17:54,809 --> 00:17:56,240
Ned: That’s a good one, too, because they don’t
356
00:17:56,259 --> 00:17:58,441
know the proper procedures, and they’re report—
357
00:17:58,441 --> 00:17:59,780
Chris: And don’t they know everybody.
358
00:18:00,129 --> 00:18:00,509
Ned: Right.
359
00:18:00,810 --> 00:18:02,370
Chris: And they’re probably very stressed out
360
00:18:02,370 --> 00:18:04,820
to do a good job and to keep everybody happy.
361
00:18:05,280 --> 00:18:05,629
Ned: Right.
362
00:18:05,640 --> 00:18:10,660
So, you get a request from Angela over in HR to send over some
363
00:18:10,780 --> 00:18:14,370
very important information that they need to complete your benefits
364
00:18:14,370 --> 00:18:17,029
package, and you’d be like, “Sure, I’ll get right on that, Angela.”
365
00:18:17,350 --> 00:18:18,360
Chris: I like benefits.
366
00:18:18,600 --> 00:18:19,679
Ned: I—who doesn’t?
367
00:18:19,930 --> 00:18:22,740
You know, “Participate in our employee bonus
368
00:18:22,740 --> 00:18:25,020
program.” Like, yeah, I’m responding to that.
369
00:18:25,020 --> 00:18:27,115
Except Angela doesn’t work for the company [laugh]
370
00:18:27,320 --> 00:18:27,610
.
Chris: Right.
371
00:18:27,610 --> 00:18:29,280
Ned: And now they have all of your personal
372
00:18:29,280 --> 00:18:31,760
information and your password for some reason.
373
00:18:32,610 --> 00:18:36,379
Chris: So, let’s pivot, and we’ll talk about what they had to say about
374
00:18:36,389 --> 00:18:40,830
things from the defenders’ point of view because it’s not all a nightmare.
375
00:18:41,520 --> 00:18:41,780
Ned: Okay.
376
00:18:42,390 --> 00:18:46,289
Chris: One thing that could help tilt the balance in favor of defenders
377
00:18:46,960 --> 00:18:50,020
ties back to the whole, “We’re all in it together,” point from earlier.
378
00:18:50,799 --> 00:18:54,889
Defenders have a hell of a lot more data than attackers do.
379
00:18:55,830 --> 00:19:01,860
Bruce Schneier, IT security technology guy extraordinaire, stated it plainly.
380
00:19:02,150 --> 00:19:03,440
“We have more data than they do.
381
00:19:04,130 --> 00:19:09,990
LLMs and AI, they be trained on data, therefore, our data stuff
382
00:19:10,100 --> 00:19:15,870
is going to make our AI stuff better than their AI stuff.” Now,
383
00:19:15,870 --> 00:19:18,060
he said it a little better than that, but I’m paraphrasing.
384
00:19:18,800 --> 00:19:19,900
Actually no, I take that back.
385
00:19:19,900 --> 00:19:20,679
It was an exact quote.
386
00:19:21,170 --> 00:19:21,749
Ned: All right, fair.
387
00:19:22,230 --> 00:19:25,720
Chris: So, if you step back and think about it, it does make sense.
388
00:19:26,670 --> 00:19:31,570
Pick any random EDR company that’s large, like say, SentinelOne—whomever;
389
00:19:31,590 --> 00:19:36,530
doesn’t matter—now, these companies, they don’t release precise specifics
390
00:19:36,550 --> 00:19:39,850
on their deployments of the field, but SentinelOne proudly states that
391
00:19:39,850 --> 00:19:43,329
they have quote, “Tens of millions,” of protected endpoints out there,
392
00:19:43,880 --> 00:19:49,209
all of which report back about attacks, SentinelOne vulnerability
393
00:19:49,210 --> 00:19:53,410
researchers can then take that data and turn it into protections.
394
00:19:53,950 --> 00:19:57,580
Thus, you have areas of security where you didn’t have
395
00:19:57,580 --> 00:20:00,139
anything before because you can see what people are doing.
396
00:20:01,399 --> 00:20:05,100
And there are even areas of security where researchers from
397
00:20:05,100 --> 00:20:07,920
multiple different companies will pool their resources to
398
00:20:07,930 --> 00:20:12,139
help increase the overall security posture of everybody.
399
00:20:12,910 --> 00:20:13,580
So, that’s good.
400
00:20:14,410 --> 00:20:17,340
Attackers, on the other hand, don’t do that.
401
00:20:18,350 --> 00:20:19,000
Ned: [laugh] . Yeah.
402
00:20:19,309 --> 00:20:21,230
Chris: They all work, more or less, alone.
403
00:20:22,170 --> 00:20:25,730
And I don’t care how popular a given piece of malware is.
404
00:20:26,050 --> 00:20:29,470
It’s, one, probably not phoning home like that because that would
405
00:20:29,480 --> 00:20:33,530
be immediately discovered by network trackers, and two, they’re not
406
00:20:33,530 --> 00:20:37,140
hitting tens of millions of anything, except maybe dollars they get
407
00:20:37,140 --> 00:20:39,669
from ransomware payments that are never disclosed to the public.
408
00:20:40,219 --> 00:20:40,400
Ned: Wa-wah.
409
00:20:40,690 --> 00:20:46,290
Chris: Quote, “We have a very rich data source which, uncommonly, is
410
00:20:46,290 --> 00:20:50,370
an asymmetry in favor of the defender that we don’t see very often,”
411
00:20:50,460 --> 00:20:56,630
unquote, stated Daniel Rohrer, VP of Software Product Security at Nvidia.
412
00:20:57,610 --> 00:20:58,890
So, what does all this add up to?
413
00:20:59,180 --> 00:21:04,670
From the AI perspective, what it adds up to is finely tuned LLMs.
414
00:21:05,520 --> 00:21:09,899
Not general stuff like ChatGPT, but we’re talking about very focused
415
00:21:09,900 --> 00:21:15,009
things based on security, trained on that huge amount of data to
416
00:21:15,009 --> 00:21:19,860
help with things like identifying adversarial behavior, zero-day
417
00:21:19,860 --> 00:21:24,310
protections, and eventually, even things like auto-remediation.
418
00:21:25,030 --> 00:21:28,820
You can have a listener on each endpoint that tracks for all this stuff;
419
00:21:28,849 --> 00:21:33,220
if it sees something nightmarish, it could just turn off the network.
420
00:21:34,219 --> 00:21:36,800
Now, it’s going to take a long time for people to be comfortable
421
00:21:36,800 --> 00:21:41,000
with auto remediation based on AI, but if we look far enough
422
00:21:41,000 --> 00:21:43,810
into the future, and I’m thinking probably less than five
423
00:21:43,810 --> 00:21:46,180
years, my guess is that this is going to become the norm.
424
00:21:46,870 --> 00:21:53,499
Ned: We’ve already seen a flood of security vendors adding AI into all
425
00:21:53,500 --> 00:21:57,930
their marketing materials, which some of that is, you know, just marketing,
426
00:21:57,990 --> 00:22:02,989
marketecture—vaporware, if you will—but a lot of it is we’re bolting on a
427
00:22:02,990 --> 00:22:08,050
new feature to our existing offering that makes use of a trained LLM that we
428
00:22:08,080 --> 00:22:13,360
trained on our giant pool of data we’ve collected from all of our clients.
429
00:22:13,910 --> 00:22:14,150
Chris: Right.
430
00:22:14,310 --> 00:22:18,730
Ned: So, I think, from a security perspective, that could happen pretty rapidly.
431
00:22:19,350 --> 00:22:22,449
What’s a little more difficult is putting in the detection portion that
432
00:22:22,450 --> 00:22:25,379
you’re talking about because that needs to be closer to the endpoint.
433
00:22:25,870 --> 00:22:29,669
So, we’re going to have to wait for, probably, some specialized hardware to be
434
00:22:29,680 --> 00:22:36,879
available—the sort of TPUs, GPUs, XPUs—to be available on these endpoint devices
435
00:22:36,890 --> 00:22:40,470
to do that real-time scanning if you’re looking for that level of protection.
436
00:22:41,020 --> 00:22:43,450
Chris: TPU, of course, as everyone knows, is the Toilet Paper Unit.
437
00:22:44,030 --> 00:22:44,829
Ned: Yes [sigh]
438
00:22:45,490 --> 00:22:46,549
.
Chris: I got jokes, man.
439
00:22:47,139 --> 00:22:48,209
I got jokes.
440
00:22:48,629 --> 00:22:49,470
Ned: It’s fantastic.
441
00:22:49,720 --> 00:22:49,970
No notes.
442
00:22:49,970 --> 00:22:54,990
Chris: [laugh] . Oh, Bark-a-tron 3000 looks so disappointed in me.
443
00:22:56,650 --> 00:22:59,169
Ned: [laugh] . He’s kind of licking his own ass, but whatever.
444
00:23:00,509 --> 00:23:00,859
Chris: Okay.
445
00:23:01,340 --> 00:23:01,940
Moving on.
446
00:23:02,440 --> 00:23:04,300
Something else that was a big topic.
447
00:23:04,730 --> 00:23:08,430
Everybody’s favorite four letter word: regulations.
448
00:23:09,140 --> 00:23:10,370
These are a— [mouth noises]
449
00:23:10,370 --> 00:23:10,857
—
Ned: [laugh]
450
00:23:10,857 --> 00:23:12,830
.
Chris: That is not important.
451
00:23:12,950 --> 00:23:14,929
Just… doing the thing over here.
452
00:23:15,270 --> 00:23:15,680
Ned: All right.
453
00:23:16,300 --> 00:23:18,610
Chris: So, it was a big concern at the conference.
454
00:23:19,090 --> 00:23:20,910
Honestly, it’s a big concern all over the
455
00:23:20,910 --> 00:23:24,310
world, and it does have relations to AI.
456
00:23:24,770 --> 00:23:28,220
But first, one thing that came out at the conference
457
00:23:28,220 --> 00:23:31,240
was the quote, “Secure by Design,” pledge.
458
00:23:32,200 --> 00:23:37,420
Now, this was created by CISA, and is intended to ensure that quote, “Products
459
00:23:37,530 --> 00:23:42,039
should be secure to use out of the box, with secure configurations enabled
460
00:23:42,049 --> 00:23:46,310
by default, and security features such as multifactor authentication,
461
00:23:46,570 --> 00:23:53,449
logging, and single sign on available at no additional cost.” So, this
462
00:23:53,450 --> 00:23:57,320
pledge is super great, and I hope that it gets a ton of attention.
