A Zero Trust Leadership Podcast

The Cybersecurity Cliff Nobody Is Talking About | Jen Ellis
Jen Ellis joins for a conversation about why so many of cybersecurity's biggest debates keep missing the point.
Transcript
Raghu N 00:00
So welcome back everyone, for yet another episode of The Segment. Today I'm joined by Jen Ellis, founder of NextJenSecurity. So after 11 years at Rapid7, building its research, advocacy, and community engagement functions, Jen founded NextJenSecurity. She serves on the UK Government Cyber Advisory Board, is an associate fellow of RUSI, co-chairs the Ransomware Task Force, sits on the boards of the CVE program (there's a lot to talk about there after the last few weeks) and the Center for Cybersecurity Policy and Law, co-hosts the Distilling Cyber Policy podcast, and, just because she's got a few spare minutes, goes and testifies before U.S. Congress. Jen, it's incredibly exciting to have you on The Segment.
Jen Ellis 00:46
Thanks. It was awesome to be here. Basically, what my bio tells you is that I have a really hard time saying no to things, and that people know I'll do free work for them. Like, that's what it is. It's like it's a really fancy way of saying I'm a sucker.
Raghu N 00:59
Well, that's fantastic, because it meant that you said yeah, you had to say yes to this podcast based on that bias, right? So we're grateful for whatever reason, we're grateful that you're here. So, Jen, as you can tell from her background, has spent years operating that intersection of security, strategy, policy, research, and industry transformation. She brings a sharp global perspective on how cyber has evolved and where it may be headed next. So, in this conversation, we're going to unpack why many of cybersecurity's biggest debates feel stale. What resilience should really look like, and whether the industry is preparing the next generation for success in an AI-driven - the notes say future, but I should really say an AI-driven present
Jen Ellis 01:41
reality, yeah.
Raghu N 01:42
Yes, a reality. So, Jen, again, welcome to The Segment. I know the origin of this actually started in the basement of a bar in the City of London at an event that you and I were both sort of panelists on, as you were absolutely holding court, essentially picking a fight with anyone who was brave enough to fight you.
Jen Ellis 02:03
Okay, that sounds really bad. I think, well, accurate. It's not super inaccurate, but it sounds really bad. It sounds like it was just like drunk and rowdy in the corner, like, come at me, you are perfectly.
Jen Ellis 02:17
Very sober. I think the point that I made is that I don't believe that banning ransom payments will end ransomware, and I think I sort of said I was perfectly happy to fight anyone on that topic, either individually or en masse, and I might have said something similar about private sector hack back, but I don't think that authorizing private sector hack back will lead us to good outcomes, and again, put them up.
Raghu N 02:43
So, let's start there with ransomware, ransomware payments, right? So this debate about, like, what are the most effective ways that we can essentially drive down the threat of ransomware, make it harder for attackers to be successful, provide them with less incentive, etc. etc. This debate goes on and on and on, and of course resurfaces every time there is yet another major ransomware attack, and the whole sort of question around payments continues to come up every time this conversation happens. You've been in these probably thousands more times than I have. Why are you taking the position that you just summarized?
Jen Ellis 03:23
Yeah, so I mean, the basic gist that people have around this idea is like ransomware is a wholly profit-motivated activity, and that if you take away the stream to profit, you take away the activity, right? And on its surface, that's a really seductive message, and seems quite compelling. And then you can also mix in some other things that are really compelling as well, like we don't want to fund crime, and putting money into the criminal ecosystem is a bad idea, and these are criminals who do really bad other things often, and so we shouldn't be funding those other things, and you know, we don't want to use our customers' money in that way, or our shareholders' money, or etc, etc. I think all of those latter things make a lot of sense, but they're all about, you know, the sort of ethical position you want your company to take. They're not really about stopping the threat. So, let's look at the initial argument, the argument that by cutting off the revenue stream, you cut off the activity, right. So, what you have today is you have a criminal segment that has almost no barriers to entry, and has very rapid entry in multiple regions, and you know, we see groups appear and disappear very quickly, very commonly, all the time, right? And some of them are proper organized crime, and you know, this is what they do for a living. Some of them are branches of existing organized crime that do other nasty things. My point being that they're probably not going to go, "Oh, this looks hard, let's go get a job at McDonald's," but I think more than that, what we have as an assumption here is that there is a level of targeting that happens that actually isn't normally the case. Now, like, I get it that in the UK we've seen some anomalous activity, and that might give people the wrong idea. So, like, last year we had M&S and Harrods and Co-op and JLR, and they all looked highly targeted. 
