
All links and images can be found on This week’s episode is hosted by , producer of CISO Series and , principal of Duha. Joining us is our sponsored guest, , CEO, Adaptive Security. In this episode: Hiring North Korean operatives on a Tuesday AI...
David Spark
Before we start the episode, let me tell you what else is happening on the CISO Series. On our show Security You Should Know, the fastest way to learn about security solutions, we've got an episode on Cyber Risk Exposure Management with Trend Micro. Also on the latest Defense in Depth, the pattern of early adoption of security tools. Interesting gap happening between enterprise purchasing and SMB purchasing. Something both buyers and sellers should know all about. Learn more over at cisoseries.com or subscribe at cisoseries.com.
Podcast Announcer
What I love about cybersecurity. Go.
Brian Long
I love that in cybersecurity we are unquestionably the good guys. I've worked across many different industries, but it's a great industry to be in because we're doing something really good for people.
Podcast Announcer
It's time to begin the CISO Series Podcast.
David Spark
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO series and joining me as my co host, it's Andy Ellis who is the principal over at Duha. Andy, say hello to the audience.
Andy Ellis
Good afternoon folks. Or depending on when you're listening in the world, good morning, good evening, or good night.
David Spark
I was listening to a podcast. I was going to sleep last night and I don't know what the heck I was listening to.
Andy Ellis
Well, it sounds like it did its job.
David Spark
Yes, it did its job. We are available at cisoseries.com. We have lots of other wonderful programs over there. You should check them out. Just go to cisoseries.com. Our sponsor for today's episode is Adaptive Security, OpenAI's investment for AI cyber threats, next generation security awareness training. But it's built for AI email phishing, vishing, smishing and deepfakes. More about just that a little bit later in the show with our guest. Today we have a guest from Adaptive Security. But before I jump into that, we are just a few weeks away, Andy, you and I, from the Black Hat Conference. They call it Black Hat, or that whole week they call Cyber Summer Camp, because it's Black Hat, BSides Las Vegas, and it's also DEF CON. So three conferences in a row in sweltering August heat in Las Vegas, right?
Andy Ellis
One of the most inhospitable locations on the planet, right?
David Spark
Most of the people in cyber wear all black. Again, not a good idea. But here's my one complaint, and this is to all the companies that send people to Black Hat. So many companies like to tout how they're so diverse or hiring more women in cybersecurity, but if you go to Black Hat, you wouldn't know because it is about 98% male and mostly white as well. So for those companies that are touting, well I'm mostly male, this is the big thing because honestly, I will look in a sea of people there and I'll see two women. So my feeling is if you want to tout that you have a lot of women on your team, send them to conferences, send them to Black Hat. It is, I think the sort of, the patting yourselves on the back is kind of limited.
Andy Ellis
Right. I think that the way you should look at this is conferences are two things. They're both opportunities for your staff, and you should make sure those opportunities are sort of well distributed across your staff, that you're not discriminating in those. But they're also an opportunity to sort of put your representation on display, say, here's who we are. And so if you're hiring a lot of women and for some reason you decide that they're not people you want to have in public, maybe you need to second guess what you're doing. Now it may also be that women are more likely to be the primary caregiver and thus going to a week long conference is more problematic for them. But that's on you to solve, company.
David Spark
Yes. So I would like to see better representation. If you claim the representation is within your organization, represent it outside of your organization.
Andy Ellis
Yep.
David Spark
All right, let's bring our guest on. Thrilled that they're joining, and by the way, they've been a phenomenal sponsor of the CISO Series. And we have the head honcho, we have the CEO, the co-founder of Adaptive Security, our sponsor guest, none other than Brian Long. Brian, thank you so much for joining us.
Brian Long
Hey, thanks for having me on.
Podcast Announcer
Would this person be a good fit for the job?
David Spark
It used to be that hiring an employee that was a secret North Korean operative would be the stuff of an overwrought paperback novel. But now it's just a Tuesday. Case in point, a story in the Register about Vidoc Security Lab co-founder Dawid Moczadło, who almost fell for hiring two North Korean hires twice in as many months. So both candidates sailed through initial interviews with strong backgrounds, seemingly legit LinkedIn profiles, but fell apart in the video interviews with laggy and unconvincing appearances and answers seemingly coming from ChatGPT. Since these scams don't seem to be going anywhere anytime soon, how does hiring need to adapt? Andy, this isn't just an issue for security hires. Sounds like identity verification has to happen earlier in the process. What do you think?
