AI transcript
0:00:05 – Entropy is increasing.
0:00:09 They have more apps, more entitlements, and more actors.
0:00:11 – Every single year, it’s exponential growth
0:00:12 in the number of public breaches,
0:00:15 the size of the breaches, the damage in the breaches.
0:00:17 Vendors still exploding.
0:00:19 – How can they watch out for a bank run
0:00:22 that’s orchestrated by a deep-fake campaign?
0:00:23 If this is indeed state-backed,
0:00:25 this is probably not the only thing they did
0:00:26 in that two-year period.
0:00:30 – In 2022, $8.8 billion was lost
0:00:32 by consumers alone in the U.S.
0:00:35 – How can we build compound businesses from day one?
0:00:38 How can you actually build a platform from day one,
0:00:40 even though you’re a startup?
0:00:41 – Who does security?
0:00:42 Nobody does security.
0:00:46 – The cost to launch a disinformation campaign
0:00:49 that’s AI generated is quickly approaching zero.
0:00:52 – Now that the cybersecurity industry commands
0:00:55 a market of hundreds of billions of dollars,
0:00:57 it’s easy to forget how this industry
0:00:59 once ceased to exist.
0:01:01 And in its few decades of rapid growth,
0:01:03 things have changed a whole lot.
0:01:06 So in today’s episode, we’ll take you on a tour
0:01:08 through the history of security,
0:01:09 which can’t be disentangled
0:01:12 from the history of the internet and culture.
0:01:13 This episode was actually recorded
0:01:16 at A16Z’s campfire sessions event this April,
0:01:18 where our infrastructure team
0:01:21 brought in some of the top security minds in the industry.
0:01:23 And just like any good campfire session,
0:01:26 today you’ll hear four people talk candidly
0:01:28 about what’s really keeping them up at night,
0:01:30 from what really happened with the XZ Utils attack,
0:01:32 to new AI threat vectors
0:01:34 that are already impacting companies,
0:01:37 to empowering overworked developers, and a lot more.
0:01:41 For those both inside and outside the security community,
0:01:43 I hope this episode is a helpful reminder
0:01:45 of just how much has changed throughout the years
0:01:49 for both offenders and defenders of trustworthy computing.
0:01:52 So with that, we’ll start with Travis McPeak,
0:01:54 co-founder and CEO of Resourcely.
0:01:57 And he’ll walk us through how we really got here.
0:01:59 Let’s kick things off in 1995.
0:02:05 As a reminder, the content here
0:02:07 is for informational purposes only.
0:02:09 Should not be taken as legal, business, tax,
0:02:10 or investment advice,
0:02:12 or be used to evaluate any investment or security,
0:02:14 and is not directed at any investors
0:02:17 or potential investors in any A16Z fund.
0:02:19 Please note that A16Z and its affiliates
0:02:20 may also maintain investments
0:02:23 in the companies discussed in this podcast.
0:02:25 For more details, including a link to our investments,
0:02:28 please see A16Z.com/disclosures.
0:02:35 – Okay, phase zero, The Dark Ages.
0:02:37 The year is 1995.
0:02:40 Billboard number one song, “Gangsta’s Paradise.”
0:02:43 The box office number one was “Batman Forever.”
0:02:45 Nostalgia for the old people here.
0:02:46 Who does security?
0:02:47 Nobody does security.
0:02:48 It was a totally different world.
0:02:50 You have to realize that
0:02:52 we didn’t have much internet connectivity.
0:02:54 Patching wasn’t really much of a thing.
0:02:54 Vendors was basically like antivirus
0:02:56 and the start of firewalls.
0:03:00 Milestones of this Dark Ages time,
0:03:02 we had the first DEFCON,
0:03:03 we had the first CISO,
0:03:04 Steven Katz at Citicorp.
0:03:07 So that year, they actually had a breach
0:03:09 where somebody stole money.
0:03:12 And they said, “This can never happen again
0:03:14 “without us having someone to go chop their head off
0:03:15 “when it happens.”
0:03:17 So this is the first CISO.
0:03:19 We had the first Word macro virus.
0:03:20 The first bug bounty came from Netscape.
0:03:21 As we’ll get to, Netscape
0:03:24 did a lot of cool things that moved forward security.
0:03:26 And of course, the Hackers movie.
0:03:28 It was web 1.0.
0:03:30 It wasn’t an app that you went and dealt with.
0:03:31 It was a site that you came to.
0:03:33 So this is Apple’s site from ’97.
0:03:35 Hackers are like these dingy people.
0:03:36 It’s not like an actual job.
0:03:39 One of the things that really moved from this
0:03:41 to the next phase was web browsers went from
0:03:43 like that Apple thing that I just showed you
0:03:45 to a place that you go do business.
0:03:47 Netscape made a lot of those things possible.
0:03:50 So they brought forward SSL.
0:03:52 They had the first bug bounty.
0:03:53 They were putting forward a standard
0:03:55 of how we’re gonna build out apps on the internet.
0:03:57 And that standard was JavaScript.
0:03:59 At the same time, we had Java,
0:04:02 which was one of the first ways of building apps
0:04:04 on the internet from an old company called Sun,
0:04:06 today known as Facebook.
0:04:09 Check Point was founded in 1993
0:04:11 from somebody that came directly out of IDF
0:04:12 and used all of the stuff that they learned
0:04:15 to productize the web application firewall.
0:04:17 Okay, phase two.
0:04:19 Security is an actual thing, but it’s a function of IT.
0:04:21 So the year is 2001.
0:04:23 Billboard number one is “Hanging by a Moment.”
0:04:25 Box office number one is Harry Potter
0:04:26 and the Sorcerer’s Stone.
0:04:27 Who does security?
0:04:29 IT does security.
0:04:31 So context here, this is the start
0:04:32 of when we get like big hacking.
0:04:35 So it’s not just like a thing that happens once in a while.
0:04:37 Businesses have all either moved online
0:04:39 or rapidly moving online.
0:04:43 Vendors now is antivirus, firewalls, systems management.
0:04:46 Milestones here: Microsoft engineers coined
0:04:48 the term SQL injection in ’98.
0:04:50 The first big internet worm
0:04:53 that made it like bad for business was Code Red.
0:04:56 The first Patch Tuesday was in 2003.
0:04:58 And I don’t know, for anybody that’s old like me,
0:04:59 we had this Y2K thing,
0:05:01 which was actually like complete nothing burger.
0:05:03 But what was interesting about it is
0:05:05 we cared enough about computers
0:05:07 and what they do that we thought it might be a thing.
0:05:12 So one of the changes here was Bugtraq and full disclosure.
0:05:14 So back in the day, we had mailing lists, Bugtraq,
0:05:17 people would send security vulnerability reports
0:05:19 and vendors would basically do nothing with it.
0:05:20 They just sit on it forever.
0:05:22 And so there was this big moment at the time,
0:05:23 full disclosure where it’s like, okay, well,
0:05:26 we’re just gonna put like the full gory details
0:05:28 of this thing and force action from vendors.
0:05:30 And then that led to regular patching cycles.
0:05:32 So Microsoft quickly copied that.
0:05:36 We also had the first web application security tools.
