Live from RSAC! Test, Verify, Validate

Episode 9

In this episode, host Raghu Nandakumara sits down with Rob Ragan, Principal Researcher at Bishop Fox, live at RSAC 2023, to discuss the different types of threats, offensive security trends, and how to continuously find new opportunities to improve cyber resilience.

Transcript

00:02 Raghu Nandakumara: Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today I'm joined by Rob Ragan, Principal Researcher at Bishop Fox, a leader in offensive security and penetration testing. At Bishop Fox, Rob focuses on pragmatic solutions for clients and technology and oversees the company's strategy for continuous security automation. With over a decade of cyber experience, Rob previously held various software engineering roles with Hewlett-Packard and SPI Dynamics. In this special edition episode, Rob joined me live at RSAC to explore different types of threats, offensive security trends and how to continuously find new opportunities to improve cyber resilience. What is the career path that you've had to get you where you are? So tell us a bit of your background.

00:57 Rob Ragan: It really for me started as a personal passion and hobby. I was fortunate at a young age to find some like-minded folks. It was actually through the 2600: Hacker Quarterly Magazine and I had a friend that maybe wasn't such a good influence at the time that was showing me about how to deface websites and I'll skip over the parts about getting in trouble with them but it really opened my eyes that there was even this community and this possibility of people that were looking at computers in this way. From there, I always thought I'd be a software engineer. I really went through the path of being an IT consultant and doing everything from tech support to network admin to sysadmin and... But I started actually getting the chance to do some coding when I was testing some software and doing debugging and maybe helping with some bug fixes and from there went on to become a web application developer. And so I was a web application developer professionally for about seven years. And then I got my first role in security actually in the security product space, for a company called SPI Dynamics that was making a product called WebInspect that was crawling and scanning web applications for vulnerabilities in an automated way.

02:05 Rob Ragan: And I was like, "Yes. This is really what I want to do." And I was working on that engine, I got to work on static analysis at that company as well. But actually my first job there was to write vulnerable web applications to make sure that our products could find it. So I got to really in-depth study all the wrong ways to build an application like, what are all the different ways you can implement SQL injection just to make sure that our products were at the code level and at the live application testing level finding those issues. But it was also there where I got my first taste of penetration testing. They actually put me with a group of people where we got to kind of, for two weeks, go after an organization. And really it was do your worst. And I was like, "Wait. You can do this professionally? People will pay you to just do this all day every day?" And that really opened my eyes and I was like, "Yes. Alright. This is... I want to make the shift. This is what I want to do. This is exciting."

02:52 Raghu Nandakumara: That's awesome. So in your role as Principal Researcher, I love the title by the way. If you look at sort of the nature of threats and to use a cliche term, “threat landscape,” how has that changed over the last sort of 10-15 years that you've been sort of an avid participant in this area?

03:17 Rob Ragan: Yeah. I think that our understanding of it has changed and evolved a lot. I still think fundamentally there's some consistent truths so... I like to think of the threats in the spaces as really like opportunistic threat hackers that don't even necessarily care which organization they're targeting. They are maybe scanning the entire internet for whatever the latest CVE is, whatever the latest issue is and seeing who's vulnerable and collecting resources, collecting assets, getting an initial access vector and maybe later figuring out where they're at. And I think there's also motivated threats that are... I have a goal to target a specific organization or... And then ultimately persistent threats that are, "I'm not going to give up until I get what I'm after." I think that we're seeing over the last 10-15 years this just evolved into... A lot more of those opportunistic threats are able to have so much more of an impact of, "Okay. I got a shell on a system, now I've realized what organization I'm in. This is a really ripe target for ransomware. And I think that I can sell that... Even sell that initial access vector to another group that's more motivated to actually run that ransomware tool and automate the process of extorting that company."

