October 22, 2025 • 35 mins
In this episode, Josh Lupresto speaks with Tony Lauro, Senior Director of Security Technology and Strategy at Akamai, about the critical issues surrounding cybersecurity, particularly focusing on shadow IT and complacency. They discuss Tony's journey into cybersecurity, the importance of understanding the basics, and the role of micro-segmentation in enhancing security. The conversation also covers Akamai's cloud solutions, the emerging field of AI security, and the need for organizations to remain vigilant against next-gen threats. The episode concludes with insights into Akamai's roadmap and future directions in cybersecurity.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Welcome to the podcast designed to fuel your success selling
technology solutions. I'm your host, Josh Lopresto,
SVP of Sales Engineering at Telaris, and this is Next Level
Biztech. Everybody, welcome back.
We are here still in, you know, Security Awareness Month,
(00:22):
October, Spooky, scary, lots of good, bad stuff, fun stuff to
talk about insecurity. So we're down the track still.
Shadow IT isn't the villain. It's about complacency and
everything that that entails. So on with us today.
We've got the senior director ofsecurity technology and strategy
for Akamai, Tony, Lara. Tony, welcome on man.
(00:43):
Hey, thank you, Josh. Thanks for having me on.
We, we, we got a lot of stuff. You, you guys got a lot of stuff
to talk about at Akamai. So we, we got to jump in, walk
us through. First of all, for anybody that
doesn't know you, just a little bit about your background, how
you got into this role over time.
I I feel like I read something on your bio that you went to law
(01:03):
school. Like walk walk me through how we
got here. Well, I was going to go to law
school. I was studying law and then kind
of figured out that somewhere along the way I was like, man,
computers are really kind of a thing.
You know, the Internet came around, you know, maybe 8 years
earlier and it was one of those things where I was like, you
(01:28):
know, I really enjoy technology.I've always played on computers.
We had ATRS 80 and a Commodore 64 growing up, so we had access
to stuff because my dad was a a nerd as well.
So I, you know, kind of switch majors and started focusing on
connectivity, networking. And funny enough, early on in
(01:51):
the late 90s, I worked for AUS based telecom provider and I was
like, who are our security people?
And they're like, well, it's these the grey beards, the units
guys right now. The irony is now I'm becoming a
grey beard in my older age. But so I was like, well, let me
do this. Let me make like that, you know,
a bi weekly meeting that goes over all the hardware that we
(02:15):
have within the company and thenall the software revisions that
are on those that hardware. And let me compare it to bug
track that just came out and let's identify if there's any
glaring vulnerabilities in the services and the software that
we're using. So did that and kind of I was
like the security awareness person for, you know, a little
(02:37):
over a year and then we had an attack and they're like, who's
the security guy? They're like Tony?
So I got to triage the attack and build out kind of the
response plan or I was building out the response plan kind of
loosely before then. And that's kind of how I got
into security. So I've been doing cybersecurity
and operations since the late 90s and this is just something
(03:02):
I'm passionate about and love talking to people about it.
Love it. Walk me through maybe a lesson
learned right in these last 10 years back then.
I mean, whenever just either a lesson that you've had that that
maybe a great mentor has given you or something that you went,
oh man, I got to not do that again.
I'm going to I'm not going to forget that.
Give me something lessons you got.
(03:24):
Yeah. You know, I think one of the big
lessons, and I think this is a lesson for all of us really, is
the idea that you're going to get distracted.
You're going to get distracted with the latest news in the
media, maybe even the latest technology.
But the, the hardcore truth is that this, the basics and
(03:46):
understanding the basics and really focusing on doing those
well and doing those right is probably the number one lesson
I've learned over the years. Because you can, you can spend a
lot of cycles trying to, you know, be up with the latest and
greatest, or you can really focus on doing the basics right.
And lots of times in life in general.
(04:08):
That's a really great methodology to follow.
I like it. I like it.
