Dave Bittner (14:57)

AI is kind of all the same thing, right? Like the idea that we're going to use some combination of either models or learning that's taken place on a particular data set. And there are three main things we're all trying to do with it. One is we want to get the business gains and we want to leverage it to level up our businesses or make us more productive or better as humanity. So that's one head of the dog. But then squared right next to it is how do we, as like, security professionals use it for defense? But next to that one is how does an attacker use it against us? And so there's really these three ways that we have to look at AI all the time as security practitioners, when a lot of the world is really only looking at it one way. A lot of the world is thinking about, how do I get business gains from it? And so to them, AI is like Pandora's box. Whereas to a security practitioner, we have to see all three heads of the dog.

Matt Radelek (15:50)

Well, I mean, let's continue that metaphor as a security practitioner, how do you make it so that those three heads of the dog are able to coexist?

Dave Bittner (16:00)

Some of the basic stuff like understanding where and how your organization is leveraging AI. And I think one growing concern for people is that apps that they purchased before are now getting AI embedded in them. And so something that they already bought that maybe they already did the terms and conditions with, released a new AI feature that they didn't realize was maybe using their data in a training set. So this, like, concept of, like, an inventory of, like, where you have data and how it's being used has never been more paramount than today. You need to know, like, with every kind of SaaS or PaaS application or even cloud storage that you're using, how is the data that you're exchanging with it being processed, stored and transmitted? And is it being used to train an AI model, whether it's localized to your tenant or a part of that vendor's larger learning. So I think that's one aspect of it. I think the second piece of it is endorsing it for your business. I find there are still some security practitioners and security pros that are hesitant to kind of push their business to go all in with it. But I think it's like a survive or die type of environment where you need to be using AI or your competitors are going to be using it before you, and then you should be partnering with people that have it as well. And these are all ways that you can, like, on the lower risk side, get a handle on what and how your organization is leveraging artificial intelligence. But then also get a handle on how your security teams can benefit from it while staying educated about how attackers are using it.

Matt Radelek (17:30)

Do you have a certain amount of empathy or dare I say, sympathy for folks in security who feel a little overwhelmed by all of this, that they're trying to turn those knobs to make sure that the business gets the best benefit, but at the same time they see the potential risks that are there.

Dave Bittner (17:49)

I mean, yeah, I have empathy for those people, but this is just cloud 2.0 in a lot of ways.

Matt Radelek (17:55)

Right.

Dave Bittner (17:55)

Didn't we just do this 10 years ago? What was I on a podcast and talking about adoption of the cloud and whether you were going to use box or whether you're going to use S3 object storage. And we were talking about rapid elasticity and the benefits of cloud and the resilience of cloud and new data sharing agreements. Is this really fundamentally that different?

Matt Radelek (18:19)

Well, so the notion is that the time for questioning whether or not this is going to be a thing is over.

Dave Bittner (18:26)

Yeah, it's not only over, but if you're in the mindset of this is going to be difficult, I don't know how I'm going to weather this storm. What about what comes next? Cloud file sharing services was first cloud containerization like Kubernetes and moving your workloads out of your data centers into just in time, Kubernetes clusters. That was five years ago, three years ago for a lot of companies right now. And now we're talking about using agentic AI instead of having a call center. The risk has just changed where you store, process and store the data and how the data is put at risk. It's just moved again. And so it's inevitable that it's going to move again, that it's going to happen again. There's going to be another in five or ten years from now, another major technological breakthrough that makes us all have to re question our security program. Maybe it's going to be quantum. Right. That makes us all have to question our security programs and adapt our security programs. But I think we as security professionals, to use your own language, is we have to have empathy and sympathy for our businesses. We have to usher that change in. And I think what AI really Represents is the need to have good underlying fundamental data security.

Matt Radelek (19:38)

So what are your recommendations then for the people who are trying to get their arms around this, trying to get ahead rather than playing catch up. What sort of words of wisdom do you have?

