AI-powered threats like phishing and deep fakes are on the rise and pose a fundamental threat to the efficacy of many existing security controls. It is vital for security leaders to understand this emerging threat and take a proactive approach to safeguarding their critical assets.
Watch Reveal Security Field CTO Adam Koblentz and veteran threat hunter Ryan Link as they offer unique insights into the latest trends and techniques employed by threat actors leveraging AI.
Discover the pivotal role of threat detection in this evolving threat landscape – specifically the importance of ML-based behavioral analytics employed in SaaS and cloud to protect sensitive data effectively in these dynamic environments.
Transcript
00:07
Hi everyone, thank you for joining us for Defending Against AI-Driven Threats. I am Katie Sanchez, I am the Marketing Communications Manager at Reveal Security, who's hosting this webinar today, and just a couple of housekeeping things before we get started: we'll have a Q&A at the end
00:30
and we're going to do about the last 10 minutes, so if you have questions, put them in the chat. We might bring them up beforehand, but for now just put them in the chat. And then also, as you probably heard, we're recording this, so we'll send you a copy after the
00:50
recording's finished, probably tomorrow. So the reason why we're here is we're talking about a very hot topic right now, AI, and right now we have two experts in the cyber security field who are going to share their unique insights on this topic and how we as
01:09
defenders can, what we can do to stop these threats. So our two speakers today: first is my colleague Adam Koblentz, who is the Field CTO here at Reveal. He's an expert in cyber security partnerships, engineering and strategy. And our second speaker, a friend of Reveal, Ryan Link. He's a
01:33
veteran threat hunter, he's been a security practitioner for over a decade and is currently the Principal of Threat Detection and Response at CDW. So with that I will let you guys take it from here. Thanks Katie, great to be here, joining us, appreciate it. So as Katie
01:53
said, the goal today is to kind of talk about how we as practitioners need to kind of change our defensive strategies given what we're thinking about what's going on with AI in the world and how attackers are leveraging it the same way that defenders are. Yep. So a little bit of
02:10
housekeeping: as Katie said, Ryan and I are your hosts and panelists today, and our agenda is we want to talk about some of the trends we're seeing over the last six to 12 months and how the rise of AI is changing how threat actors are working, and then especially,
02:30
you know, as we've moved more and more into the SaaS and cloud environments from being on prem, we're all remote now kind of thing, how the challenges for those special environments are exacerbated by these new trends, and then we'll kind of talk about some of the different
02:45
defensive strategies that we can talk about from a detection standpoint and also how we can implement those today in a more meaningful fashion to hopefully get us a leg up over the bad guys. So, trends and tactics. Ryan found this awesome report that kind of talks
03:03
about how AI has risen so much in terms of phishing attacks and how it's being used by the bad guys. I mean Ryan, I remember when ChatGPT was first publicly available and people were saying things like hey, write me malware that's packed this way, that does these
03:19
things in Windows, and it would just do it. What was your experience like trying to defend against that kind of thing, you know, even unsophisticated attackers having access to that kind of ability? Yeah, and you know, that's the thing, is this new trend allows folks who aren't
03:38
necessarily technically capable of performing those activities, you know, they're not programmers, they're not building their own malware, so they're able to utilize this technology to produce these threats and then
04:04
utilize them in a way that, you know, you don't have to be very sophisticated. So to defend against that is, you know, not only do you have to defend against well-deployed attackers and well-funded attackers, now you have to deal with Joe Schmo, you
04:30
know, that's in their mom's basement or just somewhere, maybe not as well built as an organized crime syndicate or, you know, a nation-sponsored attack group. Yeah, I mean I would say that even before this stuff became so prevalent and so available we
04:57
were already seeing a shift from less sophisticated attackers. Now, let's say even five years ago, the difference between what the less sophisticated attackers were doing and what nation states or well-funded, well-sponsored attackers were doing was
05:16
enormous, and the floor has risen in terms of what the, I don't want to call bad, but the less traditionally challenging attackers have already closed a lot of the gap before the AI boom hit for them, and that's, I think, in my view, driving a lot of what we're seeing in terms of
05:41