I think it's unlikely that they were as highly targeted as they might have appeared, but they look highly targeted. They were also perpetrated by an attacker group that is anomalous. Scattered Spider is not the norm, right? So, the norm are attacker groups that sit not in the UK, they're in another country, they're normally based in safe haven nations, and actually their attacks are, if not politically motivated, at least politically tied, in as much as a safe haven nation exists either because it fundamentally cannot prosecute, i.e. the activity makes up too much of their economy, or they don't have the policing force to go after it, they don't have the sophistication in intel gathering, or evidence gathering, whatever, or a safe haven nation is a nation that chooses to allow the activity because it furthers their own aims. That doesn't necessarily mean they give marching orders, but maybe what they do is just like set some lanes, some parameters, right? Like, hey, it can't be within this country that you target, and it can't be something that, like, is going to lead to triggering any NATO articles, right? Like, those might be as close as the parameters get, and that might be as much as the targeting then looks like, right? So, like, imagine you're standing on the shore of a really big lake, and you've got a stick of dynamite in your hand, right, and you can choose, like I can go throw my stick of dynamite that way, or I can choose to throw it that way, or I can choose to throw it that way. Anywhere I throw it, provided it's in the lake, I'm eating fish for supper. And I don't really care which fish, because, like, I like the fish that's in the lake, I'm happy either way, right? It all tastes pretty decent, and so, whether I choose to throw my grenade, my grenade, my stick of dynamite to my left, to my right, or down the middle is really about whim. 
It's not really about targeting. That's pretty much what targeting for ransomware looks like, right? Like, I know I can't throw behind me because that's going to get me in trouble. I'm going to blow myself up, right? Yeah, but that still gives me a lot of reason to go out ahead of me, and I might literally target as much as to say, well, the US looks awful juicy, and so does the UK, right? I mean, well, if I go after those nations. So I think when you think about ransomware attacks, this idea that, like, you cut off the revenue stream is somewhat naive, because for one thing, you're assuming that there's no political motive, there's purely profit, right?
Raghu N 07:53
Yeah.
Jen Ellis 07:54
We know it's not true. You're assuming that you can successfully say we're going to cut off the ability to be targeted, but if I'm literally putting something out on the internet and seeing what happens, then in reality it isn't as refined as that, right? Like me saying I can put something on my website that says I solemnly swear I will never pay a ransom, it doesn't change the fact that I interact on the internet and therefore I might get victimized by accident, right? And an attacker, frankly, is just going to be like, "Shrug, it's no skin off my nose, you know. It sucks to be you, you can pay me or not," right? And on top of that, it completely misses the fact that attackers are really good at evolving their strategy for getting money. So we saw them do disruptive attacks, the water got too hot, so they switched to data theft and say right, and then we saw in some cases people say, well, we won't pay you, so then they switched to taking the data they'd stolen, and rather than going to the primary organization, they started going to the organization's clients or customers. You're a law firm, all of a sudden your clients are getting told, we know what your secrets are, and we will disclose them unless you pay us. Or you're a mental health institute, and your patients are suddenly getting that message, which is gross, right? Yeah, my point being, like, attackers will find a revenue stream, and if I was a cyber criminal, which I am not, I keep saying it, I'm hoping people will believe me one day. If I were a cyber criminal and a country said to me, "We are going to have a ban," what I would think is okay, well, let's test your mettle, and so then I would be like, because I'm pretty sure that, like, the most vulnerable are unlikely to be able to hold on to that, right? Like, and to an extent, like, maybe they think they wouldn't - no one would know if they made a payment, right? There are ways around it. 
There are always, always ways around it, and so I might think to myself, well, hang on a second, you know, the UK and Europe, they have a lot of small to medium businesses, like the UK is 99% a small businesses economy, right, a small to medium businesses economy, and for a lot of small businesses, a ransomware attack can actually be an existential threat, right? Like, if you're in a situation, I brought this example up with someone the other day, and I think they think I'm insane. Have you seen either the stage show or the movie Kinky Boots?
Raghu N 10:12
I personally haven't. Okay, I'm listening. I'm listening.
Jen Ellis 10:15
Work with me here, right? The premise of Kinky Boots. I took my mum to see the stage show last year, so it was an enlightening thing for me. And the premise of Kinky Boots is a guy inherits a shoe factory in, I think, the north of England, right? Right, and the shoe factory was started by, like, his grandfather or his great-grandfather, and to be honest with you, in this day and age, it's quite hard to compete, you know, keeping your bespoke, beautifully handmade shoes or boots with things that are coming in from other countries that are produced much more cheaply, and so he is in a position where basically the factory is going to fold, he's having pressure from people to sell, and he is one of the big employers for the town where he was raised, right. So, like, a lot of people locally work in his factory, and he stumbles upon the idea of making boots for drag queens, pivoting his business and making very niche boots for drag queens. It's a captured market, and this saves his business, and that's what the whole thing is about. I'm really sorry if I spoiled that for anybody. I think hopefully people knew that much, and I've not ruined anything, right?