04:26 Raghu Nandakumara: So I kind of want to... You touched on essentially the whole sort of, I'd say, the malicious actor malware economy slightly, so we'll come back to that in just a second. But you talk about motivation and I see that evolution of motivation from, "Oh. I found this way to essentially disrupt something, slightly irritate some folks, maybe irritate an organization and leave it at that." And then of course ransomware being a prime example of, "How do I monetize, and demand ransom for being able to restore access to data to systems and so on?" And over the last sort of... Particularly the last... I think it's... The term has come in vogue over the last 12 months but it's definitely been the case because of political events, etc. of really about disruption on a massive scale. And as a result we've obviously seen and heard the term sort of “cyber resilience” now becoming really something that customers want and of course vendors talking about, "Okay. We help you achieve better cyber resilience." Have you also seen that change in the primary motivation of attacks shifting from nuisance to money to large scale disturbance?

05:32 Rob Ragan: Right. And I do think it becomes really organization specific of... Companies are getting more mature at being able to look at what they want to focus on from either that business continuity plan or the resiliency plan of, "Is availability something that I want to focus on? How does that affect our bottom line if we do have outages? Is it property that I want to protect or is it some other thing that I want to focus on?" I am seeing these organizations even at the executive level want to sit down and maybe do a tabletop where they're actually talking through the incident response plan in these different scenarios that they feel are affecting their peers, and it's a matter of when, not if, they're going to have to deal with this - getting ahead of it by actually planning how they're going to try to recover. Even at all levels of the exec team it's like, what's the legal team's role in this? What is HR's team in this, what is the PR team? Do they have a pre-written plan and response of how we're going to recover whenever this happens so that we're not scrambling to actually do it under pressure and making mistakes?

06:31 Raghu Nandakumara: Sure. And coming back to see, organizations and the threat landscape and so on and tying into the whole... Sort of we spoke about attacks that their primary motivation is large scale disruption. And connected to that, we see particularly of late the focus being on national critical infrastructure and as an extension of that OT... Large OT/IoT networks and that point at which IT and OT/IoT kind of meet. How is that really shaping your practice as a Threat Researcher and as an offensive security vendor?

07:10 Rob Ragan: We're fortunate to get to work with some of the largest companies in the world that are... One that's public that's a partner of ours is John Deere. And so whenever you're looking at that scale of an organization and how they see OT as really part of all of those tractors, become the tens of thousands or hundreds of thousands of devices that are interconnected that go through satellite networks to connect back to production, telematics and data centers and things along those lines so that they're actually getting visibility into the global food supply chain, and if there were to be disruption of those OT devices, that could affect being able to feed entire countries and affect entire economies. What we're able to do is help them look holistically at what are the starting states of different threat actors that they want to be able to practice their incident response capabilities around, and by that I mean it might be, what does it look like to compromise the heads-up display unit on a device? What does it look like if there's a workload in a cloud environment that's compromised? What if it's... The starting state is a laptop in a corporate environment or that of an employee? And then being able to actually have a plan in a scenario of, what are the controls that they're expecting to help them get visibility and even detect that this type of attack is occurring? What are the controls that they have from a prevention perspective?

08:43 Rob Ragan: And we're going in and helping them actually visualize what are all the components that are related? Even if this isn't developed, we're helping organizations map out the architecture and design of these components so they can look holistically from a red teaming perspective and answer the question, where are our intended trust boundaries? Where are the areas that we feel like we're going to want to trigger an incident response? And then helping them actually visualize on an attack graph what we see from an attacker's perspective. What are the MITRE ATT&CK framework TTPs that we are using to pivot whenever we're executing attacks in these environments, and where are their opportunities for improvement? We're helping them visualize on this graph like, we made it to this system with this access. We pivoted to another system, we encountered a control here or we didn't encounter a control that we expected to, and this maybe becomes an opportunity for improvement. Or where we did encounter a control, this is where we had to take another path, and we're helping them actually understand where there's partial detections, where there is partial preventions, but there maybe was a lack of visibility here or there was a misconfig that they could improve.