the adoption of these new techniques from AI to help close that gap further, and not even on the technical side. Like, as we've seen, I think the Verizon DBIR report said something like 80 plus percent, or maybe it was a CrowdStrike report, you know, your former employer, but like, you know,
05:58
the CrowdStrike report, I think it was like 80 plus percent of all breaches involved valid stolen credentials or phished credentials or something like that. So now if we can use AI and deepfakes and whatever else, it is so much easier to bypass that prevention control that we
06:16
trust with the help desk or the CSR or whomever, and now they're just being, you know, completely fooled by some generative AI that sounds just like Ryan Link telling them hey, I want you to reset my credentials and give me a new token. Yeah, and not only that, you know,
06:38
imagine it's not even your native language, and now you can utilize, you know, AI or various language models and produce audio that sounds and seems like it would fit directly in wherever that particular organization is located. Yeah, absolutely. I mean, we go back to
07:03
some of the biggest breaches of last year that involved an IdP like Okta or something being compromised via the help desk, right? And I think it was, what, teenagers or something that were somehow affiliated with like Alphacat or something that somehow, you
07:20
know, did that, and it's like how? But, you know, the C-level, everyone's like, but I have prevention, I have this IdP, I have MFA, I have all these things. It's like yeah, but if I can convince your IT person to just reset it, it doesn't matter. Yeah, allegedly teenagers, but yeah, as far as that
07:46
particular group goes, yeah. And that's also where we saw a huge shift in targeting. You know, not only did we have on prem, we also had other assets being attacked, and that has launched us into a new era of landscape, because it's like okay, you know, now I can't only
08:17
just defend endpoints, I have to defend against all this different technology, like your user identities, your cloud management plane, various SaaS solutions that you're using and stuff like that. So, you know, yeah, now the already
08:43
strained security practitioners who were already looking at too many logs are now having to figure out what these new data sources are all about. Yeah, look Ryan, I want you to know that when your company purchases a new SaaS solution they are promising to secure all your
09:03
data in that, and it's definitely not a two-way street, except it is. And there's often this implied shared responsibility model that's not formalized. There's no contract that you're signing when your organization buys a new SaaS product, you know. And for
09:21
example, let's say that you use Salesforce. One of the top 10 things that Salesforce recommends is to turn on audit logging in their platform. Okay, but they're not doing anything about that. That's a net new input for you and your team to have to now deal with, without any
09:45
context on what that is. So how would you even think about that? And the challenge that we have is you're limited in a lot of ways by the access controls, which we discussed are more easily bypassed than ever and often are not necessarily as robust as you'd like in the
10:02
first place, you know. And I think this is a good quote that we found, which is deepfakes and AI are the second, you know, biggest thing behind malware, and I think this all, malware includes ransomware. Like, let's be clear, ransomware is by far and away the
10:21
most popular thing for bad guys to do, because it makes them money. The only people who aren't all in on ransomware are nation states, because, you know, they have other plans. Yeah, but that's where you see your financial abuse. So imagine if you were a state-sponsored actor and you
10:45
want to inflict some sort of damage to another state. Well, you can mess with the stock market, and imagine utilizing AI for that, because now you don't have to monitor all of these different aspects of the market. You can use an automated program that, you know, just feeds you important
11:07
information and then you make the various changes to those particular markets. Yeah, and you know what, if I'm in the PLA or something and I want to mess with agriculture, I can use AI to learn a lot about John Deere tractors. That's gonna mess with a lot of farmers that
11:25
people don't realize, you know. Yeah, so I think that there's, it's not like AI and deepfakes etc. are being used exclusively by the lower end. It's just, it's raising the floor for the lower end, it's propelling the higher end into places that we didn't think were
11:44
reasonable or possible before. Yeah, and that's also where we saw an increase in supply chain attacks. You know, before, the state-sponsored folks didn't necessarily have to always utilize that, but now that's where their focus is for the foreseeable future. Yeah, absolutely,
12:07
and we kind of already touched on the challenges for SaaS and cloud, but I think, you know, one of the things you brought up that's I think really important here is okay, you've got a team, they're trying to focus on how to detect bad. Do they, like, I don't think
