Sponsored: Should we ever trust AI?

A

Good afternoon, good morning and good evening everyone. This is Casey Ellis. We're here with the Risky Business sponsored interview. It's time to chat with Chris Beam of Zero Networks. We're going to talk about when to trust AI in security and when not to. At least today that's kind of the, the topic of conversation. So, you know, like, let's, let's kind of kick it off. Chris, tell us a bit about what you do at Zero Networks. Like you're field CTO there. What does that, what does that mean? What does that look like in practice?

B

The field CTO role is a very up and coming thing for sure. I've been seeing these pop up into almost every organization I'm associated with, even on LinkedIn and other groups with Friends. But for me as an individual, I am on the executive leadership team here at Zero Networks and I provide internal operation assistance as well as working with our customers, helping with, primarily solving the challenge that we have here at Zero Trust is Zero Trust, segmentation and ransomware. That's the things we're solving. So my mission is to help customers solve those problems and make sure it works effectively across our organization. Whether that's marketing, sales, engineering, customer advocacy, the list kind of goes wide. But I'm a technical expert in the field for micro segmentation.

A

Excellent. So technical expert that understands the business layer and that side of things and understands obviously the solution, sales process and problem solution fit all those good things.

B

Yeah, it's an interesting role for sure because you have to kind of have an experience in every field. And then for me, I have been in the cybersecurity space for over 15 years now. One of the things that I've been really, I fell into is the product management side. So I've worked on SIMs, EDRs, identity security, key authentication. Like the list kind of goes on and on and all of a sudden you just realize you're a product expert without even trying to be.

A

Yeah, absolutely. I can relate to that a little bit with the founder hat on. It's a similar experience on that side. So like in terms of the conversations that you're having, like before we jump into the topic du jour, what kind of security challenges are you seeing C and infrastructure folk face like now in this moment? Because obviously they're always changing. There's some things that change and other things that stay the same. Like what's kind of bubbling to the top at the moment?

B

You know that that is an interesting question. I think it kind of depends on each CISO and who you talk to. In each industry, I don't think there's a perfect scenario and perfect question. One topic I always say I talk about is the impact of artificial intelligence. Like we're going to be talking about on this call, like how is that going to be impacting? That could be personnel, it could be how do we train and advise and how do we educate users. I just saw a phenomenal video this of Google's new AI technology showing how an interview just like this could be all faked with AI. And it's amazing how deepfakes are becoming a common trend. So deepfakes, common trends, common current, current challenges is usually the CISO conversation. But for me, obviously I get put into that micro segmentation conversation more often because of where I'm sitting. And usually those are customers facing either penetration testing, how to solve it and dealing with real world scenarios, or it could be even meeting compliance and regulations for their current either insurance standards that they're looking at or just to meet their customer standards and they look at us to see can we solve that problem for them today. So I would say that's kind of where I would fit into the CISO conversations based on our product knowledge.

A

Yeah, perfect. I mean that makes total sense. Obviously you're going to be talking about the thing that you guys are doing, but seeing kind of the convergence between that and some of the context around the conversations that are coming up at the moment on the AI side. So let's talk about that. AI is literally everywhere in cybersecurity marketing in particular at the moment. Everyone's either trying to do an early stage AI company or slapping AI on top of whatever it is they've already got, or in some cases actually highlighting the fact that machine learning or AI has been there the whole time. They just haven't necessarily been marketing it in the way that they're kind of forced to. Now where do you see the real value? Because cutting through the hype and getting to the signal is really tricky at the best of times. And AI seems to be almost like a version of that on crack.