0:05:38 So this is Nikto, an old one from 2001.
0:05:39 It was kind of open source,
0:05:41 but this is the beginning of these tools
0:05:43 being broadly available.
0:05:45 And then this is the beginning of what I call
0:05:46 the tail wagging the dog
0:05:48 when it comes to vendors and security.
0:05:50 So from some of the folks I talked to,
0:05:52 we basically have these new attack paths
0:05:54 and the buyers, in this case, IT,
0:05:56 were very uneducated about how this works.
0:05:59 So it’s like, you need to have your web port open.
0:06:01 It needs to be legit open.
0:06:02 And I can get in and compromise you through that.
0:06:04 IT didn’t understand it very well.
0:06:06 So vendors had to do their part
0:06:09 to come and educate the IT buyers that this was possible.
0:06:10 What this looked like was basically,
0:06:12 I just completely compromised all your systems.
0:06:13 And they said, how did you do that?
0:06:16 And then you explain why this web application security
0:06:20 is an actual thing and why they need vendor solution for it.
0:06:23 All right, phase two is the risk sign off function.
0:06:25 So the year is 2004.
0:06:27 Billboard number one is “Yeah!”
0:06:30 by Usher, Lil Jon. Box office is Shrek 2.
0:06:32 This is what phones look like.
0:06:34 By the way, these phones will last longer than you will.
0:06:36 These things were like basically indestructible.
0:06:37 Who does security?
0:06:38 Now we have a security team that does it.
0:06:40 So this isn’t just like a thing that like IT does
0:06:41 with some of their time.
0:06:43 So this is when we start to get the beginning
0:06:45 of traditional security activities.
0:06:48 We have Microsoft basically getting popped in the mouth
0:06:49 and they need to do some stuff differently.
0:06:51 Tech companies start hiring people
0:06:53 that are actually called security.
0:06:54 Vendors now is exploding.
0:06:57 So we have antivirus, firewall still, email security, web
0:06:59 application firewall, DAST and SAST.
0:07:02 Milestones here, we had the first use of the term
0:07:04 cross-site scripting again by Microsoft engineers.
0:07:07 OWASP was founded in 2001.
0:07:08 The first use of the term shift left.
0:07:10 I actually thought it was much more recent,
0:07:11 but this is a very old term.
0:07:13 And then SOX regulation was,
0:07:14 I think the first compliance standard
0:07:17 that actually mandated some security activities.
0:07:19 There was a growing community of folks
0:07:21 that were really interested in web security
0:07:23 and all of what’s possible here.
0:07:25 And Mark Curphey started this group called OWASP
0:07:28 to basically make this knowledge more socialized
0:07:29 so that people knew about it.
0:07:32 One of the first projects in OWASP was the OWASP Top 10.
0:07:33 And that immediately became like,
0:07:36 how can I get my vendor shit to be one of the top 10 things
0:07:37 that people are buying?
0:07:39 So this is, you know, yet more tail wagging the dog.
0:07:41 It’s like, oh, my thing should be, you know,
0:07:42 in the top five for sure,
0:07:44 because it’s going to help us sell a lot more of it.
0:07:47 Now we have the beginning of the big internet worms.
0:07:49 So at the time Windows basically
0:07:50 didn’t come with any firewall.
0:07:52 You started up, it would get immediately
0:07:53 compromised by stuff.
0:07:55 The worms here were costing a lot of money.
0:08:00 So we had like attacks like Mafiaboy’s DDoS in 2000.
0:08:02 It took down like more than 1 million
0:08:03 of the 5 million IIS servers
0:08:06 and cost an estimated $2.6 billion in damages.
0:08:08 And so for part of this,
0:08:10 basically Microsoft had these big customers
0:08:11 that were saying like,
0:08:13 hey, we’re just getting killed because we’re using Windows.
0:08:16 And then this led in part to Trustworthy Computing.
0:08:18 Basically we need to see the light.
0:08:20 We can’t just keep doing business as is.
0:08:23 Bill Gates saw a very early version of a book
0:08:25 that Microsoft folks were writing
0:08:26 on these security practices.
0:08:29 And basically that led him to say like,
0:08:31 we need to completely change what we’re doing.
0:08:32 We’re losing trust with customers.
0:08:33 And then that was the beginning
0:08:36 of what we consider traditional security activities today.
0:08:38 We have threat modeling, STRIDE,
0:08:41 all of these things are being birthed around this time.
0:08:43 We also get more compliance.
0:08:46 So PCI DSS version one was written in 2004.
0:08:48 This mandated security activities.
0:08:50 Again, vendors are trying to get themselves
0:08:53 into the standards so that they can sell more product, right?
0:08:54 It’s like, okay, well,
0:08:56 if you’re going to deal with payment card data,
0:08:59 then you need to do web scanning, for example.
0:09:01 Proofpoint was an example of one of the companies here.
0:09:04 This was founded in 2002, still around today,
0:09:06 very successful by email security, right?
0:09:08 So as soon as you have email being used
0:09:09 as widely as it is today,
0:09:11 and we also have email viruses, it’s okay,
0:09:12 we’re going to need something
0:09:14 to filter out spam and viruses.
0:09:16 So Proofpoint started that.
0:09:19 And then also Imperva, a big web application firewall
0:09:21 that’s also still around today.
0:09:23 Okay, phase three is DevSecOps.
0:09:25 So the year is 2013,
0:09:26 Billboard number one is “Thrift Shop,”
0:09:29 box office number one is Iron Man.
0:09:30 Who does security?
0:09:31 It’s everybody’s job.
0:09:32 We’ve collectively decided
0:09:34 that basically security doesn’t scale.
0:09:36 Like we’ve been this sign off function
0:09:38 that you have to do with security
0:09:40 before you ship your product for the year.
0:09:41 And now we’re moving to cloud
0:09:43 and we’re doing continuous deployment.
0:09:43 And security is like,
0:09:45 I don’t know when I do these assessments anymore.
0:09:48 So what we do is we basically take every single developer
0:09:50 and tell them, guess what,
0:09:52 good news, you’re a security person now.
0:09:54 So we’re also getting more and more mega breaches.
0:09:56 If you look at the numbers from this time,
0:09:58 every single year it’s exponential growth
0:10:00 in the number of public breaches,
0:10:02 the size of the breaches, the damage in the breaches,
0:10:04 vendors still exploding.
0:10:06 So EDR, Next Gen Firewall detection,
0:10:09 all the posture managements, dev training, bug bounty.
0:10:12 Milestones, the first use of the term DevSecOps
0:10:13 was actually in 2013.
0:10:15 And we had the first CSPM,
0:10:17 which gave birth to this massive posture management industry
0:10:18 that we have today.
0:10:20 We start to see KnowBe4, right?
0:10:22 It’s like we’re gonna train developers continuously.
0:10:24 Developers are gonna learn about
0:10:25 all of the types of cross-site scripting
0:10:28 and SQL injection with one day,
0:10:29 like once per year of training where they learn it
0:10:32 and then they immediately forget it the next day.
0:10:34 We also have big bug bounties.
0:10:36 So crowd sourcing more and more vulnerabilities
0:10:38 in the hopes that the attackers aren’t gonna use these things
0:10:40 to cause massive breaches for us.