Raghu N 11:30
I really want to go and see it now.
Jen Ellis 11:34
To the makers of Kinky Boots, you're welcome. And Kinky Boots is based on a real story, right? So this really happened. There's a real person who inherited this factory and felt this pressure. My point being, like, come on, they're not alone, right? Lots of people inherit family businesses, or they have a business that they worked their entire life to build themselves, and lots of people run businesses that are huge employers in their local area, and they feel a huge pressure on that. My point being, like, when you face an existential threat and you have a bunch of other pressure in front of you, and you think, well, would anyone really know, why wouldn't you pay a ransom? But what you then do is you put yourself in the pocket of that bad guy, right? Because now they know, not only will you pay the ransom, but you've broken the law to do so, because there was a whole ban. So I just think, like, one, I think it won't solve the problem, two, I think it re-victimizes victims, and I think it actually potentially puts us in a further hole. I think if we wanted to make a payment ban work, it would have to be global, and even then you would face a bad period before you got to a good period, right? Like, it's a little bit like people who are listening to or reading the news about Claude Mythos or Project Glasswing and are saying, oh, this is the end of security. In the future, there will be no need to have security, and I'm like, yeah, but that's a little bit like looking out at the sunset and saying, what a beautiful sunset. We should head towards that sunset. Watch the giant cliff right in front of you, right? Don't fall off that cliff on the way. We've got a lot of pain to get through before we get to the good side, and like, when I say a lot of pain, like, I don't think we should be declaring ourselves dead for another 20 years, frankly, you know, at the least. So we have to survive a lot of bad stuff before we get there. 
And yes, to those who are playing bingo at home, that was your first Mythos reference.
Raghu N 13:18
Ding, ding, ding. I think you've already got a line. Let's go. Let's talk about that, like sort of again, right? Understanding from you about your whole reasoning around why we shouldn't have a payment ban, right? It makes absolute sense, because I think really kind of what you landed on at the end is that the impact of it will be that it will further victimize victims, but that's before we even get into the logistics of how it's even ever going to be enforced, and the practical realities of that. Just forget, I mean, forget about globally, but just even in a single country, to enforce it is going to be nigh on impossible, right? There's just too many exceptions.
Jen Ellis 13:59
Can you imagine saying to people, hey, if you get mugged, it's against the law to hand over your wallet and your phone?
Raghu N 14:04
Yeah, exactly. I mean, that's the exact perfect analogy.
Jen Ellis 14:08
Yeah, right. What I will say, though, is I'm not saying we shouldn't have a ban. This is where it gets complicated. I do believe that the government should not be allowed to pay, because I think fundamentally taxpayers' money should not be used in that way. I don't think that a ban is necessarily, I think that a ban has trouble right now. I think a ban as a goal, with a glide path on how to get there, to support those businesses, to think about what that looks like in the future, could be okay. I don't believe it will see an end to ransomware. However, I do think that there are other reasons to have one. For example, I think a lot of companies would like to be able to say to their customers, we're not allowed to pay, because in reality they don't really want to pay, but they feel a lot of pressure to do so. I think the insurance policies should be focused on recovery, which is a much longer, more expensive thing, rather than being focused just on paying out, which is not to suggest that insurance companies are all pushing people to pay ransoms, that is not what I'm saying, before anyone, like, you know, writes anything and says, well, we're not doing this. I know you're not doing that. Some people might be doing it, but not everyone's doing it. There's no real evidence about it. But yeah, so like, I think there are perfectly reasonable reasons to say payment is bad, and I agree that payment is not desirable. I'm just saying a ban today, we're not ready for it, and I also just don't think it's going to solve the problem we're trying to solve.
Raghu N 15:39
So kind of connecting that to the whole, you mentioned Mythos and sort of this now, this AI-powered present that we're absolutely in. Do you think then that, let's say there is that glide path to a ban, but I kind of want to move on from the ban bit, but like using this as a bit of a jumping off point, right? Do you think a key glide path to that is really around forcing organizations to put in place a baseline security architecture, security control set, like, that is proof that it gets them to some level of, I'm trying to figure out the best way of expressing it, but like a provably better place. Like, show that you've actually made the effort, rather than sitting back on your insurance policy, right? And essentially the backstop that that provides, like, is that a key part of the glide path?
