How is knowledge of generative AI going to change what type of expertise we need? Will we be hiring prompt engineers in a few years? Right now there seems to be a benefit of having a generative AI domain expert for some organizations. Or will it become like putting “search engine proficiency” on your resume?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is our guest, Suresh Vasudevan, CEO, Sysdig.
Huge thanks to our sponsor, Sysdig

Full Transcript
Intro
[Voiceover] Best advice I ever got in security. Go!
[Suresh Vasudevan] In 2005, Bank of America lost some backup tapes that had a lot of PII data, and that became a really big deal. At the time I was running an encryption company called Deck Crew [Phonetic 00:00:16] that made appliances that would encrypt tapes and storage devices and so on, and our business grew exponentially, from almost 1 to 40 million, over eight quarters.
And so we invested massively in go to market, and engineering, and so on. Turned out two years later our business had halved partly because encryption started getting embedded in the underlying devices – in tape drives, in file systems – and external appliances were slowly going away.
Learned my biggest lesson then – when the underlying technology changes you have to rethink the relevance of your security approach and your security product, or you could really become obsolete.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of said CISO Series. And joining me as my cohost, it’s Mike Johnson. Mike, say hello to the nice audience.
[Mike Johnson] Hello, nice audience. I’m here. My cat is here. I’m ready for a podcast, David.
[David Spark] Your cat is useless on the show. I just want to point that out.
[Mike Johnson] She is my emotional support animal, and without her I would not make it through these podcasts.
[David Spark] Well, we’ve done live shows, and you’ve done perfectly fine without your cat.
[Mike Johnson] Sh. Don’t let her hear that.
[Laughter]
[David Spark] We’re available at ciso-dev.davidspark.dcgws.com. We’ve got lots of other programs there, too. And if you want to go back to our archived shows, they’re there. Also a lot of people don’t know… I’m going to remind people of things. One, we have transcripts of all our episodes.
Two, if you listen on your phone, which is where 95% of people listen to their podcasts, do you know that you can skip chapters, and you can go up a chapter or repeat listening to a chapter, jump to your favorite, “What’s Worse,” scenario, whatever. So, you can do chapter skipping as well.
We make that possible on this show. I do want to mention our sponsor. We have a great sponsor who’s been a phenomenal supporter of the CISO Series. It’s Sysdig: cloud security requires runtime insights. That’s Sysdig. And guess what? They’re responsible for our guest today, and we’re going to be talking a lot more about that later in the show.
But first, Mike, you’re probably wondering what is the “Barb Wire” pinball machine. Now, “Barb Wire” was a movie starring Pamela Anderson.
[Mike Johnson] I unfortunately saw that movie.
[David Spark] You saw the movie.
[Mike Johnson] I will never get that time back. So, I have to admit it and just wish I hadn’t.
[David Spark] So, you’re probably wondering, “What is that pinball machine…” Not the movie. “What does the pinball machine have to do with the CISO Series?”
[Mike Johnson] I am wondering that. I’m on the edge of my seat. Please tell me.
[David Spark] The woman who voiced it, so who did the Pamela Anderson voice on the pinball machine, is the very woman who does our bumpers on this very show.
[Mike Johnson] Really?
[David Spark] Yes.
[Mike Johnson] Wow.
[David Spark] Julie Cohen. She goes actually… Jules Nation is her name, and she’s a great voice talent. And there was a period of time she did the voices for pinball machines. I have actually played this game once. I saw it once, and I completely forgot to take a photograph of it, my stupid fault.
But now here’s the good news and the bad things… And I got to contact these guys probably after this recording. There is a “Barb Wire” that’s at a pinball location that has yet to open not far from here, but I just saw online that they’re selling it.
[Mike Johnson] Oh, no.
[David Spark] Now, I don’t want to own it. But here’s the thing, I also have to stress it’s not a good pinball machine.
[Laughter]
[Mike Johnson] I’m shocked.
[David Spark] It mimics the movie in that respect. [Laughs]
[Mike Johnson] Yeah, keeping up with the movie expectations.
[David Spark] And they only made like a thousand of these units, not a lot of these units.
[Mike Johnson] That’s about how many people saw the movie.
[David Spark] Well, it’s you and me, and so 998…
[Laughter]
[David Spark] …other people also saw it. So, if you are anywhere, when you see “Barb Wire” pinball machine, please play it. Take a photo. Even better, shoot video because we can hear the voice. We want to hear the voice on the pinball machine.
[Mike Johnson] That is awesome.
[David Spark] And that is Jules Nation. She’s the one who says on the pinball machine, which is from the movie, “Don’t call me babe.”
[Laughter]
[Mike Johnson] Perfect.
[David Spark] So, there you go. That’s where “Barb Wire,” Pamela Anderson, and the CISO Series all intersect. You never thought there would be an intersection, but now there is.
[Mike Johnson] I can now reduce my personal seven degrees to Kevin Bacon just through that story.