12:25
everyone's like Cypher in The Matrix, able to read every log file natively, right? And now suddenly we're throwing in, like, there was some crazy stat I saw, I think from BetterCloud, that like for every, you know, thousand or 2,000 employees you have, you have at least 50 more SaaS apps than you
12:43
realize, and so like all the dark SaaS, all the, whatever, right? Even if you have legitimate, not dark SaaS, and this is just you as a real company, you have 500 applications you use for different point solutions or whatever, because we have transitioned from the old days of I'm
13:02
all on Oracle, here's my thing, everyone, my business is run on Oracle. Now it's okay, you have 365, you have some Google stuff, you have maybe some, you know, Salesforce, you have Workday, whatever you end up with, with the sprawl of SaaS and cloud estate that you're still responsible for,
13:23
and again you're limited mostly to access control and prevention in a lot of ways. I mean Salesforce has some stuff built in, they have some rules engine, Microsoft has some stuff built in, you know, it's got some rules engine and some basic ML type stuff, but I think it's more volumetric than you'd
13:43
prefer as a defender. And I think for me personally I'm thinking about, you know, how do you lock down an on-prem network? A lot easier than trying to defend cloud infrastructure for the service, like we saw with the xz stuff last month or the month before. Like now
14:07
there's supply chain, you've got well-funded, we assume very well-funded, well-sponsored actors running three plus year campaigns to get into the tooling itself that you're using in your cloud infrastructure that's now accessible to the internet, not just behind a firewall.
14:23
Yep. I mean, I don't know how you would, what you would do with that. I mean, to me it's kind of a huge problem I don't think is being discussed enough, you know, because it seems to me we all just have decided over the last 10 years or so that okay, all my stuff's in
14:42
Salesforce, like okay, cool, and then what? Like, it seems to me, maybe I'm crazy, people are not, or companies are not, internalizing that threat because it's Salesforce's problem, not mine, even though it's their data. You discussing that not only is there a huge sprawl in terms of what the business
16:34
needs to be successful and to enable business, but also on our side there's so many other tools that we have to deal with that all handle these things differently or don't even take them into account, that it's really hard to really understand how do you as a
16:56
blue teamer or a defender protect your company's data or IP etc., or your employees' IP or the PII etc., if it's stored in these environments that you may have logging for and very little control over what actually happens. I mean, I think one of the things that people don't realize is
17:19
a lot of vendors actually charge you extra for the logs. So, for example, I think Salesforce is 15 to 30% of total spend to turn on logging, but it's also one of their best practices. You know, what do you do with that? Yeah, I think also, as we've seen with like Terraform, it's pretty easy for
17:40
people to, or not even just Terraform, you look at all the different CSPs, cloud service providers, and it is very easy. We've seen some of the biggest financials in the world get popped through misconfigured AWS S3 buckets or other assets, like we saw, I think it was
17:59
like maybe a month ago, where that guy found a loophole where like if you actually know a bucket ID you can jack up someone's bill. You know, all these things that people don't think about and have implications. Well, that's the thing with things that are publicly
18:16
exposed. So say you have a website. Well, if I go on your website and I pull up the developer mode on my browser, if you don't have certain things implemented correctly you may be exposing your backend infrastructure that houses that database that houses whatever sort of information you're
18:40
pulling from your back end to display it to whoever it may be, which, you know, it comes back to this topic of how do we defend against all these different attack surfaces? Yeah, you know, absolutely. And never mind Chrome dev tools, something like Burp Suite or
19:02
something, yeah. You know, like, so it's a huge problem, and I think that, you know, as we have on the slide here, we've kind of talked around this, but a lot of the detection strategies for cloud and SaaS apps are still very nascent. This is still very much in its
19:21
infancy in a lot of ways, yeah. There are many conversations I have with CISOs and top-level defenders who, if you ask them hey, what are you doing about your Salesforce logs, they might say what logs? Or they might say why are you asking that, like why do I
19:40