Jen Ellis 16:33
Yeah, I mean, I think you know, if you look at cyber insurance, which lots of people think will solve the problem for us in the long term, right, and maybe it will, but I think we're not there yet. Again, this is another area where, like, we can't underestimate it. I love the fact that, because the security industry is young, we're a generation old, right? Like, we're about 40 years old as an industry, that everything feels like it takes forever. Like, our concept, it's like when you're little, right? Your concept of a term at school, it's like the longest amount of time ever, but when you're older, you're like, "Oh, dear God, are they on holiday again?" right? Like, it's constant. I think we're like that in the industry, that like, we view time scales really, really weirdly. We're like, "Oh, it's taking so long," whereas the insurance industry, which has been around forever, is like, oh, we have to accrue data, and it'll take us a minute to get there to what we can see, and they're working on it, right? They are developing, they are maturing way more, like cyber insurance as an industry is way more mature now than it was five years ago, just astonishingly more mature, and I think it will be a force for real good in the future, in the same way that, like, you know, my household insurance mandates that I have certain locks on my door, right, but one thing to remember is that adoption of cyber insurance in the UK is still in, I think, single digits market adoption, and actually, you know, the way insurance works is all built on data, they have to have that base of data, and when you're talking about cyber, you're talking about a less finite domain than the kinetic domain, where it's harder to build your models and to project in the right way, and to predict how things will come, so we just need to give it time, right? It has potential to get there, but I think you know just the reality is what we need to do is build in resilience. 
We do need to get that baseline, and there are people who have talked about a policy whereby, you know, if you can prove that you have an appropriate baseline, then you get either more access to government support, or you get permission to pay a ransom if you need to, or something like that, right? Like, but you have to have the baseline there in the first place. I think you know the reality is, if we want to see organizations invest, then we have to mandate it. There is no... I've really tried, because I'm not massively pro regulation. I think a lot of people in this country are not massively pro regulation. I've really tried to figure out how we do it without, and the reality is, like, small to mediums will never get there unless it's something that they absolutely have to do, in the same way that they have to invest in health and safety, right, and we can't keep beating them over the head with the same message and the same stick without actually, like, really turning it into a proper stick, right. So, and I think even then, in reality, you know, because the barriers to entry are so low and there is so much money to be made, and the risk is actually relatively low for those in safe haven nations, I just don't think we're going to see this go away anytime soon. Like, there are so many countries in the world that have access to a high level of technical infrastructure, they've got really high unemployment, and that creates a sort of melting pot for people to get involved in this, and actually, to a certain extent, AI is just going to continue to be a level playing field for that, right? Like, we are going to see, like, here's the thing about, and again, this is going to be your third, are you ready, Mythos. The thing about Mythos is that when you look at the whole piece around vulnerability discovery, right, there are three key stakeholder roles. This is a grand oversimplification. 
There are obviously far more than three stakeholder roles, but three buckets of activity, shall we say.
Jen Ellis 20:08
There's initial discovery, right, and that's your researchers, now it's your AI, and it includes things like your disclosure programs and all that kind of stuff, and your bug bounties, etc. There is the vendor response, and then there is the end user organization response, right? And what we have seen with Mythos so far is we've seen a lot of people talking about this piece over here, discovery. Now this is really important, because obviously what AI is doing is massively accelerating discovery, and that is really a problem, and part of the reason it's a problem is because over here, where we had our end user response, we have a real problem with patch adoption today, and that's one of the reasons we're not super resilient, and why we offer opportunities for criminals, right? And so everybody's like, well, we have a problem with patch adoption, how are we going to get these end user organizations where they need to be? However, what people aren't talking about massively, as far as I've seen, is the vendor response piece, and actually, you can't adopt a patch that hasn't been released. Vendors today struggle quite a lot with doing triage and verification, prioritization, and then applying the resources to develop a patch, and people seem to have this idea that that's the thing that Mythos is doing for them, like vibe coding automatically, magically vibe coding a patch. I don't believe that that is the case, based on having read the Anthropic release a number of times, nor do I necessarily think it's anything we would want it to be doing right now. You want humans in the mix, even if, like, they are vibe coding something, you then want to have a verification process. We're not ready for, and we will be in the future, but we're not there yet. We're not ready for AI discovery, AI patching, AI testing, AI routes, right? Like, and that's where we will get to, but it's not where we are now. 
So, today, what's likely to happen is you're going to get an accelerated pot of discovery. It comes with some triage and some verification, which is good, because it helps with prioritization. So, it's, you know, it's been verified, you know, there's exploitability, those kinds of things. And then you can prioritize, but you still need people to come up with a patch, which is going to slow way down because of the volume, and you have to go through the whole process. So I think that when we talk about resilience, the challenge that we have in this country, where we are talking about this ransomware thing, bringing it back to the ransomware thing, and the concept of resilience is this country and developed countries have a lot of legacy technology.
Raghu N 22:44
Yeah.
Jen Ellis 22:45
And where AI-discovered vulnerabilities are particularly a problem, where we are particularly lighting ourselves on fire, is legacy technology.