Andy Ellis
Yeah, I think this is one of the challenges we have, which is a lot of our business processes are fundamentally designed around in person interactions and have never been redesigned for a virtual world. So we expect that we can see the candidate at some point. But Covid has completely derailed that assumption, even though for a lot of companies it hadn't even held true at that point, you were hiring remote staff in various places. But we really have to accept that we've built, on insecure protocols, entire business processes, and adversaries are going to exploit them. So yes, we absolutely need to bring more than just identity verification. But just you have to think very carefully about, oh, I'm interviewing a person and I can't watch what they're doing. This completely changes the dynamic.
David Spark
Brian, this is kind of your bailiwick over at Adaptive. This problem is going to get tougher. I mean, it's like we kind of all know that, isn't it?
Brian Long
Yeah, I mean, look, I think that we're seeing the models get better so much faster, the LLM models, that although you might be able to tell what is real and what isn't today, the ability to tell is quickly getting harder and harder with each new release. And then I think even more important than that, we're also seeing the cost of these models drop significantly. Every time that there's a big new release that makes all the headlines, oh, there's a new version of Grok or OpenAI or whatever it might be, buried somewhere in this story is that they also decreased the pricing of their prior model by 90%. Right. And when the second place model is going to be good enough to fool anyone and the third place model is also pretty good, that's when we're going to start seeing these types of attacks really happening at scale. When you can run it with almost infinite scale without spending that much money, when the ROI is going to be there for the attacker.
David Spark
So, you know, we've started doing this with my family, with my employees, where we sort of have sort of off digital ways to verify. So like having a code or saying, what did I do yesterday? Or one friend was telling me, you can create a personal authenticator. Like anyone can create an authenticator. And you know, he and his wife are always discussing financial stuff. And so when they communicate they just say, go to the authenticator, tell me what the six digit code is right now. I mean, it seems we have to kind of have a verification that sort of, I'm going to say, off the books, off the digital, off the, essentially, the normal transom. Andy, what do you think?
Andy Ellis
Yeah, so I think we do, and I love some of the early things, like I love the idea of an off the books authenticator as a stopgap mechanism. We have to recognize that the problem is we're trying to patch over that we don't know who we're talking to. And the challenge is one of the things we've seen for a long time in the BEC world, the business email compromise, which people mostly think of as, oh well, it's just like targeted phishing. No, we see cases where people have their entire infrastructure compromised and you wait for a person to get on an airplane to fake them. Right. And now the deep fakes make that worse. But if you're relying on something that has a digital basis, like, oh well, they have the Authenticator app, well, how do you know that itself hasn't been compromised? What are you doing to sort of completely validate that pipeline and make sure that what you're being asked to do is something legitimate?
David Spark
I'm going to let you have the last word on this. Brian, do we have to go off books here?
Brian Long
I think your point around having an authentication code with loved ones, with people in companies, that's going to become a new standard. But even more broadly, two things. One, I think it's just awareness. I think that the folks here and a lot of the people listening, they are still the top 1% of knowledge on this stuff and they're pretty savvy. Everyday people really do not have any idea of what the capabilities are here. And I think that the first big step is just going to be that awareness. And I think we are urgently needing to spread that awareness because unfortunately, I think the technology is moving a lot faster than the awareness is.
David Spark
Let me throw this out. And I remember I had this conversation because I remember a woman contacted me and the alarm was going off in my mother's house. And I knew that my mother screws up with not communicating the alarm code. And I actually knew the alarm code. And Jeff Belknap, who's the co-host of our other show, Defense in Depth, he said something, goes, you know what, what's the worst that happens if the alarm keeps going off? You don't tell this woman the code, cops show up, you pay a fine. Like sometimes you just gotta. If you don't know for sure, just take the alternative, which isn't probably the worst thing in the world. Andy, you're nodding your head.
Andy Ellis
Oh, absolutely. Anytime that you have this interaction with somebody who says, hey, you, can you X? Your brain should be in two different models. One is this person is an adversary, and one is this person is a friend or a helper or just needs assistance. And you should walk through like, well, what do I do in both cases? And what makes it work? Well, I can be radically hospitable to the person saying, hey, I'm at your mom's house. I just set off the alarm, help me. And I'm like, that's great, but I don't know who you are. I wasn't expecting. Now we have this all the time. Like, we have our house up for sale, we're not in it. And the realtor keeps setting off the alarm, right? They get the key, they open, unlock, and open the door and go back to their car and they forget to turn off the alarm. And so I get a call that says, hey, the alarm is going off. Do you want us to dispatch police? Now I know who I'm getting the call from. And then I get the text from the realtor. And so in that case, I'm like, the likelihood this is an adversary. And besides, like, the house is empty at this point. Like, what are you going to do where the realtor is doing an open house? You're going to rob the house? So there I'm comfortable. But in this case, like, we actually then have personal codes that are just for voice. When the alarm company calls me, they're like, I want to authenticate who you are, what's your personal code? And I have a code that is just used with them just to authenticate that I'm the person who picked up the phone.