0:10:42 So much posture management.
0:10:45 So the first was cloud security posture management.
0:10:47 Evident was the first company here.
0:10:49 At Netflix, they had also created Security Monkey,
0:10:51 which is basically open source posture management.
0:10:53 And since then it’s just like posture management
0:10:55 just exploding all over the place.
0:10:57 We have AppSec posture management,
0:10:58 Data Security posture management,
0:11:01 Identity posture management, SSPM,
0:11:03 like whatever that bottom posture management is,
0:11:05 just so much posture management everywhere.
0:11:07 And what these things are really good at doing
0:11:08 is like going and finding problems
0:11:10 after they’re already deployed, right?
0:11:11 And then you have to go do something about it.
0:11:12 ‘Cause just knowing about risk,
0:11:14 you can just tell your boss like,
0:11:16 “Hey, okay, well, here’s all the risk that we have.
0:11:18 They’re gonna want you to reduce it somehow.”
0:11:19 And so what we moved to,
0:11:21 since this is now developers owning security,
0:11:22 is we rip a bunch of JIRA tickets for them
0:11:24 and we call it a day.
0:11:26 So we also are getting at this time job shortage.
0:11:29 The first time the job shortage news articles
0:11:31 was in 2015, early 2016.
0:11:34 We’re short a million jobs already in 2016.
0:11:35 This is just piling up more and more.
0:11:36 We don’t have enough security people
0:11:39 to actually do the work that we need them to do.
0:11:41 So where does this leave us?
0:11:43 I think that we’re entering a new phase,
0:11:44 phase four of security,
0:11:46 where basically telling developers,
0:11:48 “It’s your job, you fix security all the time.”
0:11:49 Didn’t particularly scale well.
0:11:52 I think that that’s becoming very evident today.
0:11:53 So the year’s 2020,
0:11:55 “Blinding Lights” is number one,
0:11:57 box office is Bad Boys for Life.
0:11:58 Who does security?
0:12:00 I think systems do security.
0:12:02 What we’re doing doesn’t scale.
0:12:04 We have developer fatigue.
0:12:05 I hear people tell me all the time like,
0:12:07 “Oh, we take the posture management
0:12:08 and then we just filter out everything
0:12:09 that’s not high or critical.”
0:12:12 And then we ship those JIRA tickets to developers.
0:12:13 Training relentlessly, obviously,
0:12:15 it doesn’t matter how many times we’ve trained developers
0:12:17 on like all the SQL injection types.
0:12:19 They still don’t remember it
0:12:20 and really they shouldn’t have to.
0:12:22 So milestones: one of the projects
0:12:24 that really informed how I see this is Lemur,
0:12:26 which Netflix released in 2015.
0:12:30 Google launched the Identity Aware Proxy in 2017.
0:12:33 Chrome added a password manager by default back in 2018.
0:12:35 And Clint Gibler, one of my friends
0:12:37 and somebody that has done a lot of work in the space
0:12:39 did his talk in 2021
0:12:42 called “How to Eradicate Vulnerability Classes.”
0:12:45 So Lemur, when I got to Netflix, it was in 2017.
0:12:46 And I remember just being blown away
0:12:48 at how easy it was for our developers
0:12:50 to just get things like certificates
0:12:53 without having to select a cipher suite
0:12:54 and pick crypto parameters and rotate it
0:12:57 and store your private keys securely.
0:12:58 It just made it like dead simple.
0:13:00 And the benefit of this is that developers
0:13:02 never have to learn about crypto anything.
0:13:03 They just get it for free.
0:13:06 Google has done just probably more work than anybody here.
0:13:10 So we’re gonna upscale people to HTTPS automatically.
0:13:12 Chrome updates itself, which became standard
0:13:14 for many other pieces of software.
0:13:16 We have these basically like impossible
0:13:18 to mess up Golang libraries
0:13:20 to handle a lot of security things.
0:13:22 And actually, my mom sent me this article recently.
0:13:25 Mom’s so funny, she knows that I work in security
0:13:27 and sends me like everything that has security in it
0:13:28 out of Wall Street Journal.
0:13:29 And usually it’s like something
0:13:31 that either happened three months ago
0:13:33 or it’s got nothing to do with me.
0:13:35 But this one was written by Larry Ellison
0:13:36 and it’s not very old.
0:13:38 His point is it’s time to hand over
0:13:40 cyber security to computers.
0:13:42 Basically just relentlessly hounding the users
0:13:44 and like trying to get the users to be smarter.
0:13:45 Like it doesn’t work anymore.
0:13:47 What we want to get is developers
0:13:50 back to just writing app code, like working on the business
0:13:52 and not having to be like security people all the time.
0:13:54 So today, if you think about it,
0:13:57 devs have to burn down this never-ending pile of Jira tickets.
0:13:59 This causes annoyance with the security team.
0:14:00 If you had a friend that only showed up
0:14:02 when they wanted you to do something,
0:14:03 you’re probably gonna start avoiding that friend
0:14:04 and we’re getting a ton of that.
0:14:07 What if instead, if they just use systems,
0:14:09 they made good security choices on their behalf
0:14:11 and forget about all of this like
0:14:13 training relentlessly all the time.
0:14:15 So conclusions, I was part of this move
0:14:18 from like waterfall to continuous and then saw this.
0:14:21 We just heap stuff onto our developers plate
0:14:23 and then saw developers learn to resent
0:14:24 and avoid security more and more.
0:14:27 I think what we should do instead is help them out.
0:14:28 Like they’re very, very busy people.
0:14:31 We should build a system that makes it fast and easy
0:14:33 for them to go do something they want to do
0:14:35 and then has security victim as a side effect.
0:14:38 So it’s like when you want your dog to take vitamins,
0:14:40 you don’t just put vitamins in your hand
0:14:41 and offer them to the dog.
0:14:42 You put the vitamins in the peanut butter
0:14:43 and the dog wants the peanut butter
0:14:45 and the dog gets the vitamins too.
0:14:46 I think this is what we should be doing
0:14:47 for our developer users.
0:14:50 – Speaking of needing to make things easier
0:14:52 for our developers, let’s get a sense
0:14:55 of what these hacks can really look like in 2024.
0:14:57 – Now, usually in this talk,
0:14:58 I like to talk about SolarWinds,
0:15:00 but we actually have a better example
0:15:03 that was gifted to us, the XZ Utils attack.
0:15:05 So everybody here has heard about this by now,
0:15:09 but this was some group likely, I think backed by a state
0:15:12 that infiltrated an open source data compression project
0:15:14 called XZ Utils.
0:15:19 – That was Feross Aboukhadijeh, founder and CEO of Socket.
0:15:22 So XZ Utils has taken the security industry by storm
0:15:25 since it introduced a backdoor via OpenSSH,
0:15:27 which is a critical piece of infrastructure
0:15:30 used by millions of servers around the world.
0:15:32 Let’s hear from Feross regarding what really happened there.
0:15:34 To get a sense of the kind of security offenders
0:15:37 we’re now dealing with in 2024
0:15:38 that can involve multiple years,
0:15:40 multiple contributors, social engineering,
0:15:42 the potential for state actors and more.
