Practical AI – Episode #294
AI is changing the cybersecurity threat landscape
with Gregory Richardson & Ismael Valenzuela from Blackberry
This week, Chris is joined by Gregory Richardson, Vice President and Global Advisory CISO at BlackBerry, and Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry. They address how AI is changing the threat landscape, why human defenders remain a key part of our cyber defenses, and they explain the AI standoff between cyber threat actors and cyber defenders.
Sponsors
Fly.io – The home of Changelog.com — Deploy your apps close to your users — global Anycast load-balancing, zero-configuration private networking, hardware isolation, and instant WireGuard VPN connections. Push-button deployments that scale to thousands of instances. Check out the speedrun to get started in minutes.
Notion – Notion is a place where any team can write, plan, organize, and rediscover the joy of play. It’s a workspace designed not just for making progress, but getting inspired. Notion is for everyone — whether you’re a Fortune 500 company or freelance designer, starting a new startup or a student juggling classes and clubs.
Eight Sleep – Take your sleep and recovery to the next level. Go to eightsleep.com/PRACTICALAI and use the code PRACTICALAI to get $350 off your very own Pod 4 Ultra. You can try it for free for 30 days - but we’re confident you will not want to return it. Once you experience AI-optimized sleep, you’ll wonder how you ever slept without it. Currently shipping to: United States, Canada, United Kingdom, Europe, and Australia.
Chapters
| Chapter Number | Chapter Start Time | Chapter Title | Chapter Duration |
|---|---|---|---|
| 1 | 00:00 | Welcome to Practical AI | 00:35 |
| 2 | 00:35 | Sponsor: Fly | 02:45 |
| 3 | 03:33 | AI standoff | 02:20 |
| 4 | 05:53 | The problem to solve | 02:30 |
| 5 | 08:23 | Cybercrime rising | 04:49 |
| 6 | 13:12 | Blackberry's role | 06:59 |
| 7 | 20:22 | Sponsor: Notion | 02:14 |
| 8 | 22:52 | AI in the ecosystem | 06:44 |
| 9 | 29:36 | Gartner hype cycle | 06:20 |
| 10 | 36:09 | Sponsor: Eight Sleep | 02:31 |
| 11 | 38:49 | There are no replicants | 09:47 |
| 12 | 48:36 | Upcoming changes | 05:52 |
| 13 | 54:36 | Outro | 00:46 |
Transcript
Welcome to another episode of the Practical AI Podcast. I’m Chris Benson, I’m a Principal AI and Autonomy Research Engineer at Lockheed Martin, and with me today I have two guests that are going to join in the conversation. They are both from BlackBerry. One is Gregory Richardson, who is Vice President and Global Advisory CSO at BlackBerry, and there’s also Ismael Valenzuela. Did I get that correct?
Yes. Thank you, Chris.
I normally have Daniel for that. And he is Vice President of Threat Research and Intelligence at BlackBerry. Gentlemen, welcome to the show. Thank you so much for joining.
Honored to be here, Chris. Thank you.
Thank you, Chris.
Really glad to have you. We’re going to talk today all about security, and threats, and issues like that. I know that there’s a blog post to get us started, and I’ll let you guys kind of take it from there, that you have on the BlackBerry blog… That was the “AI standoff: Attackers versus Defenders.” And I know Daniel was the first person to see it and said, “We’ve got to get these guys on the show.” And then ironically, he was not able to get here today, and I know he’s disappointed about that… But I wanted to kind of start off, and kind of – can you tell us a little bit about the topic in general, before we dive into the specifics, and the landscape, and who does it affect, and why should they care?
So maybe it has to do a little bit with our backgrounds as well. I cannot really say I’m an expert in AI. Well, I cannot really say I’m an expert on anything. And the more I spend time in this industry, the less you feel you know, right? But I can say my career has been mostly dedicated to cyber defense. I started on the offensive side, but then I quickly moved into the - well, not quickly, but over years, I moved into the defensive side. So I’ve seen both sides, and I still like to pick on the offensive side to learn from it. I call that Think Red, Act Blue. Think as an attacker to become a better defender.
So obviously, when I was writing about this, I had to bring the AI flavor to it. Like, is AI going to represent an advantage to attackers or defenders? And we usually get that question. So I wrote this from a cyber defense perspective, and that’s what you see there.
So before we dive fully into the article, what was driving the need? What are you seeing? You guys are both at BlackBerry; there’s clearly a need driving, addressing cyber. Tell us a little bit about how you see the lay of the world from a cyber standpoint, and what it is that – what’s the problem you’re trying to solve in the large?