Podcast Announcer
What about this AI security challenge?
David Spark
Speaking of AI technology that isn't going anywhere, coding is one of the prime use cases where we're seeing some of the most rapid adoption. A post on the Cybersecurity subreddit points out that AI generated code can usually pass static analysis tests, but often suffers from issues like bypassed authorization flows or missing input validation. Now, commenters on the Reddit post pointed out that even with AI generated code, the engineer who submits it still needs to own it and check their work, like in anything in this world. But others pointed out that this solution doesn't really scale, even as developers use these tools to produce more code. So are we creating a whole new paradigm for code development, or are we just now shifting code development to security and QA? So think about it this way. It's this vibe coding. Create a code for this, create code for this, create a code for that. Boom. I got something. QA, security, figure it out. Like, does that become the new development model? I throw it out. I'm sure, like, everyone hearing this is like shivering. But what do you think, Brian?
Brian Long
Yeah, I mean, I think something that Andy said earlier resonates with me here as well, which is a change in controls. I think that while we have not adjusted our controls for a lot of remote workers, we have also not adjusted our controls for agentic types of workers. And we're going to have to see a pretty significant change in those controls around looking at these agents just as we would looking at people. And because agents can behave and operate very differently and they may not have those alarm bells and awarenesses that go off that happen to people, it's going to have to be much stricter governance. I think where we are now, where you can vibe code and work with it and kind of go back and forth, this is going to be looked at as the kindergarten of AI coding. Right? We're going to see agents completely putting together entire pieces of software for folks. And as that is becoming more clear every day, it's going to lead to massive change in how we look at security.
David Spark
Andy, your take here. Again, I throw out this theory: will coding essentially be someone dictates what they want and then it just gets thrown to QA and security from that point?
Andy Ellis
So in a sense, yes, but I think that's an oversimplification. I think Brian's on the right path here. The biggest challenge is that most people don't engineer software. They're already vibe coding just with their fingertips. The AI isn't fundamentally changing the problem, which is we tend not to have software specifications. We do not know how to test the software that got written because we don't know what it's supposed to do. And now you just have an AI that's vibe coding it. And here's my biggest thing. I love people who say, well, AI will write more secure software. Like, if you have an LLM writing your software, what did the LLM train on? All of the software written by humanity to date, which is pretty dang insecure. So we're going to end up with repeats of bad software. What I'm looking forward to in the agentic world is the idea that we can say, hey, you're going to sort of vibe code to an agent, but the first agent actually writes specifications. And then you have an agent that comes in and says, okay, let's add in all the specs for how to have authentication done correctly and authorization and how to harden ourselves against all of the known vulnerabilities. In a sense, the agentic world gives us this opportunity to basically massively refactor prompt engineering, to basically say humans should not write prompts. You need AI to write prompts for AIs to write prompts before you even write code. And that at some point you're also writing your test cases out of your AI as well.
David Spark
Well, and by the way, we have solutions for this in that there are many AI tools out there. You sort of give it a prompt and they said, here's a better one for you. So this is kind of the same idea.
Andy Ellis
Right. But these are just nascent. I love the kindergarten version. Like, I don't even think we're into kindergarten yet. For when you think about how AI will disrupt the software development industry, like it's going to be to the point that somebody is like, Brian is going to say, I want to found a company to do X. And at that point you'll have a fleet of agents that will come in and be like, okay, well this is the set of features you're going to need. Let's get our front end UX developer agent and our back end UX developer agent and our software architect agent. And we're nowhere close to that yet, but that's where we're going to be. And then you're going to basically say QA becomes cheap. Like you will have QA agents. You don't have to pay humans to go do this. That's actually where we need AI more, is in all of the work that we're unwilling to pay humans to do, but desperately needs to happen.
Brian Long
Yeah, I mean, I think that the optimistic approach here, the optimistic view, is that we are in the early innings and ultimately where we're going will enable humans to do a lot of the art side of creating software. And I do think software is art. And I think there's good art, there's bad art, but it is art. And humans could do the amazing art side of that. And if we get this right, it will allow AI to enable us to not have to do all the tedious things and all the stuff that happens in the background in order to focus on the stuff that really makes it special, makes it different between good software and bad.