[David Spark] Yeah. If Pamela Anderson is connected.
[Mike Johnson] Yeah. [Laughs]
[Suresh Vasudevan] You’re picking the wrong person there.
[Laughter]
[David Spark] All right, let’s bring our guest… That was actually the voice of our guest right there. It is the CEO of Sysdig, our sponsor. So thrilled to have him onboard. It is Suresh Vasudevan. Suresh, thank you so much for joining us.
[Suresh Vasudevan] Thank you so much for having me, David and Mike.
Umm, is this a good idea?
5:02.877
[David Spark] Will the new SEC disclosure rules get more CISOs onto company boards? Now, we know boards and executive leadership suffer from a severe lack of cyber expertise. This also comes at a time when CISOs seem more exposed to personal liability than ever.
“At a time when organizations need their experienced CISOs more than ever, the SEC ruling can help turn this challenge into an opportunity,” argues Marc Solomon at Security Week. He sees the new rules as a win/win, bringing in CISOs on board seats with access to insurance while providing another person who can challenge or question the company’s CISO.
So, often when we talk about communicating to the C-suite or board we talk about speaking about cyber to people who don’t know about it, but, Mike, with a CISO onboard, that changes the dynamic. Now, have you had this situation? How does that change the way you communicate?
And do you see this SEC ruling a win for more CISOs on boards?
[Mike Johnson] The SEC rule change…
[David Spark] It doesn’t require it. I know that. It’s [Inaudible 00:06:14]
[Mike Johnson] And it was just such a… It was an interesting thing to watch it unfold. There was the original, “Here’s all the things that we want to get comments on,” and then there was all the comments. Then there was the final rule. And as you said, it does not actually require CISOs to be on boards.
It does not require any level of cyber security expertise.
[David Spark] But don’t you have to disclose the level of expertise?
[Mike Johnson] That is one of the things it does ask is what is the level of experience, but it’s actually okay to say there is none. The rule doesn’t require that.
[David Spark] But doesn’t that become public information then?
[Mike Johnson] It does, and then shareholders decide what they want to do about that.
[David Spark] Right.
[Mike Johnson] But the reality is you have to take that together with the other disclosures that talk through your risk management program and how you actually manage the risks. And if you’ve got… I’m speculating here. If you’ve got a board who has zero experience, and then you have a very well thought out and detailed risk management disclosures section then as a shareholder you should look at that and say, “Eh, this is fine.
We’ve actually got the expertise within management.” If you don’t have great disclosures about your risk management program and you don’t have board experience, that’s something where shareholders should be concerned. So, it’s really the combination of the two that matters, not just independently.
But the other thing I want to mention is you don’t actually have to be on a board to be covered by the directors and officers insurance. D&O insurance is kind of the term.
[David Spark] Yes. Yes.
[Mike Johnson] And in fact most CISOs are actually covered already, or they can be if they just ask. So, if that personal liability is your concern, you should talk with your insurance contact or treasury department probably about that particular insurance.
[Suresh Vasudevan] I was going to say, Mike, if I wear the hat of the board in this case… And so there are two things that are really impactful. The first is that the company, whether it’s the expertise within the company or expertise at the board…and it’s probably some combination thereof…has to agree on what is a material breach.
And so there’s a question of how do I decide something is material. The SEC has clearly said cyber incidents are now a matter of interest to investors, and they could impact company valuation. That’s why we want you to do an 8-K disclosure if it’s a material incident.
And so there are two questions here that the board has to think about – one, there’s a question of what constitutes a material incident. The second is there’s a disclosure once something is declared as material, within a few days, in the form of an 8-K, which means every shareholder is being asked to pay attention, and that 8-K has some rules about how you have to disclose the scope of the event and some details.
And so there’s a question of at what point does my disclosure hurt my reputation, hurt my stock price, hurt my market cap, and so on.
[David Spark] But also isn’t it like a four-day, you got to disclose…? How much do you know in four days?
[Suresh Vasudevan] Well, so the good news, David, is you can spend a lot of time determining whether something is material. But once you decide that it’s material…
[David Spark] Then you’ve got four days?
[Suresh Vasudevan] Within four days, you have to turn it around. And so you want to set up your mechanisms…
[David Spark] Oh, so that’s a big leeway right there.
[Suresh Vasudevan] It is. But if I think about, again… So, I’ve sat on audit committees, right? And so the first thing that an audit committee is going to say is, “Given that we have this obligation, we want some up front discussions about how we would decide materiality of something.” And so… Because the board is not going to be aware of every detail when an incident happens.
What the board does want to do is have a discussion with management on, “Here are the norms that we want to put in place for something that’s either material or not material.” That discussion is agreed before any incident. Typically most boards will say, “Let’s make sure we have some rules in place or some norms in place for how we’ll decide if something is material.”