Yeah, let me give you the contrasting kind of perspectives, because I actually didn’t know that Ismael, who I’ve worked with for many years now, even at different companies before BlackBerry - I didn’t know that you started on the offensive side and then switched to the defensive side. I am very much the opposite. Well, except for the switch. I started on the offensive side, and I remained on the offensive side.
The part that I am most intrigued by and always have been is what I call – well, what’s called attacker ontology. So I’ve always wanted to understand what makes the attacker behave like an attacker, so I can better defend. But my primary areas of research and areas of work and my primary focus has always been trying to anticipate what the attacker is going to do, so that I can help our clients strategize, etc. It’s always been – even before, and just from an AI perspective, cybersecurity has been using AI for well over 20 years. I’d say probably 30 years almost. So it’s not as novel as it is to the average layperson. But even before the popularization or the democratization of AI that we’ve seen in the last two, three, four years with companies like OpenAI etc. even before AI was so much in the forefront, I’ve been very intrigued with how we can build strategies that help customers, organizations, governments anticipate earlier what they need to be protecting against. And that’s kind of where my perspective comes.
So I didn’t contribute to the blog. I believe it was primarily Ismael’s blog, and maybe Ismael and his team… But my perspective on the blog was very much “How can we use AI to also help level the fields a little bit more?” It’s a constant battle with the fields going back and forth, and kind of who’s winning the race between attackers, cyber criminals, and defenders. So anything we can use to help balance that out, that’s always been my interest.
[00:08:22.16] I’m curious, before we fully dive into the AI stuff, can you describe – because, we have a very AI-focused audience diversely in that area, but a lot of folks maybe have never been really addressing cyber themselves. And when you talked about that, the ontology, and kind of talked about maybe some of the motivators that – what are these people out there? Who do they represent? What are they trying to do? …at a baseline, with or without AI. What are we dealing with in the world?
I remember – and again, I’ve been at this for a while; probably longer than most. I’m like your age, Chris, so I’m approaching 60 years old…
Old…
Yeah, exactly. Old, curmudgeony. “Get off my lawn!”
That’s right.
So I’m approaching that scary age of 60; at least it’s scary to me. So I remember a lot of things historically about the cybersecurity industry that give me perspective. One was, I want to say it was around 2010, ’11 or ’12, somewhere around there… It was the first time that I noticed in the FBI’s threat intelligence report that they used to release every year, in that report around 2010, ’11, ’12 was the first time that they reported, the FBI reported that profits derived from cybercrime surpassed, globally, surpassed profits from heroin, cocaine, marijuana sales combined.
Wow.
And for me, that – and this was 2010, like I said. That to me was a tipping point. In my mind, I’ve built the narrative that right around then, or maybe a year or two or three before then, or after then, that’s when criminal organizations focused in on cyber crime… And it switched from being the harmless hacker in the grandma’s basement, thinking like a Kevin Mitnick type of a guy, who kind of started off that. For those who are in the cyberspace, they know the name. He was kind of like a “harmless” hacker. He was arrested. I think he might’ve been one of the first cases of a full-fledged arrest and conviction for cybercrime. But his cyber crime was always focused on “What can I learn? What can I gain from these things that I’m illegally getting access into?” It was less, if at all, it was not about “What can I financially gain?” Now, it is largely financially-motivated. I’ll let Ismael deal with this a little bit more, because this is his forte. He runs our threat organization. But from my perspective, it is largely based on what can we monetize.
Ismael, what do you have to add to that?
Well, the first thing is, I’m so happy to know that I’m the youngest one in the room, okay? [laughs] Says me with a white beard, right?
We’re all showing it a little bit, but… That’s okay. We’re on top of things, man.
But yes, so as Greg says, my team - our job is to characterize the adversary and to translate that into… We call it countermeasures. So think about you’re analyzing, or your goal is to design a vest to protect law enforcement, for example. So we analyze the weapons, we analyze their tools, we analyze their motivation, how they operate. And then we take all of that and we use this information to design the most effective vest to protect against those bullets.
But it’s not just about the bullets. It’s about who is using these weapons and what’s the reason they’re using them for. That’s the motivation. That’s really the key piece. And this financial motivation, as Greg has been saying, has been growing very fast. And that’s why we all know about ransomware, for example. But there’s a lot of other motivations that maybe we don’t talk about that much… Well, some of them we do. Espionage. Nation states, the so-called APTs, Advanced Persistent Threats, that we often see in the news, and especially right now around election times, there’s a lot of talking about this, manipulation of information by these nation-state actors. These are very well-funded, and typically they’re the most advanced of all of them. But there’s other motivations, too. There’s hacktivism.