0:15:46 – The way that they did this was just so interesting.
0:15:49 And it’s something that, I mean, look, I’m sad that it happened,
0:15:51 but I’m also like, I’ve been telling you guys
0:15:52 about this for so long.
0:15:54 I’m sort of like kind of satisfied in a way
0:15:56 that finally there’s an example
0:15:58 that’s really caught the imaginations of folks.
0:16:02 So what happened here was we had a group,
0:16:03 like I said, probably state backed,
0:16:05 winning over the contributor of the project
0:16:07 over several years of work.
0:16:09 So that’s like a scale of time invested in this
0:16:12 that we haven’t seen in other attempts like this.
0:16:14 And then they introduced a sophisticated though
0:16:17 not flawless backdoor that was aimed
0:16:19 at compromising SSH servers.
0:16:22 So it’s a pretty multi-layered vulnerability.
0:16:23 There were multiple personas involved
0:16:25 from identities that hadn’t been seen
0:16:26 anywhere on the internet before.
0:16:28 So that kind of is another indication
0:16:31 that probably this was someone relatively sophisticated.
0:16:33 This wasn’t just someone doing it for the lulz.
0:16:36 And so probably suggesting kind of state backed actors here.
0:16:38 And then just the way the timeline
0:16:40 and the kind of some of the stuff that they did
0:16:42 also seems to indicate that it might be
0:16:44 like the same people behind SolarWinds.
0:16:46 Probably, but again, this is all just kind of speculation.
0:16:47 I want to kind of go into a little bit of,
0:16:49 so you can kind of see just the character
0:16:51 of what this attack kind of looks like.
0:16:54 So this is kind of individual who ended up committing
0:16:56 and releasing the malicious code.
0:17:00 And this is his first email patch to the mailing list
0:17:04 where they do the development for this project XZ Utils.
0:17:05 And it’s interesting.
0:17:08 This is just kind of a totally pointless patch, right?
0:17:09 This is like the kind of thing that as a maintainer
0:17:12 you get all the time someone just drive by dropping in
0:17:15 an editor config file, which basically does nothing, right?
0:17:17 It’s a no-op in terms of the functionality of the project.
0:17:19 And oftentimes you’ll see these from people
0:17:20 who just want to get to be able to say
0:17:22 that they’re a contributor to a project.
0:17:24 It doesn’t require any understanding of the project.
0:17:26 So it’s just noise, but you can see their first attempt
0:17:28 to kind of get involved in the project.
0:17:30 Then they sent another patch a month later,
0:17:33 fixing some kind of build problem.
0:17:36 And they also sent a couple of more patches after this one,
0:17:38 all totally ignored by the maintainer,
0:17:41 who at this point has been maintaining this project
0:17:43 for about 15, maybe 20 years.
0:17:45 This is a long time project.
0:17:47 And the guy running it is just,
0:17:49 at this point it’s in maintenance mode.
0:17:51 It’s basically, he’s sort of burned out.
0:17:53 He’s sort of kind of half maintaining it,
0:17:55 checking the mailing list once in a while,
0:17:57 but really not actively working on this anymore.
0:18:00 So it’s something that a lot of the maintainers go through.
0:18:01 And so then finally the maintainer,
0:18:03 this is like, I think three more months
0:18:05 after the last email, we see that the maintainer
0:18:09 just randomly comes by and merges a couple line change
0:18:11 to the project that is the first code
0:18:14 from this Jia Tan individual that’s actually
0:18:15 included in the project.
0:18:17 And what I think is interesting about this is
0:18:19 all of his other patches were ignored.
0:18:22 The patch that was merged is this like trivial two line patch
0:18:24 that you can just look at and kind of,
0:18:25 as an overloaded maintainer, you can look at this
0:18:27 and sort of figure out what it’s doing.
0:18:28 And oh, it fixes a bug, cool.
0:18:29 Let me just merge it and move on.
0:18:33 The bigger multi-hundred line patches were ignored, right?
0:18:34 Typical, also typical behavior
0:18:36 for an overloaded maintainer, right?
0:18:38 Okay, then a couple of months go by
0:18:41 and now we see a new character enter the picture.
0:18:45 This guy Jigar Kumar sends kind of a few emails
0:18:49 complaining that some of Jia Tan’s patches weren’t landing.
0:18:53 This is often used to pressure maintainers
0:18:55 to include code in projects.
0:18:56 Patches spend years on this mailing list.
0:18:58 There’s no reason to think anything is coming soon.
0:18:59 So aggressive, right?
0:19:01 At this point, remember he’s already landed
0:19:03 a few of the patches, but the pressure is building here.
0:19:07 And then this is “Is [insert project name] still maintained?”
0:19:09 That is the bane of a maintainer’s existence.
0:19:11 It’s the meanest kind of issue you can open up
0:19:13 on a project, in my opinion.
0:19:15 This has happened to me many times.
0:19:16 I had a couple screenshots here.
0:19:18 Is this still being developed?
0:19:19 And like on a perfectly active project
0:19:21 because their PR wasn’t looked at for a little while, right?
0:19:23 Here’s another one on one of my projects.
0:19:24 Is this project dead?
0:19:25 It’s not nice.
0:19:27 Don’t do this, people.
0:19:28 And I think one of the interesting things
0:19:29 about this whole situation is that,
0:19:31 this is another one of the things I’ve seen change
0:19:33 in the way that open source is done is,
0:19:35 traditionally, you think of a project like Linux
0:19:37 or WordPress or these big foundation-backed projects.
0:19:39 They have the structure up here at the top
0:19:41 where you have one project, one entity,
0:19:43 with many, many maintainers that are participating
0:19:44 in the project.
0:19:46 A lot of times they’re paid by their employer
0:19:47 to even work on the project
0:19:49 and to submit patches as part of their day job, right?
0:19:52 But what we see a lot more of as we’ve shifted
0:19:55 into this world of many, many, many dependencies,
0:19:58 a lot of tiny dependencies is more of a structure like this
0:20:00 where you have an individual with hundreds, potentially,
0:20:02 hundreds of projects that they take care of.
0:20:04 And that was the case here with Lasse Collin.
0:20:06 He had multiple projects that he was managing
0:20:08 as an individual maintainer.
0:20:09 Okay, so let’s continue on.
0:20:11 So this is three months has gone by.
0:20:13 He replies, he apologizes for the slowness,
0:20:16 and he also adds in a bit about how Jia Tan
0:20:19 has helped him off-list with XZ Utils.
0:20:21 So probably they have some kind of chat conversation
0:20:24 going off-list now and they’re collaborating more closely,
0:20:25 building up the trust.
0:20:28 And he says he might have a bigger role in the future,
0:20:29 at least with XZ Utils.
0:20:31 It’s clear that my resources are too limited
0:20:33 and something has to change in the longterm.
0:20:36 So the kind of idea has now been planted in his mind
0:20:38 that he probably should give access to somebody else
0:20:40 to help maintain the project.
0:20:41 And again, this all sounds nefarious
0:20:43 ’cause I’m doing it in a talk and I have slides up here,
0:20:45 but this is also open source working correctly.
