B (2:59)

What's it, what's your TV obsession lately? What's the latest thing you've been binging?

A (3:02)

Oh, my husband and I right now are watching his and hers. It's not trash tv, but it's this, like, limited series on Netflix that's really interesting. And somebody killed somebody and I'm going to figure out who.

B (3:14)

Very interesting. I love all the, like, the real estate ones, like selling the OC and selling Sunset. Those are kind of my, like, I'm.

A (3:20)

Watching those two on the side. My husband just won't watch them with me. But yeah, I get it.

B (3:23)

I get it. Guilty pleasures. But I don't even really feel guilty about it because I'm just not at all.

A (3:28)

I need the likeness. I feel no guilt.

B (3:30)

Awesome. Well, now everybody has some. Some new TV wrecks, but let's, let's dive into the media conversation here. So I'd love to start with the US National Cybersecurity strategy at the time of recording this. Right now the strategy hasn't been released yet, but U.S. national Cyber Director Shawn Karen Cross has teased out some of the themes that we expect to see and in the, in the strategy, some of which are partnering with private industry to enhance the nation's cyber posture and interestingly enough, increasing cyber offensive operations when adversaries attack U.S. critical infrastructure. I'd love to kind of get your take on those themes and specifically on that cyber offensive piece. Is that, you know, based off of your experience in cyber policy and national security, do you think that's an escalation or is this something that's kind of long overdue?

A (4:22)

So, you know, I'm really eager to see the cybertrither. There's a lot of really good things that were mentioned for the offense piece that remains to be seen. Cyber offense, particularly against the tactics against critical infrastructure, is not going to be brand new. I'm assuming he means scale and severity and all of those things. There are a lot of tools in the toolkit. So we don't always choose a cyber offensive attack as A reply to attacks on critical Infrastructure There are a whole lot of host of other things you could do and so I'll be interested to see what that says. I mean, the strategy is supposed to be around, what, five pages, So I don't know that we'll get that meat in there. But all the subsequent EOs and policy implementation that they have promised us, I think will give us that detail and I'll look forward to seeing that. I think the best way to address these attacks on critical infrastructure is not to limit ourselves just to cyber offensive attacks. We should really use all of the tools in the toolkits because sometimes that's not the best way to elicit the response that we desire.

B (5:26)

Anything else you'd like to see as a part of the cybersecurity strategy? Anything else that we haven't already heard about that based on your experience, you'd like to see included?

A (5:35)

Yeah, one of the pieces is the budget. There are a lot of interesting things in there. Where's the money to support that? There's been a shift from federal leadership on cybersecurity to a lot of state leadership. And so I'm interested to see how they fund and support that and how they keep it coordinated, particularly since the proliferation of AI tools and AI systems mean that we have a software quality problem that will exacerbate the cybersecurity issues that we are worried about. And with this bifurcation of AI policy, us wanting us to handle that at the federal level and cybersecurity at the state level, there's a little bit of a delta there. So I hope that's addressed. Love the public private collaboration piece. We always need that, particularly in this space where the private sector is really leaning in on innovation and driving where we are on AI innovation. And that will mean that they definitely need to partner with the federal government to promote security, to align innovation to our values and our goals as a nation, to promote national security. So I'll be looking for some granular detail on what that actually means beyond an investment in innovation, and I do actually hope it has that too. Right. We have seen a pullback in a lot of research and development dollars and a lot of R and D money focused specifically on the cybersecurity threats that we stand to see as our technology continues to evolve will be huge. There was mention of cyber workforce. I think that is great. I mean, I was the champion of the cyber workforce strategy that is currently out and I want to see what that means. Vocational training. Yes. Where's the money for all of this, how are you championing this? Are you using the private sector? Are you only focused on federal cyber workforce? Are we thinking about this whole scale? Because back to that software quality problem, that's going to be a real national security issue for all of us and a really quality of life issue for all of us. And so without the proactive investment and pushing organizations to really think about secure by design software, we're going to find ourselves in a problem.