It's the same one. We had a great, we had a great
kind of sales trainer guy kind of, you know, motivational
speaker come in and he was Kobe Bryant's, you know, guy for a
little while. And that was one of the things
he would constantly ask Kobe Bryant, like, what are you
doing? Why are you always doing free
(04:30):
throws? I mean, you're like the number
one guy in the world right now. And that was the exact same
thematic. It was if I can't be good at the
basics, why would I practice a dunk or why would I do this if I
can't get a free throw, right? If I can't get a jump shot,
right? So yeah, we get distracted.
Great, great theme. OK, so when when we think about
(04:52):
complacency, we think about shadow IT, we think about all
these things, right? Inevitably customers need help
with the technology. That's why we're all here and
you guys have a ton of stuff as I was trying to think of OK,
what do what do we want to talk about?
I went all right, I got to I gotto figure out how to whittle it
down because we only have so much time.
So, so let's let's establish, I've got three things that I
(05:12):
want to start to unpack a littlebit within your guys's tech
stack. But let's let's take into
consideration for a second that people already know you for two
great things. You guys have an incredible CDN
platform, DDoS web application firewall that's that's known.
And, and maybe I'll have you seethat just a little bit.
(05:33):
But there's three things that I want to talk about here and
maybe you can kind of set the stage.
I want to talk about micro segmentation today.
I want to talk about an offeringthat you guys have called Lenode
and about AI security. So set us up, set us up a little
bit for the foundation, for anybody that doesn't know who
Akamai is, how you've gotten to where you're at, and then we'll
(05:54):
move into some of these products.
Sure. You know, it's an interesting
story. It was the research project
based out of MIT in the late 90s.
And the idea was how do we solvethe worldwide weight?
And that means you open up, you get online, you go online, and
then you dial up a website and you go make a pot of coffee
(06:16):
because it took so long for everything to load.
So the original founders of Akamai built out a content
delivery network, which puts servers closer to where all the
users in the world are. Now, the interesting aspect that
came about pretty quickly is that, you know, if I'm going to
a popular social media website and I'm in Singapore, I'm going
(06:37):
to hit a knock on my edge serverright down the street from me in
a in a little Kolo building. There's probably a stack, you
know, of, you know, a couple 1000 servers there.
But the attackers, if they attack that social media
website, they're hitting the servers right down the street
from them geographically. So this was a very quick kind of
(06:57):
turn around where we said, man, if someone's attacking a website
that's on Akamai, the security policy for that website can be
enacted before the data request ever leaves the local geography
that the request begins from. So when you think about this
from a web application security perspective, doing web app
inspection is slow. Well, not if you distribute it
(07:19):
across hundreds of thousands of servers around the world.
And D Dos, man, D dos is massive.
You've got this funneling effectof all these pipes coming down
into one and then causing an outage.
Not if you can stop those attacks where they began instead
of letting them, you know, kind of build and and funnel.
So that was kind of the founding, you know, kind of idea
(07:43):
around the security stack of Akamai.
And then as you kind of see how,you know, you probably say, man,
if you guys are seeing, we see about 1/3 of the world's web
traffic every day. So we're gathering telemetry and
intelligence. Who's attacking who?
Are they doing it in a novel way?
Is it something we've never seenbefore?
Or can you gain insights about an attack against someone else
(08:05):
when they come to your front door?
You already know about it because there's a shared
collective intelligence. So when you start looking at
micro segmentation as a little pivot here, you say, what kind
of threat intelligence can we gather and identify about how
the devices in your environment talk to each other and create a
(08:26):
policy map around that? So that if something were to
happen, like you accidentally click on a malicious link or or
execute malware, we can immediately identify this looks
different based on all these other pieces of information we
have. And then kind of limit the the
scope of the expansion of that bad effect in your environment.
(08:48):
So if it's malware, it only infects one machine.
Ransomware infecting one machineis a lot harder to say.
Give me a $1,000,000 bounty versus if it affects, you know,
3000 of your servers. Let's let's think about that,
right? So for the advisors that are
listening, maybe they're walkinginto somebody that has a very
limited security team or it's just antiquated security.
(09:13):
So let's think about maybe what you see commonly.
Maybe we get into an example here.
But, but, but I want to think of, OK, it what is micro?