463
00:23:57,929 --> 00:24:04,060
It is disappointing and more than a little galling that it has to exist,
464
00:24:04,830 --> 00:24:10,570
but as the SSO, Wall of Shame website clearly shows, plenty of vendors have
465
00:24:10,719 --> 00:24:15,340
no qualms whatsoever charging extra to enable features like single sign-on.
466
00:24:15,900 --> 00:24:16,130
Ned: Yeah.
467
00:24:16,500 --> 00:24:20,790
Chris: Now, at the conference, 68 companies, including big-wigs
468
00:24:20,790 --> 00:24:26,610
like AWS, Google, Cisco, Microsoft, and IBM, signed the pledge.
469
00:24:27,420 --> 00:24:28,370
Kind of a big deal.
470
00:24:28,950 --> 00:24:30,450
Except, of course, that it’s not binding.
471
00:24:30,910 --> 00:24:32,249
It’s not a law.
472
00:24:33,469 --> 00:24:33,579
Ned: [laugh] . That’s true.
473
00:24:33,579 --> 00:24:38,689
Chris: But it does at least commit these companies from a PR perspective to work
474
00:24:38,720 --> 00:24:42,790
towards the increased product security goals over the course of the next year.
475
00:24:43,660 --> 00:24:44,950
So, why was this important?
476
00:24:45,580 --> 00:24:50,610
In my opinion, it’s one of those ‘which way is the wind blowing’ kind of moves.
477
00:24:51,330 --> 00:24:55,130
To wit, it is likely that these companies are trying to self-regulate to
478
00:24:55,140 --> 00:24:59,929
get ahead of the world’s various governing bodies regulating for them.
479
00:25:00,770 --> 00:25:03,989
To that end, other regulations are already happening.
480
00:25:04,510 --> 00:25:05,009
Ned: Mm-hm.
481
00:25:05,240 --> 00:25:06,550
Chris: There was a lot of discussion about these.
482
00:25:06,559 --> 00:25:11,180
In Europe, there is NIS2 and DORA, which focus on cybersecurity
483
00:25:11,190 --> 00:25:15,040
mandates and operational resilience requirements respectively.
484
00:25:15,450 --> 00:25:16,630
Ned: And also finding the map.
485
00:25:17,280 --> 00:25:17,440
Chris: Ugh.
486
00:25:17,440 --> 00:25:18,980
Ned: I’m sorry.
487
00:25:19,850 --> 00:25:20,310
So, sorry.
488
00:25:21,179 --> 00:25:24,250
[laugh] . I can’t tell if you’re frozen or just mad at me [laugh]
489
00:25:25,509 --> 00:25:28,609
.
Chris: [laugh] . For whatever reason, America continues to
490
00:25:28,609 --> 00:25:31,909
trail behind Europe on things like this, but it does stand
491
00:25:31,910 --> 00:25:34,610
to reason that we will have them sooner rather than later.
492
00:25:35,210 --> 00:25:39,129
Now, we already know about the cybersecurity mandate and the AI
493
00:25:39,130 --> 00:25:43,959
mandate, all basically just things that were executive-summarized.
494
00:25:44,429 --> 00:25:47,239
My assumption is that we will get a law at some point.
495
00:25:47,619 --> 00:25:48,580
Ned: It seems likely, yeah.
496
00:25:48,859 --> 00:25:54,630
Chris: Along the AI footpath to this issue, AI regulation and governments were
497
00:25:54,640 --> 00:26:03,360
big talking points, not just from regulating and governing AI, but using AI to
498
00:26:03,360 --> 00:26:08,060
make sure that your company stays compliant with regulations and governance.
499
00:26:09,090 --> 00:26:14,350
So, if you’ve ever looked into any of these regulations, you will know
500
00:26:14,360 --> 00:26:21,530
that there are, I think, six times eleventy-bajillion attestations and data
501
00:26:21,530 --> 00:26:26,980
points that have to be collected in order to prove evidence of compliance.
502
00:26:27,830 --> 00:26:31,230
There’s actually a huge subcomponent of the consulting world that
503
00:26:31,230 --> 00:26:34,790
is based exclusively around helping companies prove this compliance.
504
00:26:35,759 --> 00:26:38,250
A subcomponent of the consulting world that might be a little
505
00:26:38,250 --> 00:26:41,230
worried that AI tools are going to come around and do that.
506
00:26:42,190 --> 00:26:42,710
Ned: Yeah.
507
00:26:43,270 --> 00:26:48,260
And they’re almost necessary at this point because of all the security
508
00:26:48,260 --> 00:26:54,150
frameworks that we’ve baked into various deployments of compute and whatnot.
509
00:26:54,849 --> 00:26:58,409
They all have a virtual TPM now, they all are doing attestation
510
00:26:58,410 --> 00:27:01,820
of boot—not all, but a lot of them are doing that—and something
511
00:27:01,820 --> 00:27:04,620
needs to verify all of that and keep up to date with that.
512
00:27:04,630 --> 00:27:08,970
We’re generating so many more data points, as you said, there’s no
513
00:27:08,970 --> 00:27:12,870
way a human, even a consultant that’s getting paid thousands and
514
00:27:12,870 --> 00:27:16,840
thousands of dollars an hour, can comb through all of that and prove it.
515
00:27:16,910 --> 00:27:21,800
We need something to do, sort of, just gather it all up and look
516
00:27:21,800 --> 00:27:24,850
through it and then give us back a thumbs up or a thumbs down.
517
00:27:25,550 --> 00:27:25,830
Chris: Right.
518
00:27:26,860 --> 00:27:31,279
There were tons of other AI notes in dribs and drabs.
519
00:27:31,790 --> 00:27:35,880
Things like utilizing AI for data protection, utilizing AI for
520
00:27:35,889 --> 00:27:40,140
micro-segmentation, utilizing AI for log management and observability,
521
00:27:40,200 --> 00:27:45,680
using AI to make you a sandwich, et cetera, et cetera, [big gasp] et cetera.
522
00:27:47,040 --> 00:27:49,440
There’s a lot of AI, I guess is what I’m saying.
523
00:27:49,940 --> 00:27:50,559
Ned: It’s what I’m hearing.
524
00:27:51,139 --> 00:27:53,630
Chris: One thing that was notable for its
525
00:27:53,670 --> 00:27:57,550
absence, was the concept of zero trust.
526
00:27:57,960 --> 00:27:58,370
Ned: Oh.
527
00:27:58,490 --> 00:28:01,399
Chris: In previous years, zero trust was
528
00:28:01,410 --> 00:28:04,850
the belle of the ball at these conferences.
529
00:28:05,500 --> 00:28:11,149
This year, it showed up in a mere two sessions, and zero keynotes.
530
00:28:11,899 --> 00:28:14,970
Ned: That is a significant drop-off from, like, two years ago.
531
00:28:15,490 --> 00:28:16,870
Chris: Even last year, yeah.
532
00:28:16,940 --> 00:28:17,610
It’s crazy.
533
00:28:18,210 --> 00:28:23,160
So, the absence is probably down to a few things.
534
00:28:24,320 --> 00:28:29,179
First of all, companies that have embraced ZT are already
535
00:28:29,190 --> 00:28:32,709
doing it, and there’s really not anything to chat about.
536
00:28:33,830 --> 00:28:37,200
It’s an understood topic, philosophically and designalophically.
537
00:28:39,300 --> 00:28:40,490
Ned: Who’s making up words now?
538
00:28:41,320 --> 00:28:45,049
Chris: [laugh] . I mean, I think that’s really the problem is that it’s gone
539
00:28:45,059 --> 00:28:52,370
from marketing buzzword-y razzle-dazzle, to just a standard operating procedure.
540
00:28:52,870 --> 00:28:53,370
Ned: Yeah.
541
00:28:53,860 --> 00:28:57,129
That jives with what I’ve been hearing is, the companies
542
00:28:57,130 --> 00:28:59,720
that are actually doing it are now doing it, and the ones
543
00:28:59,720 --> 00:29:02,939
that it was all just fluff, they are no longer in business—
544
00:29:03,099 --> 00:29:03,379
Chris: Right.
545
00:29:03,660 --> 00:29:05,099
Ned: Or got bought by other companies.
546
00:29:05,949 --> 00:29:09,460
Chris: I mean, and the other thing is, it’s not the new hotness anymore.
547
00:29:10,130 --> 00:29:13,890
So, it’s really hard for its QScore to stay high.
548
00:29:14,650 --> 00:29:18,070
This is the downside of deep engineering concepts like zero trust.
549
00:29:18,799 --> 00:29:22,479
Once you get past that first wave of publicity,
550
00:29:22,830 --> 00:29:24,990
it’s just really hard to keep it top-of-mind.
551
00:29:25,540 --> 00:29:28,910
And since it is such a challenge to, you know, sit down and explain
552
00:29:28,910 --> 00:29:32,500
to somebody, things like zero trust just don’t get nearly as many
553
00:29:32,510 --> 00:29:36,450
influencers keeping up with it as whatever the latest new hotness is.
554
00:29:37,480 --> 00:29:38,770
Ned: But we’re better than that.
555
00:29:38,809 --> 00:29:40,660
Check out our previous episode on Zero Trust DNS.
556
00:29:42,170 --> 00:29:42,330
Ehh?
557
00:29:42,330 --> 00:29:42,360
Chris: [laugh]
558
00:29:43,890 --> 00:29:44,629
.
Ned: I worked it in there.
559
00:29:44,629 --> 00:29:45,200
That was good.
560
00:29:45,760 --> 00:29:46,629
I’m good at this [laugh]
561
00:29:47,110 --> 00:29:49,139
.
Chris: So, those were all the major things,
562
00:29:49,140 --> 00:29:51,260
and I could go on a little bit, but I won’t.
563
00:29:51,679 --> 00:29:55,849
One thing that was talked about that was interesting and was not necessarily
564
00:29:55,870 --> 00:30:01,780
technical in nature is the pernicious and not-talked about issue of burnout
565
00:30:01,800 --> 00:30:06,580
in IT, particularly in security, and it was boiled down to a couple of
566
00:30:06,600 --> 00:30:10,679
things: number one, there’s not enough people doing it; number two, the
567
00:30:10,679 --> 00:30:16,160
ones that are doing it are overworked and underpaid; number three, the
568
00:30:16,160 --> 00:30:20,959
budgets are just not there for what is required to keep modern IT security
569
00:30:21,260 --> 00:30:25,810
up to date in almost any company; and number four, whenever anything goes
570
00:30:25,820 --> 00:30:32,060
bad, it gets dumped on IT security’s shoulders with basically no support.
571
00:30:32,630 --> 00:30:34,690
Ned: Yeah, that all stacks up for me.