care? Because they aren't in the mindset of that's my data, that's my customers' data, that's my employees' data, whatever, I have to be responsible for it. Because it's not mine, it's Salesforce's, for example, you know. So now one of the things that we should probably talk about, and this is
20:01
a big one that you and I have gone back and forth on a bit: I think we all agree that if you have logs you have some things that are known bad. Like, not having threat intel is irresponsible, not having some basic rule sets, irresponsible. Like, you know, for
20:24
example, putting us back in the endpoint mindset for a second, like, you know, deleting, you know, shadow copies, that's generally a bad thing and you want to know when someone's doing that. That shouldn't be happening every day, etc. Okay, my time at Carbon Black, your time at rri, we
20:43
understand this goes like okay, shadow copies are deleted, that's probably bad. But what about the things you don't know are bad? Because, you know, you don't know what's a bad thing in Salesforce, you don't know what's a bad thing necessarily in 365, and that's a big challenge, you know, and
21:02
that's kind of why we're here today, is to talk about how we as defenders can utilize ML and AI better and not just have it be a harder problem for us when the attackers leverage it. You know, I've seen some really cool stuff, I mean I'm sure you have too, where people are using AI to generate like
21:23
Sigma rules or the equivalent for different kinds of things. You know, like, are you using this yourself? Are you trying to get this, you know, in practice where you are? I want to say it is on the roadmap, but it's one of those things, like figuring out how to best utilize all of
21:42
this stuff, because, you know, various products have ML integrated in with it, but it's, all of the stuff is still in its infancy of being able to help defenders, because ultimately what we care about is not so much the known bads. I want to know about the suspicious
22:08
activity, the anomalies, like what are some things that are interesting that are happening in my environment that are being allowed to happen? You know, and that's where, like, you have some of your various methods of, like, statistical anomalies
22:27
and stuff like that that come into play, yeah, versus, you know, depending on how, like, what the ML is integrated with, you know, you just have something that analyzes a binary and based off of a certain weight all of a sudden it's malicious or not malicious. Yeah, you know what, this is a
22:50
good time probably for me to kind of step in and explain the different kinds of, like, ML and AI etc. So I guess for the purposes of our conversation, laying this out for everyone: ML, there's trained or supervised machine learning, which is trained with known
23:07
good, known bad, and then there's unsupervised machine learning, which is really clustering. So the idea with unsupervised machine learning is you're just finding weird and anomalous, you're not trying to make a determination of good or bad. And what's also important is, we haven't hit this yet kind of
23:25
explicitly, but what we're talking about here, everything we're talking about is post-authentication. The idea is these things are happening in your environment: are they okay or not, are they normal, are they reasonable? Now I'm saying post-authentication because there are any
23:41
number of tools that do a great job of detecting pre-auth issues, IP scanning or other, you know, weird things that are involved in infrastructure, or someone's trying to do a cred stuffing attack, you'll see that in different kinds of logs. But post-auth, this is really
24:00
important, because as we've gotten more and more into the mindset of social engineering and phishing or smishing or vishing or whatever, the idea is that we are now post-auth, because the assumption is that an attacker is going to log in, not break in. The number of real zero
24:19
days that involve RCE, shell popping on applications that you don't own in the SaaS and cloud environments, is pretty low. It's now much more likely they're going to use AI to generate a deepfake or something that is going to let them log in. And we had a question come in,
24:40
actually. Ryan, can we give an example of a real deepfake that happened that caused problems? I have two off the top of my head. If you have any, please go first, but I have two that I would love to throw out there. No, go ahead, do it. All right, well, we just saw
24:56
that someone was indicted today or yesterday for using a deepfake of Joe Biden's voice telling everyone to not vote in Maine. Like, that's an example of a deepfake being used by an attacker, in this case political or otherwise. But, you know, then we also have another
25:15
example, I think it was last year, a person at a bank, I think it was in Singapore, got a deepfake from their CFO who told them to transfer $25 million to a bad guy. Well, that was not the CFO. They actually deepfaked the CFO and gave the instruction, and in a setting that, if I remember
25:38