Some organizations might not even understand what micro
segmentation is. They might say, like, well, you
know, we got some cool Cisco gear and we put AVLAN up and the
accounting server is not on the same server that the guest Wi-Fi
is. Isn't that micro segmentation
(09:33):
is, is that enough? So maybe walk us through why
that's not enough to your point,I think you, you know, you were
starting to go there a little bit and then maybe is there an
example that we can kind of think through of, Oh, here,
here's what they had, here's whythat didn't work, and here's
what this did. Yeah.
The main problem with traditional segmentation
(09:53):
techniques is usually around Vlans and separating devices
logically across different network IP space and then maybe
creating rules that say this network can't talk to this
network, right? The problem with that is 1.
As environments grow and get more complex, the, the logic in
(10:17):
which you start doing that separation starts to break down.
For instance, if I am a pen tester, so I'm simulating A
hacking technique, right? I get into the network from your
computer, Josh, because I tricked you somehow.
Sorry about your luck. And then, yeah, right.
And then now I have access to dowhat your computer can do on the
(10:40):
network. So I might not be able to talk
to the finance servers, but the finance servers use a shared
database that one of the apps you use also communicates with.
So now I go to that database server, I get access to that,
and now I talk to finance. This is how red teams move
across networks. And generally speaking, I've
actually heard it put this way, attacks happen so easily within
(11:04):
a network, not because of the squishy inside and kind of, you
know, you know, the, the M&M with the sauce, the gooey center
or the soft chocolate center example.
But because devices talk to eachother within the network,
because that's how business getsdone, right?
You can't not have the devices talk to each other.
So the attackers really just follow this logic by scanning,
(11:26):
seeing what you can already talkto, compromising and then
rescanning, right? So micro segmentation,
specifically software defined micro segmentation puts an agent
or some kind of visibility on each of these workstations and
each of these servers and it builds out a map.
What does the normal communication process look like,
(11:46):
Josh, from your computer, the app that you use, even down to
who started that process on yourcomputer talking to that
database server or from a serverperspective, how, how did that
device, you know, how did those services start up?
Who's connecting it to it? What resources, shared resources
does it connect to? And then it creates kind of a
(12:09):
visual map that you can now create policy around that says,
hey, we know this is how these applications actually work
because come on a time, I've been this person where they're
like, hey, the auditors are coming in, where's our
application data flow diagram? And I'm usually kind of going
through my notes. I'm like, oh, I have a Visio
(12:29):
diagram I built six months ago when the app was deployed.
And that's all I have as far as documentation.
So from a visibility and observability perspective,
having a live view of how devices talk to each other and
an auditable view gives you a lot more leverage to really
create meaningful policy as opposed to just kind of hoping
(12:51):
that what you put in place at one time continues to work over
time. Awesome explanation.
Let's let's put a bow on it withone question.
Everybody loves everybody that listens to this loves the
discovery questions, right. So let's, let's presume that I
got some customers in my base that have some antiquated
security. You know, maybe they think
they're Cisco Asas are enough, even though they're 19 years end
(13:11):
of life. What's the what's the discovery
technique where we know there's lack of segmentations, There's
maybe Vlans are enough kind of mindset.
If you're giving a question to an advisor to then go ask to
some of their prospects that have this, what is that golden
question to uncover? Yeah.
I mean, first of all, I love Cisco Asas.
(13:32):
They've done an amazing job. So can't can't knock them.
But I think a good discovery question is if you were to be
audited right now and I were to ask, show me how everything on
your on your network talks to each other and start at the
(13:53):
network port and protocol level.Then go to the application level
and then go down to the process level.
And make, you know, make sure that the SVC host, that EXE in
your, in your on your server is spawned by a proper, you know,
DLL, a proper process instead ofa malicious malware process,
(14:14):
right, that's been embedded there.
If you can't tell me all of those things, you don't have the
observability of your environment.
You're kind of looking for the problem based on the bad effect
that the problem creates in yourenvironment instead of
proactively being able to identify that there's a problem.
I think that's kind of the, it'sreally kind of like, show me,
(14:34):
you know, the moment we do like a proof of concept or proof of
value with this type of technology, the, you know, the
brain starts turning and the eyeballs open up real wide.