0:20:46 This is thinking about, oh, hey,
0:20:47 maybe I’m not the best maintainer.
0:20:49 Maybe I should hand this off to somebody
0:20:51 that’s pretty normal as well.
0:20:53 At this point, nothing actually nefarious has happened.
0:20:54 By the way, there’s no bad code that’s been included.
0:20:56 This is just laying the foundation.
0:20:57 He said a couple of weeks go by.
0:21:00 So now we have this character, Jigar Kumar, who enters
0:21:03 and this person’s much more aggressive
0:21:04 and really starts to apply more pressure.
0:21:07 So they go over one month and no closer to being merged.
0:21:08 Not a surprise.
0:21:10 So like dropping into threads to just sort of
0:21:12 nag the maintainer and kind of make him feel
0:21:13 like he’s not doing a good job.
0:21:16 Progress will not happen until there is a new maintainer.
0:21:18 And then the maintainer finally replies and pushes back
0:21:19 and says, hey, I haven’t completely lost my interest here,
0:21:21 but I’ve been having some mental health issues
0:21:23 and I have a lot of things going on in my life.
0:21:25 But again, maybe Jia Tan will have a bigger role
0:21:26 in the project.
0:21:28 And so a few months after that,
0:21:30 Lasse Collin merges the first commit with Jia Tan
0:21:32 as the author you can see here.
0:21:33 And they actually are listed as an author.
0:21:36 This is a pretty innocuous change.
0:21:39 And then again, the pressure continues from Jigar and Dennis
0:21:41 who’s this other persona that are both there
0:21:43 and really just support the idea
0:21:44 that Jia should be made a maintainer.
0:21:46 And you can see here, you ignore the patches
0:21:48 that are rotting away on this mailing list.
0:21:50 Right now you choke your repo.
0:21:53 Why wait until 5.4.0 to change maintainer?
0:21:55 Why delay what your repo needs?
0:21:56 Right?
0:21:58 So applying the pressure.
0:21:59 And then again, the last one here is great.
0:22:01 Like, why can’t you commit this yourself, Jia?
0:22:02 I see you have recent commits.
0:22:03 So just kind of pushing more and more.
0:22:06 And then finally Lasse says, again,
0:22:08 Jia Tan has been really helpful off-list.
0:22:10 He’s practically a co-maintainer already.
0:22:12 And then finally, this is the first email
0:22:15 about two years after the very first interaction
0:22:17 with the mailing list where Jia Tan
0:22:20 is actually now doing the release notes for the project.
0:22:21 He’s been made a maintainer
0:22:23 and this is the first release going out.
0:22:26 So two year kind of effort here.
0:22:27 If this is indeed state-backed,
0:22:29 this is probably not the only thing they did
0:22:31 in that two year period, right?
0:22:33 They probably have other things going at the same time, right?
0:22:35 So we shouldn’t overreact and assume
0:22:37 that Linux is like totally backdoored or anything like that.
0:22:39 But also like, probably this isn’t the only thing
0:22:40 that these folks were working on, right?
0:22:42 So the truth is like somewhere in the middle here.
0:22:46 – Sophisticated software supply chain attacks
0:22:49 are not the only ones on our hands in 2024.
0:22:50 In fact, the XZ Utils attack
0:22:53 was performed really without AI.
0:22:56 So let’s hear from Kevin Tian, founder and CEO of Doppel,
0:22:59 around the ways that AI is introducing new threat vectors
0:23:02 and already impacting real world businesses.
0:23:08 – In 2022, $8.8 billion was lost by consumers alone in the US.
0:23:11 We’ve had 39 billion credentials
0:23:14 stolen by bad actors that same year.
0:23:18 And the cost to launch a disinformation campaign
0:23:21 that’s AI generated is quickly approaching zero.
0:23:24 So if you’ve seen a lot of the startups
0:23:26 that are currently pitching about
0:23:29 how we can make it easy to generate AI videos
0:23:33 or how we can make it easy to generate AI voices, right?
0:23:35 That same sort of stuff is going to the bad guys as well.
0:23:37 And so how are we seeing this manifest today
0:23:41 with real world people and real world businesses?
0:23:45 So one common scheme that has grown super quickly
0:23:46 just in these past couple of months
0:23:49 has been the emergence of a lot of deep fake videos,
0:23:53 specifically deep fake videos of individual personas.
0:23:56 It could be Taylor Swift, could be Travis Kelce,
0:23:57 could also be your CEO
0:24:00 and could be your financial institutions,
0:24:02 chief technology officer.
0:24:04 And so what we’ve quickly been seeing here, right,
0:24:09 in terms of the landscape is more and more deep fake videos
0:24:11 being produced in the exact same way,
0:24:14 models being trained in a very similar way,
0:24:16 the voice being generated in very similar way
0:24:18 and the intention of the tech being operated
0:24:21 in a very similar way all across different platforms,
0:24:23 whether it’s YouTube, TikTok,
0:24:26 any sort of video platform out there.
0:24:27 We’re already seeing deep fakes emerge
0:24:31 and this impacts a whole bunch of different sort
0:24:34 of individuals, whether it’s business,
0:24:37 whether it’s celebrities or even political campaigns.
0:24:39 Of course, big federal election this year,
0:24:41 it’s top of mind for everyone.
0:24:44 The good news, bad news is that it’s already happening
0:24:46 and we’re seeing it happen across a lot
0:24:47 of different platforms.
0:24:49 So I think the biggest thing here though is like,
0:24:52 this is not necessarily entirely novel,
0:24:55 attack surface right or entirely new threat, right?
0:24:57 Like we’ve always had social media,
0:24:59 we’ve always had video platforms
0:25:02 and we’ve had bad guys try to create fake content
0:25:04 to achieve certain means.
0:25:06 I think the main lesson here
0:25:08 in terms of what we’re seeing is that
0:25:10 it’s just become a lot easier to do.
0:25:12 And so just there’s entire markets around phishing kits
0:25:16 and there’s entire markets around cyber crime in general.
0:25:17 We’re gonna start seeing,
0:25:20 and we’re already seeing that same sort of stuff
0:25:23 come around with deep fake technology,
0:25:24 impersonation technology and just,
0:25:27 how do you personalize attacks more and more
0:25:29 for your target victim?
0:25:31 I think the biggest thing too is that
0:25:33 we’re seeing this not only to run scams,
0:25:36 but ultimately this stuff is impacting businesses at large.
0:25:38 I actually just wanna talk this morning,
0:25:40 chatting with some big banks out there
0:25:41 and one of the biggest concerns for them
0:25:44 is how can they watch out for a bank run
0:25:46 that’s orchestrated by a deep fake campaign, right?
0:25:48 Or we’ve even seen this affect
0:25:50 companies outside the financial sector
0:25:52 where a pharmaceutical company had an impersonator
0:25:54 talk about how Viagra’s gonna be free now
0:25:58 and saw that impact of stock price very, very quickly.
0:26:03 It’s again stuff that has happened before,
0:26:05 but what we’re seeing in 2024
0:26:08 and what we’re expecting in 2025 and beyond
0:26:10 is that this just gets easier and easier to do
0:26:13 and it gets to the point where it makes it really hard
0:26:15 to tell what’s real or not online.
