Podcast Announcer (12:36)

What'S your 2am Security worry? Is it do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's v a n t a dot com cyber.

Dave Bittner (13:41)

Ben Serry is co founder and CTO of Zafran. I recently sat down with him for information on the trend of AI native attacks.

Ben Serry (13:52)

I think there is a great interest in this field and how it can actually be a force multiplier for practitioners in their day to day. I think there is still a question about how much of the human should be still in the loop and be the one controlling the AI or how much agency essentially should the AI be given. But I think there is the basic of it. There is many, much, much curiosity and wonder about what is the opportunities of this market. And this is a great thing for innovation. This is a great opportunity for companies like ourselves and others to offer new solutions and see how the market reacts.

Dave Bittner (14:32)

Well and I suppose it's fair to say to a certain degree it's a necessity because the adversaries are adopting this rather quickly.

Ben Serry (14:42)

That is completely true. Attackers have been observed to be using AI to exploit vulnerabilities, to develop malware, to scan the Internet and find and find prey. And unfortunately they've been very successful at it. And so defenders need to up their game and to see how they can also Adopt new tech to better defend themselves.

Dave Bittner (15:09)

So what are some of the opportunities that you see here in terms of using this technology to better protect people?

Ben Serry (15:17)

So being a bit technical, I think from a technical perspective, LLMs and agentic AI, the potential of it is to be a great tool to analyze text. That is the basics of it, right? That's how it began. And many of our problems also in cybersecurity include unformatted non structured text. And there is expertise into understanding this text. And this is why vendors are required to train or to at least guide the AI towards sensible outcomes. But at the principle of it, at the basis of it, it's a tool that is awesome, that is really incredible at analyzing text and reacting to it. And from that and from there it can create plans. And from plans it can also do actions.

Dave Bittner (16:06)

What are some of the specific things that you see there being a future here?

Ben Serry (16:11)

So in our field of exposure management or continuous threat exposure management, there is a just a huge pile of vulnerabilities that practitioners need to deal with on a daily basis. Many of these are actually false positives that are not exploitable vulnerabilities in their environment. But it's very difficult for practitioners to know what is false and what is true. Some automation in existing tools in CTIM like Safran already provide great context to be able to better prioritize and understand this data. And then agent technology can come on top of that and actually also make sense of that last mile. I understand that I have an impact. Is this impact actually relevant for me? And then how can I remediate it? So connecting the dots between potential impact to actual impact to remediation plans, concrete remediation plans, is something that we are seeing that the genetic technology can be a great opportunity in.

Dave Bittner (17:14)

How do you recommend that organizations balance the need for putting guardrails on this technology, but at the same time taking advantage of the speed with which it can do things?

Ben Serry (17:28)

I think it's the beginning of it is here in the loop that is essential. And so it's twofold. I would say let me, let me go back. It's twofold. One is you have to understand how the solutions that you are buying in this field, how they work. So you can't just connect them and trust them out of the box. Each solution that takes on a gentic topology needs to implement on its end. A guard rules. What data does the tool have access to, what tools it can then interact with and at which points will the human be in charge in approving actions. So it's essential to understand guardrails that are provided by vendors. And then it's essential to ask what would the human be validating in this process? It's not only I would approve what is present off me. I also need to be a feedback loop to be cognitive of the fact that AI needs to be validated at our current stage. We have all experienced the fact that it can hallucinate, it can come up with wrong evidence or distorted realities. And the human needs to be also a guardrail in that sense. But I do believe that not far from now, humans will try this tool on, in our field, not in other fields. They'll find the 90% or 98% or 95% of cases where it is accurate, where it is offering them good advice. And then there's an opportunity to automate further and say, okay, for these actions, for these insights that you're providing, you don't need me in the loop. You can provide that as a report. I can get that offline, right? So starting with human envelope, that's required. But as trust is gained, there is opportunity to do more.

Dave Bittner (19:23)

What sort of results are you and your colleagues seeing here? What does success look like?