09:35 Rob Ragan: And I think a lot of teams are craving seeing that from emulating an attacker perspective. And we're even going down into the detail of we made our own malware implant framework that has a journaling capability. And so we're actually recording whenever we're on a system this is the date and timestamp that we ran this exact command so that blue team can then go study if... are we able to correlate in our Splunk or in our other logs that we saw that activity, or is this something that there's no legitimate use for that, so we want to be able to trigger that as a new event that happens in our incident response.

10:09 Raghu Nandakumara: I kind of want to ask with a very basic question to pay off from what you just said. Often when we talk about IT, the threat of IT, OT, IoT, it's often like, well, the focus is on that IT and OT boundary, where that interconnection happens. And I guess the simplistic representation of the risk is compromise of IT leads to compromise of the OT network, leads to, let's say, manufacturing stopping or a healthcare organization not being able to deliver patient services. But I'm sure that the real threat or risk is significantly more complex than that, and it's even essentially a compromise of the OT network of itself without any interaction with IT. That is a real threat. So what are you seeing as a better representation of what the real threats are?

11:00 Rob Ragan: Yeah. We're seeing organizations want to actually dig into... We're going down in some cases to testing the firmware on those devices and actually trying to understand what are the third-party components that the organization maybe didn't have a role in building but now has the shared responsibility and the security of their usage of those components. We're seeing that's often where they previously weren't doing testing and analysis, but it's come to light especially with the focus on supply chain risk and especially with the focus on, like, that might be our weakest point and previously we weren't testing it and trying to uncover vulnerabilities with it. But that might be the weakest link in compromising that device. And the threats are... So attackers are studying these commonly used components in these devices. Maybe it's a chipset that has inherent issues that's going to be out there in the wild for years and can't actually be fixed. So they're looking at it from, if I have an exploit for it, this is going to affect all those devices that I can find and see on the internet. And organizations need to know the answer to that question of, should they be putting other mitigations in place or plan for that if it's something that's going to live out there for dozens of years?

12:02 Raghu Nandakumara: And actually you touched on something that... I know we were offline. We were having a conversation about how as offensive security teams and vendors that you do have an opportunity to essentially pick up brand new or I'd say, very old technologies and just dive deep into them. And I think the OT space is a great example of where it's such a diverse range of technologies. Each manufacturer does their own thing to a large extent. So having to go in deep into those must be a real challenging but also fascinating part of the role.

12:31 Rob Ragan: It is. It becomes fun. We get the chance often to... I'll give an example where we worked with a power utility. And they had concern about the risk of their substations that were all over an entire region of the United States. And the devices that are in those substations are from the 90s. The protocols that they used were designed with no security in mind, the opposite of Zero Trust. They're full trust. They trust anything that talks to this; there's no authentication, authorization, there's not even a concept of an identity. And we were able to come in and help in a lab environment study how these work, study that protocol that hasn't been updated in decades, and actually show how we could send commands to it to flip the switches of actually turning power on and off until the point where it's shorted out and completely broke and shut down - which being able to affect that on our network would be a complete catastrophic failure of the power grid.

13:31 Rob Ragan: And... but we're coming in and helping our customers actually understand that, demonstrate that risk so that they can plan for their mitigations around it and then they can get the focus from their teams and their executive buy-in on, I actually know I need to do something about this. And having that proof and having that evidence that this is possible helps influence the budget and the resources for, "We need to put other mitigating controls around this, we need to make sure this device can't be talked to remotely from other things on our network", and really I'd say segment it off and whitelist what's talking to it.

13:58 Raghu Nandakumara: So you mentioned that word Zero Trust, so we're going to come on to that in a second. This is a Zero Trust podcast after all. But I wanted to, just before we leave the whole sort of the OT/IoT security space and move on to other things, there's obviously been a huge development in what security vendors are doing to better secure OT and IoT. And there are a plethora of vendors that sort of focus on some aspect of that. In your opinion, what is the key need above all else to better secure OT and IoT?