They're like, wow. I mean, just the discovery
process has shown me so much more than I currently have
visibility into. I mean, that's a huge draw for,
(14:55):
for customers to be able to see that.
And it's and it's useful becausenow you can actually do
something about what you didn't know was there.
So as my kids would say, if yourauditors come in and you can't
do this, you're cooked. So you're so good.
I love you. I love your question.
Sure. Awesome.
All right, let's go on to let's go on to the next product here.
(15:15):
Talk to us about what Lenote is.How did that come about?
Where does it fit? What does it do?
What's the problem that it solves all that good stuff?
Yeah. So Lenote is a optimized cloud
delivery and compute platform. And the way that this came
about, we acquired Lenote a few years ago and it was kind of
(15:36):
built on a problem set that Akamai wanted to solve itself.
We're a big multinational company.
We've got over 12,000 employees.We needed to build our apps to
be highly performant and highly secure, closest to where the
users that were using it actually lived.
And we ran into some problems where, you know, you say, hey,
(15:57):
we've got these compute regions,we've got an East Coast and a
West Coast compute region with our other cloud provider that we
are using. And then something happens to
the East Coast region and everyone gets, of course, thank
God, everyone gets failed over to the West Coast for a
delivery, right and for their apps and everything.
If you built it that way. So 1 you have to contract for
(16:19):
all those availability zones, but two, now your East Coast
users are going traversing the whole country all the way to the
West Coast for that app to function.
And that created a lot of issues.
So we saw a really great opportunity to say what if we
were to have a cloud platform and compute platform built on
(16:41):
the backbone of the Akamai delivery platform.
So we're already serving, you know, the, the, the Olympics,
the NBA final four, all the biggest media events in the
world go across Akamai. If your kids download, you know,
games where they're building a wall while they're battling each
other, that game gets delivered across Akamai, right?
(17:03):
So these are real great opportunities for us to say we
could build a cloud delivery platform and compute where
customers can build their their tools and and their apps that
they want to build across a platform that is multi
geographically diverse. So instead of having 2
(17:24):
availability zones, for instance, in the US, we have 7
and soon 12, right? So that when you're building
something, your users can get access to that.
And your customers, obviously, as they're building their apps
and building their edge compute and all their virtualization,
everything they want to build, it can be done.
So on a platform that's a lot more diverse and a fraction of
(17:48):
the cost. Let me not forget to mention
that part. So, so should we be thinking of
you as the same way we think of a traditional infrastructure
hyperscaler play? Do you want to be thought of in
that, like, hey, think of us forthis, but we have all these
other things that you're inevitably going to need because
we've got vertical integration across the board.
Is that how you want advisors tothink of you beyond what they
(18:08):
may know as a cDNA whack? You know, those kind of things?
Yeah, that's absolutely right. You know, the idea of Akamai as
a platform and as a partner, youknow, with, with the advisors as
they're building out these relationships with their
customers, we can do so many different things.
It doesn't all have to be done at once.
As the company that you're working with matures, we have
(18:32):
capabilities that can help them mature along with that process,
right. And Oh yeah, as we look at the
risk on the Internet, right, If you use the Internet to run your
business, it's not there for your business.
It's a public platform, right? So all the things that come
along the the risk that comes along with the Internet, we can
(18:52):
share telemetry with the biggestcompany in the world that we're
protecting and blocking attacks for.
You can take advantage of that. When that same threat actor
comes to your front door, you can say we've already seen it.
We're just going to drop that traffic on the floor and not
even have to deal with it. So that collective intelligence
is part of that story as well. I love it.
Yeah. Let us not only let us help you
(19:14):
build the infrastructure, but let's leverage the power of the
LAF, The LAF leverage the power of the segmentation.
So let's block these threats before they even make it to any
considerable part of your core infrastructure.
It's a, oh, by the way, we blocked this for you.
You can still go on your lunch meeting.
You're welcome. Here you go.
Your life would have been reallyhard without this, like flex.
(19:35):
I love that. Yeah, that's the idea.