[00:12:36.29] We have seen groups like Anonymous in the past, like many others, that they would target organizations just because they make money, I don’t know, selling records. And they think that’s evil. But at the end of the day, cyber is just a weapon. It’s a weapon that can be used for good, it’s a weapon that can be used for evil. Same as AI, right? AI is just one more tool in the arsenal of any of these people. So that’s why I like to talk about the motivations, because it helps us to understand what’s the purpose of using a tool, in this case like AI, in this cyber war, if you want.
So how does BlackBerry – can you kind of layer in BlackBerry, having kind of given us that landscape of what you’re looking at in the world? How does BlackBerry start layering into this? What are your interests in that capacity, and what are you trying to accomplish?
Good question. Well, so we have been in the world of securing communications for quite some time, and I think everybody remembers…
A few years, yeah.
…those BlackBerry devices. We don’t do devices anymore, but we do software to protect devices; not just phones, but also endpoints all over the world. And specifically, my team, what we do is to, as I mentioned before, try to characterize these attackers to be able to protect customers. And this takes the form of products, it takes also the form of services, from endpoint software to zero trust network access, to high military-grade encryption to secure communications, to even software to manage a crisis. It could be instant response, like the environment is on fire, the attacker is here and we need to remediate that. Or it could be even like a natural disaster.
So when we talk about threats, we just even go beyond just the cybersecurity threats. That’s a high-level overview. I don’t know, Greg, if you want to go deeper into that.
I don’t know if I’ll go deeper. I might [unintelligible 00:14:34.29] off of one of the branches. The side of BlackBerry that I’m maniacally focused on is really just, I want to say, purely the cybersecurity part. So obviously, BlackBerry does a lot of other things. We have our automotive and IoT section/segment that’s very, very, very large, probably a billion-dollar business in and of itself, with operating systems that run in any car that has anything digital in it etc. The part that I’m focused on, though, is pretty much purely my area of expertise, which is cybersecurity.
So what we’ve been doing from my side of the house is helping customers build their defenses in a way that allows them to do something that I call preemptive security. If you remember in my earlier preamble, I referred to - you know, we need to be able to predict what the attackers are going to do, so that we can defend against it. I help my customers strategize around building those platforms, those tools, those combination of different tools to do exactly that.
The nuance of it with cybersecurity is, just because of organically how the industry has grown, and VC investment, and a million other reasons, we’ve sprawled very much into - you know, there’s thousands of tools to get the job done, and there’s probably thousands, if not tens of thousands of different little aspects that need to be protected in the average organization. You might have endpoints, the computers. You might have servers. You might have a network. You might have stuff up in the cloud. You might have operational technology, or IoT technology. All different aspects, that all need to be protected, that all require completely different tool sets.
[00:16:26.20] That sprawl has made it difficult for customers to have a homogenous approach to “How do we defend against it all?” Ismael can probably talk more about one of the things that attackers do, I want to say very, very, very well, is attack the gaps between our tools. So if they detect that you have a great tool that is the foremost tool on protecting computers, your endpoints, but your network stack is a little bit weak, they’re going to attack right in the middle of that network stack, and gain access to the endpoints. Vice versa, if they see your network and your endpoint is rock-solid, but you have a weakness over in the cloud, you’re going to start seeing cloud attacks.
What the industry has not been very good at that, BlackBerry is trying to help resolve, is how do we help customers pull all of that telemetry in to be able to get, as I said, a homogenous view of everything that’s attacking them, and everything they’re doing about defenses across all those little silos. That’s what I help my customers strategize on.
And my customers vary from governments - I’ve met with the government of Morocco a couple of weeks ago - to large corporations, the biggest banks in the world, the biggest airlines in the world, etc. It just spans the range, but all of them have that problem. The most mature organizations have well-developed tools that are unintegrated, and the least – the SMBs, which are also our targets, our customers, have oftentimes less developed security stacks, but the problem is the same. Even if they say “Well, we can make an investment in this one little tool”, then they have their gaps and they’re not being able to ingest all of that intelligence that they have.