14:30 Rob Ragan: I think helping with the usability of making it easier to actually apply security onto some of these devices that have no security built in or weren't designed with security at all. If there's a problem to solve, it's making it easier to apply that. If it's not easy, then it's not going to get easy.

14:48 Raghu Nandakumara: Yeah. Absolutely. Okay. Alright. Let's shift gears a bit. You mentioned the term Zero Trust. I didn't. Okay. So what does Zero Trust mean to you as a security practitioner?

15:00 Rob Ragan: Yeah. From my perspective, it's that ability to authenticate and authorize this action. It's where every action that's happening in the environment and in the systems, it's, can we, with confidence, understand who is doing this, how they're doing it and is it authorized?

15:16 Raghu Nandakumara: Okay. So now as in your role like offensive security and what Bishop Fox does, what type of conversations are you having that are straight up about Zero Trust? Does it come up in engagements, and talk to us a bit about how that happens? What are the discussion points you're having and what typically the outcomes are?

15:36 Rob Ragan: Yeah. It comes up in conversations when I'd say customers feel like they've made an investment in the area. And honestly we're almost always still seeing like a hybrid environment. If someone says, "Well, we have implemented a Zero Trust environment," there's still typically some hybrid things that aren't following those principles. And it comes up a lot when our customers want to push the limits of their team or they want to see and understand their blind spots in their environment based on the controls and the investment they've made in implementing that type of framework. We'll have maybe a CISO that says, "I've implemented application whitelisting. What would you do to bypass that in my environment?" And so we're building out scenarios where we're going to say, "Okay. If you were to put us onto an employee system or onto a laptop, we're going to assume a breach of that with some malware that's been installed." Actually going through and emulating what real attackers would do, such as DLL injection into an application that has permission to access another part of the environment.

16:32 Rob Ragan: And then we're assuming that role and that identity of that application and now we're on the whitelist but we've injected it with malware that can help us perform whatever our objective is or help us with further malicious actions. And then from there, it's what other controls are in place to either detect or mitigate the risk. But they really want us to take them through those scenarios so that they can practice and see do they have other triggers or other events that are going to help them in their incident response capability.

16:57 Raghu Nandakumara: So what then does the recommendation look like? Because it's like, how does... 'Cause it feels as an attacker, you do have sort of the ability to test all kinds of things. And as a customer there's a finite set of things that they focus on and say, "The rest of it, I accept the risk." So how do you guide your customers to say this is important?

17:20 Rob Ragan: A lot of it becomes very specific to where they're at in their maturity level. And if a customer already has application whitelisting, they're more mature than most. It's helping them then understand what other controls do they have and where's the opportunity to catch the attacker, 'cause they've already increased the amount of time and effort and resources that the attacker had to spend to achieve that, if they had to find an application that's on the whitelist, find a way to inject into it and then assume the identity of that application and that user that's running it. It's what other things could they have done in the environment or what other steps and commands could that attacker run that they could trigger an event on and contain and eradicate the threat? So we're often running those scenarios on a continuous basis to just help them keep practicing, help them identify new opportunities. And it's not then just relying on that one control. It's looking holistically. It's like, what else do we have available to us that's an indicator of compromise that we could trigger that event on?

18:19 Rob Ragan: And we're actually helping our customers in a lot of cases push that further to having a better understanding of what their indicators of exposure are and what their indicators of vulnerability are so that we can... Maybe that's even starting with testing that OT device that they're relying on that's critical to their environment, or maybe that's testing some of the applications that they're using to understand, does it even have that vulnerability or that weakness that you can address and fix so that an attacker can't take advantage of it as part of a greater attack chain?