correctly, involved more of like the exec team, so this person had like no reason to suspect that was a problem. It was such a good, well-produced deepfake that they just, there was no obvious glitching, and, you know, we are all kind of told to follow our managers or
25:55
whatever. So this person's being told by half the exec team in the room and the CFO saying transfer money. That's an example of a deepfake that you have no defense against, like, you know, unless you train your employees super duper well on some kind of back-channel process or
26:14
something to figure this stuff out. But you also could look at it from the standpoint of, well, is this normal or anomalous? And that's where the weird comes in, that's where the fun comes in. As a threat hunter you want to come and figure out, well, this is kind of weird, what
26:31
strings can I pull to see what's going on here? Yep, because known bad's easy. Known bad's been out of the box, you can buy it off the shelf at Micro Center for 25 years. That's called signatures. It doesn't matter whether it's an EDR platform, XDR platform or antivirus from 25 years ago, it doesn't
26:50
matter, like it's Dr. Martin over here, but for cloud, I guess. But the idea is that we're trying to figure out, like, okay, well, we all agree that ML is important because we need it for defense, because the attackers have it for their purposes. So if we assume that all the
27:10
bad guys are logging in and we assume that the bad guys are going to appear to be legitimate credentialed users, what do we do? And we look for deviations, you know. And I think that's something that isn't really being understood well, because it's not just deviations and statistics. You know, I get
27:29
asked all the time, you know, I have M365, I have an E5 license, so I have Defender, I have MCAS etc., I have Sentinel, why do I need something like a Reveal or something? And the answer is: we're not looking at things the same way. You know, UEBA failed. I think if you ever
27:47
tried using UEBA it went poorly, because, you know, they're built on a single baseline or some very simple models that are trying to derive abnormal via you still breaking some kind of rule. The rule is maybe trained by activity, so something like, oh Ryan, you sent a lot of
28:07
emails today, is that okay? Like, well, I'm doing a webinar today so I'm inviting people, or something like that, right? Or I logged in many times. Logging in many times is not a thing. And oh, impossible travel, I don't know, VPNs exist, you know. Like, you and I were discussing, I want to say, like, what, like
28:25
a month ago about how, oh, someone logged in from China so it can't be the PLA. It's like, no, definitely could, you know, like, they have VPNs. So I guess, you know, from your standpoint, where do you see, like, do you implement UEBA, do you implement the statistical analysis that UEBA type things
28:44
provide, or where are you right now thinking, where's your headspace at in terms of detecting, like, the anomalies of user-based, like identity-based stuff? Yeah, you know, again, it kind of comes back to that, like, statistical anomaly fact. Yes, you know, products have out of the box
29:10
detections to potentially assist you in that stuff, but it's also having that mindset of, like, okay, you know, if I was to compromise an account, you know, what do I have to potentially worry about? You know, I have to potentially worry about the geo
29:28
that I'm signing in from, because that could get flagged. I would have to potentially worry about, you know, the user agent that I'm authenticating with, and then, you know, say you do successfully log in, I don't want to just start doing things right on a
29:49
physical host. I want to see, you know, what this person has access to, and, you know, that's kind of where this AI can potentially come and assist the attackers, is now, you know, you might be able to utilize AI to start scoping the network for you. What's the
30:11
probability I might be able to laterally move, you know, via this or that? What files are potentially important? And, you know, just utilizing that stuff and automating it, that's where your breakout times are going to shorten. You know, the fastest ransomware I've ever seen in
30:31
my time was 15 minutes, and, well, in ransomware, detection is not a problem. They want you to know they're there so you can pay them. But if you can kill a campaign, a well-executed campaign, earlier by detecting something strange, that's probably a lot more valuable, you
30:51
know. Like we saw, I think it was NXP, they had bad guys in the network for like two and a half years just taking IP etc. until they eventually found them, and I'm sure there were several things that could have been caught with ML etc. But again, it comes into the standpoint of how do your SOC
31:10
analysts know what's normal or not normal, or bad or okay or good, by trusted identities in every application where you're storing data? And how do you bubble that to the top too, you know, so that you're not getting that detection fatigue for your analysts? Yeah, no,
31:32