0:26:18 And it’s not just deep fakes.
0:26:20 Here’s a completely different approach.
0:26:23 This one is a SEO poisoning case,
0:26:27 so specifically something that we’ve seen out there
0:26:30 a lot for airline industry, finance industry,
0:26:33 any industry that has customer support, phone numbers,
0:26:35 things like that, right?
0:26:38 We’ve got the traditional SEO poisoning attack
0:26:41 where people will find a way to get content upranked
0:26:42 for any given company.
0:26:45 And what’s interesting is basically
0:26:48 how well can people do this in 2024?
0:26:50 What we’re seeing a lot of things happening today
0:26:53 is that they’re putting it on these third party sites
0:26:55 that do have great domain ranks.
0:26:58 Things like Microsoft, it could be LinkedIn.
0:27:00 We’ve seen a lot with Hub as well of course
0:27:02 and Webflow, other platforms like that.
0:27:04 And so they’re taking advantage of the fact
0:27:06 that these are legitimate third party sites
0:27:08 with great domain health,
0:27:10 stuff that Google will quickly uprank
0:27:12 or any other search engine will quickly uprank.
0:27:16 And they’re generating content and conversations on forums.
0:27:19 For example, how do I speak to a live agent at United?
0:27:22 How do I speak to a live agent at Uber, right?
0:27:24 And what we see happen here is,
0:27:27 they’re able to generate a bunch of the spam content
0:27:29 across these different third party forums,
0:27:30 get them all upranked,
0:27:34 get them all to dominate that first page of search results.
0:27:36 And again, it’s just a classic case of,
0:27:38 well, they would have to script this, right?
0:27:40 And generate the content now.
0:27:42 They can make it more dynamic with AI
0:27:44 and generate the AI specifically.
0:27:48 – Of course, it’s not all doom and gloom.
0:27:50 With every opening on offense,
0:27:52 there’s equal opportunity for defense.
0:27:55 Here is Andrej Safundzic, founder and CEO of Lumos,
0:27:58 taking us back to where we started in this episode
0:28:00 through a historical arc that brings us
0:28:03 to a digital era of autonomy.
0:28:05 So what do we do now that we’re in this new era?
0:28:06 And if you happen to be a company
0:28:08 hiring security professionals,
0:28:11 should you be thinking about things any differently?
0:28:14 – I just want to take you a little bit
0:28:17 on a historical journey, all right?
0:28:20 So the funny thing is, if you look 60 years back,
0:28:22 we are all ideas.
0:28:24 So there’s two types of factories.
0:28:28 There’s a product factory and there’s an idea factory.
0:28:30 So what the product factory is,
0:28:32 is usually where the cars are born, right?
0:28:34 Or where windows are made.
0:28:36 And where the idea factory is,
0:28:40 is where we create and design those cars, right?
0:28:44 And especially the idea factory changed in the recent years
0:28:47 and changed like two years ago again.
0:28:51 So the idea factory looks something like the office
0:28:53 or more like, you know, in the ’60s.
0:28:55 In the ’60s, ’50s, there were no computers.
0:28:57 So it was really interesting.
0:29:01 And we mostly used typewriters and pen and paper.
0:29:03 So then the computers came about
0:29:05 and we digitized the office.
0:29:07 That was kind of the first step.
0:29:11 IBM, SAP, Oracle, Microsoft,
0:29:14 all those big companies came about and digitized it.
0:29:16 So that was step one.
0:29:20 Step two is we cloudified, I guess, the office.
0:29:22 I was like with Salesforce.
0:29:25 They kicked it off and Workday and Atlassian,
0:29:26 those were the first cloud companies.
0:29:27 So suddenly we’re in the cloud.
0:29:29 So it was where AWS was born.
0:29:33 I think 2004, 2005, that’s when we cloudified it.
0:29:35 Then something interesting happened
0:29:37 is we made it collaborative, right?
0:29:39 Workday is not really collaborative.
0:29:40 Neither is Salesforce.
0:29:44 But then suddenly Zoom, Slack, Figma, Airtable,
0:29:46 all those kind of great companies
0:29:48 came about in the 2010s.
0:29:50 And suddenly it became very collaborative.
0:29:51 So that was like kind of, I would say,
0:29:55 the third change that happened in software,
0:29:56 which is pretty cool.
0:30:00 Now, what changed in the last two years
0:30:04 is we moved from just like digitizing it to cloud,
0:30:08 to collaboration, to autonomy, right?
0:30:11 So we’re creating more and more autonomous software.
0:30:12 And it started honestly for the first time
0:30:14 with something like a Grammarly,
0:30:17 where they are like more like kind of co-pilots
0:30:18 that help you kind of do a job better.
0:30:20 Even like GitHub, this is GitHub Copilot,
0:30:21 they’re in the middle.
0:30:23 They’re not fully autonomous,
0:30:25 but they help you do your job better.
0:30:27 The big trend that we’re seeing right now
0:30:29 is especially OpenAI is bringing out
0:30:30 at the end of the year,
0:30:33 reason, models that can reason.
0:30:35 And they can literally talk with themselves
0:30:37 and do certain things, so really spooky.
0:30:39 And we’ve seen this as well like Devin,
0:30:41 that’s kind of a new kind of type of software engineer
0:30:43 and AI software engineer
0:30:45 that just like basically codes themselves.
0:30:48 So we’re moving from GitHub Copilot or Grammarly
0:30:50 to actually systems and services
0:30:53 that build things themselves.
0:30:56 So that is actually a whole new paradigm
0:30:56 that’s changing.
0:30:58 And we’re like, okay, shoot,
0:31:00 how do we equip ourselves for that?
0:31:02 So to summarize,
0:31:03 actually there are kind of three waves,
0:31:05 I just call them two.
0:31:07 The first wave is the digitization,
0:31:09 the second one is a collaboration,
0:31:11 the third one is the autonomy.
0:31:13 And now we’re at the third one.
0:31:15 So the interesting thing is that I’m thinking about
0:31:18 on a daily basis is apps and access.
0:31:21 If you think about everything that you’re using,
0:31:22 those are apps.
0:31:23 We’re on Zoom, then on Slack,
0:31:26 then we go and SSH into a server,
0:31:28 which is also an app more or less,
0:31:30 then we use GitHub, so everything is apps.
0:31:33 Apps are literally our lifeblood. Without apps,
0:31:35 we can’t do things.
0:31:36 The question is like,
0:31:37 I think that we as security professionals
0:31:40 need to ask ourselves more and more is,
0:31:43 how are we gonna manage all those apps
0:31:45 with more and more service accounts coming up, right?
0:31:49 And with like software doing the job themselves.
0:31:50 So how do we deal with that?
0:31:54 So I love the metro framework.
0:31:55 I really love it.
0:31:58 If you think about identities,
0:32:00 there are certain identities on different tracks.
0:32:03 So marketing has their identities, right?
0:32:07 Marketing ops, the mansion, content,
0:32:09 customer success has their tracks.
0:32:13 And each station is more or less an application
0:32:15 or like an entitlement, right?