B (7:45)

Right, right. Funding and workforce are topics we've talked about a lot. I know just in the news especially the funding piece has been such an ongoing issue and there's so much volatility. So having some stabilization in both of those areas will be really important in the long term, for sure. Now, I'd love to hear a little bit more about what you're currently working on, which from our previous conversations is a lot of AI security and strategies for enterprises and talk a little bit about identities as well. So with your experience shaping AI security programs at companies like Crowdstrike and advising enterprises globally, how do you see identity based attacks evolving to bypass traditional EDR tools? And what are the biggest gaps that organizations need to address today in terms of those areas?

A (8:35)

Yeah, I mean, traditional EDR tools are looking for malware, they're looking for, you know, abnormal movement. But identity is the attack surface now. Right. They are latching on to the opportunity to leverage your credentials, your tokens, your passwords to access a system. According to a recent industry report, there are roughly 82 to 1 non human identities outnumber human identities. That's insane. And if that's the case, you're not only worried about the identity of the people within your organization and how you train them. You need to be worried about whether those are AI agents or they're APIs, IoT devices. You have to be worried about how you're locking those things down because they have become the most attacked surface within your environment. And one of the things that organizations need to do is really basic. We've been talking about it for a long time, but less than 50% of organizations have implemented, and that's Multi factor authentication. That is a huge part of building some resilience in your organization. But that said, if you leverage OAuth and if someone gets a token after you have used Multi Factor Authentication, they can still move within your organization. That means that you really should think about some conditional access policies. Not everything should use OAuth to allow you to authenticate into a number of different applications. Some of your SaaS apps have too much sensitive information for you to be able to authenticate into your Gmail and then authenticate into something that houses really sensitive customer information or organizational information. The other thing that organizations really need to start thinking about is with the proliferation of AI systems, whether they are sanctioned by the organization or you've got a bit of a problem because you've got some shadow AI that is an aggregation of really valuable information that has been put into one place, so probably pulled from a bunch of different data sources, whether that's the brains of your team, or from different tools about customers, about internal processes pulled together in aggregate, synthesized and operationalized. So that becomes a high value target. I don't even need to move laterally within your organization as much as I was inclined to do in the past. If I can find that AI system that has not been secured properly or that you're using OAUTH to authenticate, I've got a treasure trove of information without moving around your organization. So there's a lot to be thought about in terms of identity, particularly as organizations seek to deploy agents and give them a lot of autonomy.

B (11:28)

Absolutely. I do want to circle back to AI agents in a little bit too. But something that I'm really excited to do is we actually have some questions from listeners that are related to AI and cybersecurity and I would love to pick your brain on these and kind of get your response to them. So the first one that we that we got was how can AI enhance the threat detection and response?

A (11:49)

Oh yeah. I mean, we've been long using anomaly detection and leveraging AI and machine learning in cybersecurity to help calm down the noise of all the indicators that you get. It can also be a first line of defense in terms of teeing up response actions. What organizations have to be careful about is how they keep people in the loop because that contextual knowledge, that human judgment is going to be really important. But leveraging AI systems to incorporate intelligence, to really wade through that and get some synthesis on the movements that are happening to inform the choices that you make, weeding through all the log data and some of the indicators that come up, all of those things are really helpful mechanisms that AI systems and eventually AI agents as you deploy them can be helpful in doing some load reduction for your analysts so that you can get more out of them. You should always think about AI systems as an augmentation to your team, not a replacement, particularly in security, Right?

B (12:53)

Absolutely. And we recently published an episode with Amit Malik, who is from Rubric zero Labs on how they developed a system for LLMs to analyze malware in code and kind of like just expedite the work that that team's already doing. And so they can focus more of their time on some of that high impact analysis as well. And what you do with the analysis afterwards too.

A (13:15)

That's a great example.

B (13:16)

Yeah, absolutely. All right, our next one is what are the ethical implications of using AI and security practices?