absolutely. So we actually had, I'll kind of give some rough numbers, we had a very large hospital system that had MCAS and Defender apps enabled with their E5 licenses and they were getting over 600 alerts a month just for their SaaS and cloud apps, and that's too much even for a very
31:51
large SOC to have one source, like one input, be that noisy. And that's kind of where we come in from the idea of the different implementation strategies. So again, like, you have the logs. Step one is get the logs, and not everyone's doing that, but
32:09
step one is get all the logs, yep. Step two is do something with them, and so the challenge everyone has is what do I do with those logs? You can put them into a SIEM, put them into an XDR type platform or whatever, but I think everyone who tried implementing, you know, application layer
32:26
log detection, like layer seven logs, is having a really hard time because you don't know what's okay, what's not okay. So this comes back to the implementation strategy of unsupervised machine learning to identify anomalies, and again it's not known good, it's not known bad,
32:43
so everything that's being raised is not an inherently malicious thing, but it is worth looking into. Again, like you said, weird is interesting, it's suspicious, let's dig into it. It could not be an external attack, it could be insider threat, it could be someone who's being
33:01
negligent today. Maybe you had an admin who didn't follow process and didn't do ServiceNow ticketing on both sides of their admin activities. You don't know, dig in, find those new search terms for your hunt that are relevant to anomalies in your environment rather than the weirdness that
33:19
you're, you know, living with. So I mean, I don't know, you know, I think that people have tried doing this for years and they've been typically doing the statistical differencing things, but again I don't think that's the right move, because look, businesses are dynamic,
33:42
environments are dynamic, especially in cloud and SaaS where we are now with this hybrid model. We still have on-prem custom apps etc. How do you handle that? I mean, it's a real challenge. Yeah, no, and the thing too is making sure you have your bases covered so that you can actually
34:03
leverage these different models to assist your analysts making these decisions, so that you don't get burnout, you don't have, you know, folks running down rabbit holes because a particular detection went off and they don't fully understand what it means, so now I've got to spend 30 minutes trying to
34:25
investigate what it means and then, you know, where can I find out more context around this particular event? Exactly, and that's where you go into, now you can start searching your data lake or your SIEM with those new terms, trying to figure out the
34:43
broader context, not just the one session or journey that this identity took throughout an application. Yep, and yeah, this is one of the things that we do. Like, we actually had, I think, a fun anecdote. So again, that hospital had 600 plus alerts a month from
35:02
Defender and MCAS. We gave them five a week, and the things that we were finding were not the known bad, because they should have, the other tool already does that, and filter out the things they don't know are bad. We found things like, for example, hey, why is this admin doing
35:19
queries against, you know, other people's inboxes in 365 and then copying the emails into their inbox directly? I can give no valid use case for that versus asking someone to forward me an email. You know, it's that kind of thing that we can find, because
35:38
that's weird. Is it a known bad thing? No, it's not. There's no rule written: you can't do that. I mean, the functionality exists, and one of the things I like to point out is there's nothing inherently wrong with any single operation or action in any application, because if there was, why
35:57
would they have written it? Like, again, going back to the shadow copies, there are legitimate reasons to do this, but that's 5% of the time it's done, you know. And so understanding that it's happening and it's not happening a lot, but it's happening now, it's worth looking into. Yeah, yep. You know, and I
36:20
think we have roughly eight minutes left. I want to give some time for questions if we have any. So I think we have a few. We have the one with the deepfake example, which I think that we handled. Katie, do we have any more questions? We had a raised hand, I
36:44
don't know if that was an accident or not. If you could type your question in the chat, that would be great, if you have a question. If it was, you know, by mistake, carry on. So one of the other questions we had that came in: are the companies who make these AI models responsible
37:08
when they're abused? You know, that's a really good question, and I think that we've seen a lot more guardrails be put up recently for this kind of thing. You can still ask ChatGPT for, like, Nmap scans or, like, you know, but it won't let you generate binaries anymore that are
37:27