0:32:17 And some of those overlap, right?
0:32:20 So for example, customer success and sales overlap
0:32:21 maybe in Salesforce.
0:32:25 Then design and marketing overlap in Figma.
0:32:27 And then especially engineering,
0:32:29 there are probably like multiple engineering departments
0:32:32 if we zoom in and they overlap when it comes to,
0:32:34 especially on an entitlement level,
0:32:36 different permissions that they have access to.
0:32:38 So the only interesting thing is people,
0:32:41 which are more of those wagons,
0:32:44 they jump from one station to another.
0:32:47 And each station again is an app or entitlement.
0:32:49 And why I think that this is interesting is,
0:32:51 right now how we think about the world
0:32:52 as a world of RBAC.
0:32:55 – Quick interruption here.
0:32:59 For the uninitiated, RBAC means role-based access control.
0:33:01 So instead of assigning permissions individually,
0:33:03 you’re granting them based on a role.
0:33:08 – RBAC is not moving stations.
0:33:11 RBAC basically means, you are a marketing person
0:33:15 and you have access to everything on this marketing tier.
0:33:19 Even though probably a lot of that stuff you never use.
0:33:22 And sales or engineering is especially spooky.
0:33:24 Engineering, you and DevOps,
0:33:26 you have access to all customer data
0:33:29 because an incident might happen and you need access to it.
0:33:31 Now on top of that,
0:33:34 we have all those service accounts coming up
0:33:38 and soon autonomous actors, agents coming up,
0:33:41 that will also, if we still use RBAC,
0:33:44 get access to all of those things.
0:33:45 Even though they don’t need it.
0:33:47 So the concept is I’m a metro station
0:33:49 and I need each permission entitlement
0:33:51 just for a short amount of time.
0:33:55 And I think especially as complexity rises.
0:33:58 So we are going from like a hundred actors
0:34:00 to a thousand to 10,000.
0:34:02 And also the apps become more complicated.
0:34:06 So instead of having just one or two or three metro stations,
0:34:08 I will have thousands of metro stations.
0:34:12 Because I can get access to 10 EC2 instances
0:34:14 and just like the granularity and the cloud
0:34:15 and the snowflake is gonna become
0:34:17 more and more and more granular.
0:34:19 So the question is like, how are we gonna manage that?
0:34:22 What’s the new paradigm to manage that?
0:34:25 So what I believe, how we need to rethink things
0:34:28 is security was often seen as analysts, right?
0:34:31 Actually, security started as hackers.
0:34:34 Security people were those people that hacked the networks
0:34:36 and they were the people that were deep in Linux
0:34:38 with sysadmins.
0:34:40 And actually most security people were sysadmins before
0:34:43 because there was no security 30 years ago
0:34:45 and they were true hackers.
0:34:47 And then suddenly all those kind of great solutions
0:34:50 came about and they said, here’s an alert,
0:34:52 there’s an alert, here’s an alert.
0:34:53 And we’re gonna alert you about all those things
0:34:56 and you can remediate it very easily.
0:34:58 And so I feel like more and more security
0:35:01 became an operating department.
0:35:02 Similar thing happened to IT.
0:35:05 IT used to be the hackers and slowly but suddenly
0:35:07 they became ticket resolvers.
0:35:10 Security became a little bit of alert resolvers.
0:35:12 IT became ticket resolvers.
0:35:14 And I think the new paradigm that we need to think about
0:35:16 as we’re thinking about entitlements and access
0:35:20 as a metro station, security and IT needs to see themselves
0:35:25 as the architects of that metro station, more or less.
0:35:28 And what DevOps and infrastructure is to full stack teams.
0:35:31 So I think the same thing we need to think about
0:35:32 IT and security.
0:35:37 IT and security need to become so to say infrastructure teams
0:35:40 to each department, right?
0:35:42 And this kind of moves us back to security
0:35:46 actually hiring for engineering rather than analysts.
0:35:48 Especially also, as the AI will probably automate
0:35:50 most of the analyst work.
0:35:52 So that’s I think a very important insight
0:35:54 is when it comes to career development,
0:35:57 as it comes to what type of profile you need to hire,
0:35:59 especially engineers and analysts
0:36:01 and building on top of solutions that you’re buying
0:36:03 is very important.
0:36:07 So basically the premise in this first act is
0:36:09 software is becoming autonomous.
0:36:12 It enables us to create more and more.
0:36:15 Because of that, entropy is increasing.
0:36:19 There are more apps, more entitlements and more actors.
0:36:23 And so what needs to change is security needs to handle
0:36:27 this infrastructure with some type of technology operations
0:36:30 or without some kind of technology infrastructure.
0:36:33 So I think that is kind of one important change
0:36:36 that we need to see as this whole market is changing.
0:36:39 Now, here’s the second thing.
0:36:41 It’s about startups by the way.
0:36:44 This is like kind of an appeal to all my entrepreneurs.
0:36:46 I believe that we need to build compound businesses
0:36:47 from day one.
0:36:49 So what does that mean?
0:36:52 So security CISOs probably have this problem
0:36:56 that they need to use 50 different tools.
0:36:57 And that actually lasts two years,
0:37:00 especially as the economy has gone a little bit down.
0:37:02 CISOs ask themselves a lot of,
0:37:05 in terms of like, how can I consolidate?
0:37:07 And that kind of sucks for startups at the beginning,
0:37:08 I would say.
0:37:12 Like, okay, we’re starting solving this unique pain point.
0:37:13 But then CISOs are like, yeah,
0:37:16 but you know, I have 80 vendors to manage.
0:37:19 And so the question is that I ask myself a ton
0:37:23 is how can we build compound businesses from day one?
0:37:26 So how can you actually build a platform from day one,
0:37:27 even though you’re a startup?
0:37:29 And actually counter if people say,
0:37:30 I need to consolidate,
0:37:33 that your startup actually can consolidate.
0:37:35 So it was 2023.
0:37:37 The top three priorities for CISOs
0:37:40 was vendor consolidation, optimizing SaaS licensing.
0:37:43 Because of course you don’t wanna let people go.
0:37:46 You rather wanna kind of first increase your software spend.
0:37:48 So what does it mean for entrepreneurs?
0:37:49 The question for entrepreneurs is like,
0:37:51 how can I build a compound business from day one?
0:37:54 We’ve seen this actually done well across many companies.
0:37:56 I think Datadog is an awesome company
0:37:59 that does this super well more on the DevOps side.
0:38:03 For the longest time, right, they’ve had one product.
0:38:04 And then actually they switched
0:38:06 and became this kind of layered product
0:38:08 for anything observability,
0:38:10 whether it’s security observability,
0:38:13 infrastructure observability, application observability,
0:38:15 they were able to build a compound product.
0:38:18 And Figma rethought this whole kind of process
0:38:21 of before there was Sketch, there was Zeplin.
0:38:23 And what basically Figma said is like,
0:38:24 what is the underlying concept
0:38:27 that’s the same across all of those?
0:38:30 And how can I build a solution that covers that all?
0:38:30 And I think by the way,
0:38:32 the whole kind of thing that we’ve seen in here
0:38:34 is like we had first the bundling era.