Raghu N 22:55
Yeah.
Jen Ellis 22:56
And countries that don't have a ton of legacy technology, that are not as entrenched, will not be in that same deep, deep well of hope. So I kind of feel like when we look at all of this and we think about that ransomware problem, I think we're going to see a lot more discovery of opportunity for attackers and a lot less ability for us to address the problem, both from a vendor point of view and from an end user point of view. End of life and unsupported products is going to become a much bigger issue, and I don't think we have a plan for that.
Raghu N 23:35
I love how you connected all those things together. In fact, you basically did the hard work for me, so I'm just here listening now. I'm just a listener. That's cool. That's great, right?
Jen Ellis 23:47
I talk too much. I like it. I like it. That's why.
Raghu N 23:51
Jen, that's why I wanted you on the podcast. I knew it would just make this episode so easy for me. I think that point about the fact that there is so much legacy technology out there, right, and you can use whatever term, however you want to define legacy, that's really up to you, right, or up to each sort of individual organization, etc., right. So now, and the other thing that you said was that, while kind of maybe way into the future, the whole sort of the way these frontier models are developing, but also like the open weight models are equally sort of getting more and more capable, is that we will get to that point where what we deliver product-wise is much more secure than it's ever been, right? So essentially that place where it's more secure, so typically it'll be shipped with fewer bugs, fewer vulnerabilities, etc. etc. Potentially, I mean, that's kind of like the hope, but what you said was that, like, before we get there, there is, of course, this huge cliff or huge valley that we need to cross, right, which has got great depths, so in terms of the here and now, right, and particularly because there are so many unknowns in this, like we don't know what's going to be discovered, right? Once it's discovered, we don't really have a complete handle on the exposure, we don't then know when those things will be patched, if at all, right? So, given these are the things that security leaders, architects are kind of probably wrapping their heads around, what are kind of the here and now actions that organizations can take, should take, in order to just make themselves more robust for this coming... I think CSA had said, like the Von Kopalips.
Jen Ellis 25:39
Oh, yes, people have been saying Von pocket.
Raghu N 25:40
Yeah, yeah.
Jen Ellis 25:41
And there are other terms that are being used as well, but yes, I like to think of it as a tsunami, tsunami.
Raghu N 25:46
That's the word, that's the word.
Jen Ellis 25:53
But in my head is the Pampers ad that calls it a Punami, which is just stuck in my head, so I think that might also be extremely on point, though, so, like, I think that the reality is that, you know, I think that organizations need to be looking at what legacy they've got in place and thinking about what their plan is to replace and what that looks like, and I know it's hard, I know it's really easy for me to say, and it's really hard to do, and you know, in reality it's expensive to an extent. One of the things that I wonder about is if there's a way that we can make keeping legacy expensive, like you know, could we tax depreciating technology, right? Like it's a, it's a crazy idea that will probably make people really unhappy, and I, yes, insert HMAL here, but I, but I think that, like, we do have to start really actively doing something about legacy systems. I think this is to an extent where we say, you know, think about whether you can migrate to the cloud, because you're more likely to get off legacy if you can do that, but again, not all cloud systems are made equally. Think about which cloud vendors you're looking at, and think about whether they're likely to be investing appropriately in security and in the most up-to-date technologies, right? Like, I think these are the things that we need to think about is who are the vendors we're working with. What are the technologies that we're relying on? Like, we, I work with an organization that talks a lot about, like, our trust in technology. Like, in the future, we'll be able to trust technology, and I'm always saying to them, we trust technology today, we just shouldn't, but we do, because we don't have a choice. Being trusted and being trustworthy are not the same thing, right. And what we want is to get to a state where technology is truly trustworthy.
Raghu N 27:28
Yes.
Jen Ellis 27:29
And today, and like, don't get me wrong, it's not about the technology, it's about how humans use and abuse it, but there are things that vendors can do, and there are things that operators can do to make it more trustworthy. So I think every organization should be looking at the systems that it relies on and evaluating what the risk associated with them is, and thinking about what a plan for updating looks like. Right, I don't think we have an option but to do that. I think there needs to be a lot of collaboration and thinking about what the practices are going to look like, because right now, what we have, like, and I will hand it to Anthropic, like, the way that they've gone about this is actually probably the ideal way that we would want to see a vendor go about it, recognizing that this is the reality of where we are today, right? Like, in an ideal world, we wouldn't have to deal with this giant cliff, but it is what it is, like somebody was going to be first, and you know, while the attackers don't invest in making their lives more complicated and expensive than they need to, because that's one less Ferrari or Lamborghini or gold chain, they do still look at how they can embrace new methods where there is opportunity to exponentially increase profit, right. And so we have reason to believe that people are working on developing this, even if it isn't your average cyber criminal, even if it is adversarial nations. Yeah, people are working on this stuff. So it's good that Anthropic was arguably first. It's good that they've worked it through in a way where they're working directly with vendors and they're being quite transparent. It's bad that the stuff got leaked, that's a real bully problem, and we wish that hadn't happened. And this is what happens in tech, unfortunately. I think that there does need to be collaboration to understand that this is just the pointy tip of the scheme. 
