A
Hey, this is Casey Ellis for Risky Business, and today we're talking to Edward Wu, the founder and CEO of DropZone AI. If you're not familiar with DropZone, they're an AI-powered SOC that delivers analyst-grade investigative reports in minutes instead of hours, which is certainly what we need right now. Great to chat. Ed, welcome to the show.
B
Thank you for having me.
A
Absolutely. So today we're going to be talking about the report that Tuna, who's the former deputy commander of U.S. Cyber Command, authored for Vanderbilt on defending the digital space. I guess, as a starting point, you recently had a chat with Tuna about the paper and his thoughts and shared your thoughts and all those different things. I guess, starting it off, what was your kind of wake-up call from that?
B
Yeah, I'm a civilian, so I don't have the depth of knowledge as well as the expertise and experience that Tuna and U.S. Cyber Command have had. But from my perspective, I think one thing Tuna shared that really was interesting: he mentioned that a couple of years ago it was actually very easy for US cyber operators to spot Russians, Chinese, North Koreans in the environment, because their craft was pretty crude or rudimentary, to say it nicely. But he mentioned that in just the last couple of years the tradecraft has drastically improved, to the point that I remember him mentioning, in terms of quality of tradecraft, they are 80, 90% or even 90, 95% there. But what he has seen a lot in the field is there's an absolutely massive difference in terms of the quantity of the capabilities. And he mentioned it's not unusual for the adversaries of the United States to have one or two more orders of magnitude of resources in terms of headcount, operators performing the offensive activities. And that's very interesting from my perspective because, as a founder of an AI startup focused on cybersecurity, we too believe that AI capabilities are critical for the future of cyber defense, because it's just unrealistic for the company to spend, for the country to spend or hire its way out of this deficit or gap. Right?
A
Yeah. And I like how you're calling out the fact that there's like a whole of system, kind of whole of nation version of this problem as well as kind of the individual organizational version of it as well. Right?
B
Yeah. It's interesting because historically when you talk to different security teams, their number one responsibility is to protect the organization. And as part of that, a lot of that really comes down to prevention of financial damages. Right. And most organizations are not expecting true nation state attackers to focus on them. Their primary threat models are ransomware groups, cybercrime organizations. But now we are living in a different era of world politics or international politics, and there's a lot more at stake than financial damages.
A
So, like, given the global kind of political environment, the global kind of tension environment that we're working into, and the Internet's frankly the bedrock for a lot of that. Right. There's been a lot of conversation around how deterrence is a solution. The paper itself actually argues that it's not, because deterrence, in a true, traditional military-thinking sense, operates in a very different way from an outcome standpoint when you're using a nuclear weapon versus a cyber weapon. What does that, I guess, imply for how we should think about defense, assuming that's true going forward?
B
I think from my perspective, like, traditionally in the physical security space, we have missile defense networks, we have carrier groups. The military is able to physically protect citizens and habitats of the United States. But at the same time, in cyberspace, that's not true. Right. Foreign hackers can easily target any organization within the United States. And oftentimes it's also very difficult to attribute who's actually attacking you. And I think that makes a lot of this more difficult. And this is where, to some extent, every organization that has any asset on the Internet right now is on the front line of this conflict, regardless if they know it or not. As long as you have something that's accessible, you are on the front line. And there are a lot of different ways to actually cause damage. I think historically people think about critical infrastructure as a way to really cause harm. But for example, recently we had an unfortunate situation where our HR provider accidentally made a mistake and canceled all the medical insurance of all the employees. And that's not a fun experience. But imagine, traditionally insurance providers are seen as, okay, what can you do? If you have root access in an insurance provider, you can dump everybody's Social Security number and maybe some claim information. But now imagine a nation state just shutting off everybody's insurance. Like, how much damage would that cause? I think to some extent it's probably bigger than dropping a lot of bombs.
A
Yeah. And I think you kind of flag, I mean, for what it's worth, we're on exactly the same page here in terms of the relationship between civil cyber defense, in a sense, and what's traditionally been considered a nation-state set of TTPs when it comes to cyber offense. This idea that at this point in time, it's pretty blurred.
B
Right.
A
You mentioned before CISOs and folks that have been thinking about cyber offense and cyber defense with the corporate hat on, and not being on the high side, not being within Cyber Command, but thinking about obviously the community and the nation that they're within and their responsibility and their part in protecting that. Those two things have been seen as quite separate, I think, historically, but obviously over the past period of time, we've seen almost a convergence of the techniques of cybercriminals and your more traditional kind of garden-variety threat actors, I guess you'd call it, with ultimately, like, nation-state interests that are being directed in a way that's not necessarily something that's a good thing.