572
00:30:34,690 --> 00:30:40,490
I mean, burnout is a well known issue in IT, writ large.
573
00:30:41,360 --> 00:30:43,209
Security might even be worse.
574
00:30:43,950 --> 00:30:49,069
And we need more people to get into the field, which means
575
00:30:49,070 --> 00:30:52,809
the field needs to be more inviting, which is another issue
576
00:30:52,809 --> 00:30:57,560
with InfoSec as a whole, is it can be rather hostile to new
577
00:30:57,560 --> 00:31:01,639
people, especially ones that don’t fit a particular stereotype.
578
00:31:02,030 --> 00:31:03,439
Chris: That’s because new people have cooties.
579
00:31:03,460 --> 00:31:04,409
We talked about this.
580
00:31:04,620 --> 00:31:04,939
Ned: Yeah.
581
00:31:04,969 --> 00:31:05,640
And they smell.
582
00:31:06,300 --> 00:31:07,799
They smell good, which we don’t like.
583
00:31:08,290 --> 00:31:10,279
No, no good smelling people in InfoSec.
584
00:31:10,420 --> 00:31:11,669
Chris: That’s how you know it’s a trap.
585
00:31:11,719 --> 00:31:14,370
Ned: [laugh] . You’re probably right.
586
00:31:14,970 --> 00:31:15,530
Oh, dear.
587
00:31:15,990 --> 00:31:19,900
If anybody is interested in learning more about the
588
00:31:19,910 --> 00:31:23,280
Secure by Design proposal, we did a whole episode on that.
589
00:31:23,360 --> 00:31:24,389
Do you remember that, Chris?
590
00:31:24,469 --> 00:31:26,670
Chris: Nope, sure don’t [sigh]
591
00:31:26,670 --> 00:31:30,469
.
Ned: In March, we did a whole episode on Secure by Design and analysis
592
00:31:30,480 --> 00:31:35,679
of the proposal by CISA, and also some reactions to that proposal.
593
00:31:35,810 --> 00:31:38,879
So, if you’re interested, definitely worth checking out that episode.
594
00:31:38,889 --> 00:31:41,190
But hey, thanks for listening or something.
595
00:31:41,190 --> 00:31:43,730
I guess you found it worthwhile enough if you made it all
596
00:31:43,740 --> 00:31:46,110
the way to the end, so congratulations to you, friend.
597
00:31:46,459 --> 00:31:47,829
You accomplished something today.
598
00:31:47,850 --> 00:31:49,770
Now, you can sit on the couch, fire up
599
00:31:49,790 --> 00:31:52,520
your AI prompt and ask it about zero trust.
600
00:31:52,570 --> 00:31:53,740
You’ve earned it.
601
00:31:54,310 --> 00:31:57,910
You can find more about this show by visiting our LinkedIn page, just
602
00:31:57,910 --> 00:32:03,220
search ‘Chaos Lever,’ or go to our newish website, pod.chaoslever.com.
603
00:32:03,799 --> 00:32:06,400
You’ll find show notes, blog posts, and general tomfoolery.
604
00:32:06,620 --> 00:32:10,770
If we got something wrong, we did something you hated, you can leave
605
00:32:10,770 --> 00:32:16,149
us a comment or leave us a voicemail, which we will proudly read, or
606
00:32:16,150 --> 00:32:20,179
maybe even play during our tech news segments [laugh] , so enjoy that.
607
00:32:20,400 --> 00:32:23,249
If you want to be heard on tech news, leave us a voicemail.
608
00:32:23,430 --> 00:32:23,970
Go for it.
609
00:32:24,549 --> 00:32:27,070
We’ll be back next week to see what fresh hell is upon us.
610
00:32:27,390 --> 00:32:28,120
Ta-ta for now.
611
00:32:36,389 --> 00:32:39,650
Chris: We’re also not above doing dramatic recreations—
612
00:32:39,860 --> 00:32:40,240
Ned: Oh, yeah.
613
00:32:40,590 --> 00:32:42,920
Chris: In the style of unsolved mysteries, if you prefer.
614
00:32:43,510 --> 00:32:45,300
Ned: [laugh] . If you don’t want us to play
615
00:32:45,300 --> 00:32:47,720
the audio, we will do a dramatic recreation.
616
00:32:47,720 --> 00:32:49,570
We may even bring in a voice actor to do it.
617
00:32:50,110 --> 00:32:51,810
Chris: We’ll make Ned do an Irish accent.
618
00:32:52,380 --> 00:32:53,580
Ned: That goes well [laugh] for everyone.
619
00:32:53,990 --> 00:32:54,060
Chris: [laugh]
00:00:00,550 --> 00:00:04,430
Ned: Once again, I spent 30-plus minutes
2
00:00:04,440 --> 00:00:08,240
fighting with my webcam and microphone setup.
3
00:00:08,610 --> 00:00:11,129
Chris: You mean the webcam that you bought because it was going to be easier?
4
00:00:11,670 --> 00:00:12,400
Ned: That’s the one, yeah.
5
00:00:12,570 --> 00:00:12,800
Chris: Yeah.
6
00:00:13,639 --> 00:00:14,349
It’s going good, then?
7
00:00:14,900 --> 00:00:15,590
Ned: Going great.
8
00:00:16,090 --> 00:00:18,259
There was a firmware upgrade that failed.
9
00:00:18,510 --> 00:00:22,330
So, then I had to look it up, and what I discovered is that the
10
00:00:22,330 --> 00:00:26,290
cable they ship you is a USB-C to USB-C, which I happen to have
11
00:00:26,480 --> 00:00:30,320
a USB-C port on my computer, so that’s what I plugged it into.
12
00:00:30,809 --> 00:00:33,919
If you try to do the firmware upgrade across that cable, it will fail.
13
00:00:34,389 --> 00:00:37,940
Because everything is awful, and burn it with fire [laugh]
14
00:00:38,310 --> 00:00:38,730
.
Chris: Cool.
15
00:00:47,460 --> 00:00:51,669
Ned: Oh hello, alleged human, and welcome to the Chaos Lever podcast.
16
00:00:51,719 --> 00:00:54,509
My name is Ned, and I’m definitely not a robot.
17
00:00:55,059 --> 00:01:00,230
I’m a real human person who has roots, and sentience, and
18
00:01:00,230 --> 00:01:03,840
gets jokes, and sometimes I even go for a long strolls
19
00:01:04,059 --> 00:01:10,380
with my canine companion who is also not a robot, for real.
20
00:01:10,940 --> 00:01:12,630
With me as Chris, who’s also here.
21
00:01:13,049 --> 00:01:13,540
Hi, Chris.
22
00:01:14,200 --> 00:01:15,449
Chris: I really thought you were going to say
23
00:01:15,470 --> 00:01:18,350
that the dog is here and is now the new co-host.
24
00:01:18,360 --> 00:01:20,620
Ned: [laugh] . Don’t tempt me [laugh]
25
00:01:20,940 --> 00:01:22,339
.
Chris: Hard decisions have been made.
26
00:01:23,030 --> 00:01:24,600
Kibble bribery has happened.
27
00:01:25,410 --> 00:01:26,460
Ned: Ah yes.
28
00:01:26,539 --> 00:01:27,779
Bark-a-tron 3000.
29
00:01:27,789 --> 00:01:30,409
Has opinions, and he wants you to hear about them.
30
00:01:31,099 --> 00:01:33,550
Chris: Especially about the mailman.
31
00:01:33,560 --> 00:01:35,980
Ned: [laugh] . Mostly the UPS guy.
32
00:01:36,440 --> 00:01:38,860
Just loses his goddamn mind over that.
33
00:01:39,559 --> 00:01:41,179
That and a woman pushing a stroller.
34
00:01:41,259 --> 00:01:43,380
That’s just, like, Threat Level Midnight.
35
00:01:43,770 --> 00:01:47,159
Chris: Can you imagine if there was just a number of packages in the stroller?
36
00:01:47,850 --> 00:01:49,089
Ned: His brain would explode.
37
00:01:49,809 --> 00:01:51,910
Central Processing Unit just, pop.
38
00:01:51,920 --> 00:01:55,250
[I had] a really weird experience walking the dog this morning.
39
00:01:55,280 --> 00:01:58,530
Like the actual real dog… and not my fake
40
00:01:58,530 --> 00:02:00,650
robot dog that we used for the sake of a bit.
41
00:02:01,469 --> 00:02:04,789
We’re walking, and we look across the street, and there’s a fox.
42
00:02:05,180 --> 00:02:07,310
Now that, in and of itself, is not odd.
43
00:02:07,920 --> 00:02:09,840
We see foxes all the time.
44
00:02:10,620 --> 00:02:16,720
But the fox stopped and stared at us, and then started mewling.
45
00:02:16,720 --> 00:02:21,350
I learned what the fox says, and it sounds kind of like a dying baby.
46
00:02:21,790 --> 00:02:23,730
Chris: Mmm, yeah, that sounds about right.
47
00:02:24,289 --> 00:02:26,710
Ned: And it just continued to do that, looking at us.
48
00:02:26,740 --> 00:02:30,079
And my dog was very disturbed by this, as was I.
49
00:02:30,300 --> 00:02:32,800
It’s also, like, 5:30 a.m.
50
00:02:32,809 --> 00:02:34,370
so it’s barely light outside.
51
00:02:34,929 --> 00:02:38,220
So, we walk slowly in the other direction, keeping an eye
52
00:02:38,220 --> 00:02:41,210
on that fox, and now I’m a little scared to go outside.
53
00:02:41,719 --> 00:02:45,630
Chris: Well, that’s a useful and fun PSA, that if you’re
54
00:02:45,630 --> 00:02:47,910
out in the woods, and you hear what sounds like a baby
55
00:02:47,910 --> 00:02:52,170
crying, do not try to find it because it’s not a baby.
56
00:02:53,020 --> 00:02:56,460
It’s an animal with teeth, and probably rabies, and maybe a knife.
57
00:02:57,570 --> 00:02:58,919
Ned: [laugh] . They are tricksie.
58
00:02:59,359 --> 00:03:02,950
That’s one thing I’ve learned from Aesop’s Fables: you can’t trust a fox.
59
00:03:03,690 --> 00:03:05,060
Chris: A gift that keeps on giving.
60
00:03:05,810 --> 00:03:06,980
Ned: Every day of my life.
61
00:03:07,870 --> 00:03:11,440
Anyhow, you did a thing, or you wrote a thing about a thing you didn’t do.
62
00:03:11,820 --> 00:03:13,279
Chris: Hey, hey, hey.