Now, if the board doesn’t have security expertise to have that conversation with the management teams then it’s really hard for the board to decide even on what constitutes materiality. So, I think boards are going to step back and say, “Without enough security expertise on the audit committee or on the full board we are essentially going to be liable to not have met our fiduciary standards,” if you will.
And so I believe it’s a higher standard than just have we covered our bases by doing enough disclosure. I think they’re going to want to say we had enough expertise to guide management on how to decide if something is material, how to decide what’s to be disclosed and what’s not to be disclosed, and so on.
Ok, What’s the risk?
11:11.171
[David Spark] Are we facing a security monoculture crisis? Recently exploited vulnerabilities in Microsoft’s Azure Active Directory at least indicate the massive threat surface exposed by a breach at a single company that has such a huge user base, noted CrowdStrike’s Adam Meyers in a recent LinkedIn post and podcast episode.
Now, we know the value of diversifying our portfolios and also our Cloud investments, but we’re in an economic environment that favors consolidation. Most are running their Cloud environments across the big three cloud providers – Microsoft, Google, and AWS.
Different clouds offer different features, but more clouds require more management and more expertise. How much does, “If this cloud is compromised we’re completely screwed,” go into your cloud strategy, Suresh?
[Suresh Vasudevan] Yeah, David, if I look across customer conversations I’ve had over and over again, I do see companies that are standardized on a single cloud almost exclusively, but that’s not as often as people that have a 70/30 split or someone that has a big share in one cloud and then a second Cloud that’s not as big, or across three clouds.
And when I step back and think about what’s driven the strategy to be multi-cloud, to be honest, I think security concerns do not…as much as I’d love to believe that they’re one of the top reasons, I believe they’re driven more by economic considerations.
They’re driven by… I just met with one of the largest companies in Saudi Arabia where there’s only one cloud.
And so if you want to operate as a SaaS provider or have cloud services you’re going to go with that cloud provider. And so geographic considerations, economic considerations, considerations about if I’m going to do an open AI or a large language model.
Right now it seems like Microsoft and Google are better choices potentially than AWS. Whereas if I’m doing something else, AWS is a better choice. And so which technology I’m choosing often seems to influence that. So, first comment I would make is I think while there’s always a risk of a dominant vendor, cloud diversification is driven by many things, not just security alone, and I believe will continue to be in place.
I think there’s a bigger risk here, which is whether it’s directory services from Okta and Microsoft AD, or clouds in the form of the three big public clouds. I can pick any technology and point to the fact that maybe the top two vendors account for 80% share.
And so what is my security on the underlying technology components, on the supply chain elements that I’m bringing into place? Because I’m responsible for the security associated within Okta, right?
[David Spark] Well, you know what? Your answer echoes everything we say on this show for that matter. We rarely talk specifically about an Azure, AWS, or Google issue. We are talking about the underlying tech. Mike, what say you here?
[Mike Johnson] Yeah, it’s interesting that we’re having this discussion yet again, and it almost seems like the monoculture discussion comes up whenever Microsoft does something or something happens with Microsoft. The original conversation was Dan Geer started it in 2003, and it comes up again, and again, and again.
[David Spark] By the way, Microsoft has been a punching bag for a long time.
[Mike Johnson] They have.
[David Spark] For decades.
[Mike Johnson] They have. And a lot of that actually comes from their market dominance. It’s very easy to take swings at whoever is the biggest.
[David Spark] Everyone wants to punch up.
[Mike Johnson] Yes, exactly. That’s a very good way of putting it. And I think we’re just seeing that again – that there was an incident that really raised a lot of eyebrows. And it should have, and it’s good to have the conversation of do you trust your cloud provider.
But Suresh really mentioned it well there, that you have to make sure you’re thinking about which part of your cloud, which service that you’re really caring about. With Microsoft, there is all of your compute resources. AWS has compute resources. GCP, the same.
But your front door is your authentication. There’s a very good chance that you actually don’t have your diversification there – that you really are stuck with one vendor. I frankly remember when Okta had their big incident, what, a year and a half ago.
And there was a lot of people asking, “Hey, should we stick with Okta?” It happens every time. Not a whole lot changes. We’re going to do it again, but make sure that you’re really thinking about for your own situation where can you diversify, where can you have appropriate resilience.
Sponsor – Sysdig
16:04.792
[David Spark] Before I go on any further, I do want to talk about our awesome sponsor, Sysdig. So, here’s what you need to know. Sysdig helps companies secure and advance innovation in the cloud. That’s what we’ve been talking about. We’re going to talk more about it.
These days, building applications in cloud is a clear advantage, enabling businesses to accelerate their time to market, but the cloud has introduced a new world where attacks happen in the blink of an eye. It only takes ten minutes to initiate a cloud attack.
Ouch! Not good. So, as a result, security teams need better visibility to prevent threats and move faster to detect, investigate, and remediate tasks.