The rest is coming, and I heard John Ellison, who is one of the leaders at NCSC, the other day, say that the technology will only get better from here, right? Actually, arguably, this is the worst the technology will ever be, because it's the first generation, and that's exactly right. Like, we have to think about the acceleration that we're going to see. So, as an industry, the tech sector has to think about how it wants to respond to that. We've spent the last 10 years talking about SBOMs and talking and talking and talking. We love admiring problems. We've got to start adopting solutions, right? Yeah, if you're a vendor and you make stuff, it doesn't matter whether you're offering your customer an SBOM or not, but you should certainly have them internally. You should certainly know what's going into your product, and you should certainly be doing an audit of what could be dealt with, what could be updated. And I have heard vendors say, well, actually, for us to update this thing, like to use the newer version of this compiler, this library, whatever it is, this thing that we're really relying on, we would have to completely recode the product. Time to start having those conversations, guys. Like, this is where the rubber hits the road, right? Like, you, and also, by the way, software liability is something that most governments are now much more in favor of, and we are going to see CRA, the Cyber Resilience Act, we're introducing it as a reality. Yeah, let's be honest, like, as a vendor, the times are changing. You've got to figure out how to get ahead of this, or at least catch up with it, maybe we're putting it on that, right?
Raghu N 30:51
Actually, just, just one thing, right? So, as you said, right, so this is very much like, yes, obviously, we've kind of all been, whether it's shaken or excited, or had that, oh shit, moment around the announcement from a few weeks ago, but you're right, this is still very much like this is the start, and this is the worst that capability is going to be, right? The newer models, etc. are going to be so much better, so much faster, so much cheaper, because that's the other thing, at the moment it's fairly costly to essentially like use methods, like it costs a huge amount of tokens. So do you think that, and so, and kind of connecting this to something that a key theme coming out of RSAC a few weeks ago, where as much as organizations are excited about having AI within security products, they still want that human in the loop, right? So, do you think again in the short term with attackers probably saying, "Right, I want to automate the hell out of this, right, as much as possible," but defenders still very much saying, "I still want a human in the loop to be able to take the, yeah, that's the right thing to do." Do you think we're also going to see a divergence of that asymmetry that exists today, initially, before things close back together?
Jen Ellis 32:03
Maybe I think that we have a view that attackers want to automate things, perhaps more than they do, and I don't know, like, I, I don't start my day off by chatting with my local cyber crime group and asking what they're thinking about doing.
Raghu N 32:14
You should.
Jen Ellis 32:15
I wish, like, it would, it would make it, I would, it would make me so much more knowledgeable for these, these cool, but I, I just kind of think that we have seen ransomware groups walk a thing back before, right. We've seen keys get given, not because a ransom was paid, but because an attack went a way that wasn't expected, right. HSC is a really great example of this back in 2020, right, the Irish Health Security Committee.
Jen Ellis 32:46
And, and it got hit, and my guess is that shutting down every hospital during a major pandemic in a country was probably a little too close to something that might have been considered an act of war, right? Right, so like I think the people who provide the safe harbor for the particular attacker group might have gone, "nope, too hot."
Raghu N 33:07
Yeah.
Jen Ellis 33:08
It's entirely possible that that attacker group just also, you know, grew an amazing conscience and thought, "No, no, this is a terrible thing to do." But I seem to think that they've hit other hospitals all the time, so I'm less skeptical about that. There's a big difference between one hospital and multiple hospitals, though. Obviously, but yeah, so we've seen, we've seen attackers have to walk things back, which makes me think if you have a somewhat symbiotic relationship with your, you know, your host nation and you exist in a political landscape, and boy do we right now, then maybe automating the hell out of everything isn't something you want to do. Maybe you still want a human in the loop. You might want to automate the actual light mechanics of the thing, but you might still want to have a human providing oversight, you know? Again, choosing which way you throw that piece of dynamite, right? Choosing which lake you stand in front of. And so I think we have this idea that they're going to go fully automatic and we're not, and I'm just not entirely sure I believe that's true, but again, I don't know, it's supposition. I also think that you're right, though, it is, we do have asymmetry, and that asymmetry is not going to go away, you know, I can remember in the very early days of working in security, hearing someone say, like, a defender has to be right every minute of every day, an attacker just has to get lucky once, and that is true asymmetry, and it's not gone away, it's not changed, it never will, you know, that is the reality of this dynamic, and so I don't, I, yes, it will be asymmetric, but I don't know whether the gap is going to get bigger. Maybe I think what happens is defenders and attackers are always in an arms race. That doesn't change, right? They leverage AI, we leverage AI. I think it'll be a question of who has the easier job there, and arguably they do, but I think.