63
00:03:13,280 --> 00:03:13,390
Ned: [laugh]
64
00:03:14,030 --> 00:03:14,840
.
Chris: You settle down.
65
00:03:15,589 --> 00:03:20,860
This is a long-standing tradition on this show, where I don’t go
66
00:03:20,860 --> 00:03:24,690
to various conferences, tell you about it, so you don’t have to go.
67
00:03:24,800 --> 00:03:25,110
Ned: Yay.
68
00:03:25,290 --> 00:03:26,880
Chris: I’m helping.
69
00:03:27,240 --> 00:03:27,580
Ned: Sure.
70
00:03:28,590 --> 00:03:32,439
Chris: In particular, in this instance, we will be talking about the RSA
71
00:03:32,450 --> 00:03:37,430
conference, or RSAC as they insist on calling it, which I absolutely will not.
72
00:03:38,200 --> 00:03:40,380
Ned: That makes me really uncomfortable.
73
00:03:41,200 --> 00:03:41,230
Chris: [laugh]
74
00:03:41,240 --> 00:03:43,980
.
Ned: Like, I shifted around in my seat a little bit when you said that.
75
00:03:45,460 --> 00:03:49,410
Chris: Now, for those who aren’t a hundred percent familiar, the RSA Conference
76
00:03:49,410 --> 00:03:53,400
is one of the premier security conferences that comes along every year.
77
00:03:54,039 --> 00:03:56,950
This year, it was held in San Francisco, which is not
78
00:03:56,950 --> 00:03:59,640
a surprise because it’s always held in San Francisco.
79
00:04:00,210 --> 00:04:00,600
Duh.
80
00:04:00,610 --> 00:04:01,510
Ned: Of course.
81
00:04:02,290 --> 00:04:04,519
Chris: Now, in another long-standing tradition, as
82
00:04:04,520 --> 00:04:07,859
discussed before, I didn’t go, but I heard about it.
83
00:04:08,280 --> 00:04:08,690
Ned: Yay.
84
00:04:09,429 --> 00:04:14,140
Chris: So, as usual, the sessions did all get recorded, and if you
85
00:04:14,190 --> 00:04:19,399
bought the remote attendees On-Demand Pass, you can watch them all now.
86
00:04:19,800 --> 00:04:22,070
And you can in fact, still buy the On-Demand
87
00:04:22,070 --> 00:04:24,200
Pass if this stuff is all interesting to you.
88
00:04:25,110 --> 00:04:27,689
There are already some sessions available for
89
00:04:27,690 --> 00:04:31,780
free, especially the keynote-y type sessions.
90
00:04:32,550 --> 00:04:35,210
Now, their official statement on the matter is that this
91
00:04:35,210 --> 00:04:38,840
stuff starts to become available approximately 30 days after
92
00:04:38,840 --> 00:04:42,350
the conference, but they’re actually already sharing them.
93
00:04:42,540 --> 00:04:43,790
There’s a good amount out there, and
94
00:04:43,790 --> 00:04:45,469
they’re going to just keep on trickling out.
95
00:04:45,490 --> 00:04:49,060
So, keep an eye on the RSA Conference’s YouTube channel if you’re
96
00:04:49,070 --> 00:04:52,880
interested in what you can see from this conference for free.
97
00:04:54,340 --> 00:05:00,829
Now, I said keynote-y type sessions and I said that for a reason.
98
00:05:01,540 --> 00:05:03,390
There are 36 keynotes.
99
00:05:04,030 --> 00:05:05,650
Ned: Uh— [sigh] —I—
100
00:05:05,959 --> 00:05:09,630
Chris: Which, if you’re doing the math at home, is a lot.
101
00:05:10,180 --> 00:05:12,690
Ned: It ceases to be a keynote at that point.
102
00:05:13,180 --> 00:05:13,550
Right?
103
00:05:13,810 --> 00:05:14,070
Chris: Right.
104
00:05:14,429 --> 00:05:14,759
Ned: Right.
105
00:05:14,980 --> 00:05:15,570
Chris: Correct.
106
00:05:15,639 --> 00:05:16,089
Ned: Okay.
107
00:05:16,510 --> 00:05:19,880
Chris: Because if you look up the definition for keynote,
108
00:05:20,910 --> 00:05:24,970
it’s a quote, “Talk that establishes a main underlying
109
00:05:25,000 --> 00:05:28,900
theme.” One would assume from this that there’s one.
110
00:05:29,950 --> 00:05:33,460
This has stopped being a thing for way too long now.
111
00:05:34,740 --> 00:05:36,830
Now, before we even talk about the conference, I want to
112
00:05:36,840 --> 00:05:40,439
start a change.org petition to call it something else.
113
00:05:40,969 --> 00:05:41,309
Ned: Okay.
114
00:05:41,690 --> 00:05:44,890
Chris: How about we’ve got ‘sessions,’ of which there are an
115
00:05:44,890 --> 00:05:50,940
infinite amount, “The keynote,” of which there is one, and the
116
00:05:50,940 --> 00:05:55,930
super-duper, fancy special speeches, of which there can be 36.
117
00:05:55,940 --> 00:05:56,500
Ned: Sure.
118
00:05:56,880 --> 00:05:59,510
Chris: Longer name, sounds way more important that way.
119
00:06:00,090 --> 00:06:00,680
Who says no?
120
00:06:01,960 --> 00:06:03,810
Ned: Can’t we just call them, like, ‘Premier Sessions?’
121
00:06:04,330 --> 00:06:05,380
Chris: Oh, that’s good, too.
122
00:06:05,500 --> 00:06:07,219
I think mine’s better, but that’s good, too.
123
00:06:07,650 --> 00:06:08,020
Ned: All right.
124
00:06:08,090 --> 00:06:08,849
Chris: We’ll workshop it.
125
00:06:09,520 --> 00:06:10,090
Ned: Of course.
126
00:06:10,260 --> 00:06:13,230
And, you know, if listeners have suggestions, write them in.
127
00:06:13,410 --> 00:06:13,889
Let us know.
128
00:06:14,280 --> 00:06:14,599
Chris: Yeah.
129
00:06:15,440 --> 00:06:15,740
Okay.
130
00:06:16,609 --> 00:06:18,609
So, on to more serious topics.
131
00:06:19,040 --> 00:06:19,290
Ned: Okay.
132
00:06:19,700 --> 00:06:22,590
Chris: Let’s start with the obvious question that a lot of people probably
133
00:06:22,600 --> 00:06:27,890
don’t know: what the hell does RSA stand for in the name RSA Conference?
134
00:06:28,730 --> 00:06:30,719
I’m not going to lie, I have probably looked this up ten
135
00:06:30,719 --> 00:06:33,450
times, found out about it, and then forgot it ten times.
136
00:06:34,170 --> 00:06:35,839
So, I had to look it up again.
137
00:06:36,660 --> 00:06:39,010
And it’s not as exciting as you might think.
138
00:06:39,040 --> 00:06:43,140
It’s actually just made up of last name initials of the cofounders of RSA.
139
00:06:44,020 --> 00:06:47,939
That would be Ron Rivest, Adi Shamir, and Leonard Adelman.
140
00:06:48,259 --> 00:06:48,590
Get it?
141
00:06:48,860 --> 00:06:49,250
R.
142
00:06:49,590 --> 00:06:49,979
S.
143
00:06:50,309 --> 00:06:50,609
A.
144
00:06:51,110 --> 00:06:51,719
Ned: I get things.
145
00:06:51,719 --> 00:06:52,869
I’m smart [laugh]
146
00:06:53,670 --> 00:06:54,259
.
Chris: So, there you have it.
147
00:06:54,380 --> 00:06:55,520
One mystery solved.
148
00:06:55,530 --> 00:06:58,270
[singing] And we’ve only just begun.
149
00:06:59,030 --> 00:06:59,479
Ned: Oh.
150
00:06:59,770 --> 00:07:00,460
Chris: And we’re sued.
151
00:07:01,040 --> 00:07:01,830
Ned: Eh, always.
152
00:07:02,110 --> 00:07:02,610
Always.
153
00:07:02,970 --> 00:07:06,700
Folks may be familiar with RSA if they look at different encryption
154
00:07:06,780 --> 00:07:11,830
types because RSA is one of the encipherment types, I think.
155
00:07:12,090 --> 00:07:12,599
Chris: Encipherment?
156
00:07:13,440 --> 00:07:13,860
Ned: Yes.
157
00:07:13,860 --> 00:07:14,392
It’s a word I use.
158
00:07:14,392 --> 00:07:15,580
Chris: That is absolutely not a word.
159
00:07:15,940 --> 00:07:17,450
Ned: [laugh] . It is now [laugh]
160
00:07:17,450 --> 00:07:20,640
.
Chris: It sounds like something you get six months in jail for.
161
00:07:22,200 --> 00:07:23,620
Ned: [laugh] . Encipherment, right next to embezzling?
162
00:07:24,330 --> 00:07:24,359
Chris: [laugh]
163
00:07:24,919 --> 00:07:27,039
.
Ned: He enciphered the company for thousands of dollars.
164
00:07:27,690 --> 00:07:29,049
I think it is a cipher type.
165
00:07:29,410 --> 00:07:29,870
Chris: Yes.
166
00:07:30,129 --> 00:07:31,620
Ned: So, you may have seen it there.
167
00:07:32,510 --> 00:07:35,490
Chris: Anyway, the theme of the conference—and they actually did have
168
00:07:35,490 --> 00:07:41,609
a theme—was ‘The Art of the Possible,’ which sounds wishy-washy, and
169
00:07:41,620 --> 00:07:46,019
more like you know the title of an airport self-help book than something
170
00:07:46,020 --> 00:07:51,099
that would be around relevant topics in technology, but in the way
171
00:07:51,100 --> 00:07:55,210
of the old blessing slash curse, “May you live in interesting times,”
172
00:07:55,890 --> 00:07:58,650
get to think a little deeper about ‘The Art of the Possible’ name.
173
00:07:59,210 --> 00:08:03,809
Kind of, the idea here is, not only what we as
174
00:08:04,000 --> 00:08:07,370
technologists can do, as you know, security professionals
175
00:08:07,370 --> 00:08:11,500
can do, what is possible that our adversaries can do.
176
00:08:11,970 --> 00:08:12,070
Ehhh?
177
00:08:15,160 --> 00:08:15,170
Ehhhh?
178
00:08:15,170 --> 00:08:15,640
Anyway.
179
00:08:17,090 --> 00:08:21,249
Ned: As a response to whether or not this is a self-help book, it is.