B
Right? Yeah. From my perspective, just working with a lot of different security teams, like you said, there is this merging of tactics of run-of-the-mill cybercrime organizations and nation-state actors. Sometimes those cybercrime organizations are kind of a storefront for nation-state interests. They might be focused on just making money most of the time, but with a flip of a switch they can do other stuff as well. And I think this is where, like you said, there is this blend. And when I talk to CISOs, most of the time, most security leaders and security practitioners are thinking about protecting the commercial interest. But I do think this paper is a good wake-up call and shines a light on this maybe uncomfortable truth that, in addition to protecting against commercial damages, there is another element. Every organization is now part of the national cyber frontline, and every security team has some responsibility to protect the organization not only from the financial damages, but also the national interest. Our way of life as well.
A
Yeah, no, definitely. I think that makes perfect sense and I completely agree. I ran a roundtable at DistrictCon last year and the thesis of it was basically peacetime cyber versus wartime cyber. Like, what are the things that we've developed as patterns and kind of assumptions in how we approach cyber defense in the West that have been informed by 10 years of peace and prosperity? Like, assuming that we're transitioning into a period of that not being as true. Right. So I think it's obviously a good thing for people to be thinking about this, but it sounds like you guys are trying to get onto the front line in terms of actually equipping that with your systems. Because obviously at this point in time, all of the attackers have AI available to them. That's accelerating the time to success. The logical conclusion on the defensive side is you need to increase your time, or decrease rather, your time to success when it comes to defense as well, right?
B
Yeah, absolutely. If you look at just cybersecurity from the beginning, it is a cat-and-mouse game. And we all have heard the saying: as defenders, we need to be right every single time, and as attackers, they only need to be right once. So naturally there is already this asymmetry between attackers and defenders. Defenders generally need to spend orders of magnitude more resources to stop attacks that were pretty cheap and pretty simple to launch. And the unfortunate reality is now, with agentic AI systems and all the large language models, it has really further lowered the bar, or lowered the barrier of entry, for attackers to cause harm. Historically it took a multimillion-dollar shop to customize some sort of rootkit malware. But nowadays you can use open-source models to vibe-code different variations of backdoors, C2 servers and command-and-control infrastructure. And what that really translates to is the asymmetry, or the capacity gap, is further increasing and will further increase in the coming years. But when I talk to security leaders, very few of them are saying, hey, our security budget is growing 130%, 150% every single year. So what do we do when the budget is not increasing but the responsibilities, the number of barbarians at the door, is increasing drastically?
A
Yeah, and that's where I was going to go next with this, because, thinking about, as I said a couple of times now, I'm fully on the same page with the problem space that we're talking about here. The combination of the fact that this is now basically an international relations game that we're playing in, whether or not we want to admit that, and the fact that AI has really decreased the size of the OODA loop that we get to fit inside of as defenders to think about what we do next. I guess when it comes down to practice and brass tacks, like, if I'm a CISO who's not having my budget increased anyway, necessarily, because there's definitely a bit of that going on around the place. But in light of the kind of things that we're talking about, even if I do believe that the theories that we're kind of throwing out here are true, what should I be doing about that? What are the practical next steps that I can take?
B
Yeah, I think again, I don't think we as a country can hire or spend our way out of this. A lot of this involves just more automation. So our recommendation, first and foremost, is look at, evaluate the entire security program and identify areas that could benefit from a lot more automation. At DropZone, we are focused on alert investigations because, at least in our experience, alert investigation is one of the least efficient and most labor-intensive parts of any security program. And this is where, by leveraging AI agents, a security team can really offload a lot of the day-to-day drudgery and allow the existing team members to focus on other projects as well as see only the real threats and the real breaches. And to some extent that really allows the security team to kind of more or less force-multiply their budget. They can get a whole lot more done, but still with the same set of resources.
A
That makes total sense. And there's definitely an appetite towards that kind of optimization just in general in industry right now. But I think putting it in light of this bigger picture of what's actually going on behind the scenes creates a different sense of priority around it. The paper calls out, Tuna's paper calls out this idea of a team of teams, where private sector kind of contributors and participants in that sense work in concert with the public sector to be able to try to address this whole thing as a system-level issue, at the same time as dealing with the things the private sector needs to think about day to day. What does that look like in practice from your perspective?
