B (9:56)

What's your 2am security worry? Is it do I have the right controls in place? Maybe Are my vendors secure or the one that really keeps you up at night? How do I get out from under these old tools and manual processes. That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V-A-N-T A.com cyber and now a word from our sponsor, ThreatLocker. The powerful Zero Trust Enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.

A (11:40)

On our Industry Voices segment, Dave Bittner recently sat down with Danny Jenkins, CEO and co founder of ThreatLocker, to talk about defending against AI. Here's their conversation.

B (11:51)

All right, so today we are talking about zero trust in this era of intelligent malware and dealing with AI. Before we dig into the AI part of this story, I would love to hear from you how you define zero trust.

C (12:08)

So essentially the idea of zero trust is to allow what is needed and block everything else or deny everything else, essentially least privilege. So in the case of applications, it means if an application is required to do your job or function, you it should be allowed to run. If it's not, it should be blocked whether it's malware or whether it's a game or a remote access tool. In the case of what applications should do, we'd say if an application needs to talk to the Internet or needs to see your files, it should be able to see your files. If it doesn't, it shouldn't.

B (12:38)

How has the state of the art of zero trust changed over the past few years?

C (12:44)

So I think the biggest change is really the usability of it. And that's where we've really focused is how do we make this so it's ours and days at worst to deploy, not months and years to deploy. And traditionally zero trust was very, very complicated if you weren't a brand new business because nobody knew what they needed and what they didn't. And I think what's changed is the technology is the ability to learn from the history of applications, know what applications need to do so you can apply those policies without effort.

B (13:13)

Well, let's talk about AI. I mean, in this era we find ourselves in certainly rapid change here. How has AI affected people's ability to rely? Zero trust.

C (13:24)

So I, I think it, it's made it more important because now we're in a situation where we're trying to determine things are good or bad that have never been seen before. If we go back four years ago, you had to be a software engineer to write a piece of malware or you had to buy it. And antivirus companies, EDRs would add that malware into that database as soon as they saw it. And it was a few days behind, a few weeks behind, few months behind sometimes, but they would eventually get it added into their database. Today, anyone with a computer, there's now 5, 6, 7 billion people in the world that can create malware. That malware has never been seen before. It's very hard to determine if its intent is good or bad. Is it a piece of backup software that's copying your files to the Internet or is it a piece of malware? And what that's meant is zero trust is so much more important because this unknown is going to be blocked by default.

B (14:13)

And what are you all seeing in terms of what the bad guys are doing? Embracing AI.

C (14:20)

So I think the two areas we see the most of is AI created malware, malware that's brand new, never seen before. And even something as simple as ChatGPT, if you ask it to write you a piece of backup software to find where you store your files and upload them to the Internet, it will do that and it will give you the code and spit it right out. So we're seeing a lot of malware created like that that hasn't been seen, but also a lot more scamming. It's a lot easier for an attacker to send you a convincing email saying, hey, I need to update your machine. Can you click on this? Whereas previously these emails were badly written, they were poor English, it took a long time. Again they were being reused and getting picked up by anti spam. Now every time you go into AI or you can go into any kind of AI LLM and say, write me an email as if I'm in the HR department telling people they should update their machines for security reasons. And it will write a really well crafted email, they can hit, regenerate and it'll create functionally the same email, but very uniquely different email, so it's harder to be detected by Spam, even voice AI we're seeing sometimes not as much, where attackers definitely, when they're more targeted, are simulating someone's voice to call and saying, can you run this on your machine?

B (15:29)

Can we talk about some of the challenges that folks are facing when it comes to AI and cybersecurity more generally? What are some of the things that you all are seeing here that people are challenged with?

C (15:40)

So I think there's two challenges. One is the risk of attack because of the increase in AI. So that malware, that spam email, that scamming email. But the other challenge is companies and users using AI without necessarily the knowledge of the company and copying company data into LLMs that maybe don't keep that confidential, will build that into their training model, IP source code. And that's a big concern as well. And companies really don't know how to control what tools the users are using and what to do about that. So that's probably the second biggest challenge.