180
00:08:21,429 --> 00:08:23,320
It’s called The Art of the Possible: Create An
181
00:08:23,330 --> 00:08:26,150
Organization With no Limits, written by Daniel M.
182
00:08:26,150 --> 00:08:29,450
Jacobs in 2010, and it is, quote, “An integrated
183
00:08:29,480 --> 00:08:32,080
leadership and management guide to success.”
184
00:08:32,860 --> 00:08:34,959
Chris: Why do you insist on putting the audience to sleep?
185
00:08:35,400 --> 00:08:38,610
Ned: [laugh] . Well, I didn’t actually try to read it to you, though,
186
00:08:38,650 --> 00:08:42,309
that would absolutely put everyone to sleep, probably me included.
187
00:08:42,570 --> 00:08:43,970
Chris: That’s on the Patreon page.
188
00:08:45,360 --> 00:08:46,550
Ned: [laugh] . We should have one of those.
189
00:08:47,610 --> 00:08:52,329
Chris: So, with 36 sessions listed as a keynote, it was
190
00:08:52,330 --> 00:08:55,530
a little difficult to pin down where to start [laugh] and
191
00:08:55,549 --> 00:08:59,119
what the main mission of this year was supposed to be.
192
00:09:00,320 --> 00:09:04,620
But if you look at the schedule—and that is also available on
193
00:09:04,620 --> 00:09:11,329
their website—the first one that was not weird, was put on by Hugh
194
00:09:11,330 --> 00:09:16,679
Thompson, who is a big-wig at RSA, and did a number of keynotes.
195
00:09:16,680 --> 00:09:20,970
But this one, I think, got as close to a main topic or a main
196
00:09:21,340 --> 00:09:24,360
overarching theme speech type of thing that we’re going to get.
197
00:09:25,060 --> 00:09:27,750
It was titled “The Power of Community”, and is
198
00:09:27,750 --> 00:09:30,060
available for streaming on their YouTube channel.
199
00:09:30,809 --> 00:09:31,910
It’s only 18 minutes.
200
00:09:31,980 --> 00:09:33,429
It’s worth the watch, actually.
201
00:09:33,429 --> 00:09:34,150
It’s very entertaining.
202
00:09:34,160 --> 00:09:34,760
The guy’s good.
203
00:09:36,240 --> 00:09:38,540
The main theme of the speech was basically
204
00:09:39,210 --> 00:09:42,610
that none of us is smarter than all of us.
205
00:09:43,460 --> 00:09:46,100
Now, on the one hand, you might think this is a cynical
206
00:09:46,100 --> 00:09:49,120
message that only serves to reiterate the importance of
207
00:09:49,380 --> 00:09:51,449
paying a lot of money to go to a security conference.
208
00:09:52,209 --> 00:09:52,579
Ned: Fair.
209
00:09:53,070 --> 00:09:54,710
Chris: But on the other hand, he’s kind of right.
210
00:09:56,010 --> 00:10:00,630
These conferences are, in fact, a sharing of knowledge enabling every security
211
00:10:00,630 --> 00:10:05,059
practitioner to learn just a little bit more about their own areas of expertise,
212
00:10:05,450 --> 00:10:10,870
and the ones they need to know, but never had any type of experience with.
213
00:10:11,780 --> 00:10:16,849
And to that end, he talked about two things that are really good life
214
00:10:16,850 --> 00:10:20,270
lessons for conference-going that we’ve actually discussed before.
215
00:10:21,260 --> 00:10:24,689
The first one is to attend sessions outside of your wheelhouse
216
00:10:25,389 --> 00:10:29,340
because sometimes it might not help, but often it actually will.
217
00:10:29,730 --> 00:10:33,349
It’s fairly surprising to hear other subject-matter experts
218
00:10:33,350 --> 00:10:36,380
talk about what they’re passionate about, and then be able
219
00:10:36,380 --> 00:10:39,790
to kind of think about your own stuff in a different way.
220
00:10:40,440 --> 00:10:40,890
Ned: Mm-hm.
221
00:10:40,990 --> 00:10:43,920
Chris: External perspectives on other technologies
222
00:10:44,360 --> 00:10:46,640
opening up little neural pathways in your brain.
223
00:10:47,430 --> 00:10:48,740
It does actually help.
224
00:10:49,370 --> 00:10:49,790
Ned: It does.
225
00:10:50,030 --> 00:10:50,460
I agree.
226
00:10:51,120 --> 00:10:54,079
Chris: And the second one is a stupid thing.
227
00:10:55,380 --> 00:10:58,169
He thinks that you should talk to people.
228
00:10:58,940 --> 00:10:59,919
Ned: Bah, no.
229
00:11:00,949 --> 00:11:00,979
Chris: What?
230
00:11:00,979 --> 00:11:01,489
Ned: Thumbs down.
231
00:11:01,879 --> 00:11:02,099
Chris: You fool.
232
00:11:04,319 --> 00:11:04,349
Ned: [laugh]
233
00:11:04,359 --> 00:11:08,050
.
Chris: No, he enjoined the audience to, quote, “Meet at least three
234
00:11:08,050 --> 00:11:12,190
new people.” Which, to me, sounds terrifying and counterproductive.
235
00:11:12,880 --> 00:11:16,080
As all security practitioners know, new people
236
00:11:16,110 --> 00:11:18,060
have cooties, and they’re all out to get me.
237
00:11:18,410 --> 00:11:18,700
Ned: Uh-huh.
238
00:11:18,710 --> 00:11:19,480
Chris: I mean us.
239
00:11:20,049 --> 00:11:20,429
Ned: Yes.
240
00:11:20,730 --> 00:11:24,160
Chris: But if you wanted to get cooties, there was something
241
00:11:24,160 --> 00:11:27,500
like 42,000 people wandering around the halls of the RSA
242
00:11:27,500 --> 00:11:29,700
Conference, drinking stale coffee to give it a shot with.
243
00:11:30,760 --> 00:11:33,350
Ned: Wow, I did not realize it was 42,000 people.
244
00:11:33,980 --> 00:11:36,390
That’s getting up there with, like, re:Invent numbers.
245
00:11:36,840 --> 00:11:38,909
Chris: It is creeping up there, and it is a bit of a surprise.
246
00:11:38,990 --> 00:11:43,189
It also explains perhaps why there were 36 keynotes, but probably not.
247
00:11:43,760 --> 00:11:44,640
Ned: [laugh] . Still, no.
248
00:11:45,140 --> 00:11:50,179
Chris: Now, all of that being said, let’s talk about some of the themes of the
249
00:11:50,179 --> 00:11:54,740
conference, based on the material that they actually shared in the sessions.
250
00:11:55,630 --> 00:12:00,600
So first, with a bullet, you’re not going to believe this.
251
00:12:01,090 --> 00:12:02,660
Ned, I hope you’re sitting down.
252
00:12:03,230 --> 00:12:05,150
Ned: Can I sit down lower?
253
00:12:05,300 --> 00:12:05,670
Would that help?
254
00:12:05,670 --> 00:12:08,110
Chris: Can you put a chair on a chair, and then sit on that chair?
255
00:12:08,340 --> 00:12:08,530
Ned: Okay.
256
00:12:08,530 --> 00:12:09,710
Chris: Because that’s the kind of sitting down
257
00:12:09,710 --> 00:12:11,539
you’re going to need because this is a shocker.
258
00:12:12,200 --> 00:12:13,960
AI was a big old topic.
259
00:12:15,350 --> 00:12:15,460
Ned: [big silly gasp]
260
00:12:15,809 --> 00:12:16,690
.
Chris: I warned you.
261
00:12:17,289 --> 00:12:17,720
Ned: Damn it.
262
00:12:17,750 --> 00:12:19,310
I should have been sitting on a milk crate.
263
00:12:19,960 --> 00:12:20,590
[I need stability]
264
00:12:21,240 --> 00:12:22,730
.
Chris: I mean, good God, man.
265
00:12:23,290 --> 00:12:27,100
Of the 36 keynotes, 13 of them were directly AI-related.
266
00:12:27,660 --> 00:12:30,840
Of the regular sessions, it was 82 out of 298,
267
00:12:30,880 --> 00:12:33,610
and that is just ones that had AI in the title.
268
00:12:34,240 --> 00:12:35,530
Ned: Frankly, that seems low.
269
00:12:36,289 --> 00:12:41,400
Chris: [laugh] . So, what did they actually have to say about AI?
270
00:12:42,160 --> 00:12:45,320
A lot of what they had to say was not really that surprising.
271
00:12:46,260 --> 00:12:50,190
Main themes: AI is going to be more and more utilized by both attackers
272
00:12:50,429 --> 00:12:54,079
and defenders, and it’s an open question if there’s any way to
273
00:12:54,230 --> 00:12:58,860
guarantee that the defenders will maintain an upper hand going forward.
274
00:12:59,420 --> 00:13:00,740
Ned: Almost certainly not.
275
00:13:01,470 --> 00:13:02,270
Chris: Hold that thought.
276
00:13:02,610 --> 00:13:04,319
Because there is one piece of it that
277
00:13:04,320 --> 00:13:07,540
might be just the faintest glimmer of hope.
278
00:13:07,759 --> 00:13:08,469
Ned: Oh, okay.
279
00:13:08,750 --> 00:13:11,860
Chris: So, before we get to that, there are two things that attackers
280
00:13:11,860 --> 00:13:15,840
can do now that were just flat out harder for them before AI.
281
00:13:16,570 --> 00:13:23,060
The first one is, hackers attacking from all over the globe have a problem, and
282
00:13:23,060 --> 00:13:26,849
that problem is, generally speaking, they don’t speak every language on Earth.
283
00:13:27,330 --> 00:13:27,760
Ned: True.
284
00:13:28,039 --> 00:13:30,069
Chris: But they would like to attack everybody on Earth.
285
00:13:30,490 --> 00:13:35,700
So, what you used to end up with was hilariously poorly
286
00:13:35,700 --> 00:13:42,790
Google-translated emails that were obvious scams, or attacks, or
287
00:13:43,349 --> 00:13:48,389
just loaded with malware, and grammatically incorrect things, right?
288
00:13:49,130 --> 00:13:55,550
AI can help just rewrite communications into natural-sounding language
289
00:13:55,750 --> 00:13:58,319
for whatever they are trying—whomever they are trying to attack.
290
00:13:58,960 --> 00:14:02,390
You can do that with ChatGPT, for free, right now, indefinitely.
291
00:14:03,040 --> 00:14:07,939
Now admittedly, ChatGPT still has an extremely heavy English language
292
00:14:07,959 --> 00:14:12,370
bias, but they are working on including more and more sources from
293
00:14:12,390 --> 00:14:15,819
other languages, so it’s going to continue to get better and expand.