I think it's less about whether we know how to make tools or leverage tools, and more about the dynamics that are at play around adoption, right? Like, we see the security poverty line, it exists today, we see that nations that have a high level of small to mediums struggle to invest. We see that even big companies that are investing massively underestimate what the impact can be, right? Like we've all seen the stats around the JLR attack and know kind of what the delta was, and same with M&S, right, between what they were prepared for and what actually happened, you know, there is that whole thing of like, oh, they were negotiating insurance, and it was for like 30 million total, and it was costing 50 million a day, or whatever the hell the numbers are. Right, don't believe they were those numbers, I have a terrible memory. Go and Google it, it's there for you on the internet. But yeah, so I think that that is more likely to be the thing that holds us back, right, from a defensive side, is it's less about whether or not we're capable of leveraging AI. We've been working on ML in security solutions for a really long time, and there's no reason to think that they can't figure out how to use, you know, ML, AI effectively given the opportunity to do so, although I will say research on this is expensive, that is a thing for people to know.
Raghu N 36:29
Yeah.
Jen Ellis 36:30
There is an implication to the customer, and again coming back to that poverty line problem, security is expensive, and there is always that challenge that when you're asking people to invest in security, it's not like saying to somebody like go put in a disability ramp or put in a fence or go put in locks, like that is a payment you make, you budget for it, you do the work and the payment is done.
Raghu N 36:53
Yeah,
Jen Ellis 36:54
security isn't like that, it's like you're asking people to exponentially pay, yeah, like you pay this much this year, that much next year, and you're just going to increase it over time. Yeah, that's called maturity, baby, right? Like, that's a hard thing.
Raghu N 37:09
Yeah, so if we, if we look back, right, if we think about the pandemic, the COVID-19 pandemic, at that time it really resulted in like the takeoff of sort of ZTNA, SASE, right, and that sort of due to the complete migration to work from home, etc. So we had sort of that blow up of a particular security technology, security category. Do you see kind of the Mythos news and essentially the follow up from that? Do you see that that is going to drive the adoption of particular security practices or drive the adoption of particular security capability that the industry has generally been sort of dawdling on for a while? Do you see any sort of seismic change in what we deploy or how we deploy it?
Jen Ellis 37:58
I don't know is the answer, and I think, like, look, lots of people want to tell you exactly what's going to happen right now, and I think probably most people don't know the actual answer. I have heard people start talking much more intentionally about the fact that we have to move away from a patch model, and I agree, I just don't know what that means, because, like, I think one thing that people kind of had in mind was, like, hey, if you work on a basis that you're never trusting systems, it doesn't matter, like, you work on a basis that technology is never trustworthy, but the reality is, like, as much as, like, people want to invest in models that make that work, you can't run it through to the nth degree. There's always a piece of technology you have to put your faith in in some way, and then there's always a human in the mix, and the human is the weak point, right, aided by the technology. So I don't know that I fully see how we can totally say we'll abandon the idea of patching, but if people have an idea for that, like, good, because we do have a huge problem, and by the way, like the things that we put in place in recent years to aid with patching, so something like the Known Exploited Vulnerabilities catalog, KEV, which I'm a huge fan of, this, it's gonna get overwhelmed now, yeah, and actually, like, this is a KEV killer. Unfortunately, I mean, I like saying careful is fun, but I, other than that, I'm not happy about it. Yeah, so I do think like we have to change our fundamental thinking, and I again, like I just really think like people need to look at the legacy problem way more. I think that this means that liability will probably become a more realistic thing, and that will probably become, come in faster. So, like, you know, I think people will start exploring what the legal boundaries are for software liability, and I also think the concept of software liability will change as we start to think about AI as an autonomous entity
outside of human engagement, so I think that's a really interesting thing, just from a completely nerdy policy point of view, but I, but in terms of, you know, the problem that we always have in security is that the market dynamics do not work in the right direction, right? We face a lot of perverse incentives that encourage the wrong kinds of behavior, and while something like Glasswing puts a ton, I didn't say Mythos then, just to keep people on their toes, while it puts a ton of pressure on and shines a giant spotlight onto companies to say, like, do something different, do something different, the cost of adopting change, or even the difficulty in knowing what the right change is, means I'm not sure that we will see like a massive pivot, but I hope we will. I hope that that is the thing that will happen, but I can't help but be cynical and just say I think we're in for a lot of pain before we see any positive, like I again, as you said, there is that potential that in the long run we will have much cleaner developed code and much cleaner tested code, and what gets released will be better. The problem is it's always the human in the mix. Yeah, and no matter how far back you track it, you always start with a human.