It says something about the industry - and I’m going to shoot at my own job now… It says something about the industry that a strategist at that level, focused on those types of problems, is even needed. You don’t have that in the medical industry, as far as I know. You definitely don’t have that in, for example, the automotive industry. There aren’t integrators that need to help you with how to integrate your car to work properly. You go to Ford, you say “I want an SUV”, they give you the whole SUV. They don’t say “Buy the motor here, and then go down the street and get four tires, and go across the way and get a transmission. You glue it together, you make it work.” They give you the whole thing. Cybersecurity doesn’t do that. We don’t give you the whole thing, so that necessitates a cross-section of strategists like myself and the team that supports me to go out and actually help customers parse through this web of tools that they’ve built.
You probably don’t go to cybersecurity industry events. I do. Ismael does as well. Ismael speaks at many of them. The amount of vendors on the expo floor… I remember going to RSA 13 years ago or so - a handful of vendors. It was a small convention. Now? It’s literally thousands. Three, four, five thousand vendors.
40,000 people last year.
That’s a lot.
And dude, I thought it was big. I went to a conference called Gitex. Holy spook. Almost a million people at Gitex, at a conference talking about technology. It was crazy insane. The amount of booths - I think it was 40,000 vendors. Insane that there’s an appetite for all of these tools, and customers are gobbling them up. And it makes their environment more complex, and that’s where we oftentimes come in.
And noisy, too. There’s a lot of noise in this industry.
Break: [00:20:11.18]
Okay, so as you guys have watched the industry explode, and you’re dealing with these things that other industries don’t necessarily have to address; you talked about kind of just the sprawl of assets to defend, and the gaps between them, and the fact that there are so many tools addressing different components… I would imagine that’s quite a challenge, which is one of the reasons I’m sure the industry has gotten as big as it is.
As you’re looking at that and you’re starting to see these new things - and when I say new, meaning some of the more recent tools on the AI realm and stuff like that, as cyber experts, how is AI starting to layer into this ecosystem? How do you see that? What are the pros and cons, the risks and threats that it creates? Can you tell us a little bit about how those two converge?
Yeah, as Greg mentioned before and explained really well, this is an industry that is always chasing the new shiny. What’s the new thing that can solve all of my problems? And there is no such thing. It’s a lot more complex than that. And every time that we try to find that single tool, that silver bullet, we often fail, because of a lack of an understanding of how all these things need to come together.
So we’re in the middle of that hype, and now the tool is, of course, AI. And I would say even more specifically, LLMs, generative AI, because we know, and you guys on this show know well, that when we talk about AI, it’s not one thing. It’s a lot of different things. For example, at BlackBerry we have been using for many years, coming from the Cylance engine, from the Cylance days, a predictive AI engine. We know we’re talking about predictive machine learning, essentially.
And I remember – well, I wasn’t at Cylance at that time, but some of my colleagues that were told me that they were at BlackHat, I think probably 2016, or something like that. They were talking at BlackHat about this, and a lot of people were like “Oh, that’s not possible. You’re selling smoke. That’s not the way you detect malware.” Fast-forward to today and everybody understands that you cannot fight malware with signatures.
I mean, in our report - and we produce these reports on a quarterly basis - we talked about the latest increase in the last quarter. We’re talking about a 53% increase in unique pieces of malware. I don’t know if the audience is familiar with the concept of a hash, or a fingerprint. You take a binary blob of data and you create a fingerprint or a hash of that, and that says “Okay, that’s unique.” Different hashes, different files. So we’re talking about over 11,000 pieces of unique malware per quarter that we have seen with our telemetry. How in the world are you going to create a database or maintain a database –
It’s an unscalable issue.
[00:25:45.04] It’s unscalable. So predictive machine learning helps us with that, and it’s been helping us for many years to have really, really good detection of these type of things. Now, LLMs can also be useful, for different things. So once again, I think the summary is AI is a useful tool in the hands of defenders. It is also used by attackers, and we can maybe get into that if you want… But I would say that once we go over this hype cycle that we always have in this industry, we’ll probably understand that it’s just one more tooling in our arsenal, and that we need to remain problem-focused. Just because we have a solution to a specific thing, it doesn’t mean that it’s going to be the solution to absolutely everything. But of course, it helps.
Yeah, I’ll comment on that if I may, Chris.
Sure, absolutely.
Ismael touched a little bit, he kind of grazed over LLMs, and I’m glad you only grazed over it because of what I’m about to say. We think LLMs, as good as they are, and they have some excellent use cases and value, I think they contribute to a lot of the noise and the hype machines that we hear in the industry right now. I’ll speak specifically for cybersecurity. I am not yet convinced of the utility, the usefulness of an LLM, particularly for its natural language ability, ability to process things via natural language… I’m not sure that that was the problem we had. I speak to SOC analysts, and chief information security officers literally on a daily basis. That’s my job. I can’t remember in the last 30 years doing this, that a group of operators, SOC analysts etc. have told me, “You know what would be great, Greg? We don’t know how to extract the data from our tools. If we could only say that in natural language, that would really help.”