294
00:14:16,590 --> 00:14:22,339
Ned: There’s an interesting theory that I’ve heard proposed before that the
295
00:14:22,639 --> 00:14:28,850
poor wording syntax and English usage in those emails is somewhat intentional.
296
00:14:29,250 --> 00:14:32,430
Could they get someone to write it in a more natural-sounding way?
297
00:14:32,430 --> 00:14:37,190
Yes, but they’re using it as a filter to only capture those people
298
00:14:37,259 --> 00:14:40,229
who would read that email and think it’s perfectly fine because
299
00:14:40,379 --> 00:14:44,600
in order for their scam to work, they need someone who will read
300
00:14:44,600 --> 00:14:47,550
that email and think that it’s perfectly fine, and that also they
301
00:14:47,550 --> 00:14:51,120
should click on the link and transfer $1,000 to a bank account.
302
00:14:51,770 --> 00:14:52,880
Chris: Interesting theory.
303
00:14:53,690 --> 00:14:54,750
Ned: I don’t know if it’s a hundred percent
304
00:14:54,750 --> 00:14:57,039
accurate, but I have heard it proposed.
305
00:14:57,860 --> 00:14:58,880
Chris: Well, they didn’t talk about that.
306
00:14:59,320 --> 00:14:59,760
Ned: Well fine.
307
00:15:00,000 --> 00:15:00,970
Chris: So, stop helping.
308
00:15:01,340 --> 00:15:02,490
Ned: [laugh] . Okay.
309
00:15:03,290 --> 00:15:08,069
Chris: So, the second thing that AI can do to help attackers is research.
310
00:15:08,690 --> 00:15:12,629
Thanks to the careless, wide-open way that people use the
311
00:15:12,630 --> 00:15:15,989
internet, and the total lack of data sovereignty laws that matter
312
00:15:15,990 --> 00:15:20,240
at all, there is—and I looked this up—it’s a quatro-bajillion
313
00:15:20,700 --> 00:15:23,290
data points out there about everyone and every company.
314
00:15:24,189 --> 00:15:24,449
Ned: [laugh] . Okay.
315
00:15:25,160 --> 00:15:27,079
Chris: Now, in terms of corporate research,
316
00:15:27,220 --> 00:15:30,459
previously, you would have to rely on paid services.
317
00:15:30,799 --> 00:15:34,379
The most famous one that I know of is ZoomInfo, and what they do is collate
318
00:15:34,379 --> 00:15:38,260
all this information from LinkedIn, from blog posts, from 10-Ks, from
319
00:15:38,260 --> 00:15:42,189
wherever they can find it, to figure out, how is it company structured?
320
00:15:42,480 --> 00:15:43,870
What are they up to lately?
321
00:15:43,970 --> 00:15:45,459
How many employees do they have?
322
00:15:45,460 --> 00:15:46,419
What are their markets?
323
00:15:46,450 --> 00:15:47,560
Blahdy, blahdy, blahdy, blah.
324
00:15:48,230 --> 00:15:52,800
This may not sound like much, but remember, the human element
325
00:15:52,820 --> 00:15:57,340
is and probably will always be the biggest security risk.
326
00:15:58,130 --> 00:16:01,730
Figuring out who works where, what they’re responsible
327
00:16:01,740 --> 00:16:05,880
for, and how a company is structured, both from a personnel
328
00:16:05,880 --> 00:16:08,760
perspective and potentially from a security perspective—IT
329
00:16:09,840 --> 00:16:13,209
infrastructure, et cetera—often makes its way into press releases.
330
00:16:14,190 --> 00:16:19,620
This helps fine-tune long-running attacks, right?
331
00:16:19,620 --> 00:16:22,420
This is not the fly-by-night scams we were talking about before.
332
00:16:22,420 --> 00:16:25,280
This is APTs and state-level actors.
333
00:16:25,950 --> 00:16:29,229
But it makes it so much easier to do this research with AI.
334
00:16:29,229 --> 00:16:33,970
Now, in terms of people being the worst—just a little side to jaunt
335
00:16:33,990 --> 00:16:40,470
here, a little venture—the 2024 Verizon Data Breach Investigation
336
00:16:40,470 --> 00:16:45,400
Report, or DBIR—came out around the same time as the RSA Conference.
337
00:16:46,080 --> 00:16:50,650
And one of the main numbers to pay attention to from this report was 68%.
338
00:16:51,870 --> 00:16:55,690
68% of breaches involve a non-malicious human element like
339
00:16:55,690 --> 00:16:58,800
a person falling victim to a social engineering attack,
340
00:16:59,230 --> 00:17:02,590
making an error in configuration, et cetera, et cetera.
341
00:17:03,360 --> 00:17:05,949
Meaning people make mistakes.
342
00:17:06,969 --> 00:17:10,050
Now, if you want more info about the report, there is a link to it in the
343
00:17:10,050 --> 00:17:14,310
[show notes] . The report is free, it is informative, and it is depressing.
344
00:17:14,920 --> 00:17:16,999
Ned: Well, you and I have both read at least
345
00:17:17,000 --> 00:17:19,670
one Kevin Mitnick book about social engineering.
346
00:17:19,799 --> 00:17:23,800
And the general way that he got into anything was to figure out
347
00:17:23,930 --> 00:17:26,939
the organizational structure, and then find a weak point in it.
348
00:17:27,589 --> 00:17:31,940
And often that weak point is going to be the personal assistant for any of
349
00:17:31,940 --> 00:17:38,449
the muckety-mucks at a company because they have a vast amount of access—much,
350
00:17:38,469 --> 00:17:43,580
much more than they’re getting paid to have—and they know where all the
351
00:17:43,580 --> 00:17:47,230
bodies are buried, all the secrets are, and if you can compromise them,
352
00:17:47,310 --> 00:17:50,330
then it’s relatively straightforward to compromise the rest of the company.
353
00:17:51,290 --> 00:17:51,510
Chris: Right.
354
00:17:52,290 --> 00:17:54,179
Also people that are new to the company.
355
00:17:54,809 --> 00:17:56,240
Ned: That’s a good one, too, because they don’t
356
00:17:56,259 --> 00:17:58,441
know the proper procedures, and they’re report—
357
00:17:58,441 --> 00:17:59,780
Chris: And don’t they know everybody.
358
00:18:00,129 --> 00:18:00,509
Ned: Right.
359
00:18:00,810 --> 00:18:02,370
Chris: And they’re probably very stressed out
360
00:18:02,370 --> 00:18:04,820
to do a good job and to keep everybody happy.
361
00:18:05,280 --> 00:18:05,629
Ned: Right.
362
00:18:05,640 --> 00:18:10,660
So, you get a request from Angela over in HR to send over some
363
00:18:10,780 --> 00:18:14,370
very important information that they need to complete your benefits
364
00:18:14,370 --> 00:18:17,029
package, and you’d be like, “Sure, I’ll get right on that, Angela.”
365
00:18:17,350 --> 00:18:18,360
Chris: I like benefits.
366
00:18:18,600 --> 00:18:19,679
Ned: I—who doesn’t?
367
00:18:19,930 --> 00:18:22,740
You know, “Participate in our employee bonus
368
00:18:22,740 --> 00:18:25,020
program.” Like, yeah, I’m responding to that.
369
00:18:25,020 --> 00:18:27,115
Except Angela doesn’t work for the company [laugh]
370
00:18:27,320 --> 00:18:27,610
.
Chris: Right.
371
00:18:27,610 --> 00:18:29,280
Ned: And now they have all of your personal
372
00:18:29,280 --> 00:18:31,760
information and your password for some reason.
373
00:18:32,610 --> 00:18:36,379
Chris: So, let’s pivot, and we’ll talk about what they had to say about
374
00:18:36,389 --> 00:18:40,830
things from the defenders’ point of view because it’s not all a nightmare.
375
00:18:41,520 --> 00:18:41,780
Ned: Okay.
376
00:18:42,390 --> 00:18:46,289
Chris: One thing that could help tilt the balance in favor of defenders
377
00:18:46,960 --> 00:18:50,020
ties back to the whole, “We’re all in it together,” point from earlier.
378
00:18:50,799 --> 00:18:54,889
Defenders have a hell of a lot more data than attackers do.
379
00:18:55,830 --> 00:19:01,860
Bruce Schneier, IT security technology guy extraordinaire, stated it plainly.
380
00:19:02,150 --> 00:19:03,440
“We have more data than they do.
381
00:19:04,130 --> 00:19:09,990
LLMs and AI, they be trained on data, therefore, our data stuff
382
00:19:10,100 --> 00:19:15,870
is going to make our AI stuff better than their AI stuff.” Now,
383
00:19:15,870 --> 00:19:18,060
he said it a little better than that, but I’m paraphrasing.
384
00:19:18,800 --> 00:19:19,900
Actually no, I take that back.
385
00:19:19,900 --> 00:19:20,679
It was an exact quote.
386
00:19:21,170 --> 00:19:21,749
Ned: All right, fair.
387
00:19:22,230 --> 00:19:25,720
Chris: So, if you step back and think about it, it does make sense.
388
00:19:26,670 --> 00:19:31,570
Pick any random EDR company that’s large, like say, SentinelOne—whomever;
389
00:19:31,590 --> 00:19:36,530
doesn’t matter—now, these companies, they don’t release precise specifics
390
00:19:36,550 --> 00:19:39,850
on their deployments of the field, but SentinelOne proudly states that
391
00:19:39,850 --> 00:19:43,329
they have quote, “Tens of millions,” of protected endpoints out there,
392
00:19:43,880 --> 00:19:49,209
all of which report back about attacks, SentinelOne vulnerability
393
00:19:49,210 --> 00:19:53,410
researchers can then take that data and turn it into protections.
394
00:19:53,950 --> 00:19:57,580
Thus, you have areas of security where you didn’t have
395
00:19:57,580 --> 00:20:00,139
anything before because you can see what people are doing.
396
00:20:01,399 --> 00:20:05,100
And there are even areas of security where researchers from
397
00:20:05,100 --> 00:20:07,920
multiple different companies will pool their resources to
398
00:20:07,930 --> 00:20:12,139
help increase the overall security posture of everybody.
399
00:20:12,910 --> 00:20:13,580
So, that’s good.
400
00:20:14,410 --> 00:20:17,340
Attackers, on the other hand, don’t do that.
401
00:20:18,350 --> 00:20:19,000
Ned: [laugh] . Yeah.
402
00:20:19,309 --> 00:20:21,230
Chris: They all work, more or less, alone.