Raghu N 41:18
I don't know. I don't know if that's like depressing in a way. Let's, we'll wrap up in a few moments. Okay, so, so given that you've taken us into that dark place, it's also your responsibility to provide some hope and some light, okay? Right. So, like, okay, so I agree with sort of what you, what you've laid out there, right, but what is then like the sort of three, three or five simple things that organizations can do today to better prepare themselves for kind of that, that roller coaster we're about, we've just sat down on, kind of, I feel like we're sort of on the Big One at Blackpool. It's just ratcheting up, ratcheting up to the top before it lets gravity take its course. So, what do we do as we buckle in?
Jen Ellis 42:14
Well, so I will tell you, the simplest thing is to recognize none of this is simple, honestly. And I think actually that's one of the problems we have. We always talk about it as if it is, like in the ransomware space, you know, going back to where we started. Anybody you look at, any company you go to, say, what are the things that people should do, and they say there's five things: you should have offline backups that you check regularly, you should patch regularly, you should have email filtering, you should do security culture work, identity and access management, and we, the way we talk about it, makes it sound like you go into your office on a Monday and you're like, right, let's get this patch management going, and then on a Tuesday you're like, time to tackle identity and access management, and oh, Wednesday's for email filtering, hump day. You and I both know that's not how these things work: one, they're all expensive; two, they're really complex; three, they take ages; and four, you have to maintain them in perpetuity. So, there is no simple, and we always want to make it sound as if things are simple. I think the things that you can do are genuinely know what you have and know what its status is. It's not a simple thing, and I'm not going to pretend it is, but know what you have, and be aware whether you're a vendor or an end user organization. Know what you have. Think about what resilience means to your organization, right? Like, what does that actually look like for you? What does contingency look like? Is there a way for you to get off legacy systems, or to minimize legacy, or to air gap, or to, you know, whatever, to do something that minimizes that risk? Prepare, so like, have a plan. It's probably actually the simplest thing on the list, but it's not. Again, it's not simple. It's multi-stakeholder investment of time that takes a long time.
And once you have a plan, you should be testing it regularly to make sure that you've identified where all the gaps and glitches are. It actually does make a difference to your ability to respond. Know if you have insurance, I'm not telling you to go get it, but know if you have it, and if you do, know what it covers. I think the problem is, though, like all of the things are complicated. There is nothing that I can tell you to do from a security point of view that's not.
Raghu N 44:32
Yeah.
Jen Ellis 44:32
And I know it sounds like I'm really being a negative Nancy, and part of it is that I spent last week at Cyber UK, and you know, and I do feel like there's a lot coming, and there's a lot in our path, and I do feel like the attack surface continues to expand and accelerate, right. And so, like, yes, I'm being a bit of a negative Nancy. The flip side of that, though, is we have never, ever, ever had as much focus on cybersecurity as we do now. We've never had as many people who want to support it, who want to push it forward. We need, I mean, I know for an organization regulation is a burden and is expensive, but the fact that there are that many people, that many policymakers focused on this issue and working together, like we've never had as many conversations about regulatory harmonization as we do now, that in and of itself is a, is a new day, right? It's a positive, I think. The worst thing you can do for a problem is ignore it and let it flourish in the darkness. The fact that we are shining a very bright light on this, and actually the fact that our incredibly terrifying political landscape makes it feel more urgent. These are things that we can use, right? This is actually, in some way, a positive, but that means the time to act is now. Take the momentum and run with it. Use it. You're right, we've ratcheted it up, but you know what happens after you ratchet up? You have the drop and you build momentum, so that you can go up the next one. Yeah, and that's really kind of what we need to do now, like we are on the ride, and we have to take advantage of it.
Raghu N 46:06
Well, you know what, I love the way you landed that, so I think that is the perfect place for us to wrap. Jen, again, thank you so much for accepting our invitation to be on the podcast. Thank you for absolutely bringing your A plus plus game, and just, just love this conversation. Thank you.
Jen Ellis 46:27
Well, thank you for listening to me ramble. I appreciate it. And I think for those who are counting, I think we got to like at least a solid eight Mythos references. So, yeah,
Raghu N 46:36
I kind of play bingo here. I play bingo here, that's what I'm doing when you're talking, right? Yeah, exactly. Bigger card resilience, right? AI, usual ones.
Jen Ellis 46:52
Yeah, absolutely fantastic.
Raghu N 46:54
Well, thanks so much, Jen.
Jen Ellis 46:56
Thank you.
Raghu N 46:56
Thanks for tuning in.