David Spark
Before I go any further, I do want to tell you about our spectacular sponsor, and that would be Adaptive Security, OpenAI's first cybersecurity investment. Yeah, you heard that right. That means a lot. So let me point out what we all know right now. AI powered social engineering threats like deepfake voice calls and GenAI phishing attacks are evolving fast. Adaptive helps security leaders get ahead with an AI native platform that simulates realistic gen AI attacks and delivers expert vetted security awareness training. It does it all in one unified solution. And now with Adaptive's AI content creator, security teams can instantly transform breaking threat intel or updated policy docs into interactive multilingual training. No instructional design needed. That means faster compliance, better engagement and less risk. Adaptive is trusted by Fortune 500s and backed by Andreessen Horowitz and the OpenAI Startup Fund. Adaptive is helping security teams prepare for the next generation of cyber threats. You need to learn more. You need to go check them out. Go to adaptivesecurity.com. It is spelled just the way it sounds, A-D-A-P-T-I-V-E security.com, adaptivesecurity.com, go check them out. And when you do, take a look at them, and if you want to learn more, let them know that the CISO Series sent you there. That's how you found out about them.
Podcast Announcer
It's time to play What's Worse.
David Spark
All right, Brian, you know how this game is played. Two horrible scenarios. You have to decide which one's worse. I make Andy answer first. This is a little bit of a detailed one. It's long. I think it's good. Hopefully I'm right. Good means, by the way, tough. That's the plan. Comes from Louis Zhang of AIA Australia. Here we go. We have two scenarios. Scenario number one, telemetry everywhere, insight nowhere. That's a headline. So your tooling stack is textbook, enterprise grade. You got SIEM, SOAR, EDR, NDR, DLP, CSPM, IAM, you name it. You got everything. Probably some stuff you don't need, but it's all deployed. Logs stream in by the terabyte, dashboards glow with KPIs, alerts never sleep. But context is completely missing. So you got no business driven threat modeling, no meaningful data classification. The CMDB is outdated or incomplete. Asset criticality is anyone's guess. You're drowning in detections. You can't triage. Patching blind and reacting to noise without knowing what really matters. Sounds awful, right?
Andy Ellis
But it sounds like at least patching blind means at least there's some patching. So there's like a tiny beacon in there, okay?
David Spark
Something's happening. I mean, you know, it's like a thousand monkeys in front of typewriters.
Andy Ellis
They got something, right?
David Spark
Leadership sees a shiny tech stack and assumes you're secure. They cut funding for future proofing, AI, automation, scalability. You're equipped with tools, but not defense. The good news, you'll keep your job at least until there's a breach, which we know will happen. All right, that's scenario number one. Okay, scenario number two, context rich, capability poor. So you're strategically aligned with the business. Threat models are current and asset maps are accurate, risk is contextualized, and execs understand cyber in business terms. That sounds great, but your environment can't keep up. Tooling is legacy and fragmented. Talent has walked and you've got no backfill. Detection relies on humans, not machines, and integrations are brittle or non existent. Automation is a dream deferred. You know what to defend and why, but you cannot scale. You cannot respond fast, and you cannot modernize. The business is supportive, at least mentally, but the budget only stretches to compliance checkboxes. You're not flying blind. You just can't take off here. All right, Andy, which scenario is worse?
Andy Ellis
So I think what's fascinating about this one is that these are actually two scenarios that are both better than the norm for a lot of companies. A lot of companies have neither the context nor do they have the infinite telemetry.
David Spark
Yeah. But the thing is, in both of these, they're extreme good on one and extreme bad on the other. So yeah, very few companies have extreme good in either end, but most companies.
Andy Ellis
Are basically bad at both of these. So this is one of those fascinating ones of like, oh, I'm so good at something in a way nobody else is good at, but I'm just as bad as everybody else at this other thing. And so this one's a fascinating challenge, and I think I have to look at it from a couple different perspectives. Right. So let's look at it from the career perspective of the person in charge. Right. So in one of them, you get to play with a lot of technology. You're padding your resume, your whole team's very happy. They get to learn all these techs and they're sort of the classic information security trope of completely disconnected from the business but has cool technology, like knows a lot of what's going on, but not why or what it means. I think that's a trope that we have. And there'll be a lot of people who'd be happy in that situation. And so you should sort of honor that. And there'll be people who will love that situation because it's good for them for the short term. And that's the first scenario. Second scenario. In a sense, from the business perspective, this is a much better scenario because the reality is, I think one, we in the security profession have too often believed that it is our job to solve problems. Right. And what's being pointed out in this one is you can't solve any problems. We don't have the people to do it. But the business knows what the problems are because you have the right alignment with them. Well, it's the business's responsibility to solve problems. So I'll be honest. If I have to pick between these two, I'm going to say the first one is worse because you are spending a lot of money and providing no.