Dave Bittner (19:48)

I think the first one is you got a lot of data to protect, right? And so you could think of, I'm going to try to protect all of it all the time. Or you could also. I have a saying aim small that comes from the precision marksmanship community. Like if you aim small, you might miss small. And you should try to protect the really important stuff first. You can get a grasp around like your intellectual property or your customer data or your employee data, you know, mergers and acquisitions information. If you can focus on that really, really high value data asset, figure out where it is, where it's put at risk, what AI is using it, if any, and then make a decision about it. You'll learn a lot along the way about what you did or didn't know or what you could or couldn't answer about your data. And then you could look more broadly. The other end of the spectrum is assume everything is going to get gobbled up by some Pacman copilot at some point and make sure that you have good access control. Because ultimately a lot of AI is a test of access control. Do you have developers that can just dump an entire data set into a new model? Do you have users that can enter a prompt and access far too much information? Like, do you, do you fundamentally know the kind of data you want to put into AI or not? These are the questions that somebody needs to answer and really think about in order to get a handle on it. And it's not that hard.

Matt Radelek (21:04)

I guess I'm trying to understand the difference between being cautious and resignation. Does that make sense?

Dave Bittner (21:15)

Yeah, I'll try to give you like a customer example.

Matt Radelek (21:17)

Yeah, that'd be great.

Dave Bittner (21:18)

A lot of companies that are looking at Microsoft Copilot even still to this day are thinking about how deep do they go with Copilot and the difference between, let's say you're a 10,000 employee company, 300 users and 3,000 users isn't that much. Like what? Do you Trust those other 2,700 people? Slightly more than the first 300. It just doesn't make a lot of sense to me. Yes, like you should do an initial pilot, but once you break out of like IT and security and you start getting into business, users that you know have different interests in mind or don't know that everything is logged and monitored or could be logged and monitored, you start to get people that abuse these co pilots. I mean, the more users, the higher the likelihood that you're going to have some insider that's going to abuse something like that or some compromised account, but you're just delaying the benefits. And so I think if you pair security with productivity and you teach people how to use prompts, but you let them know that all your prompts are logged and monitored, well, next thing you know, people are sharing what good is coming of it and you're learning what data that you have exposed. But unfortunately, companies don't even know what that is. They don't realize how much of their 365 is wide open. And as soon as Copilot gets connected, all the obscurity that existed before is gone. And so now you can just use Copilot to say, well, what did so and so make? Or what were the last trades that were made? Or are we buying any companies? Or what were the bonuses that were handled that last year? Or are there any passwords that I have access to and realize how quickly it is to get answers back? So if you didn't have good data security, what does 300 versus 3,000 employees having access to Copilot do for that problem? Yeah, you know, I mean, again, like there's slightly less likelihood of exploitation because the more people, the higher the likelihood you got a bad apple, I guess. Right. But is it really fundamentally that big of a difference of a risk profile? And what about that 3,000 to your full 10,000? The same vulnerability exists. The likelihood of being exploited goes up slightly.

Matt Radelek (23:13)

Well, let me turn the question around in a way and ask, in your experience, the companies who are seeing success in adapting to this, what are some of the common elements that they share?

Dave Bittner (23:27)

They've thought about data classification and data management for a long time. Maybe it was data archiving and stale data management that drove it, like some type of compliance regulation that made them think we have to keep X data type for 5 years or X data type for 7 years, or X data type for 10 years and they knew they needed to solve that problem. And so they started to think about where their data was and what they could do about it. But a company that has a sense of access control already, even if it's only at the identity layer, is going to have a much easier time at thinking about, well, how do I make my data ready for AI than one that they think of security as like harden the perimeter and throw EDR everywhere.

Matt Radelek (24:10)

Before we run out of time. I want to touch on a report that you and your colleagues at Varonis have published. This is your state of data security report. I want to make our listeners aware of that, but also ask you what prompts the creation of this report.