403
00:20:22,170 --> 00:20:25,730
And I don’t care how popular a given piece of malware is.
404
00:20:26,050 --> 00:20:29,470
It’s, one, probably not phoning home like that because that would
405
00:20:29,480 --> 00:20:33,530
be immediately discovered by network trackers, and two, they’re not
406
00:20:33,530 --> 00:20:37,140
hitting tens of millions of anything, except maybe dollars they get
407
00:20:37,140 --> 00:20:39,669
from ransomware payments that are never disclosed to the public.
408
00:20:40,219 --> 00:20:40,400
Ned: Wa-wah.
409
00:20:40,690 --> 00:20:46,290
Chris: Quote, “We have a very rich data source which, uncommonly, is
410
00:20:46,290 --> 00:20:50,370
an asymmetry in favor of the defender that we don’t see very often,”
411
00:20:50,460 --> 00:20:56,630
unquote, stated Daniel Rohrer, VP of Software Product Security at Nvidia.
412
00:20:57,610 --> 00:20:58,890
So, what does all this add up to?
413
00:20:59,180 --> 00:21:04,670
From the AI perspective, what it adds up to is finely tuned LLMs.
414
00:21:05,520 --> 00:21:09,899
Not general stuff like ChatGPT, but we’re talking about very focused
415
00:21:09,900 --> 00:21:15,009
things based on security, trained on that huge amount of data to
416
00:21:15,009 --> 00:21:19,860
help with things like identifying adversarial behavior, zero-day
417
00:21:19,860 --> 00:21:24,310
protections, and eventually, even things like auto-remediation.
418
00:21:25,030 --> 00:21:28,820
You can have a listener on each endpoint that tracks for all this stuff;
419
00:21:28,849 --> 00:21:33,220
if it sees something nightmarish, it could just turn off the network.
420
00:21:34,219 --> 00:21:36,800
Now, it’s going to take a long time for people to be comfortable
421
00:21:36,800 --> 00:21:41,000
with auto remediation based on AI, but if we look far enough
422
00:21:41,000 --> 00:21:43,810
into the future, and I’m thinking probably less than five
423
00:21:43,810 --> 00:21:46,180
years, my guess is that this is going to become the norm.
424
00:21:46,870 --> 00:21:53,499
Ned: We’ve already seen a flood of security vendors adding AI into all
425
00:21:53,500 --> 00:21:57,930
their marketing materials, which some of that is, you know, just marketing,
426
00:21:57,990 --> 00:22:02,989
marketecture—vaporware, if you will—but a lot of it is we’re bolting on a
427
00:22:02,990 --> 00:22:08,050
new feature to our existing offering that makes use of a trained LLM that we
428
00:22:08,080 --> 00:22:13,360
trained on our giant pool of data we’ve collected from all of our clients.
429
00:22:13,910 --> 00:22:14,150
Chris: Right.
430
00:22:14,310 --> 00:22:18,730
Ned: So, I think, from a security perspective, that could happen pretty rapidly.
431
00:22:19,350 --> 00:22:22,449
What’s a little more difficult is putting in the detection portion that
432
00:22:22,450 --> 00:22:25,379
you’re talking about because that needs to be closer to the endpoint.
433
00:22:25,870 --> 00:22:29,669
So, we’re going to have to wait for, probably, some specialized hardware to be
434
00:22:29,680 --> 00:22:36,879
available—the sort of TPUs, GPUs, XPUs—to be available on these endpoint devices
435
00:22:36,890 --> 00:22:40,470
to do that real-time scanning if you’re looking for that level of protection.
436
00:22:41,020 --> 00:22:43,450
Chris: TPU, of course, as everyone knows, is the Toilet Paper Unit.
437
00:22:44,030 --> 00:22:44,829
Ned: Yes [sigh]
438
00:22:45,490 --> 00:22:46,549
.
Chris: I got jokes, man.
439
00:22:47,139 --> 00:22:48,209
I got jokes.
440
00:22:48,629 --> 00:22:49,470
Ned: It’s fantastic.
441
00:22:49,720 --> 00:22:49,970
No notes.
442
00:22:49,970 --> 00:22:54,990
Chris: [laugh] . Oh, Bark-a-tron 3000 looks so disappointed in me.
443
00:22:56,650 --> 00:22:59,169
Ned: [laugh] . He’s kind of licking his own ass, but whatever.
444
00:23:00,509 --> 00:23:00,859
Chris: Okay.
445
00:23:01,340 --> 00:23:01,940
Moving on.
446
00:23:02,440 --> 00:23:04,300
Something else that was a big topic.
447
00:23:04,730 --> 00:23:08,430
Everybody’s favorite four letter word: regulations.
448
00:23:09,140 --> 00:23:10,370
These are a— [mouth noises]
449
00:23:10,370 --> 00:23:10,857
—
Ned: [laugh]
450
00:23:10,857 --> 00:23:12,830
.
Chris: That is not important.
451
00:23:12,950 --> 00:23:14,929
Just… doing the thing over here.
452
00:23:15,270 --> 00:23:15,680
Ned: All right.
453
00:23:16,300 --> 00:23:18,610
Chris: So, it was a big concern at the conference.
454
00:23:19,090 --> 00:23:20,910
Honestly, it’s a big concern all over the
455
00:23:20,910 --> 00:23:24,310
world, and it does have relations to AI.
456
00:23:24,770 --> 00:23:28,220
But first, one thing that came out at the conference
457
00:23:28,220 --> 00:23:31,240
was the quote, “Secure by Design,” pledge.
458
00:23:32,200 --> 00:23:37,420
Now, this was created by CISA, and is intended to ensure that quote, “Products
459
00:23:37,530 --> 00:23:42,039
should be secure to use out of the box, with secure configurations enabled
460
00:23:42,049 --> 00:23:46,310
by default, and security features such as multifactor authentication,
461
00:23:46,570 --> 00:23:53,449
logging, and single sign on available at no additional cost.” So, this
462
00:23:53,450 --> 00:23:57,320
pledge is super great, and I hope that it gets a ton of attention.
463
00:23:57,929 --> 00:24:04,060
It is disappointing and more than a little galling that it has to exist,
464
00:24:04,830 --> 00:24:10,570
but as the SSO, Wall of Shame website clearly shows, plenty of vendors have
465
00:24:10,719 --> 00:24:15,340
no qualms whatsoever charging extra to enable features like single sign-on.
466
00:24:15,900 --> 00:24:16,130
Ned: Yeah.
467
00:24:16,500 --> 00:24:20,790
Chris: Now, at the conference, 68 companies, including big-wigs
468
00:24:20,790 --> 00:24:26,610
like AWS, Google, Cisco, Microsoft, and IBM, signed the pledge.
469
00:24:27,420 --> 00:24:28,370
Kind of a big deal.
470
00:24:28,950 --> 00:24:30,450
Except, of course, that it’s not binding.
471
00:24:30,910 --> 00:24:32,249
It’s not a law.
472
00:24:33,469 --> 00:24:33,579
Ned: [laugh] . That’s true.
473
00:24:33,579 --> 00:24:38,689
Chris: But it does at least commit these companies from a PR perspective to work
474
00:24:38,720 --> 00:24:42,790
towards the increased product security goals over the course of the next year.
475
00:24:43,660 --> 00:24:44,950
So, why was this important?
476
00:24:45,580 --> 00:24:50,610
In my opinion, it’s one of those ‘which way is the wind blowing’ kind of moves.
477
00:24:51,330 --> 00:24:55,130
To wit, it is likely that these companies are trying to self-regulate to
478
00:24:55,140 --> 00:24:59,929
get ahead of the world’s various governing bodies regulating for them.
479
00:25:00,770 --> 00:25:03,989
To that end, other regulations are already happening.
480
00:25:04,510 --> 00:25:05,009
Ned: Mm-hm.
481
00:25:05,240 --> 00:25:06,550
Chris: There was a lot of discussion about these.
482
00:25:06,559 --> 00:25:11,180
In Europe, there is NIS2 and DORA, which focus on cybersecurity
483
00:25:11,190 --> 00:25:15,040
mandates and operational resilience requirements respectively.
484
00:25:15,450 --> 00:25:16,630
Ned: And also finding the map.
485
00:25:17,280 --> 00:25:17,440
Chris: Ugh.
486
00:25:17,440 --> 00:25:18,980
Ned: I’m sorry.
487
00:25:19,850 --> 00:25:20,310
So, sorry.
488
00:25:21,179 --> 00:25:24,250
[laugh] . I can’t tell if you’re frozen or just mad at me [laugh]
489
00:25:25,509 --> 00:25:28,609
.
Chris: [laugh] . For whatever reason, America continues to
490
00:25:28,609 --> 00:25:31,909
trail behind Europe on things like this, but it does stand
491
00:25:31,910 --> 00:25:34,610
to reason that we will have them sooner rather than later.
492
00:25:35,210 --> 00:25:39,129
Now, we already know about the cybersecurity mandate and the AI
493
00:25:39,130 --> 00:25:43,959
mandate, all basically just things that were executive-summarized.
494
00:25:44,429 --> 00:25:47,239
My assumption is that we will get a law at some point.
495
00:25:47,619 --> 00:25:48,580
Ned: It seems likely, yeah.
496
00:25:48,859 --> 00:25:54,630
Chris: Along the AI footpath to this issue, AI regulation and governments were
497
00:25:54,640 --> 00:26:03,360
big talking points, not just from regulating and governing AI, but using AI to
498
00:26:03,360 --> 00:26:08,060
make sure that your company stays compliant with regulations and governance.
499
00:26:09,090 --> 00:26:14,350
So, if you’ve ever looked into any of these regulations, you will know
500
00:26:14,360 --> 00:26:21,530
that there are, I think, six times eleventy-bajillion attestations and data
501
00:26:21,530 --> 00:26:26,980
points that have to be collected in order to prove evidence of compliance.
502
00:26:27,830 --> 00:26:31,230
There’s actually a huge subcomponent of the consulting world that
503
00:26:31,230 --> 00:26:34,790
is based exclusively around helping companies prove this compliance.
504
00:26:35,759 --> 00:26:38,250
A subcomponent of the consulting world that might be a little
505
00:26:38,250 --> 00:26:41,230
worried that AI tools are going to come around and do that.
506
00:26:42,190 --> 00:26:42,710
Ned: Yeah.
507
00:26:43,270 --> 00:26:48,260
And they’re almost necessary at this point because of all the security
508
00:26:48,260 --> 00:26:54,150
frameworks that we’ve baked into various deployments of compute and whatnot.