David Spark
Business value, and the business believes you're doing well in the first place, and.
Andy Ellis
The business thinks you're doing. They have outsourced to you risk awareness. They're not aware of any risks. They think you have solved the problem, but you have not. And so they're really happy. You're checking all the boxes. It's great.
David Spark
But you brought up a good, hold up, I'm gonna argue back with you. You brought up a really good point when I was reading that, saying something's getting patched. I don't get any sense anything's happening in the second scenario, right?
Andy Ellis
So the second one, it's hard to say, like, what's actually happening. But in a sense, if the business knows that they're not investing in security, which was very clear in that one, the business is like, great. Security is really important. We can't afford it. Your team is under resourced, kind of sucks. And you're gonna be very stressed in that. Like, the CISO in that world is not happy. But I actually think you're gonna end up with potentially better business outcomes. You're certainly not wasting money on security that you're not actually doing anything with. So I'm gonna reluctantly say that the first one, and I worry that Brian's gonna be like, ah, I completely disagree.
David Spark
I hope so. That's what I'm hoping for.
Andy Ellis
I think that the first one is worse simply because you are spending money and getting no value out of it. But you have a bunch of happy vendors.
David Spark
That's good. Happy vendors, which, I mean, Brian could get behind that.
Andy Ellis
I'm gonna put Brian on the spot. Now, if Brian goes in, I basically said, oh, Brian, you're just doing it because you're the happy vendor that you're there buying.
David Spark
All right, Brian, what's your answer on this one?
Brian Long
Yeah, you know, I was pulled in by the happy vendor closing there. That drew me. And I was initially going to say that the second one was worse, because I like that with the first one, it seems at least that you have the opportunity to do something about the problems. It seems clearer that there's something that you can push and maybe draw attention to.
David Spark
I get the sense also in the first scenario, there's more physical action happening, where there's not much happening in.
Andy Ellis
The second scenario, but it wasn't clear to me that there was a valuable action happening. You see this in a lot of SOCs, right? They're chasing alerts.
David Spark
No, no, no, no, that's true. It's not valuable.
Andy Ellis
But the fact that you're closing alerts and investigating things doesn't mean you're actually doing anything for the business.
David Spark
It could be a whole Sisyphean scenario in the first one, right? It could be. But at least the rock is moving, even though not too far.
Andy Ellis
Yeah, the rock is moving side to side, crushing one foot, then the other one.
Brian Long
There's something you could put in board slides and draw attention to and say, we did X, we did Y, we did Z. And even if everything breaks one day, you can still point back to all those slides. So. Yeah, but I did like, also the point around just being able to get a lot of great experience, understand a lot of things, because when that day does come, you'll have a lot of nice things on your resume to get the next job.
David Spark
So. Hold it. So you are saying the second one's worse or the first one's worse?
Brian Long
I've kind of gone back and forth, but I think that the second one is probably worse.
David Spark
All right, so he's against you here on this one, Andy.
Andy Ellis
Yep, that's good. I have noticed this, and I have to go back through and now, like, rescore everything, that on sponsored talks, when I do What's Worse, that's where we get the most disagreement. I love it.
David Spark
Brian, we love it when you disagree with Andy. So keep it up.
Andy Ellis
Please. Enough. No more.
David Spark
Today's topic is deepfakes. We started the show talking a little bit about this. Andy, I'm going to ask you about this, and it'll be interesting. We should revisit this topic in just a few months because this is a moving target. But I want to know, what have you heard enough about with deepfakes, and what would you like to hear a lot more about?
Andy Ellis
So I've heard enough about everything about deepfakes, but my top thing is this presumption that deepfake detection alone is going to be interesting, because it presumes that people will not be using deepfakes legitimately. We are already slightly deepfaking ourselves, virtual backgrounds, things of this nature. My expectation is, and I'm surprised it isn't mainstream already, but that within the next year or so, it's gonna be pretty mainstream that you're just gonna have a cleanup agent running that'll basically be like, yeah, I know what you look like at your best. I've got your profile photo. Let me remove reflections from your glasses and deal with the fact that you forgot to shave this morning and just clean up your imagery. And that is a deepfake. Like, we will be deepfaking ourselves. And so any solution for deepfakes that relies on, I have detected that there is a deepfake technology being employed, fundamentally is uninteresting. This is a deepfake itself. Even when we're doing nothing else, we've got weird video, we've got post processing. Let's get past that and talk about what do you do when this is happening, when there's an adversary involved, that's not just, oh, I tell my users that there's some deepfake technology that happens to be running here.