Ben Serry (19:30)

So what we have published is research and a blueprint of how agentic tech can also be the remediator of vulnerabilities in production environments. So there are various types of vulnerabilities and various types of environments. And what we found is that you are giving an instruction to the agent. Here is an asset. It has a certain exposure, a certain vulnerability. Now investigate that in depth. Understand the potential impact of patching this. What will it do to my system if I actually remediate it? Because that is a primary risk, not only the cyber risk, but the operational risk of remediation. So understanding dependencies, understanding interaction between different parts of your system is one thing that we found that it can be, it can do very well. And then that second half is. It can then simulate the path or offer actual scripts, create code that will do the remediation. And that makes sense because these models by Anthropic, for example, have been trained on code, so they know how to produce code. That is one of the use cases that they are doing very good. And doing patching and doing remediation involves creating these upgrade packages. So that piece came quite natural to these tools to do because they have been trained on doing code. So to summarize, they can actually be a remediator of vulnerabilities. They can be one that interacts with your endpoints and or your servers and offer concrete plans to how to do the patch. And that is a huge gap on how predictors are trying to do that today. And we are seeing that as a huge opportunity.

Dave Bittner (21:19)

For folks who are curious about this or think perhaps it's a good fit. What sort of questions should they be asking, what sort of things should they be considering to discover if it really is a good match for them?

Ben Serry (21:33)

I think like a very basic question to ask. It's, it's about AI, but it's not only about AI is do you believe in your current state that you are able to actually remediate everything that you're impacted by or to actually prioritize? Well, have enough context to know that you are patching, you're remediating against the threats that are going to pose the most risks to you. And that is basic and basic questions that needs to be asked continuously. And now as attackers are using AI, that question needs to be asked twice as much because the speed in which attackers are able to exploit vulnerabilities is not matching the speed in which defenders are able to remediate against emerging threats. So the combination of the two means that there is opportunity for attackers to be much, much faster. And they don't need to find zero days vulnerabilities, they can just exploit vulnerabilities that were known for some time. So from the corporation's point of view, he needs to ask himself, is there a tool that I can take on, agentic or otherwise, that can allow me to actually be much quicker than I am today and maybe to also shorten the gap not only between attackers and defenders, but also between security and it. Security used to have one job is to say, this is critical, go ahead and patch it, and then it takes it on. And does the remediation side, one of the questions I think that practitioners need to ask themselves, can I shorten this gap? Are there cases where security can be while acting on the remediation side? Can I provide more context and more practical tips to it on how to attach as well as to the DevOps and to the engineers? So I think that is the main question. Can we be faster with this tool? Much, much faster.

Dave Bittner (23:33)

All right, terrific. Well, I think I have everything I need for our story here. Is there anything I missed? Anything I didn't ask you that you think it's important to share?

Ben Serry (23:43)

Yes, I think one of the elements that we're seeing becoming a growing concern is the fact that not only are attackers using AI, more and more vendors, more and more customers are now part of enterprises that are developing AI in house. And there is also risk in the applications that these enterprises develop. And it's very new field. It's unknown in many regards what will be the greatest risk of developing applications that use AI for customers for enterprises. I think that is one of the things that is also looking to be a partner for enterprises to find vulnerabilities and to find exposures in their AI applications. That is a field that will become significant because as more AI becomes inherent in coding, the more vulnerabilities and new types of risks include.

Dave Bittner (24:46)

That's Ben Serry from Zafran. And finally Zenni. The online glasses retailer best known for affordable frames and bold colors now sells eyewear that claims to block facial recognition because apparently that's where we are as a society. The company's new ID guard coating gives lenses a subtle pink shimmer that reflects infrared light blinding the cameras used in some surveillance Systems. Tests by 404 Media confirmed the glasses can foil Apple's Face ID and turn wearers eyes into mysterious voids under infrared cameras. Unfortunately, they're less effective against the more mundane threat of someone photographing your face in daylight and uploading it to a search engine. Still, there's something comforting about the idea. When the world is one big panopticon, at least Xeni will sell you reasonably priced rebellion in a flattering shade of rock. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Bittner. Thanks for listening.

Podcast Announcer (27:03)

We'll see you back here tomorrow. Cyber Innovation Day is the premier event.

Dave Bittner (27:27)

For cyber startups, researchers and top VC.

Podcast Announcer (27:30)

Firms building trust into tomorrow's digital digital world. Kick off the day with unfiltered insights.

Dave Bittner (27:36)

And panels on securing tomorrow's technology.

Podcast Announcer (27:39)

In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding The Innovation Expo runs all day, connecting founders.

Dave Bittner (27:52)

Investors and researchers around breakthroughs in cybersecurity.

Podcast Announcer (27:56)

It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at CID Datatribe. Com.