B

Yeah, you're right. AI is truly everywhere. I guarantee when I'm at Black Hat the next month, every booth will say AI somewhere on it. But to kind of go through it, I would say based on my personal experience, even at my last company and previous companies, really where AI starts to shine is actually proving in context and helping out the end user. So think of analysts, think of reporting, think of dashboards, think of collecting a bunch of information, I mean like petabytes of information. And then summarizing it and giving a pretty good reliable count of that information. It may not be a hundred percent, but it's pretty good to the point where it's 90 something percent. And you can feel confident behind like hey, that is something I should look at or hey, that is something I didn't know or notice before. So can like correlations of logs, anomalies, those are things where AI starting to shine. I remember pitching a product at my, one of my previous employers of uaba User Behavior analytics and Technology and it was garbage, I'm going to be honest. So hopefully anybody that's listening to this can probably agree with me. This is years ago, it's probably better now, I'm going to say that. But at that time we didn't really have a strong AI. We were just kind of mapping, we're doing like A plus B equals C and the connection was extremely complicated. So with modern artificial intelligence, and I'm talking about generative AI capabilities, you could get into a scale of much, much bigger volumes and start coming up with pretty cool scenarios where it was very hard seven to eight years ago today. So I would say it's transforming, but it's like I said, kind of unreliable. Unfortunately a lot of times in the market.

A

Yeah, you're giving me flashbacks to the whole kind of nested if statements in a trench coat phase of AI back in, whenever that was, 2015, 2016, there was this sort of period of peak stupidity around this idea of AI, which you could pretty easily argue it actually wasn't at the time, but that concept coming out and actually replacing the human operator as opposed to kind of the use case that you're talking about here, which is really where it's the suit of armor as opposed to the warrior in the middle there. So I guess when you're talking about that kind of use case, and it'd be interesting to hear your thoughts on this in terms of zero Networks and how that all kind of works and the role of I guess, AI machine learning in some of its behavioral learning and different pieces there. But where should AI, I guess not be making the call? Where should we not be trusting it? Or where are we as an industry at risk of perhaps trusting it too much at this point in time.

B

Yeah, so that, that is a good question. The reason the one thing that zero networks does uniquely well is they learn and then they provide automation on top of that without guessing. So instead of saying I think it's this based on the following information and I'm going to provide you an idea based on real natural language processing. We're saying, no, we know because of what you've done, we're going to do the following. So zero networks. One of the prime things they do, which they have patented and configured in their environments, is they can say, hey, Mr. Customer, when you deploy us, we will learn based on each asset and then we'll tell you what that asset's doing, like a machine server service account. And then we control it and we manage and we automate it. So that almost feels like, oh, there must be doing artificial intelligence in this product. Actually, we don't advertise that at all. We advertise the capability of learning based on that asset and then implementing what we've learned. So it's just a different kind of technology capability. How comfortable would you be is if we're like, oh, we believe we're doing the right thing, we're doing machine learning and we're adding artificial intelligence into it. And your hospital machine now can't talk to the pill processing machine that's right next to it because we thought it was the wrong asset that would not fly for any of our customers and we wouldn't be growing as a business. So we had to take it as a let's actually learn what's going on, then authorize access and then provide capabilities there. So that's where it starts making that call. Should AI be doing everything for us? And I know that's the pipe dream, I won't deny, but right now, with today's technology, do you feel comfortable for your hospitals, your police departments, your multiple things for being fully artificial intelligence driven? There's some things I would say probably not yet today I would look at it, but I wouldn't trust it to make a life or death decision across all sectors.

A

Yeah, I think that's a really good way to frame it. Like the idea of applying a probabilistic approach to a deterministic outcome. Perhaps not the best use of AI if there's availability issues, if there's safety criticality, if there's actual real user risk in play. Is that kind of what you're getting at there?

B

That's exactly what I would get at. I mean, there is some things that I can say AI does chime in and then there's other things that I would say everyone's leverage Gemini or ChatGPT or some kind of OpenAI capability of allowing you to ask a question with natural language and process it in there. And there's tons of documentations on what is intelligence and is Artificial intelligence, true intelligence. And so when it gets down to it, you can be like, oh, it can be smart, but it could still be a smart idiot in the nicest way. So instead of guessing based on the information, confidently wrong. Yeah, yeah. It feels like 100% it knows what it's talking about and it'll provide some real context around it until you start doing research and you're just like, what, what the heck is it actually talking about? I love seeing blogs and things being created because it's instantly visible to me based on me using that technology. Like, that was 100% AI generated. I can tell because there's no facts. It comes up in very credible. It shows a lot of information and has the exact wording in a specific way. And I'm like, I can tell this was artificially generated in a fashion. So I don't want that as a product line. Within our solutions, we look at generative AI capabilities, but it's not going to be the decision factor of where a customer is going to feel confident that their network is going to go up or down today.