David Spark
I think it gets down to this whole concept of verification and zero trust, that whether deepfakes exist or not, we should follow these procedures kind of a thing.
Andy Ellis
Right?
David Spark
All right, Brian, I throw this to you. Same question. What have you heard enough about with regards to deepfakes, and what would you like to hear a lot more about?
Brian Long
Yeah, I mean, look, I think just to first address Andy's point on deepfake detection, I tend to agree with that. It's definitely not going to be the end solution. It may be a filter, right? It may be able to filter out 60, 70% or whatever it is, but also the models are getting so much better, so much faster, et cetera. You're going to be playing that arms race. So I think TBD, there could be value on the filtering side. I think what to me we're not talking about enough is, when you think of deepfakes, you're thinking of the, oh, okay, we're going to make something with your likeness or your voice. I don't think what's being talked about enough is something we call deepfake personas, which is all of the context and open source intelligence about an individual or a company that makes these persona deepfakes super intelligent. And that doesn't need to be someone that's on a video. In reality, most interactions are not happening over video.
David Spark
This is a really good point.
Brian Long
It's going to be happening over voice phone calls, SMS messages, WhatsApp, any number of different communication channels, you know, Instagram discussions, LinkedIn, whatever. It's going to be happening over email, obviously. It's happening across all these channels. And the amount of context, the amount of OSINT that you could pull off of the LLMs now is staggering.
David Spark
Let me actually just add something. I remember interviewing a hacker. This goes back many years ago, before AI was in vogue. And this was the very question I asked of the hacker, what's the big difference between hacking now and five years ago and the very issue you're bringing up? Because the amount that I know about you, way more, way more.
Brian Long
It's way more information. But I think also on top of that, because the models allow us to input a tremendous amount of information and say, hey, use this to figure this thing out, it can actually use that information at unlimited scale. And I just think that the information that's out there. One recent example that we used was, just using a LinkedIn URL on an LLM, we were able to find out the name of one of our employees' five-month-old daughter, because his wife had posted a job listing where for the first 20 seconds it included the child's name in the job listing on one website before she auto saved the difference. So that's something that previously it would have taken a very long time to dig and find, but the LLMs can now all find and index instantly, and you could hit it and get incredible amounts of data. And that's really where we're going to see these attacks coming from, is these personas, not just this kind of. To me again, we use this kindergarten example, like sure, sure, I can make me look like Andy, that's fine. But to truly be Andy, to know everything about you and that your house is for sale and that I'm going to be able to know what type of alarm system you use and your family members' names and all that stuff in real time, and do that a thousand times a second across many different attacks. That's where the difference is coming.
David Spark
By the way, this is the common response I have when people don't seem to be worried about online privacy, because the common response is, well, I got nothing to hide. And of course it's not about what you have to hide, it's about what information you have out there that others will use against you. So let me, let's skip to... I want to talk about what Adaptive Security is doing in this area. Let's skip ahead here. How are you dealing with this very issue?
Brian Long
Yeah, look, I mean, these AI attacks are growing at a blistering pace, and at Adaptive Security we're trying to protect people from this next generation of social engineering attacks. So deepfake personas, SMS-based phishing, voice-based phishing or vishing, and generative AI email. And what we do is we actually simulate those types of attacks. So we build up these huge OSINT models on companies, and then we run simulations over real-time deepfake voice phone calls, over SMS, over generative AI email, to figure out where the controls are weak at a company. We also pair this with an incredible security training software suite that helps bring awareness to employees about these types of next-generation attacks. And we do it in a way that's really personal to them. So it includes OSINT about them in the training, or deepfakes of employees and interactions within the actual trainings, all that sort of stuff, to make it really engaging and real for them.
David Spark
Let me ask, because one of the things we always hear is, I don't need just my problems pointed out, I need solutions here. Do you, then? And also, given that you're dealing with so many customers, you must be able to sort of create a good playbook on how to deal with this. Yes? Do you help your customers in this way?
Brian Long
Yeah, yeah. So there are also playbooks on how to deal with these issues. And I do think that the first step for a lot of companies is (a) understanding the problem and then (b) spreading awareness of that problem. But I do think there's another step there, which is, okay, if I can basically take all the data that's out there and I can run attacks on myself, figure out what those attacks look like, the other big step is I need to update my controls today. Companies, when they talk about controls, they're like, oh, okay, well, I have a system where no one can request a wire transfer without this. And you're like, it's way beyond wire transfers. There are so many other things at the company that currently, as Andy was talking about before, were built for this in person. Handing someone a file and saying, go do X, or, you know, approving Y at an office, is very, very different from where we're going. And that's really it: those controls are going to need an update. You're going to have to do an LLM audit of your business.