18:46 Raghu Nandakumara: 'Cause I think in what you're saying, really that education for customers of their entire security organization is such an important thing, because it does feel like the skillset that is now required to be a professional in cyber is very different to what it was even five years ago, where there's now a real emphasis on, "Do you understand the nature of threat? And do you understand how an attacker is going to progress?" I think there was sort of a talk just earlier today from one of my colleagues that is really about "think like a hacker to build better resilience." So how are you seeing that uplift in skill set taking place in your customer base?

19:27 Rob Ragan: Yeah. I'm seeing a lot of folks that are willing to adopt more proactive testing and continuous testing, and it's always reevaluating what was the scenario or what was the goal of the test and adapting and enhancing it to whatever outcome they're trying to achieve. I'm seeing a lot more folks that are... Security engineers are now on blue teams that are also then wanting to participate in those red team exercises and in those tests and be involved and actually understand how they can learn to apply those techniques while they're building and into their threat models. And I see that the folks that are doing that on a more regular basis are maturing more rapidly. And if they're not factoring in that testing to what they've implemented, then there may be long periods and long gaps where there's a susceptibility that remains unknown.

20:14 Raghu Nandakumara: Understood. So, moving a bit, what are you seeing as key areas that need significant sort of investment, that are now cropping up over the last, let's say, 12 months?

20:26 Rob Ragan: Yeah. I still see a lot of folks that are coming to us for help with understanding their attack surface. Understand... And where we're going to see this go is it's going to be not just external attack surface, it's going to be authenticated application attack surface. It's going to be internal and private networks attack surface. The cloud environments, VPC attack surface and all interrelated systems, including up through their supply chain and vendors that they have in their environment. There's still a... This is what I'm seeing folks trying to focus on, because especially at the enterprise, as soon as they have an acquisition, it feels like a setback.

21:04 Raghu Nandakumara: Yeah.

21:04 Rob Ragan: A security team that's trying to get a handle on what they've had in their core environment, but they've now acquired this company and it's trying to make sense out of what they have that they're responsible for protecting. I think that we're going to continue to see investment in getting a better definition of, as those changes are happening and they're happening on a daily basis, what they... Getting visibility into them, and then being able to proactively test them for indicators of vulnerability and being able to then decide which of those matter first. And I'm seeing a lot of folks ask for help with remediation priority. "I have so many things I could fix, help me decide what to fix first." And I still think the best way to do that is to thoroughly test it and to actually demonstrate the impact of exploiting it. And if you can't do that, if you can't show that... I think there's an issue here, this might be vulnerable, but actually what does it look like? Is it possible to exploit it, or are there mitigating factors, and if it is exploited, what's the actual impact? What data do you think it gets you from there? Having that question answered helps decide what that priority becomes then in fixing it.

22:11 Raghu Nandakumara: The question is, how do you then also inject into that, what is the probability that it is going to be exploited? Because as an offensive security... you clearly have... essentially, you've been asked to go and do something. So how do you assign the likelihood, because that's almost the key factor in, do I pick X or do I pick Y when I only have to pick one of the two?

22:33 Rob Ragan: Yeah. We've actually evolved our severity ratings in our reports to, I'd say, actually be a little bit more selective about what we're assigning critical to, which is probably counter to what maybe a lot of other vendors are doing. They're driving like, "No. Everything's critical. Everything's red." We're seeing our customers really want us to take a closer look at that and scrutinize a lot more if it deserves that level of attention. And we're doing that a lot based on, going back to those, "Is this something that an opportunistic attacker could exploit unauthenticated, that has no needs, no initial access vector or no way to assume the role of an employee? Or is this something that's going to be more of an unintentional or intentional insider threat that's more motivated, has credentials already and that was able to find this vulnerability, versus this is a complex multi-step chain that we've uncovered, but there might be an opportunity to prevent that if you just fix this one issue." And so we take a lens where we're actually focused on what do we think is the most effective remediation or fix, or if there's mitigating controls that can be put in place. We're factoring that into how we're making a recommendation on priority to fixing it.