They have to protect the business without slowing it down. But how do they cut through the noise to identify and prioritize real risk? That’s where our sponsor, Sysdig, comes in. This is what you want to do. We talk about this all the time. Sysdig strengthens cyber resilience across the cloud native lifecycle by reducing the attack surface, detecting threats in real time, and accelerating incident response.
They bring risk based prioritization to reduce vulnerability noise by as much as 95% and can help businesses stop cloud attacks in real time. Kind of giving you a lot of features you want here. So, in the cloud, every second counts, and to secure every second you should check out what Sysdig is doing.
So, here’s the website you want to remember – go to sysdig.com/ciso.
It’s time to play “What’s Worse?”
17:43.336
[David Spark] Suresh, do you know how this game is played?
[Suresh Vasudevan] I have read the [Inaudible 00:17:57] show notes, so I have… I’m looking forward to this. I have no idea.
[David Spark] This will make perfect sense to you in just a moment. What it is our awesome audience sends in two horrible scenarios. You’re not going to like either one, but you have to choose between the two. Now, I take this back. This one… It’s not that they’re horrible.
It’s just two quirky differences here, okay?
[Mike Johnson] Quirky?
[David Spark] You’ll see when I get to it. But I always make Mike answer first. You can agree or disagree with Mike, but you just have to give rationale one way or the other. This comes from Paul Lanzi over at Remediant. Here is Paul’s scenario. Several senior level information security staff, that includes your CISO, spend one-third of their time attending and speaking at major info security conferences.
Okay? Or by their own choice, none of your senior information security staff including your CISOs attend or speak at major info sec conferences. Which one is worse, Mike?
[Mike Johnson] Oh, this one is interesting.
[David Spark] Yeah.
[Mike Johnson] And I would expect a quirky question like this out of Paul, so I get it. I understand and I’m going to answer it and then set it aside that it depends. But the reality is what you’ve got here is…
[David Spark] By the way, just so you know, Suresh, it depends doesn’t work in this game.
[Mike Johnson] Yeah. I’ve tried it too many times.
[David Spark] [Laughs]
[Mike Johnson] I’ll keep trying it.
[David Spark] I always shoot Mike down when he says that.
[Mike Johnson] But what you’ve got is some people who have made a personal decision, presumably with the company’s support, to be out there in the community to represent the company.
[David Spark] But they’re spending a good third of their time.
[Mike Johnson] Yes, they’re spending a good amount of their time.
[David Spark] That’s probably like… That’s practically two days a week.
[Mike Johnson] It’s a third of their time, and it’s some of your more senior folks.
[David Spark] And you need them in the office.
[Mike Johnson] Yes.
[David Spark] Or you just need them available.
[Mike Johnson] The advantage and what that gets you is the rest of the security community, potentially customers, see those people. They see those folks out there essentially marketing. And they’re able to look and go, “Oh, well, that company actually has their act together.” And it buys you some let’s call it incident capital that if something were to go wrong you actually get the benefit of the doubt.
[David Spark] You’re essentially… Their time, which you’re spending money on, is turning into your marketing dollars in a sense.
[Mike Johnson] Exactly.
[David Spark] And employment branding dollars.
[Mike Johnson] Yes, sourcing, being able to recruit new folks. The other one, you’ve got nothing. You have no presence in these environments.
[David Spark] It doesn’t mean you can’t hire people.
[Mike Johnson] No. And frankly you might not even need to do this to hire people. You might not need the marketing.
[David Spark] You may be working at a big company that everyone wants to work for.
[Mike Johnson] Exactly. Apple probably doesn’t actually speak at a whole lot of security conferences. I’m trying to go through… They certainly didn’t for a long time, and they had no problems hiring. So, you don’t have to.
[David Spark] So, that could be your “it depends” right there – what’s the company.
[Mike Johnson] It entirely comes down to what is the company, where are they spending their money.
[David Spark] This is company XYZ is who it is.
[Mike Johnson] Yes.
[David Spark] So, it could be a Google or an Apple, or it could be something much smaller than that.
[Mike Johnson] So, the reality for me… I think the worse scenario is the folks who are not giving back to the community. Where you’ve got the folks who are…
[David Spark] But you can take that hit to your security that a third of your senior staff are just not available.
[Mike Johnson] What you get back is highly valuable. You get them out there. They’re learning. They’re participating. They’re getting someone from the audience going, “Well, have you thought about blah?”
[David Spark] Also and they’re networking, making great connections. Although, I’m throwing this out, the networking could be looking for a new job, too.
[Mike Johnson] Those are absolutely the risks. The two risks are: one, it actually ends up building the personal brand more than the company brand, which can certainly happen. And it really depends on what the presentations are. And the other is that this time is valuable, and they’re not getting any real value back to the company as a result.
But in the other…the downside is there’s assumptions about the company you’re not really investing in security, you don’t care. You’re not interacting with the security community, and you’re not able to…
[David Spark] So, is that how you feel about all companies that don’t speak at events?