A (13:24)

I mean, I think it kind of ties to what I just said. Thinking that you can completely replace your security team with a suite of AI agents is not only a bad move from an effectiveness and strategic perspective, but there are ethical pitfalls because depending on how the system is trained, there are going to be indications that are biased or lead you down a wrong path. We've seen a lot of that. Not with AI specifically, but it will manifest itself there in insider risk. Right. The data says that, or some of the data says that. This attribute about a person tends to pop up when they are a potential insider risk. And if your agent or AI system over pivots on that one characteristic and doesn't leverage the contextual information that is inherent in the people who usually kind of comb through that, you could set yourself up for legal risk and for other risk or to miss things. So there are a lot of considerations, both from an ethical perspective and from a strategic and just effectiveness perspective. The other thing I would say is people like to talk about AI ethics as if it's a completely separate discipline from thinking about AI security, AI ethics and thinking about the content that comes out, the data that goes in, how bias moves through a system, how it's trained. All the things that tend to be rolled up in AI ethics are actually extremely important to AI security and securing an organization. What I would caution folks to do is not separate those two disciplines because you will have to do AI ethics well to do AI security well as well as AI security tools. Security tools in general are the ways that you get your AI systems to act and behave in the manner that you want them to, in the ways that you've promised your users and your customers.

B (15:19)

That's so true. Absolutely. And you've already kind of touched on this one a little bit. But just to lay it out more specifically, how can organizations effectively implement these technologies without compromising data integrity?

A (15:31)

The biggest mistake that I see organizations make is think that you can just shove AI into an existing workflow or process. It is not a plug and play technology. You get the what I think is truly a luxury to redesign a process around the capability that was within the AI system. Think about where you are and where you'd like to be and how an AI system can help you get there. AI is not going to be the best tool for every process, for every outcome you seek. But there are a number where it can reduce load, add value completely, take a piece off of the plate of an analyst or an organization. But you really have to understand the context and that's where people come into play. You have to pull together a cross functional team that can really think about the threat, not just from a security perspective, but from a user perspective and how this impacts your workers and how this impacts your bottom line. Organizations that don't think about governance as a part of deploying AI systems find themselves with a number of different exposures that they didn't account for. So if I had two pieces of advice, it would be AI governance. Really investing in a cross functional operation that hones the intellect and skills and expertise of the organization you have, and not thinking about security in the ways that you've done before. Trust and safety as a discipline has long been left to big tech companies and social platforms to think about content and behavior, but behavior and content and all of those considerations and concerns and the policy rigor and the operational rigor that are within trust and safety teams now must be part of how you think about holistic security. So broaden your aperture on that as well.

B (17:24)

Absolutely, yeah. Governance and policy implementation for AI is like such a critical component rather than just shipping something into production and, you know, hoping it works for the best. Hoping for the best, yeah.

A (17:37)

Start small and grow. Pick a pilot project, really invest in understanding how it impacts your organization and then go from there.

B (17:44)

Yeah, absolutely, absolutely. So I want to hop back a little bit to talking about edr and you mentioned this earlier too, a little bit, and you just touched on it. But I'd love to get a deeper perspective from you on this as well. So many organizations are heavily relying on automated detection through EDR platforms. But from your perspective, how should they balance that automation with the human led threat intelligence to spot attacks?

A (18:08)

Ooh, I love this. So I actually have been coaching a lot of organizations on rethinking what threat modeling looks like. It involves that cross functional perspective. But in the past, a lot of the threat modeling components of your organization, maybe a subset of your threat intel team, maybe a separate organization, maybe one person who just gets creative, is kind of relegated to thinking about short term new threats. Not the big audacious, but the time from where we are now to some manipulation that we did not expect or emergent behavior from an AI system is much shorter. And so I encourage organizations to really invest in that threat modeling capability as part of their threat intelligence. The other thing is to really extract a lot of data from your systems about how they're operating. You should have a lot of observability across your organization and be using that to build a continuous learning system for your detection and response. You should not have static detection criteria unless that's necessary for a legacy system or something like that. But your detection should be adaptive. It should adapt to the changing intel you're getting. It should be adapting to the research that's coming out really rapidly on how AI systems are changing the way adversaries move or changing the way organizations operate and how systems are able to access different information. You know, back to the identity piece. One thing I've seen a lot is when you provision access for an agent and you forgot that you have provisioned access in a number of different ways when it was people. And you can kind of rely on the fact that they wouldn't go back to access that system, that even that physical location agents then don't have the same context, aren't as inclined to not go back and they can move through your organization in ways that you didn't anticipate. So creating a monitoring capability that really looks for those deviations even beyond some of the normal anomaly detection is going to be really important. But that continuous learning piece is huge.