David Spark
So let me, speaking of that, let's close with this question, and that is: in all your research and all your testing, what has surprised you as, oh, this is a way an attacker could get in and take something that nobody has thought about, and we only saw this through testing or dealing with a customer? What has been your biggest surprise, Brian?
Brian Long
Yeah, I mean, I think that traditionally, when people think about social engineering, they think about it coming from authority figures, and authority figures being used to kind of push urgency and push timing to get people to do things, right? That's the traditional way of thinking about it. Something that we're seeing be more effective is when someone in the middle of the organization, who isn't necessarily an authority figure, is able to actually ask people for things as a favor, as for help, as for just everyday life, in order to either gather information or get someone to do something. So I think that instead of our prior view of these attacks always sort of coming with impersonation from the top down, we may see it come from the middle up or the middle out, which is a little different way of doing it. Most people just view it as someone's going to impersonate our C-level execs.
Podcast Announcer
Are we having communication issues?
David Spark
If you needed another reason not to trust SMS as an authentication factor, well, we've got you covered. A new investigation by Lighthouse Reports reveals that millions of "secure" login codes from Google, Meta, Amazon and over a thousand other companies were flowing through the network of a controversial Swiss contractor linked to surveillance operations. The company, Fink Telecom Services, had access to nearly 100 million data packets containing not just the supposedly secret codes, but often the account names and phone numbers as well. This exposes a fundamental flaw in how SMS two-factor authentication actually works. To save money, tech companies don't send codes directly to users. Instead they rely on a sprawling network of subcontractors using lowest-cost routing, where each middleman promises to shave costs in exchange for market share. But any of these middlemen can see everything that passes through their system, which is, you know, not great. So those codes that say "do not share with anyone" may have already been shared with just about anyone. As an industry, we're already pushing to abandon SMS authentication entirely, but we won't be there for a while. All right, Andy, given these systems are mired in B2B deals you have no visibility into, is there any way to have confidence in the SMS supply chain, or is it going out and we're screwed?
Andy Ellis
Long question. To get to a really simple answer: you should have no confidence in SMS, even if you are hand-texting the codes to your customers. Let's just start from that. The way in which SMS is structured is not designed for security. So no, if I've got my customer support, I've got somebody in the back room who's frantically typing, Dobby the house elf on his fleet of iPhones sending people codes, I still wouldn't rely on it, because you can't trust the telecom vendors themselves, who are required by law in many places to make it easy for law enforcement to capture those, and those then create backdoors that other people can exploit. Now, once we add in the automation vendors who are going to make it cheaper and they're sitting in the way, all that you have done is added people, which adds risk, and none of the additions are reducing the risk in any meaningful way. Like, sometimes you add a vendor that increases risk, but their addition reduces risk on other vendors. In this case, no, you just keep adding more and more people. You have gone from having Dobby the house elf sending the message to a whole network of house elves and other people, and you're like, literally, writing SMS codes, taping them to passenger pigeons' feet and hoping that they fly in the right direction is functionally what we're equivalent to. And anybody can read them. No, we shouldn't have any faith in SMS 2FA. You should not be using SMS 2FA. If you have a relationship with somebody, you should have some form of an out-of-band authenticator app.
David Spark
Brian?
Brian Long
Yes, it is an easy answer. I mean, look, with my last company, called Attentive, we sent over 50 billion SMS messages last year. And I was always surprised, when I was running that company, that whenever you thought that there wasn't an additional middleman, there was an additional middleman. It's definitely one of these places where you end up going through eight different vendors before it actually reaches the end. And as Andy alluded to, whenever you're adding that complexity, there are additional steps, there are more opportunities for something to go awry. I do think that there are some good ways to try to go more directly, for sure, but you do generally need scale in order to be direct, and not a lot of businesses have that scale. So as a result they end up going through more and more middlemen.
David Spark
All right, well, that brings us to the very, very end of this show. Thank you very much, Brian, and thanks to our sponsor, Adaptive Security. Thanks for supporting the CISO Series. Remember, Adaptive Security is OpenAI's investment for AI cyber threats. They're your next-generation security awareness training. They're built for AI email phishing, vishing, smishing and deepfakes. Go to their website, adaptivesecurity.com, and let them know you found out about them from the CISO Series. By the way, did you, when you were creating your company name, did you think of, like, any of these other, like, weird words? Where did you have, like, a silent Q in the middle of it? Brian?
Brian Long
Yeah, you know, there are schools of thought. People want to pick a name that's unique, and then there are other people that want to pick phonetic names. I've always been on the side of phonetic. And then I always pick names that start with an A, because I want to be at the top of the sponsors list.