[Mike Johnson] It depends on the company.
[David Spark] Ah!
[Laughter]
[Mike Johnson] But it really just comes down to there’s so many benefits to doing it that it’s generally worth the costs. And so I think the second one is worse, yes.
[David Spark] The benefits severely weigh out the costs. All right. Suresh, do you agree or disagree with Mike on this one?
[Suresh Vasudevan] I actually wholeheartedly agree with Mike. To be honest, I very much appreciate the question from Paul. I don’t have much of a conflict when choosing which way to go. I agree completely with Paul that between the two… I wish it was not a third of their time, but between the two…
[David Spark] Well, I think actually… It’s interesting. I think Mike…if I remember correctly, Paul didn’t specify the time amount, and I’m the one that put the time amount. I’m like, “I think it’s got to be a good chunk.”
[Suresh Vasudevan] You made it a little bit more difficult. [Laughs]
[David Spark] Yeah, I said, “Let’s make it a third.” He didn’t specify.
[Suresh Vasudevan] Yeah, I honestly think security is a profession. It’s not a job. It’s not a project. It’s a profession. And over time there’s an apprenticeship model to security where peer learning, community learning is the only way that you’re going to really stop attackers because there’s so much knowledge sharing that’s needed.
Otherwise it’s like asking to build a missile defense system where every home is defending against enemy attack. And so if every company thinks of security as defending against every attacker all on its own, it’s really hard to win this war. And so in that sense I actually think going there and being visible and learning just is… You’re giving to the community, but I think you learn an enormous amount as well.
[David Spark] I agree. So, agreement all the way around.
[Suresh Vasudevan] Indeed.
[David Spark] Did not surprise me on this one but still a good question to ponder regardless.
[Mike Johnson] Absolutely.
[Suresh Vasudevan] For sure.
[David Spark] Kudos to Paul.
[Mike Johnson] Thank you, Paul.
Please enough! No, more!
24:21.361
[David Spark] Our topic for this episode of “Please, enough. No more,” is cloud attacks and their prevention. So, I will start with you, Mike. What have you heard enough about with cloud attacks and the prevention? And I’m sure you’ve heard plenty. And what would you like to hear a lot more about?
[Mike Johnson] I would argue that a lot of the conversation around cloud security today is really focused on detection – seeing that something went wrong.
[David Spark] Oh, yes. In fact all the cloud providers will give you a free scan to tell you how screwed up your environment is.
[Mike Johnson] Oh, and they’ll also sell you plenty of services to actually tell you as well.
[David Spark] Well, of course. You don’t bring your car in to be looked at and not get stuff sold to you.
[Mike Johnson] Exactly.
[David Spark] By the way, that’s perfectly fine.
[Mike Johnson] Yes. At the same time, a lot of what you’re hearing or what I hear around prevention is focused solely on access management, and that’s really kind of the end of the discussion around prevention. I’d really like to hear more about other types of prevention.
Maybe guardrails. Make it hard for humans to make mistakes, to mess up a configuration. Maybe rapid rollbacks. Those are some of the things I’d really like to hear more about.
[David Spark] I think guardrails would be a big win because we talk about them all the time. It just seems like you have to make them out of the whole cloth half the time. All right, Suresh, I throw this to you. What have you heard enough about with cloud attacks and the prevention, and what would you like to hear a lot more?
[Suresh Vasudevan] This is an interesting one. A very interesting one, David. Because I feel like I have a slightly sort of different point of view, Mike, in that when I talk to a lot of our customers, prospects, there is a lot of discussion around how to deploy posture management tools that tell me when there’s a misconfiguration in place.
How do I deploy vulnerability management tools, because I have to now that there are more and more mandates in supply chain security? How do I deploy vulnerability management tools that make sure that I can find the vulnerability and put in place mechanisms to fix it?
And so to me, it’s a nuance on are they true prevention in that they’re catching mistakes before they happen, or are they prevention in that when there’s something misconfigured that could be exploited you are essentially highlighting that to developers and cloud ops teams.
But overall, hardening the cloud has had a lot of discussion.
There are numerous stories about the exposed S3 bucket that has unencrypted and with data that can be exploited. Over and over you see articles about that. What I’m really worried about is that our SOC was built centered around network forensics and around endpoint forensics.
So, most SOC teams know exactly how to use endpoint detection tools to understand how an attack took place. They understand how to use network forensics. But when something goes wrong in the cloud, they don’t have the necessary tools to say exactly how did the attacker move laterally?
Once they may have exploited a credential, they then hopped from an EC2 machine to an exposed GitHub repo, stole code, and then found a secret inside a Terraform template and used that to get to an adjacent cloud account. All of that diagnostic that they need to do, the SOC teams don’t have enough tools.
So, maybe… I feel like there’s not been enough…
[David Spark] Well, isn’t…? Hold on. Can I pause you here? Isn’t, Suresh, this the whole model of like SOAR and XDR platforms trying to answer that very question.