B
Yeah, from my perspective, given we mostly work with blue teams or SOC teams, a very big component of that is just bilateral information sharing. Like, historically we have TAXII, STIX, IOCs, but nowadays it's not that difficult to change your IP address or use a different domain name. And I do think a key component of the next phase of this information sharing involves really sharing kind of more TTP-level information. And this is also where we have seen, like, historically, IOCs, there is a lot of information shared as IOCs, because IP addresses and domain names are easy to parse, they are easy to understand. But TTPs are generally like natural language sentences. Right? This attack group really focuses on generating or sending phishing emails that resemble DocuSign. There's no single IP address you can regex on with that particular TTP. But nowadays, with AI systems and large language models, this unstructured threat intelligence can be utilized for the first time, because large language models can understand a natural language sentence and maybe look into your Exchange environment and see if there are any new DocuSign emails that seem to come from unofficial DocuSign domains.
A
So what you're saying is the probabilistic nature of the different tooling that we're working with at this point in time actually suits the fact that we can identify patterns of behavior that aren't deterministic like the ones we've relied on traditionally?
B
Yeah, exactly. And those patterns or behaviors historically cannot be expressed by regular expressions or blocklists.
A
Yeah. Okay, cool. That's a fascinating take on the whole thing and I fully agree. I think the fact that AI has ultimately allowed a broader variety of threat actors to join the fray, and it's decreased their time to success and the level of sophistication they need to actually succeed. These ideas of being more flexible in how we approach detection and understanding, attribution and figuration, our priority, and what we do off the back of that on the defender side are definitely a needed thing at this point in time. I guess to wind this up. Like, if there was one thing that you would say to security practitioners that they should stop doing or start doing tomorrow, what would that be?
B
Yeah, in terms of one concrete item, from my perspective, it will be really evaluating the program and identifying opportunities to introduce more automation. I think that's by far the biggest thing. And one other element we have seen that makes us very excited about just leveraging AI agents in cybersecurity is also, for a lot of organizations, they have a small security budget, and it's hard to build a comprehensive program when you only have two and a half people who are truly working security. And this is where we are also seeing a lot of good real-world success stories of small teams taking advantage of AI agents to really do things that they typically or historically couldn't afford to. So this great shift in the poverty line in cybersecurity is also something that we are very excited about. So organizations who couldn't afford good or better security could now afford those.
A
They've now got an opportunity to actually make a dent on the problem because their efforts are way more efficient because of all of this tooling and because of the kind of stuff that DropZone has been building.
B
Right, absolutely.
A
Very cool. Well, look, it's been really great to catch up. Edward Wu, massive fan of what you guys are doing, and I firmly believe in the problem that you're solving and the fact that that problem is going to become more relevant as we go forward. So I appreciate the opportunity to chat. This has been Casey Ellis for the Risky Business podcast and this is Edward Wu, founder and CEO of DropZone AI. Thanks.
B
Thank you for having me.
Host: Casey Ellis (A), founder of Bugcrowd
Guest: Edward Wu (B), founder & CEO of DropZone AI
Date: February 1, 2026
This episode explores the growing and critical role of artificial intelligence in defending against rapidly evolving cyber threats. Host Casey Ellis speaks with DropZone AI's Edward Wu, diving into insights from a recent report by Marco "Tuna" Rocca (former U.S. Cyber Command deputy commander), which challenges traditional notions of cyber deterrence and addresses the urgent need for automation given AI-driven adversaries and limited defensive resources.
“Every organization that has any asset on the Internet right now is on the front line of this conflict, regardless if they know it or not.”
— Edward Wu ([04:29])
“Defenders generally need to spend orders of magnitude more resources to stop attacks that were pretty cheap and simple to launch.”
— Edward Wu ([09:36])
“...very few [security leaders] are saying, hey, our security budget is growing 130%, 150% every single year. So what do we do when the budget is not increasing but the ... number of barbarians at the door is increasing drastically.”
— Edward Wu ([10:43])
“...organizations who couldn’t afford good or better security could now afford those.”
— Edward Wu ([17:12])
This episode is essential listening for security leaders, practitioners, and anyone interested in the intersection of AI and cyber defense. The discussion offers both a stark reality check and a practical roadmap for navigating a more adversarial, AI-accelerated threat landscape.