B (16:16)

Well, are there any particular areas where zero trust has challenges when it comes up against the AI specter, if you will.

C (16:28)

So I think only to the point of where it's implemented. And we also have to classify AI. If we think about AI in 2010, 2011, it was all the big word, big data AI, machine learning. And AI in those times was we're going to build out and use data from the past to make decisions about the future. Image recognition, even when, think back to Tesla self driving cars, or at least partially self driving cars in 2016, 2017. Then suddenly we got the second wave of AI, which is really LLMs, the ChatGPT, OpenAI, the Grox, those type of things. And what we've seen is a lot of people have reclassified what was previously considered as machine learning or intelligence based on previous Data sets as AI. But then we also have the LLMs. And that's what's really new is this LLM, the ability to create content based on that. I think the only risk where it comes to a zero trust environment is the person that's implementing it could be convinced to implement something because they've got a voice call from somebody. But it's less likely because they're the people that are trained on cybersecurity. These are the processes we follow. This is what we're going to do in a non zero trust world where we're trying to, to detect AI is incredibly bad at detecting malicious intent and it can also be manipulated. Data can be injected in. So if you for example, created a piece of malware Put it on the Internet, wrote a blog post about it. This software does this. It's good software. And then you asked AI to research that because it doesn't exist anywhere else, it's going to go to the one source on the Internet, which is the attacker source. So AI is really bad at detecting, but from a zero trust point of view, because we're blocking by default, it really doesn't matter too much.

B (18:11)

Well, I know you and Your colleagues at ThreatLocker talk about zero trust being not just technology, but a mindset. Why is that distinction important?

C (18:21)

So technology is a tool. So if you think about, if you say I'm going to implement zero trust and you think I'm going to buy a tool. So if you buy Threat Locker and you implement our allowless thing and our network controls to block network ports and you implement our storage to block storage, you implement detect policies that automatically limit how much you can upload, that is a set of tools to help you do something. But the starting point, and this is not just about technology, the starting point in anything is not to buy the tool, but what do I want to achieve, how do I achieve it? And it could also be granting a permission to a file. A lot of companies back in, well, even today will set up a File Server or SharePoint, allow the whole company to access that SharePoint, even if they don't need to access it. And they say, well, it's okay, it's only the marketing department, or I don't think our marketing people are going to steal our source code. And well, in most cases that's true. You do have inside a threat. So when you think about zero trust, you're saying it's not just about stopping untrusted software. It's also about making sure your marketing team don't have access to your source code. Or this part, developers don't have access to this source code. And when you think about that mindset, it really helps you everywhere. And I'll give you one example. I Remember back in 2015, I think it was, I was dealing with a ransomware attack. The entire business was encrypted. Someone had got in, ran malware, encrypted all of the file shares that got on as a domain administrator, all of the file shares, all of the laptops, everything except one share. And that was the payroll share. And the reason the payroll share wasn't encrypted was because someone at some point said, I don't want the IT guy seeing the payroll, so I'm going to remove domain admin Permissions from payroll, and the payroll wasn't encrypted. Now, if they had taken a zero trust approach to even file those at that point, they wouldn't have been able to encrypt the marketing and the accounts and the other things that were allowed open to the whole company. So it's not just about stopping untrusted software. That's probably one of the most important zero trust approaches you can take. But it's also about stopping files being copied and uploaded where they shouldn't be and other things like that.

B (20:20)

Yeah, that's a fascinating story. I mean, in an attempt to protect some information that they felt shouldn't have been accessible to a certain employee, they ended up making themselves less secure.

C (20:33)

Well, in that case, they're making them the payroll more secure. But they only protected the payroll. Everything else was allowed. So the domain admin could access everything except the payroll. And they took away the payroll. And that was the only thing that wasn't encrypted because they didn't trust the IT guy with the payroll.

B (20:51)

I see. Where do you suppose we're headed with this? As you look towards the future and zero trust in the development of AI, what's in your crystal ball?