That’s not the problem. The people that are doing these jobs in the SOCs etc. are very adept at their tools. They don’t have the problem communicating with the tools, and writing a parsing command, or a query or whatever, to extract the data. That’s not the issue. There’s other things that AI and machine learning can help with. Classification is a big one. Ismael has already referred to prediction. I think that’s a very, very big one, that is underutilized today.
But classification - how do we classify not only files and hashes, but behaviors, indicators of attack, indicators of compromise? How are we able to classify these three things that are connected together, or in the case of a cyber attack these 50 things, these 50 behaviors or indicators we find - how can we pull them all together and say “Listen, these all belong together. These 10 things that we’ve found on your network and these 15 things that we’ve found on your endpoint, and these 12 other things that we’ve found simultaneously, in the same temporal window in your cloud environment, they all belong together and they’re all part of one attack.” That classification process - I think that’s somewhere where AI can help, because that’s where the gap is. Taking the ton of data that comes in, that swamps our security operation centers with alert fatigue, parsing through that to “make sense of it” and kind of narrow it down to a few cases. And when I say few, that few may be thousands still, but it’s an order of magnitude or more drop from the tens or hundreds of thousands of events that you get. If you can drop that down to a significantly smaller amount of cases and then tackle those cases, that’s one of the problems that I see AI solving in cybersecurity extremely well.
It’s really interesting to hear you say that… And just as an aside for a moment, for our audience who is going episode to episode - this is a topic we talk about a lot. It sounds like you’re going through – you’re familiar with the Gartner hype cycle; it goes up over the top, maximal hype, people become frustrated, it plunges down in the trough of disillusionment, where they’re very unhappy, and they say “This stinks. I don’t want to deal with it.” And then people kind of take a second look and they go “Well, it’s good for some things, it doesn’t solve everything”, and they find their plateau of productivity where it’s actually useful. And it sounds like you’ve been going through that same process, like many other industries have, and you’re really practical. And you also drew out another point that I’d like to emphasize, and that’s that when it comes to generative AI and LLMs and such, we have a habit of forgetting that there are other techniques in the AI realm out there. Classification –
[00:30:28.01] Other ways.
Yeah, exactly. And you guys are like “We have other tools here that are really productive for what we’re doing, just maybe not the super-hypey part of it.” So I’m really glad that you shared that with us, because we are Practical AI on this show, and we’re trying to get people on track.
I’ll just give you an example of how absurd this is getting. I saw a large vendor - and I’m really tempted to say the name, but I won’t - that was showing how cool this generative AI is applied to the SOC. So the SOC, the Security Operations Center, they typically use dashboards, right? They have dashboards, and they’re looking at, for example, number of DNS requests, or number of alerts for this or for that. So there’s this dashboard and there’s a peak of activity at 7 p.m. So now - yes, the LLM is like “See, I saw a peak of activity at 7 p.m.” And I’m like “How much money are you paying for that?” There’s a large cost in these types of subscriptions. And I can easily train an analyst to catch that.
And that person can give you even more context, and have probably more intuition, more maybe even knowledge of the strategy. Talking about strategy, Gregory… And even more creativity than that.
So absolutely, you’ve got to know what the tool is useful for. It’s very useful for contextualization, summarization, pattern matching, generalization, hypothesis testing… I could go and say “Hey, based on all of these reports that I have written, and on all of these databases that I have, give me a”, I’m going to the offensive side, Greg… “Give me an emulation plan for emulating this threat actor.” And it’s not going to be super-creative, because it’s going to be based on things that have already been – the data that has already been gathered. But it will save me a lot of time, because I will not have to go through all of these documents myself, and have to extract all of these different things. So I may iterate over that faster, and get to that faster. But yeah, there’s a lot of hype.