malware, for example. I mean Ryan, what's your perspective on that? Yeah, I think it's interesting, because if you think about it, you know, like a related topic, where we saw plenty of threat actors utilizing remote management software. Well, that's what it's designed to do,
37:49
yeah. So, you know, like, do you necessarily hold those companies accountable for their software being abused? So I look at it as, I think they should do the best that they can, but ultimately us as defenders have to prepare to defend against this being abused, because it's going to happen, it
38:12
it's happening. But yeah, so someone that we both know I was speaking with recently at kakon, and was telling me that they had an M&A event where they acquired another company, and that company actually uses, like, TeamViewer for their CSRs, so now they have to undo
38:32
their corporate-wide policy of not allowing TeamViewer, and that becomes a whole problem. And you would think that, like, a company like TeamViewer or AnyDesk would take it upon themselves to make them less attractive for scammers or for attackers, but the reality is that's also very hard,
38:51
because they're very they're scamming them too so yeah that's a good point and I guess you know another question Katie you said there was another question as well about leveraging AI is that how yeah how can we leverage AI right now for defenders so I think that's another
39:12
good one I mean you know like we discussed we can I think there's a lot of ways to do this you know I'll let Ryan I'll let you speak a lot more to the generative AI approach to defense but for me just the like what I think how we use AI and ML is
39:32
that anomaly detection you know finding those logs figuring out what's weird in the logs but I know that also you still have to have the rules so maybe like you know generative AI you know Sigma rules etc right if you want to talk more to that I think that would be a valuable
39:48
exercise yeah I mean one of the things that you could also utilize this for is actually filtering out noise you know like not just detecting the potential threats but you know utilize these various technologies to quiet down the other stuff so that maybe either known bad or potential
40:14
oddities and anomalies bubble up to the surface so that you can conquer those and remediate and then ultimately come up with a game plan of how to try to have that not happen again yeah I remember RSA like two or three years ago probably two years ago when a lot of the AI stuff
40:38
started like becoming real big there was a very large security vendor who said imagine asking questions am I safe from China and it's like there's no way that you can do that with AI but you can do things like hey write me some Splunk rules that will find this kind of activity
40:58
blah blah and that's more or less just taking the already established like Sigma rules project and beyond and just kind of like expanding it you know the idea that we can ever get into a situation where like asking questions like am I safe from China is just I don't think gonna be
41:19
realistic it's like the full self-driving car thing yeah Katie do we have any more questions in the last couple minutes we have here we got one right here when detecting threats post-auth what applications or cloud services would you recommend an organization start
41:39
with you know Ryan I'll let you think about like what your top priorities you walk into a new environment what are your top priorities on what you want to start detecting you know what do you think yeah I mean first of all you're going to want to have like that
41:54
authentication piece have all of that locked down as much as you can I understand that you know for organizations you know YubiKey may not be necessarily scalable for them or it may be too big of a lift so figuring out different ways that you can utilize these technologies to ensure that when
42:19
there's authentication you try to defend against you know even though you might have MFA well okay that's great you can still have MFA fatigue and somebody clicks the yes or you have the threat actor trick you know an individual into thinking they're actually
42:36
authenticating to the page that they are and accept that authentication hijack their session and they're off to the races so more besides the protecting aspect you also have to have that detection aspect so figuring out okay now that that user like you said post-auth now that that user has
42:59
logged in what is my ability to detect them performing or that particular identity performing malicious activity or suspicious right that's a good point I think you know you and I have both been I think primarily detection focused our careers because prevention is okay fine it exists like
43:22
you block you think you're blocking things but the question is what then because I don't care and I don't think you do either whether it's an external attacker or an insider threat the point is that this identity is being used in some way to do things that they
43:40