23:42 Raghu Nandakumara: Got it. And that's a really good point for me to pick up on. In the last 12 months, if there's been consistent themes within what's been reported in the security press, one of the themes has been ROI. How do organizations make their bets when they have budget constraints? And they're now, more than ever, being asked to justify ROI of security investments. And I was speaking to a guest a few weeks ago whose position on this was that security teams shouldn't... ROI shouldn't be something that you should be demanding of your security investments. The value is in terms of what's the risk they reduce. What are your thoughts on, when you think about value, is it just the security benefits or is it also the whole TCO of the solution?

24:32 Rob Ragan: I'm glad you said total cost of ownership. I think a lot of times, security investments are made from buying a particular product or solution and it's not clear what the total cost of ownership is going to be. And it's not clear until maybe you're deep into implementation phases and deep into using it, how much work this is generating for the team and how much work it's putting on them. And that might ultimately lead to things being missed. I've seen cases where... We came in after an incident had happened to help test an application and they were trying to understand the root cause of how a web shell got uploaded through this PHP application. And there actually was... For 13 months, before that, there was a red critical finding in the static analysis tool that they're using that this is vulnerable, but it had been closed out and triaged out by a developer that said, "I don't think that's exploitable." But it was... Maybe that developer didn't have the expertise to understand how to exploit that issue. And maybe they shouldn't have been the ones making that decision.

25:28 Rob Ragan: But the team maybe didn't have the security expertise or time to help answer that question. And so then they had invested in a product, got the report that said something was vulnerable, accidentally ignored it and then still had a breach. But I think it was not understanding what that total cost of ownership would be to have the expertise to help actually answer those questions. And that's where looking for maybe a solution to the problem, and it might be a combination of services and products sometimes, or managed services that help achieve the actual complete outcome of the problem that you're working on, rather than having to have people on your team own part of that.

26:05 Raghu Nandakumara: And that's a really interesting perspective because it's... And actually it's sort of the first time I'm hearing that perspective, because it's about, if you don't truly understand the problem you're trying to solve, then your ability to assign or to say, "This is my ideal TCO." You're effectively guessing what that should be, right? Because it's done with incomplete information. And then you said, and a part of that is understanding that you probably need to complement tool sets with services and maybe third-party offerings that complement that. So within that and to provide better TCO of your investments, what role do you think sort of offensive security offerings, whether that's folks like yourselves or these automated testing suites that are now everywhere, what role do they play?

26:58 Rob Ragan: I think we're still very much in a phase where the automation isn't there to do the job entirely, and that goes for most things. Not just even in security, but we're working on it. It's going to be something that we continue to push the limits of for many years to come. I think bringing in and having a plan for your expertise that's going to use that automation, whether you're buying a product that's helping with automated testing, there's still going to be output of that that someone is going to have to make a decision on. And I think there's an opportunity to decide, is it someone that's in house on your team or is it someone that you are going to partner with and trust that's a third party?

27:31 Rob Ragan: I've seen a lot of folks need that help in scaling, especially if people on their team are wearing so many hats that they maybe don't have the time to focus on the output of a particular tool, or they feel like maybe they did have people on their team that are no longer there anymore. And it's like plan... I guess, planning for that resiliency in the security organization model. If we had one person that was running these three tools that we bought and they leave, what happens? Does that become shelfware, or do we have a plan for who's going to be their backup to maintain using those? I see that that's often where we're having our customers come to us and say, "We need help. Look, we need a tester or someone with expertise to help us actually get to the outcome and not just have a tool."

28:11 Raghu Nandakumara: Alright. And again, I just want to summarize that for the viewers and the listeners: to be able to truly understand how you're going to get ROI or how you're calculating TCO, you need to first determine whether you have the skillsets available to get full value out of existing investments or new investments. Otherwise, you're never going to be able to realize its benefit. You have those challenges of being able to justify why you didn't get value out of something. I know we've just got a few minutes left. Crystal ball time, right? You look into your crystal ball of the future, right? What are you excited about? What are you scared about? From the cyber landscape?