Dave Bittner (24:26)

Yeah, so we run risk assessments. It's what we do. It's our go to market strategy. It's also how we engage with existing customers. And so what companies will have us come in and help them. Am I prepared for Copilot or is my data ready to connect to a large language model or can I put some type of masking or encryption in place on my databases or my snowflake to be better prepared? Can I do a cloud transformation project? How we help them is we'll come in and we'll assess that risk. We'll say, hey, you got a lot of data that's open or you got a lot of data that's exposed. And every so often when we run those assessments we zoom out and we look at like, well, what are the trends? And what we saw with the cloud data store specifically is that there's a lot of the same problems that existed in the on premises and we've had enough time in the cloud to say, yeah, like people don't use all the access that they have. There's a lot of third party guest identities or third party apps that are unverified and unregistered that have access to your data. There's AI apps that are connected to everything. And a lot of times, and I'll give you Salesforce an example, users have the abilities to install plugins and add ons either to like a Salesforce or a365 and they don't understand that they're connecting corporate data to a third party app. When they click Allow they but because they have the permissions to do so, they think it's okay.

Matt Radelek (25:50)

What are some of the key things in the report that stood out to you? Anything particularly surprising?

Dave Bittner (25:57)

I don't know. I do assessments every day so I can't say that anything is going to surprise me. But the number of third party identities that are unused and still have access to data. I thought people had better contractor management that like when someone stopped working with them, they wanted to offboard them. Maybe I just got lucky at all the different places that I worked where offboarding was like a really big deal, but I see that a lot. The amount of data that someone has access to and doesn't use doesn't surprise me. But for something that's so new, like A data lake or an object repository or like a salesforce where a company just moved there two years ago for most of your employees to have access to most of everything means you never set it up properly. And so I am surprised sometimes that we aren't investing in security from the get go when we undergo these cloud transformation projects or these like cloud migration projects, which is real common for databases to data lakes. Right now that we're not thinking about security from the forefront and we're still coming back to do it later. I wasn't expecting that to be as pervasive as it is, but the cynical part of me goes, well, why did I expect anything less?

Matt Radelek (27:05)

It reminds me of a statement I saw in the past week or so is an engineer saying, well, of course this is just a temporary solution, unless of course it works.

Dave Bittner (27:15)

Yeah, I think that's really well stated. Right? Like, like, well, we were just trying it out and then it, it kind of just worked so we stuck with it. I also, it's like, you know, you go from pilot to production and then you say you're going to do security and then the next project comes along and, and look to an extent that that's, that's okay. That's risk acceptance. Risk acceptance is a part of risk management. But where it's going to get you is when that data is private to you and ends up in a model that's served to more people. That's where it's kind of hard to get undone. Or you unleash a bunch of data on copilot that's private to your company or to smaller groups at your company. And now anyone with copilot can get to it. These things are not easy to undo, to take out of the semantic index. And I think this is the place. Why? Justfully so, some people are a bit more cautious because they don't want to get bit. But also why, I don't know that everyone fully understands the risk that it poses. All the more reason to figure out again, like aim small, what data do you not want to get there? Can you take some steps to make sure that that doesn't happen? You might learn a lot along the way.

Matt Radelek (28:23)

That's Matt Radelek, VP of Incident Response and Cloud Operations at Veronis.

Dave Bittner (28:38)

Foreign.

Unknown (28:43)

Regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track. You're not alone. But let's be clear. There is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com cyber.

Matt Radelek (30:03)

And finally, it turns out the major US airlines you know, the ones who can't find your luggage have been quietly selling your domestic flight data to Customs and Border Protection. An Investigative report from 404 Media reveals that through a data broker the airlines own called arc, airlines shared names, itineraries and payment information, all while telling CBP not to mention them by name. This cloak and dagger data deal, documented through FOIA requests, supports tracking persons of interest without pesky things like warrants. The program, known as the Travel Intelligence Program, updates daily and holds over a billion records. Civil liberties advocates are unsurprisingly unimpressed. One called it a digital age revival of the collect it all mentality. Meanwhile, Congress is starting to ask airlines why their loyalty programs apparently come with complimentary government surveillance. Turns out when it comes to data collection, the sky's the limit. And that's the Cyberwire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Helt Smith. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic Identity Threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing. To neutralize identity based threats like account, takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.