One of the things that I – and again, I’ve been in this industry for almost 40 years, so it’s pretty much the only thing I’ve done professionally, since I came out of college. So I’m very passionate about it, in case that’s not extremely evident to your audience yet. Therefore, I also tend to look at myself and my industry with a really - sometimes a bit of a harsh lens. So I’m going to say something now that might be applicable outside of cyber, but I see it from inside of cyber. And we gut ourselves. We do legit harm to ourselves by feeding – and when I say “we”, the vendors primarily… By feeding into the hype cycles and selling stuff that we know good and gosh darn well are absolute smoke and mirrors, or have limited usefulness, but they sell well. The notion of “We’re going to have an AI-powered SOC, and you’re not going to need SOC operators anymore. All these analysts, you won’t need them. You’re going to get just fewer analysts, because the AI is going to do all of that for you.” The more we hype that up, the more you get that Gartner hype cycle where people try it, and they go “Holy cow, this doesn’t work this way at all. I still need the humans.” The humans add, as Ismael said, context, and awareness, and situational strategy, not to mention things like morality, which AI is terrible at.
Now, can the AI do bulk volume of data processing? It absolutely can. And that’s one of the places we should lead into. I’ve touched on things like vision, and some of the more esoteric parts of AI that we don’t speak about every single day… So I’m not limiting it to prediction classification and large language models, but I’m just saying, large language models are amazing. I use them regularly for processing anything having to do with language, whether that’s code language, indicator language, or spoken/read language.
[00:34:26.18] One of my very practical things that I do with almost every piece of content I’m attempting to digest now is I try to get the audio, and I run a transcript. Send it to Whisper, send it to whatever API, give me a transcript of it, analyze the transcript for me, give me some key talking points… What are the things that I said? What are some tweetable lines that I want to broadcast out? What are some key quotes that I said? And I build my brand on social media, and I flavor my other talks with that content that I’ve said already. I’m going to do it with the talk that I’m doing right now. That’s why, in addition to as a backup, I’m also recording my own audio here, so that I can extract that.
So I use LLMs. They have utility, but they’re not the end-all panacea, “Oh, my God, they’re great. We should throw everything at an LLM.” The more we do that, I think the more we do intrinsic harm to the industry, and most importantly to our customers’ ability to defend themselves. Because the threat actors are not – at least I don’t see the threat actors out there building a hype cycle. I see them out there efficiently sharing threat intelligence, and leveraging it to build new, novel attacks, so that there’s unique ways that they can get their objective, which is monetize weaknesses in our environment. We are not as maniacally focused on our task at hand as that yet.
Break: [00:35:56.14]
So Greg, that was great kind of explaining how you’re approaching that, trying to keep the AI practical, trying to have the right AI in the right place, and great call out for the fact that so many other industries, there is a proclivity in your industry to also do the kind of “AI in everything”. You used the phrase “selling smoke and mirrors” and stuff, and you guys working really hard to productively give solutions and strategies that are not built around the hype side of all this. Could you dive into a little bit more of that? And also, Ismael, if you could also address a bit about the blog itself that you wrote, so that we can draw some of our listeners into that, and they can also read that as they’re finishing up the episode, and understand that. I’d really appreciate that. So kind of both the what are you doing in that practical sense, and what are you producing for your customers? And then kind of how is the blog contributing to that?
Do you want to start maybe with the blog, and then Greg, you can talk about the solutions we’re building? Yeah, so the blog is essentially trying to address the hype that we were just talking about before, and saying “Okay, so what is AI being used for? …by the attackers.” Let’s start with that.
Some people may think that “Oh, attackers are crafting this malware that is autonomous”, that it just goes out and finds a vulnerability, a zero day… We call zero day in this industry something that we haven’t found yet. It’s novel. Nobody knows about that vulnerability. Now this autonomous agent is going to exploit it, it’s going to get into the company, steal the data, ransom the environment, and… No. Then you wake up. There’s no such thing. Not as of today, at the very least.
I think we’re talking about – I’m going to say I’m probably around the same age. You probably remember Blade Runner, the original one.
Of course.
With replicants. There are no replicants as of today. There’s deepfakes. That’s a different thing, that could look like humans. That’s the closest thing. But there’s no autonomous agents that can do all of these things. Or we don’t see people that – I don’t know, like you are training dolphins for your entire life, and then all of a sudden, now because of AI, you can hack into companies and make a lot of profit out of that. Probably not. So what we see is a type of system that uses a tool essentially for the initial phases of the attack. And that means that they’re getting a lot better at writing phishing emails.
We have seen an increase in phishing emails with language that’s non-English, for example. Before, we would see some of these Eastern European organizations or Russian criminals sending emails in English that was like broken English. And you could quickly spot them and say “Oh yeah, this is phishing or spam.” These days, everybody speaks not only perfect English, also perfect Japanese. We have seen an increase in the number of phishing against Japanese companies, or other languages that hardly would be used by these cyber criminals. And that’s a clear use of LLMs.