28:50 Rob Ragan: I personally am actually really excited and have been diving deep into the large language model space. There's a lot of, I think, both hype around this, but there's a lot of optimism and some concern around risk. And I personally though, in some of the prototypes I’ve been building with it, I'm actually very optimistic in how easy it will be to achieve certain things that were really challenging before. I do think that we're going to be in this phase where... I actually read a book not too long ago about this that I'd recommend if anyone is interested in this called, "The Missing Middle." And it's about where human and machine come together and what is the machine good at and what is the human good at. And it essentially outlines a framework for how to work together and be able to do more. And I think we're going to be in this phase though, for still the foreseeable future, that we're figuring that out and we're... And what goes wrong in the implementation of that, but I'm actually... I'd say I'm more on the optimistic side of this is going to open a lot of doors.

29:48 Rob Ragan: We've been using it in ways to actually identify ownership of assets as part of that attack surface question. And it's something where the input in the... A lot of times for those questions it's completely unknown or it could be completely different. It's anything that's out on the internet to write like a traditional application to help or API to answer that question is really challenging because you don't know what the input's going to be. But to have something that helps you parse and read the input and then gather evidence about it and then help you answer questions about it for maybe the next stage in your workflows and your processes is to me really exciting. I've seen like a big advancement there.

30:20 Raghu Nandakumara: I think just going back to what you said about the book, right? I think that's what that meeting in the middle is really where we should be focusing because I think overly soon as the discussion about AI comes, and now with the LLM, it again, it goes back to that, right? At what point will AI be greater than human intelligence and then that sort of thing of machines taking over, yada, yada, the usual sort of like Terminator 2 scenario. But I think absolutely, I think ultimately it is about converging, right? It's what are humans optimal at doing, and that's what we should be focusing our talented efforts on and what are machines and machine AI optimal at doing, right? Because ultimately that's the whole point of the industrial revolution was not to replace humans, but...

31:06 Rob Ragan: To optimize it.

31:07 Raghu Nandakumara: To optimize. And this is really what this is about.

31:09 Rob Ragan: Right. And I think that we still need to be seeing it as a tool and as a technique to apply. And I think anyone that's rushing right to implementing this in production without that human in the loop or that way to hit like zero to talk to an operator, that is asking for a lot of trouble. But I think that it's like... It'll be exciting to see the application specific ways that we use this tech.

31:31 Raghu Nandakumara: So just be on the LLMs, how concerned are you about input poisoning?

31:36 Rob Ragan: Oh. I think it's a very real problem. And that's why I'm saying anyone that's jumping to using this in any production applications or any live use cases without testing it for ways that the abuse cases, is asking for a lot of trouble and they're going to have incidents and they're going to have issues and the prompt injection is still very easy to do. I mean, I was talking with the CISO yesterday who already has put it in their LinkedIn profile that if there's any marketing bots that are parsing there, his page, he has a prompt injection to have it do something else. And I think that we're going to see maybe those light... There's not really a whole lot of impact on that if someone's marketing campaign didn't work well. But I think it's going to be interesting to see how else it's being used.

32:13 Raghu Nandakumara: I had a conversation with ChatGPT a few months ago about Zero Trust and I was just grateful that I still knew just a touch more than it did, but I'm sure that it's not too far. So any final thoughts, Rob?

32:24 Rob Ragan: Thank you so much for having me. I think that this has been always a great conversation with you, Raghu, and yeah, I look forward to seeing like more of how this space evolves.

32:30 Raghu Nandakumara: Fantastic. Rob, thank you so much for joining us today. It's always a pleasure to speak to you and dive into your knowledge in this space. For anyone who's watching, listening, if you are interested in offensive security and hooking up with the experts in this space, go and check out www.bishopfox.com. Rob, thank you again very much. Thank you all for joining us today. Enjoy RSA.

32:53 Raghu Nandakumara: Thanks for tuning into this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at @illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.