[Suresh Vasudevan] I think the XDR drive was exactly that, which is in order to detect an attack that’s broader than just an endpoint or broader than just network, how do I make sure I can look across a wide range of sources. But much of what XDR has accomplished today is being able to centralize logs into a large repository.
But there isn’t an easy way to use all of that log data to predict whether an attack is taking place.
[David Spark] To predict? No. But I thought that the whole point of XDR was to give you the story, to show you the connections like you just described.
[Suresh Vasudevan] Correct, post an incident. So, what I’m really worried about is once an attacker gets into your cloud there’s a lot of research that has shown that it takes about ten minutes before the first exploit begins. The first exploit could be a crypto miner.
It could be ransomware. It could be data theft. So, you have ten minutes within which your XDR needs to look at all the signals and say, “I have an attack in motion.” That’s really sort of what I’m saying. There aren’t enough tools for that kind of real time attack detection.
[David Spark] Ah, so it’s operating in motion.
[Suresh Vasudevan] Exactly. Exactly. Do you have the tools to detect an attack in motion once someone has bypassed your preventive controls and is exploiting a credential or a vulnerability?
[David Spark] So, please… I got to assume this is what Sysdig is doing, so please tell me how you’re doing it.
[Suresh Vasudevan] A large part of what we focus on is exactly that. So, we created almost eight, ten years ago an open source project called Falco which analyzes workloads in the cloud and is able to do streaming detection. So, instead of having to store your data somewhere and then do detections based on centralized analysis of data that’s first processed, we are able to do detections in stream.
We started with a focus on looking at workload activity. So, just as you look at an endpoint or understand what’s happening in an endpoint, in the cloud you’re looking at container workloads, virtual machine workloads.
We gradually expanded that to look at user activity in the cloud, service activity in the cloud. So, for example if someone has just created an EC2 machine, has downloaded some sort of software that you know is a crypto miner, instead of waiting for the next scan of the cloud to detect that, we are able to do that in real time because we don’t wait for the logs to go get processed later.
And so that’s a real part of what we do is real time threat detection where in a matter of minutes you’re able to detect an attack in motion and flag an alert, if you will.
[David Spark] So, give me some scenarios that Sysdig operates best in that many of our listeners may not be dealing with right now.
[Suresh Vasudevan] Yeah, so fundamentally when you’re deploying workloads, whether they’re made up of containers or virtual machines, in the cloud and you’re using a lot of cloud services, you want to detect abnormal activity in that environment. So, abnormal activity within my AWS accounts, my Google accounts, running containers or virtual machines.
There are two problems that Sysdig is really good at addressing, and one of those is exactly that. Where we are able to track and connect the dots across a user’s activity, activity that’s happening within a containerized workload, and activity that’s happening within a cloud service.
We’re able to connect the dots.
So, for example, some user logged in without MFA. They then managed to get into an EC2 machine. That EC2 machine has access credentials to look at an S3 bucket, and they started doing abnormal read activity on the S3 bucket. How do I connect the dots across all of these?
To do that, I have to know…I have to track user activity. I have to track activity that’s happening on my S3 buckets or on my Elastic databases [Phonetic 00:31:36]. I also have to be able to look at activity that’s happening within an EC2 machine. That’s really all three of these bringing it together to know that when I connect the dots there is something risky that’s taking place, flag an alert at that point.
That’s really sort of the way we approach the problem. So, real time threat detection and response is one of the areas that we focus very heavily on.
Should you hire this person?
31:56.803
[David Spark] What does the employment landscape around generative AI look like? So, after about a year into mass access to these tools, we’ve seen the rise of having “prompt engineer skills.” Now, there doesn’t appear yet to be a role yet for prompt engineering.
Prompt engineering would effectively be generative AI domain experts that have experimented with these tools and know how to get the most out of these LLMs, large language models. And Cameron Shockell of The Conversation looked at how many of these jobs are out there, finding most tied to roles within AI specialties.
And these tools are changing so fast that what you know in one year completely changes the next year. It appears a great depth of knowledge in how LLMs work rather than having the skill to write the perfect prompt. So, Mike, I will start with you. Will prompt engineering soon be the equivalent of putting “proficient with a search engine” on your resume?
[Mike Johnson] The mention of search engine I think is interesting here, because you’ve heard the term search engine optimization.
[David Spark] Yes.
[Mike Johnson] That became a huge thing several years ago. Everyone was trying to figure out how can we game Google, how can we get our ads placed well.
[David Spark] And similarly Google kept changing its algorithm and changing the whole model of SEO.
[Mike Johnson] Exactly. The technology kept changing very rapidly. I see a lot of parallels here. I see that for a while there might actually have been people who could make a living just doing search engine optimization, but over time it became a skill.