509
00:26:54,849 --> 00:26:58,409
They all have a virtual TPM now, they all are doing attestation
510
00:26:58,410 --> 00:27:01,820
of boot—not all, but a lot of them are doing that—and something
511
00:27:01,820 --> 00:27:04,620
needs to verify all of that and keep up to date with that.
512
00:27:04,630 --> 00:27:08,970
We’re generating so many more data points, as you said, there’s no
513
00:27:08,970 --> 00:27:12,870
way a human, even a consultant that’s getting paid thousands and
514
00:27:12,870 --> 00:27:16,840
thousands of dollars an hour, can comb through all of that and prove it.
515
00:27:16,910 --> 00:27:21,800
We need something to do, sort of, just gather it all up and look
516
00:27:21,800 --> 00:27:24,850
through it and then give us back a thumbs up or a thumbs down.
517
00:27:25,550 --> 00:27:25,830
Chris: Right.
518
00:27:26,860 --> 00:27:31,279
There were tons of other AI notes in dribs and drabs.
519
00:27:31,790 --> 00:27:35,880
Things like utilizing AI for data protection, utilizing AI for
520
00:27:35,889 --> 00:27:40,140
micro-segmentation, utilizing AI for log management and observability,
521
00:27:40,200 --> 00:27:45,680
using AI to make you a sandwich, et cetera, et cetera, [big gasp] et cetera.
522
00:27:47,040 --> 00:27:49,440
There’s a lot of AI, I guess is what I’m saying.
523
00:27:49,940 --> 00:27:50,559
Ned: It’s what I’m hearing.
524
00:27:51,139 --> 00:27:53,630
Chris: One thing that was notable for its
525
00:27:53,670 --> 00:27:57,550
absence, was the concept of zero trust.
526
00:27:57,960 --> 00:27:58,370
Ned: Oh.
527
00:27:58,490 --> 00:28:01,399
Chris: In previous years, zero trust was
528
00:28:01,410 --> 00:28:04,850
the belle of the ball at these conferences.
529
00:28:05,500 --> 00:28:11,149
This year, it showed up in a mere two sessions, and zero keynotes.
530
00:28:11,899 --> 00:28:14,970
Ned: That is a significant drop-off from, like, two years ago.
531
00:28:15,490 --> 00:28:16,870
Chris: Even last year, yeah.
532
00:28:16,940 --> 00:28:17,610
It’s crazy.
533
00:28:18,210 --> 00:28:23,160
So, the absence is probably down to a few things.
534
00:28:24,320 --> 00:28:29,179
First of all, companies that have embraced ZT are already
535
00:28:29,190 --> 00:28:32,709
doing it, and there’s really not anything to chat about.
536
00:28:33,830 --> 00:28:37,200
It’s an understood topic, philosophically and designalophically.
537
00:28:39,300 --> 00:28:40,490
Ned: Who’s making up words now?
538
00:28:41,320 --> 00:28:45,049
Chris: [laugh] . I mean, I think that’s really the problem is that it’s gone
539
00:28:45,059 --> 00:28:52,370
from marketing buzzword-y razzle-dazzle, to just a standard operating procedure.
540
00:28:52,870 --> 00:28:53,370
Ned: Yeah.
541
00:28:53,860 --> 00:28:57,129
That jives with what I’ve been hearing is, the companies
542
00:28:57,130 --> 00:28:59,720
that are actually doing it are now doing it, and the ones
543
00:28:59,720 --> 00:29:02,939
that it was all just fluff, they are no longer in business—
544
00:29:03,099 --> 00:29:03,379
Chris: Right.
545
00:29:03,660 --> 00:29:05,099
Ned: Or got bought by other companies.
546
00:29:05,949 --> 00:29:09,460
Chris: I mean, and the other thing is, it’s not the new hotness anymore.
547
00:29:10,130 --> 00:29:13,890
So, it’s really hard for its QScore to stay high.
548
00:29:14,650 --> 00:29:18,070
This is the downside of deep engineering concepts like zero trust.
549
00:29:18,799 --> 00:29:22,479
Once you get past that first wave of publicity,
550
00:29:22,830 --> 00:29:24,990
it’s just really hard to keep it top-of-mind.
551
00:29:25,540 --> 00:29:28,910
And since it is such a challenge to, you know, sit down and explain
552
00:29:28,910 --> 00:29:32,500
to somebody, things like zero trust just don’t get nearly as many
553
00:29:32,510 --> 00:29:36,450
influencers keeping up with it as whatever the latest new hotness is.
554
00:29:37,480 --> 00:29:38,770
Ned: But we’re better than that.
555
00:29:38,809 --> 00:29:40,660
Check out our previous episode on Zero Trust DNS.
556
00:29:42,170 --> 00:29:42,330
Ehh?
557
00:29:42,330 --> 00:29:42,360
Chris: [laugh]
558
00:29:43,890 --> 00:29:44,629
.
Ned: I worked it in there.
559
00:29:44,629 --> 00:29:45,200
That was good.
560
00:29:45,760 --> 00:29:46,629
I’m good at this [laugh]
561
00:29:47,110 --> 00:29:49,139
.
Chris: So, those were all the major things,
562
00:29:49,140 --> 00:29:51,260
and I could go on a little bit, but I won’t.
563
00:29:51,679 --> 00:29:55,849
One thing that was talked about that was interesting and was not necessarily
564
00:29:55,870 --> 00:30:01,780
technical in nature is the pernicious and not-talked about issue of burnout
565
00:30:01,800 --> 00:30:06,580
in IT, particularly in security, and it was boiled down to a couple of
566
00:30:06,600 --> 00:30:10,679
things: number one, there’s not enough people doing it; number two, the
567
00:30:10,679 --> 00:30:16,160
ones that are doing it are overworked and underpaid; number three, the
568
00:30:16,160 --> 00:30:20,959
budgets are just not there for what is required to keep modern IT security
569
00:30:21,260 --> 00:30:25,810
up to date in almost any company; and number four, whenever anything goes
570
00:30:25,820 --> 00:30:32,060
bad, it gets dumped on IT security’s shoulders with basically no support.
571
00:30:32,630 --> 00:30:34,690
Ned: Yeah, that all stacks up for me.
572
00:30:34,690 --> 00:30:40,490
I mean, burnout is a well known issue in IT, writ large.
573
00:30:41,360 --> 00:30:43,209
Security might even be worse.
574
00:30:43,950 --> 00:30:49,069
And we need more people to get into the field, which means
575
00:30:49,070 --> 00:30:52,809
the field needs to be more inviting, which is another issue
576
00:30:52,809 --> 00:30:57,560
with InfoSec as a whole, is it can be rather hostile to new
577
00:30:57,560 --> 00:31:01,639
people, especially ones that don’t fit a particular stereotype.
578
00:31:02,030 --> 00:31:03,439
Chris: That’s because new people have cooties.
579
00:31:03,460 --> 00:31:04,409
We talked about this.
580
00:31:04,620 --> 00:31:04,939
Ned: Yeah.
581
00:31:04,969 --> 00:31:05,640
And they smell.
582
00:31:06,300 --> 00:31:07,799
They smell good, which we don’t like.
583
00:31:08,290 --> 00:31:10,279
No, no good smelling people in InfoSec.
584
00:31:10,420 --> 00:31:11,669
Chris: That’s how you know it’s a trap.
585
00:31:11,719 --> 00:31:14,370
Ned: [laugh] . You’re probably right.
586
00:31:14,970 --> 00:31:15,530
Oh, dear.
587
00:31:15,990 --> 00:31:19,900
If anybody is interested in learning more about the
588
00:31:19,910 --> 00:31:23,280
Secure by Design proposal, we did a whole episode on that.
589
00:31:23,360 --> 00:31:24,389
Do you remember that, Chris?
590
00:31:24,469 --> 00:31:26,670
Chris: Nope, sure don’t [sigh]
591
00:31:26,670 --> 00:31:30,469
.
Ned: In March, we did a whole episode on Secure by Design and analysis
592
00:31:30,480 --> 00:31:35,679
of the proposal by CISA, and also some reactions to that proposal.
593
00:31:35,810 --> 00:31:38,879
So, if you’re interested, definitely worth checking out that episode.
594
00:31:38,889 --> 00:31:41,190
But hey, thanks for listening or something.
595
00:31:41,190 --> 00:31:43,730
I guess you found it worthwhile enough if you made it all
596
00:31:43,740 --> 00:31:46,110
the way to the end, so congratulations to you, friend.
597
00:31:46,459 --> 00:31:47,829
You accomplished something today.
598
00:31:47,850 --> 00:31:49,770
Now, you can sit on the couch, fire up
599
00:31:49,790 --> 00:31:52,520
your AI prompt and ask it about zero trust.
600
00:31:52,570 --> 00:31:53,740
You’ve earned it.
601
00:31:54,310 --> 00:31:57,910
You can find more about this show by visiting our LinkedIn page, just
602
00:31:57,910 --> 00:32:03,220
search ‘Chaos Lever,’ or go to our newish website, pod.chaoslever.com.
603
00:32:03,799 --> 00:32:06,400
You’ll find show notes, blog posts, and general tomfoolery.
604
00:32:06,620 --> 00:32:10,770
If we got something wrong, we did something you hated, you can leave
605
00:32:10,770 --> 00:32:16,149
us a comment or leave us a voicemail, which we will proudly read, or
606
00:32:16,150 --> 00:32:20,179
maybe even play during our tech news segments [laugh] , so enjoy that.
607
00:32:20,400 --> 00:32:23,249
If you want to be heard on tech news, leave us a voicemail.
608
00:32:23,430 --> 00:32:23,970
Go for it.
609
00:32:24,549 --> 00:32:27,070
We’ll be back next week to see what fresh hell is upon us.
610
00:32:27,390 --> 00:32:28,120
Ta-ta for now.
611
00:32:36,389 --> 00:32:39,650
Chris: We’re also not above doing dramatic recreations—
612
00:32:39,860 --> 00:32:40,240
Ned: Oh, yeah.
613
00:32:40,590 --> 00:32:42,920
Chris: In the style of unsolved mysteries, if you prefer.
614
00:32:43,510 --> 00:32:45,300
Ned: [laugh] . If you don’t want us to play
615
00:32:45,300 --> 00:32:47,720
the audio, we will do a dramatic recreation.
616
00:32:47,720 --> 00:32:49,570
We may even bring in a voice actor to do it.
617
00:32:50,110 --> 00:32:51,810
Chris: We’ll make Ned do an Irish accent.
618
00:32:52,380 --> 00:32:53,580
Ned: That goes well [laugh] for everyone.
619
00:32:53,990 --> 00:32:54,060
Chris: [laugh]
Listen On