David Spark
All right, well, thank you very much. Now I'm going to let you have the very last word here. Is there any special offer you'd like to give to our audience? And are you hiring too?
Brian Long
Yeah. So in terms of a special offer, for anyone that visits adaptivesecurity.com and comes in and pings a demo and mentions the show, we will offer you special rates, a special discount, and in addition to that, we also are going to make a custom deepfake attack for you that will do a simulation of anyone you want in your team's voice, with full AI synth behind it, so you can have a real conversation with anyone you want through our tool to understand some of those simulated attacks, with their approval, of course. So really special there. It's pretty wild.
Andy Ellis
You should do one of David Spark interviewing them for a podcast.
Brian Long
Yeah, we could. We could definitely do David Spark.
David Spark
There's plenty of audio of me out there. I know that.
Brian Long
All we need these days is really three seconds. You know, 10 seconds is best practice.
David Spark
But it's three to 10 seconds. There's. I don't know. There's decades of my audio out there.
Andy Ellis
I don't know if we can find 10 good seconds of data.
David Spark
You can definitely get more than that.
Brian Long
It's gotta be good, though.
David Spark
Well, thank you very, very much. Are you hiring over at Adaptive Security?
Brian Long
We are, we are. We're hiring across every function. Super excited. Everything from engineers to marketers to salespeople and everything in between. So please also visit our job site. Just go to adaptivesecurity.com, go to About the company, and there's a whole set of job listings there.
David Spark
And do mention that you heard it on this show, by the way. This sounds like, I mean, like fun because you are in a super hot growing field right now. So it's always fun to be in a growing field as well.
Brian Long
Yeah, it's a lot of fun. And we just raised a bunch of additional capital from OpenAI, OpenAI's first and only cybersecurity investment. And I think they're seeing what we're seeing, which is a large uptick in these types of attacks. Look, I had a lot of these conversations 18 months ago where maybe, like, 5% of people had seen this type of sophisticated deepfake persona attack. Now it's like 40 to 50% of people. So it's grown quite a bit in the last 18 months.
David Spark
Excellent. Thank you very much, Brian. Thank you very much, Andy. And thank you to your company, Brian, Adaptive Security. Remember, go to their website, adaptivesecurity.com. Huge thanks to our audience as well. You know, I say it all the time, but I mean it. I don't know how I convince the audience that I truly mean it, but I do mean it. We greatly appreciate your contribution. Send in more "What's Worse" scenarios. And thanks for listening to the CISO Series Podcast.
Podcast Announcer
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.
Hosts: David Spark, Andy Ellis, Mike Johnson
Guest: Brian Long (Co-founder & CEO, Adaptive Security)
Date: September 16, 2025
This episode dives deep into the evolving cybersecurity landscape, focusing on challenges and adaptation strategies around hiring in a remote world, the implications of AI in code generation and social engineering, the realities of deepfakes, and the persistent insecurity of SMS-based authentication. The hosts and guest explore not only technical controls but also the cultural and organizational factors that must change to keep pace with threats, offering candid, practical, sometimes humorous insights for practitioners and business leaders.
[02:23-04:07]
David Spark [03:17]: “If you claim the representation is within your organization, represent it outside your organization.”
[04:33-11:40]
Andy Ellis [10:20]: “Anytime you have someone saying ‘Hey, can you X,’ your brain should consider: is this person a friend or an adversary?”
[11:46-17:04]
Andy Ellis [15:30]: “Humans should not write prompts. You need AI to write prompts for AIs to write prompts before you even write code.”
Game starts: [18:50]
Scenario 1 – Telemetry Everywhere, Insight Nowhere:
Scenario 2 – Context Rich, Capability Poor:
Debate Outcomes:
[26:27-33:38]
Brian Long [29:41]: “The amount of OSINT you can pull off the LLMs now is staggering.”
[34:56-38:54]
Andy Ellis [36:28]: “You should have no confidence in SMS… If you have a relationship, use an authenticator app.”
On AI Social Engineering:
Brian Long [09:03]: “Everyday people really do not have any idea of what the capabilities are here… The technology is moving a lot faster than the awareness is.”
On Deepfake Attack Scaling:
Brian Long [30:02]: “They [models] can use information at unlimited scale… That’s where the difference is coming.”
On the Meaning of Security Stack Investments:
Andy Ellis [24:14]: “The first one is worse simply because you are spending money and getting no value out of it. But you have a bunch of happy vendors.”
This summary captures the candid, direct, and sometimes witty style of the hosts and guest, condensing a lively episode filled with timely warnings and actionable intelligence for security practitioners and business leaders alike.