B (20:27)

Absolutely. And you know, we like to keep things pretty vendor agnostic here too. But I would would behoove me to mention Rubrik, the company that sponsors this podcast. Also, we've talked about governance. That's definitely one of the huge pillars of the Rubrik agent cloud platform. We've talked a lot about that and it's important. But a really interesting feature that the platform has as well is this agent rewind or remediation capability too, which, like, to your point, governance and observability of these, you know, your agents and what they're doing is so important. But then also having that kind of kill switch and that moment to say like. Or that capability to rewind an agent's mistakes so that they go back to a state before they were doing this. This incorrect action is. Is really a game changer for many organizations too. So that's. I have to throw that in as a quick shout out as well, because it's a really.

A (21:21)

And I'm glad you said that too, because it's not even just rewind before they took that action. But making sure that you can recreate that data, making sure, you know, there's so many layers to that, but the ability to undo a mistake is huge.

B (21:34)

Yeah, absolutely. And since we're on the topic of AI agents, you know, looking ahead, what are the top three strategic adjustments that organizations should make to protect against identity based attacks and mitigate internal and external threats from agentic AI?

A (21:49)

I mean, let's start with the one we started with at the beginning. Please implement MFA at least some conditional use policies that kind of segment how you use OAuth to allow people to authenticate across apps within your environment. Please be using Zero Trust if you're not already. And make sure you really think about your agents or your AI systems not as normal software, but as identities or employees that will be making decisions and moving through your organization in ways that you do anticipate. Because they're doing the things you ask, but also as emergent behavior pops up, or poorly coded rules or bad data influence how they move, you could have what amounts to an insider risk that you didn't account for. So really honing in on what identities you are provisioning access to. I talked to an organization this week that what they decided to do was anything granted by an agent gets shut down 24 hours later. So if you need access to a physical space, if you need access to a tool, that's fine. The agent can use whatever criteria to approve that, but it will be temporary. And anything that needs to be approved for a longer term you will have to get done by Haman. They can tee up the recommendation, but they won't be able to do it. And guardrails like that really help you get a handle on your organization and prevent this kind of unauthorized access and lateral movement tied to identity.

B (23:21)

Right. What I really appreciate about your response here is that we're talking about really new and innovative technologies. We're talking about identity security and resilience and AI agents and all of these. I don't want to say that they're especially with AI agents. I understand it is a newer topic. Identity isn't as much of a new topic, but what you're saying is it's really about some of the fundamentals. You've brought it up several times now is like MFA is still so critically important and many organizations are not implementing that for various different reasons, of course. But it's really, a lot of times it's going back to the basics. Mfa, governance, observability, they all still matter so much today. So I really Appreciate that you're hitting that home regularly. Well, Camille, thank you so much for your time. Is there anything else you'd like to leave with the folks listening in today?

A (24:08)

You know, I hope that organizations do play around with these new capabilities and this new functionality. That's not the goal, right? It's to limit your ability to deploy AI agents across your environment or to leverage an AI system to streamline a workflow or a process. But just take the time to build the governance apparatus around it and to really make the necessary investments up front, like cleaning up your data. Your data really matters. Those things help mitigate the potential for security risk later on. And so that would be my caution to folks. The places where I see the most mistakes in large organizations and small organizations alike, is when you rush to try to deploy an AI system because it looks cool, but you haven't done the work to think about what value is actually adding to you, how you organize your organization around it, and what guardrails you need to put in place.

B (24:57)

Absolutely. Absolutely. Great sentiment to end it on. Camille. Thank you again so much. I appreciate, really, I really appreciate the time.

A (25:02)

Thank you.

B (25:12)

That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to reach out to me about the show, email me directly at data dash security decoded 2. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Ibin. Content strategy by Mayan Plout Sound design by Elliot Peltzman. Audio mixing by Elliot Peltzman and Trey Hester. Video production support by Bridget Crickey Wild and Sorrel Joppy. Until next time, stay resilient.

A (25:52)

Sam.