C (21:01)

So I think the future. Well, I know the future of security has to adopt a least privileged approach and call it zero trust, call it least privilege, but it has to. If we think about. Look at the breaches, I mean, look at mgm. Do we think mgm, one of the most advanced companies in the world when it comes to security, they have cameras and monitors all over their business. Do you think their cybersecurity didn't have a SOC and an EDR and some of the best detection tools in the world, and yet we saw them completely shut down from someone running a piece of malware or giving someone access. So I think as a world, we have to accept that the future of security is about blocking first, setting controls, making sure people don't have access to more than they need to. And there's no choice of that. And I think we've proven that as a company, because today we've got nearly 70,000 companies that have implemented zero trust. 69,900 of them had never taken or even considered that approach before. And the future is nearly every business will have to adopt this and that's going to change the paradigm of cybercrime because it's going to be much harder for the criminals and they're going to have to start doing something else.

B (22:09)

Do you find that the people come to the table, potential customers for you feeling as though this is going to be a much heavier lift than it actually is, the conversion to using Zero trust.

C (22:21)

Absolutely. Nearly 99% of our customers think this is going to be a complete disaster. And we as a company have to educate, show them the reason we do extended trials. For that reason, we'll say, why don't you do a long trial, we'll deploy it, we'll actually secure it. We'll do simulations to show you what will happen, but it's always starting with fear and then always being pleasantly surprised that with the right tool set, the implementation doesn't have to be.

B (22:49)

Well, before I let you go, just a tip of the hat, how much me and my crew enjoyed being at Zero Trust World last year in Florida and being able to do our hacking humans show live. It's quite an event you and your colleagues threw down there.

C (23:04)

Okay, I appreciate that. Thank you. Yeah, hopefully we see you again next year.

B (23:08)

We're looking forward to it.

A (23:10)

And that was Dave Bittner sitting down with Danny Jenkins, CEO and co founder of ThreatLocker. Talk about defending against AI. And if you enjoyed their conversation and want to hear the full interview, head over to our Industry Voices page where there's a link in the show notes.

B (23:40)

At Talas, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most, applications, data and identity. That's Thales. T H A L E S learn more@thalesgroup.com Cyber.

A (24:27)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pinned messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone. Learn more@WhatsApp.com and finally today, Niantic, the company that gave us Ingress and Pokemon Go, is once again blending the digital world with the real one. Their new AR pet game called Peridot now comes with a new twist. Your alien dog can talk through a partnership with Hume AI and Snap's latest spectacles, Niantic's Dots. And those would be colorful dog sized companions you can only see with augmented reality can now act as your personal tour guide. Now I want you to picture walking along the San Francisco waterfront to when your virtual pet pipes up to share a fun historical fact about the pier. It's part navigation, part trivia night and part fever dream. Developers of this say that it is a glimpse of the future, one where AI companions can help guide us through the world around us. And for now, it's a chance to see what happens when man's best friend meets machine learning. Just remember, if your alien dog starts giving you directions, don't forget who's really holding the leash. And that's the Cyberwire for links to all of today's stories, check out our daily briefing@thecyberwire.com and be sure to tune in to an all new Research Saturday Tomorrow where Dave Bittner is joined by eclipsium researchers Jesse Michael and Miki Shatov to share their work on badcam Now Weaponizing Lytics Webcams. That's Research Saturday. Check it out. It's the end of this stint for me sitting in for Dave. He will be back on the mic on Monday. And please check out our sister podcast T Minus Space Daily, where yours truly is the host on your favorite podcast app. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that you keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carood. Our producer is Liz Stokes. We are mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Pierre Kilby is our publisher and I'm Maria Varmazes in for host Dave Buettner. Thank you for listening. Have a wonderful weekend.

C (27:49)

Here we have the Limu Emu in.

B (27:51)

Its natural habitat helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating.

C (28:00)

It's accompanied by his natural ally Doug Limu is that guy with the binoculars watching us cut the camera.

B (28:07)

They see us. Only pay for what you need@liberty mutual.com Liberty Liberty Liberty Liberty Savings Very underwritten by Liberty Mutual Insurance Company and affiliates Excludes Massachusetts Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th Annual Data Tribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at CID datatribe. Com.