It became a function. It became a part of the responsibility of a child, not a job in and of itself. And I think what we’re going to see with prompt engineering with LLMs… It’s early days, right? This is…we’re, what, a little over a year since this became mass, and it was in front of everyone.
So, it’s going to take some time to see how it all plays out. But ultimately LLMs, generative AI, they’re tools. It’s like a shovel.
You’re not going to see a whole lot of job postings for a person who can dig a hole. You’re seeing job postings for someone who has a job and one of the responsibilities is to dig holes, and they’re very good at them because they know how to use shovels well.
This is going to be very similar where a lot of different jobs can benefit from generative AI or from LLMs, and people are just going to become more efficient at their jobs, proficient at using search engine. Proficiency with Excel – that was a big one for a while.
[David Spark] Mm-hmm. It was on my resume back then.
[Mike Johnson] Exactly. So, you’re going to see the same thing of I’m really good at using LLMs. Prompt engineering is one of those things that I can get out of it. You should hire me because I’m a more efficient worker. I think that’s what we’re going to see.
[David Spark] All right, I like it. Suresh, my question to you, have you hired a prompt engineer yet?
[Suresh Vasudev] No, we’ve not hired from the outside, but I will tell you we have an AI team that’s working heavily with LLMs. There are two roles on that team. One role is you need to understand the tradeoffs of different LLMs because ChatGPT-4 is too expensive.
So, if you use it for everything, it’s just not viable. And so there are some areas where you can make do with other… Whether it’s a large language model or other AI models. GPT 3 may be good enough for certain types of queries and so on. Right? So, really understanding what each LLM can do and when do you need which LLM.
So, that’s exactly as you said, deep understanding of LLMs is one domain. The second one where we’ve not hired for a specific reason… It is a role we internally call an API whisperer because what we want this person to do, to have deep domain knowledge about the security problem that a user might be using our product for.
But we’re not feeding all of our data into the LLM and saying directly respond to the user with the data that a product is extracting because that is not viable. The amount of data that we analyze to answer security questions is too vast. If we fed all of that to LLMs, first no enterprise would allow us to feed all that data into the LLM.
Second, it’s too expensive. And so what we do is we have this [Inaudible 00:36:31] layer that sits between the LLM and queries our product. And so what we need the LLM to do is know how to talk to our product using APIs. And so this person needs two skills – domain expertise and teaching the LLM how to talk to our product so that our product gives the right answers back to the user.
That’s sort of what we call an API whisperer. So, it’s not quite a prompt engineer’s role but someone who’s an expert in our product, an expert in the security domain. And that, I think, will remain in place over time. If you’re a healthcare company that’s using LLMs, you want healthcare domain expertise and domain expertise in the product that you’re using the LLM to optimize and so on.
And so I don’t know what to call it, whether it’s… I don’t think of it as narrow as prompt engineering, but it is a role that requires expertise in how to manipulate.
[David Spark] Now, this is some specific expertise you’re talking about. I also want to point out that we all know how to use search engines. We all know how to use Excel. We’re all going to learn how to use these AI tools.
[Suresh Vasudev] Indeed.
[David Spark] So, I will tell you, by the way, what we’re doing at CISO Series. Interested to know if you’re doing anything else. I initially was putting all this responsibility on one person, and I go, “This is a mistake.” My whole team once a day, we are educating each other on just three cool tips we found, and we just started this.
I’m actually responsible for tomorrow’s tips. And we’re maintaining a document, but the idea is that we’ll slowly learn over time, and we’re all responsible for educating each other.
[Suresh Vasudev] Fantastic.
[David Spark] What is the greater knowledge of your team doing, Suresh? I’ll start with you, and I’ll close with you, Mike.
[Suresh Vasudev] Yeah, so our engineering program management team, one of the charters they have for the next quarter’s project is building a training program that every developer at Sysdig will go through on best practices for using LLMs as part of their day job.
And so we did a survey internally. We found only 20% of the organization felt proficient in how to use LLMs. Everybody was trying to use it.
[David Spark] By the way, I’m impressed you got 20%.
[Suresh Vasudev] I know.
[David Spark] [Laughs]
[Suresh Vasudev] Well, their answer was that they felt…20% felt they were proficient. And so what we realized is we need to qualify best practices and teach people. Even if they know, they might learn from tips and tools.
[David Spark] Were those 20% tapped to be the educators?
[Suresh Vasudev] So, they are. We’re using an external consulting firm and internal users to figure out exactly what works in our context and sort of how we can use LLMs to sort of make engineers more productive. Our support team is doing the same. They are basically playing with a tool and figuring out exactly how to bring LLM into our support process.
And so as an imperative, we decided that every function has to research tools that would be relevant that use LLMs and AI for their own function, and so that’s something that we’re trying…
[David Spark] Smart move.
[Suresh Vasudev] Some are further ahead, and some are not. But every function is researching tools that they can use built on LLMs and AI.
[David Spark] All right, Mike, is there any education happening at your organization right now?