Now, in terms of coding, there’s a lot of debate. It’s very controversial. Can you learn coding from scratch, or can’t you just use this to create code from scratch, and it’ll do these things? Probably not today. These models are getting better, but I still find out that every time I ask any of these agents to create some code for me, I still have to understand the code, understand what I’m trying to do, and being able to refine it and to tune it. Also, bear in mind that these models are crafting things based on the training that it has received, based on previous data that is already known. Therefore, when Greg maybe talks about predictive solutions and AI, that makes us also even more successful in the use of our AI, because we have trained these models with everything that has been seen in the past as well.
So at the end of the day, I think that AI is not going to be that much of an advantage to attackers. There’s always a little advantage, but just because they’re attackers, because they take the first step, and you’re on the defense side, and you don’t know if they’re coming tonight, or if they’re coming tomorrow morning, or if they’re coming next month. You may anticipate that, and that’s where my team does threat intelligence, which is looking at the geopolitics, looking at the weather forecast, what are the clouds signaling. And then based on that, you adapt your threat model. But you’re always one step behind, by nature. That’s what defense is about.
But even though defenders may have that temporal advantage, I think when used properly by defenders, the field could be leveled, and AI could be effectively used to do more things at scale, especially when you have a solid strategy.
It’s interesting that Ismael referred to updating our threat model, and he drew that analogy back to, you know, like the weather; like you look at the clouds, and based on what you see in the clouds, you react accordingly.
[00:43:56.28] You might pack an umbrella, or something along those lines. I think that’s such an apropos analogy, because interestingly, as a kid in the ‘70s, growing up in the Caribbean, in a hurricane zone, I remember sitting around the big box TV in the living room… I think it was even black and white at one point, because I’m old and curmudgeonly, as I said earlier… And watching the predicted hurricane track for some storm that left the western coast of Africa that’s barreling towards the Caribbean islands. My island is a small five mile by seven mile island. We could get - and routinely got - decimated by a hurricane. So if a hurricane is coming, you need to know.
Those predictive tracks, with the little circles, and saying the storm looks like it’s going to go there - those in the ‘70s already were drawn and calculated by AI. It was one of the first very widely used use cases for predictive AI. So it’s interesting that Ismael uses that as an analogy, because that is exactly what we’re doing. We’re taking a use case that was well developed with weather prediction, and that’s what we’re applying to attacker prediction.
So you asked how we can apply this to the customer environment. One of the things that I am maniacally focused on right now is helping customers, as I said earlier, draw this all together. So I’m not going to get into product names, because this isn’t a sales pitch, but we’ve just developed something in the category called a managed extended detect and response tool set. And what’s unique about our approach to that - that approach and that space is not unique at all. It’s existed. Just about every large cybersecurity vendor has something that plays in that space. What’s unique about our take on it - we are heavily focused on regardless of what your security stack consists of, that’s what we’re going to ingest. Most of the other vendors use an XDR type tool to say, “Listen, to get the maximum benefits out of our tool, you should really be using all of our stuff. So you should get our firewall, you should get our endpoints, you should get our cloud stuff, and then it’s going to be maximized.” Our take is different. Our take is we understand that you, the customer, probably struggle with two things: a widely diverse ecosystem of security tools, and the second thing, especially for medium to smaller companies, you’re probably struggling with finding the human resources to do these jobs. So we have a managed solution where our threat analysts, our security analysts, our well-trained human experts, combined with predictive AI, that as Ismael said, has been well trained on sensors, and sensor data, and threat data that we’ve been receiving for the last 10, 15 years… That’s how we are able to not just ingest all of the data, classify and recognize that this is an attack that we’ve seen before, even if it’s using novel and brand new, unseen before malware, and then provide you defensive strategies against it. That’s how I believe BlackBerry can help the market, the customers the most.
I’ve mentioned that I started on the attacker side. I was never an illegal attacker. I started as a pen tester, and then pivoted into reversing code, and doing some other things like that… And I went from there. But most of my career was on the customer side. I proactively switched, or maybe was convinced to switch to the vendor side, probably about 10 years ago, because I saw that gap. I saw that as a customer, I could buy all of these new widgets and toys, and it really wasn’t making me more secure. So I came to the vendor side to try to influence the vendor defensive motion and product strategy to put out more products that legitimately can help customers solve those two problems: the manpower problem, the diversity of toolset problem.