shouldn't be doing or are harmful to the business or the organization it doesn't matter whether it's you know some dude on his couch trying to steal your money or if it's one of your employees trying to steal money it doesn't matter so the idea is like yes absolutely lock down the IdPs
43:57
get everything behind the IdP SSO best practices yeah everyone should do all those things you know phishing-resistant MFA is great please do that yep but you have to assume breach you have to assume that no prevention's perfect every castle's got an extra wall
44:15
somewhere or extra door somewhere no one knew about or some grate whatever it doesn't matter point is they're going to get in and we have to be perfect every time they have to be right once and that's the important piece so from a detection standpoint what
44:30
applications IdP and then whatever the core business app is that your company leverages and in my experience that's going to be either like a Google Workspace or a 365 something like that is where the majority of the business actually runs and then you can start expanding into
44:49
other things like Salesforce and Workday etc and from the CSP standpoint whatever your main CSP is yeah you should be looking at all those logs leveraging every tool available to you because you know posture management is great it's awesome but you're implying
45:07
that your posture is perfect your rules are perfect and that there's no deficiencies anywhere in the platform we have seen that CSPs have had their own issues that have caused these problems so protection you have to assume breach and you have to assume that detection is required at every
45:25
step this is like the one part of zero trust that no one actually takes into consideration is like one of the last ones which is like the monitoring of the activity and right like yeah and so that's the most difficult yeah I mean you know everyone who has ever tried consuming application
45:43
logs into a SIEM said great I'm paying a ton of money for this and I don't know what I'm doing with it or they use UEBA and they're like great now I have a million alerts what do I do with these either and logging is not cheap no hey you know there's whole companies based around logging and they make a lot
46:02
of um I don't Katie do we have any more questions or are we done I think that is all awesome so yeah if you guys have any final thoughts or any key takeaways you want people to have from this or I mean I would love you know I'll do a quick wrap up and then I'd love you
46:26
know Ryan to give his closing remarks as it were you know I think we've all experienced a lot of shift in cyber security in the last 10 plus years it's only gotten harder for us in every way AI and ML is useful for us but it's also I think even
46:46
more useful in a lot of ways for the attackers and so it's going to be even more of a challenge I mean I remember you know back in the day like being able to write very clear rules on what was like things I wanted to find because the TTPs associated with those things were well
47:04
known but looking at the TTPs for Windows and Linux is a very like small confined you know set of things to consider but now suddenly the attack surface and the data sprawl it's everywhere yep and Ryan I'll let you close us out what are your
47:28
thoughts on this closing remarks yeah I would say for a defender don't be afraid to utilize these new technologies obviously you know there's a bit of a learning curve with implementing this stuff and getting it to fit correctly in your security stack
47:46
but it should be starting to be looked at to be utilized if it's not already being utilized and then the other piece I would say is more so to the business aspect don't think AI is going to replace your security individuals it's not that's a good point you still need
48:09
your security folks ultimately this is just there to help them perform their duty effectively and efficiently that's a great point I hadn't even thought about that but yet yes I mean people are looking at AI as a way to cut heads etc without losing capabilities AI is never going to have like part of
48:29
again I brought up self-driving cars there's nothing about AI that's going to solve the intuition and the knowledge aspects that we have it'll help us be more efficient absolutely but not going to cut it when it comes to actually doing an like you're not going to get a 20 page report from a
48:51
good pen tester that's ever going to come out of a generative AI or something happen so yeah Katie I think Ryan and I have talked enough yeah thank you so much guys this has been great and I think you know a lot of people are talking about this and they don't you know necessarily know
49:15
what to do about it or what's on the horizon so it's great that you guys have those insights and you know we're talking about it we're figuring it out you know as we go so yeah thank you to everyone who attended and like I said at the beginning we will send you a
49:32
recording after this call and then Reveal Security if you'd like to learn more on the slide go to reveal.security and that's about it so thank you so much for your time and have a wonderful day