[Mike Johnson] Oh, absolutely.
[David Spark] But I mean widespread so everyone learns, to a degree, I guess.
[Mike Johnson] What we’ve been doing is various teams have been exploring it themselves and trying to decide, “Does this work for our use cases?” The closest that I would say to your wide education was we…a couple months ago at this point… Well, when this airs, several months ago.
We had a hackathon, which was multiple teams were invited. It was a broad broadcast of, “Hey, do you have ideas? What could you do with an LLM?” Then when they were accepted, they were given resources. To Suresh’s point, these things aren’t cheap. So, we gave folks resources to then go and explore.
Some of those actually became interesting use cases that are being explored further. That’s the way that we’ve been going after exploring AI in general is just what are the use cases that are not immediately obvious for us, so we’re trying to identify those.
And then learn from that, invest further from there.
[David Spark] I think a lot of people are struggling to figure out what the use cases are, but they know some are out there. And by the way, we’re slowly discovering them ourselves. But I think with the ongoing education, that’s where sort of the seeds will be planted for us to sort of say, “Oh, you know what we could do with that?
We could do this,” kind of a thing, and that’s kind of my hope of this sort of ongoing education that we’re doing at the CISO Series. More to come with that.
Closing
41:01.392
[David Spark] Well, that brings us to the very end of the show. Suresh, you were absolutely awesome. Thank you so much, and thanks to Sysdig as well. I’m going to let you have the very last word, but first I want to remind everybody to go to cisdig.com/ciso.
So, cisdig.com/ciso for more information about cloud security requires runtime insights. Yes, know what’s happening when it’s happening so you can react in the moment an attack is happening. Thank you very much. All right, Mike, any last words on today’s topic?
Or topics, plural.
[Mike Johnson] We covered a lot of them. So, Suresh, thank you for joining us. It was really great, especially getting your experience as a CEO. I think that’s something that…experience we don’t get a whole lot on this show. We talk to a lot of CISOs, a lot of security professionals.
So, your perspectives as a CEO really came through over and over again in all of the conversations, so thank you for that. I specifically want to point people back to your points around materiality and the SEC rules. I think there was a great discussion.
I think folks could really learn a lot. Just listen to that section a few times.
[David Spark] Oh, yeah. You nailed it on that.
[Mike Johnson] And have a bunch of takeaways from that. So, thank you for joining us. Thank you for sitting down for the conversation. I really appreciate it.
[Suresh Vasudev] Thank you very much, David and Mike. Appreciate it.
[David Spark] By the way, any last words for our audience? If you have a special offer, if you want to make a big plug for Sysdig, let’s hear it.
[Suresh Vasudev] First of all, thank you very much for having me. As a company we live on the motto that in the cloud every second counts, and that’s because attackers are constantly probing your defenses. And once…if they get in, it only takes ten minutes before an exploit starts.
That’s what research has found for us. And so there are really two things that we obsess about as a company. First, as security teams and dev ops teams, how do you decide where to spend your time, how do you prioritize which vulnerabilities…
[David Spark] Oh, we hear this all the time, yes.
[Suresh Vasudev] Right. Which vulnerabilities, which misconfigurations, which credentials are likely to lead to the next breach. And so that’s the first problem we focus on. The second is assuming that no matter how much hardening you do people will make their way in, how do you detect and stop an attack in real time in a matter of minutes?
And so those are the two problems. And really what sets us apart is our deep run time insights. Leveraging our open source [Inaudible 00:43:35] foundation, we believe we have deep insights into run time production environments that allows us to prioritize which risks you should focus on and how do you stop attacks in motion, if you will.
So, if you’re interested in learning more, we would love to talk to you, and we’d love to have… Please request a demo, and that’s a great starting point to understand what we do.
[David Spark] They can show you one of these real time attacks happening.
[Suresh Vasudev] Indeed. Indeed. And we’d love to start with a demo and further the conversation. So, thank you very much.
[David Spark] Again, cisdig.com/ciso. Thank you so much, Suresh. Thank you very much, Mike. And thank you to our audience. We greatly appreciate your contributions, like, “What’s Worse,” scenarios. By the way, we’ve had a few, “What’s Worse,” scenarios that are two things, and what’s the lesser of the two good things.
Kind of like what we had today.
[Suresh Vasudev] Yeah, indeed.
[David Spark] So, we accept those as well. But we do like these disaster scenarios, too, as well. We got one recently that actually our audience has already heard that was very science fiction based. It was kind of an end of the world situation.
[Mike Johnson] Well, that’s fun.
[David Spark] So, we’ll accept those, too. Anyways, we greatly appreciate your contributions and listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, ciso-dev.davidspark.dcgws.com. Please join us on Fridays for our live shows, Super Cyber Friday, Our Virtual Meetup, and Cyber Security Headline’s Week in Review.
This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com.
Thank you for listening to the CISO Series Podcast.