A

Yeah, that's, that's, that's a really, that's a great way to frame that because. Yeah, I mean, in some instances, kind of going back to what we were talking about at the start. You know, this idea of being able to provide data decoration to get an analyst to a point of decision more quickly, but not actually making that decision, that's not necessarily as critical. And some of the ways that you're kind of characterizing an AI generated blog post don't actually matter as much in that application as long as you're getting that person to a place where they can make a call. Whereas if you're switching something on or off, that's a completely different story.

B

Yeah, I mean, just talking about. Let's go to podcasts real quick. There was an interesting one. I saw a fully AI generated podcast. You just put in the text, it generates the voice based on me learning, and then it keeps my eyes looking like I'm paying attention to the whole entire conversation, no matter where I'm looking. And that's not necessarily new technology, but it's getting good enough to fake it to where it's like, should I use it as a podcast user or should I maybe emphasize, like, redo something if we messed it up? Like things, accidents happen, as you know, it's amazing how the artificial intelligence play is starting to impact not just cybersecurity, but across every vector within our industries, 100%.

A

And that could very easily turn into a much longer conversation. Because I do agree some of those implications of it all are quite fun to tear apart and can get a little scary. I guess, kind of rounding this out in terms of advice to your peers, to practitioners, to folks that you, you know, ultimately out there speaking to, educating, learning from, in the market, like for security teams that are being pitched like AI powered everything. What's your advice for, you know, when it comes to actually separating the risky from the useful? And I think we've covered a few kind of ideas off, but sort of summarizing that and anything else you wanted.

B

To add to that, I will simply put this. If you're looking at artificial intelligence powered anything, if it can't explain what it's doing, it's not worth considering. I mean, it has to be able to explain to you how it came up with that decision and walk through the process of the decision making. That's one of the key things I would say, like, can you explain it to your peers? Can you explain it to your board of directors? Can you explain it to a regulator? That's asking, okay, here's the audit trail. How did you make that decision? And we're actually, you know, concerned that you just made a poor decision. Who do we go after based on. We're not going to cover this scenario. So make sure prioritization should be explainability. If you're leveraging or looking at artificial intelligence, that's the number one thing. Two, I would say start as a baby step, don't have it, take full control, allow it to extend your capabilities. If you have those petabytes of data, massive summarizations, looking at certain things that will is usually hard for your business, then I would, I would encourage just to say it's better than nothing, especially if it doesn't cost a lot. Some of these scenarios are inexpensive, but then you have the risk of, okay, well, inexpensive. Sometimes that does have the factor of you're getting false positives if you don't train it, learn it and have your own custom capability. So in the cybersecurity space, I would say make sure you're familiarizing what you're looking at and it can explain what it's doing and walk you through the process. When you look at artificial intelligence, that's what I would say.

A

Well, look, we're up on time, but yeah, thank you so much for the jam, Chris. It's very, very cool to hear your perspective. It's going to be interesting, as you said, to see kind of the AI palooza that we're going to run into down at Hacker Summer Camp in Vegas this year.

B

Very much so.

A

And, you know, sorting the wheat from the chaff. This is a very timely conversation to be having. Where do people reach out to to get in touch with you guys on the, on the Zero Trust and the Zero Network side?

B

I mean, I will be frank. You can reach out to me directly at any time. I'm usually active on LinkedIn or however. But you can go through our website, have communication with us. I'm sure we can even share something with you and have it easily accessible for anybody to reach out to. Zero Networks.

A

Alrighty, thanks. All this has been Casey Ellis with the Risky Business sponsored podcast and Chris Boehm with Xero Networks. Appreciate time, Chris.

B

Oh, thank you. I appreciate it.