[00:48:05.14] The amount of times I am told by a customer “Greg, we’ll rip everything out and put in whatever you tell us”, that’s infinitesimal. It has happened. I have had a couple of greenfield customers that said “Listen, none of it’s working. Take it all out and help us replace it.” But that’s rare. Most of the customers either have financial constraints, time constraints, or some other constraint, so they need to make do with what they have. Let’s build a toolset that allows customers to use what they have, and maximize the value they extract out of it.
So as we wrap up here, and you’ve done great kind of level-setting how you guys are able to add value for your customers in this realm… This is such a fast-changing arena. You’ve got AI playing at some productive place in your approach, your strategy, and your solutions… But this is a fast-changing world that we’re dealing with. As we wind up, do you have any thoughts from either of you, or both of you, about what you’re expecting to see over the next few years? How you think things will change, what that outweighs a little bit looks like.
Yeah, so I’ll get started. I think we’re going to see more deception used by attackers leveraging AI, especially with deep fakes. I think that’s a very powerful application of AI to offensive capabilities. We already see a trend in the increase of volume and scale. I think that’s one of the key things that AI also enables attackers with, which is augmenting their existing capabilities, making them scale. But that’s exactly what defenders can do as well. But the main thing is starting with the definition of the problem. I think that’s the most powerful question you can ask as a defender. “What is the problem I’m trying to solve?” Because AI, nor any other technology, it doesn’t really change the mission of your organization. Are you a hospital, a small hospital or a large hospital? Your goal, your mission is to protect the citizens, the people that go to have care. And you don’t want this environment to get ransomed, and admissions to be done by pen and paper, so people could effectively die because they didn’t get admitted to the hospital. That’s the kind of thing that we’re looking at here. We’re protecting critical infrastructure, protecting the school where our kids go to.
So AI doesn’t change the mission of your organization, AI doesn’t change even the approach, the strategic approach to cybersecurity. You just need to find out where are the areas that can help you to scale, and maybe cover some of the gaps that you have. And I think we talked a little bit about that, but improving detection and response times, disrupting attacks at specific places of the attack chain, giving you the ability to contextualize a lot of data to give you some – I’m a firm believer in the human-machine teaming; to give you some input so now the human can, with that information, take an action. And then also the models, the machine learning models, learning from that to effectively combine that human-machine teaming. That Blade Runner, or in this case, the replicant, that takes the best out of both worlds. That’s kind of my vision about that.
I’ll chime in on that as well. The top five companies in the world by market capitalization right now are tech companies. All founded or co-founded by individuals with heavy technical background. This is very unique in this era that we find ourselves in now. This is changing leadership in a way that we – leadership, entrepreneurship, and just vision and strategy in a way that we haven’t seen before.
I think we’re at a unique precipice to where we can maximize some technological applications that 10, 20 years ago we wouldn’t have even been having the conversation. The technology was there, it was readily available, like AI that was written in textbooks in the late 1950s… The technology has been there. It’s being popped into the forefront now because of that seismic shift where the biggest companies are tech companies. So my daughter, who’s 15 years old, is very tech-savvy. When I was 15 years old, I was an oddball because I was tech-savvy. They looked at me like I had three heads.
So what do I predict? I predict we’re going to see acceleration in how those types of use cases and opportunities, and candidly, business opportunities are going to appear… But I also see - so there’s always the positive and the negative.
I see a risk, a huge risk of moral and character failures at the level of those leaders who have an unbalanced sense of high technical prowess, but potentially low morals, potentially low leadership acumen, potentially low spiritual acumen. There’s an opportunity to balance that out as well. Personally, that’s where my focus is. That’s how I met Daniel from this podcast, because we’ve spoken at events, or met each other at events where we’re trying to talk about those types of topics. “How do you pull together technology and other things that are more from a moralistic perspective, and help – have the technology, but balance that out, and vice versa?” I think that’s where we’re going to have to be very cautious that we don’t over-rotate, and end up accidentally… I’m not talking about politics now at all, but end up accidentally handing the reins over to people whose gifting got them to a place where their character potentially could not sustain them. And I think we’re at a very big risk of that. So those are the two things that I see for the future, both opportunity and risk.
Fantastic insights from both of you. Gentlemen, thank you very, very much for coming on the show. It was a great conversation. I learned a lot. And I hope I can – as things progress going forward, I hope you guys will come back on and give us updates on where cyber is going forward. Loved having you on the show. Thank you.
A pleasure. Thank you, Chris.
Thank you, Chris.
Our transcripts are open source on GitHub. Improvements are welcome. 💚