0:38:37 By the way, with Microsoft Oracle and SAP,
0:38:38 people didn’t have a lot of applications.
0:38:41 They said like, Oracle is doing it all.
0:38:42 That was that at the beginning.
0:38:44 And then slowly with like cloud,
0:38:47 especially AWS and Azure made that happen,
0:38:50 cloud became so approachable by everyone
0:38:51 that suddenly, you know,
0:38:54 we had all those collaboration tools come up.
0:38:59 I do think we’re changing back to an industry of rebundling,
0:39:02 especially as we have this autonomous wave coming up.
0:39:03 I do believe, I mean, like Wiz is actually
0:39:05 a great example of that,
0:39:07 is they started with like kind of a point solution,
0:39:10 but spread out very aggressively
0:39:12 and build a compound product very quickly.
0:39:15 So how are you going to manage that complexity?
0:39:17 And then the question is like,
0:39:19 how much did I protect my insider threat in some way?
0:39:20 Why?
0:39:23 Because go back to the metro station,
0:39:25 if the developer has access to everything,
0:39:27 suddenly this intruder can just like hop
0:39:30 from one station to another and do harm.
0:39:33 So how can we make sure that it’s kind of just in time,
0:39:35 only when you are at the station,
0:39:37 you actually can have access to it?
0:39:39 Now, that gets kind of hard
0:39:42 with like millions of permissions.
0:39:43 So what I believe it’s going to happen,
0:39:45 and this is something that we are really working on right now
0:39:48 with models that come out at the reason.
0:39:52 Basically, I think models will be able to reason better
0:39:54 than our security analysts
0:39:58 in terms of what a certain role should have access to, right?
0:40:01 So basically an agent on your identity
0:40:04 and access management system will look into, okay,
0:40:09 we had 20 new tickets where these engineers needed access
0:40:13 to this type of database that live in North America.
0:40:16 They will automatically update your roles
0:40:17 and downgrade your roles,
0:40:19 or at least at the beginning be a co-pilot for you
0:40:22 and suggest, hey, this role should be updated in this way,
0:40:25 or those two roles should be merged in that way.
0:40:27 So this is just like a case study
0:40:31 where agents will have a huge impact.
0:40:33 The biggest story I think about security is,
0:40:36 is that there’s enormous complexity and risk,
0:40:38 you can never reduce risks to zero.
0:40:42 The cool thing is if you move more to an engineering mindset,
0:40:45 where you actually fine-tune your agents and models
0:40:47 on top of your infrastructure,
0:40:50 you will be able to solve certain problems
0:40:53 that you were never able to solve before.
0:40:56 The RAG will look into, okay, is this privileged access?
0:40:58 So basically the AI will be able,
0:41:00 you think about you have a million permissions,
0:41:02 how are you gonna tag where this permission
0:41:05 is actually sensitive or not?
0:41:06 It doesn’t always say read only,
0:41:09 it doesn’t always say admin access.
0:41:12 So the AI will be able to understand or can understand
0:41:14 if that permission is sensitive or not, right?
0:41:15 So you can reason, okay,
0:41:18 this person has privileged access or not,
0:41:21 and then this person can also reason on role anomalies.
0:41:24 Oh man, you know, you are in sales
0:41:27 and you have access to this write access in AWS,
0:41:31 and no one else on your team has that access.
0:41:32 So basically, you know,
0:41:35 a RAG will ask themselves is,
0:41:38 how privileged is this permission, right?
0:41:40 What is your usage in that permission?
0:41:44 And is anyone else that has similar HRIS characteristics,
0:41:45 do they have that access?
0:41:48 And you can already do this now pretty easily, right?
0:41:49 This is like kind of more,
0:41:51 it’s not reasoning themselves,
0:41:53 but you kind of guide them to go through those steps.
0:41:55 That’s what chain of thought means.
0:41:56 And the last thing I want to say is like,
0:41:59 the cool thing about access is it can be preventative.
0:42:02 So here’s one thing that we’re already doing.
0:42:04 If you create a ticket in JIRA,
0:42:06 or if you create a Slack message and say like,
0:42:09 hey, can I get this access please in a public channel?
0:42:12 How AI can detect that you ask for access?
0:42:15 And usually the worst thing that can happen
0:42:16 is like back channel access.
0:42:18 What that means is someone gives you access
0:42:20 without following processes.
0:42:23 Now, you can alert yourself that this happened,
0:42:25 oh, this person got access without approval,
0:42:26 but the better way is to prevent
0:42:29 that from happening in the first place.
0:42:30 I think the main takeaway is,
0:42:32 there will be less and less analysts
0:42:33 because agents will take over
0:42:36 and you need to upskill them to become more engineers
0:42:38 or even prompt engineers.
0:42:39 That’s kind of one big thing.
0:42:41 The second big thing is think about now,
0:42:43 like the world is changing so quickly,
0:42:46 what you can do and what you can demand from vendors
0:42:50 or what you as an entrepreneur can implement
0:42:52 when a system can reason by itself,
0:42:54 that’s the second thing.
0:42:55 And the third thing is I believe
0:42:57 because I’m passionate about the industry
0:42:59 is that this global identity will increase
0:43:01 over the next couple of years, more and more.
0:43:06 – All right, that is all for now.
0:43:09 Obviously security is always a moving target.
0:43:11 A cat and mouse chase through progressively
0:43:15 more complex terrain with more complex tools on both sides.
0:43:17 Now, if you do have any suggestions
0:43:20 for future topics to cover, feel free to reach out to us
0:43:22 at podpitches@a16z.com.
0:43:24 And if you did like these exclusive excerpts
0:43:27 from our A16Z campfire sessions event,
0:43:28 make sure to leave us a review
0:43:32 at ratethispodcast.com/a16z.
0:43:34 We’ll see you next time.
0:43:37 (upbeat music)
Is it time to hand over cybersecurity to machines amidst the exponential rise in cyber threats and breaches?
We trace the evolution of cybersecurity from minimal measures in 1995 to today’s overwhelmed DevSecOps. Travis McPeak, CEO and Co-founder of Resourcely, kicks off our discussion by discussing the historical shifts in the industry. Kevin Tian, CEO and Founder of Doppel, highlights the rise of AI-driven threats and deepfake campaigns. Feross Aboukhadijeh, CEO and Founder of Socket, provides insights into sophisticated attacks like the XZ Utils incident. Andrej Safundzic, CEO and Founder of Lumos, discusses the future of autonomous security systems and their impact on startups.
Recorded at a16z’s Campfire Sessions, these top security experts share the real challenges they face and emphasize the need for a new approach.
Resources:
Find Travis McPeak on Twitter: https://x.com/travismcpeak
Find Kevin Tian on Twitter: https://twitter.com/kevintian00
Find Feross Aboukhadijeh on Twitter: https://x.com/feross
Find Andrej Safundzic on Twitter: https://x.com/andrejsafundzic
Stay Updated:
Find a16z on Twitter: https://twitter.com/a16z
Find a16z on LinkedIn: https://www.linkedin.com/company/a16z
Subscribe on your favorite podcast app: https://a16z.simplecast.com/
Follow our host: https://twitter.com/stephsmithio
Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.