Instead of the 2:00 AM phone call, you see a report the next
day that says, hey, we blocked one of the largest attacks we've
ever seen and you never even heard about it.
I love it all right final product here I am I'm under my
quota for today I know we're recording this early in the
morning so I'm under my quota today for the amount of times
(19:56):
I've said AI so let's talk aboutAI security.
You guys you guys have a ton here.
It is pretty unique and this is a thought that's on everybody's
minds, right? We've got agent kits, we've got
open AI doing product releases. We've got all these other guys
doing product releases. This thing is moving 1000 miles
an hour and everybody's trying to build, trying to design.
(20:16):
We're helping people design leftand right.
So from a. AI security, What is the play
with Akamai? Yeah, the play, I mean, you're
right, everyone's talking about AI at RSAA.
Couple years ago, maybe people were talking about Zero Trust or
Sassy, but you could throw a stick up in the air at RSA and
(20:37):
it would come down and hit a person in the eye and it's
almost 100% guaranteed that thatperson would have been talking
about AI when that stick hit them, right?
It's, it's wild. But what we found out kind of
building out this technology, talking with our customers, we
found out that security around AI is not a new problem, right?
(21:01):
It's not a new problem to solve.You look at the concept of just
say you have ALLM in the background, this is the
database, a data set, and then you have a user interface, maybe
a chat bot. This sounds a lot like SQL
injection, right? I can make a request into a
database and if you don't sanitize that input and validate
the output that comes out, there's your SQL injection.
(21:23):
Now I've got access to somethingI shouldn't have access to.
So firewall for AI, which we've developed, sits in front of a
large language model and it watches to sanitize those
inputs. Is this request, does it look
like you're trying to bypass guardrails?
Does it look like you're doing something malicious in nature?
(21:44):
And by the way, all these data sets have their own guardrails.
But at the Generative Red Team hacking challenge at Defcon,
DEFCON 30, so it's 3-4 years agonow, the average time to bypass
guardrails was 42 seconds. So, you know, not going to put
any context around that, but Needless to say, additional
(22:04):
security is probably needed, probably a good idea.
So watching the input that goes into the input request that goes
into the data set. And then of course, upon
response, am I getting a valid response?
Am I getting a response that's leaking PII information?
So you can identify the PII thatyou don't want to share the
content types, etcetera and say this looks like whatever
(22:26):
happened in the front end that we didn't catch, we're going to
catch it on the response back tomake sure we're not sharing, you
know, sensitive data. And you can also have it look
for things like hallucinations, toxic responses, sometimes
tricking a data, you know, an LLM into saying something, you
know, malicious in nature. Heck, you know, big airline in
(22:49):
the upper North America region, they had someone tricked the
chat bot into quoting them $0.00for an itinerary and they
legally had to honor it because that is a legal entity of their
business, right? So there's a lot of manipulation
that can happen. And firewall for AI sits in
front of those systems and validates the input and then
also watches that that output that response to make sure that
(23:12):
it's it's legit. I I like this because you know,
everything is about trust And toyour point, like you talked
about earlier, micro segmentation, you know, you
might, you might want to get in and then try to find the
accounting server. You can't find the accounting
server, but you know that the accounting server trusts my
user. So go after me or go after this
other thing that has a system oftrust seems like AI to your
(23:35):
point, foundationally than all the other problems.
It's it's not any different, butbut what where I think the
opportunity in lies here. I think of things like this and
our advisors listen to things like this and go, OK, who do I
talk to about that? Like who really needs that?
Is that this customer? Is that that customer?
I think it's kind of like when we started early on, when we
started the security practice, we would talk to end customers
(23:57):
that partners would bring us into and they would say, I'm not
big enough. I'm not a big enough customer to
care about, you know, needing this MDR thing like isn't Norton
enough or isn't McAfee enough? You know, that that kind of
thing, like signatures are great.
And the reality was, no, if you have an IP address or you fog a
mirror or you're on the Internet, you are a target,
right? And so taking that's AI took a
(24:19):
mindset shift for that. And it was a very slow and
methodical journey. And, and now I think AI what,
what are your end customers? Put yourself in the shoes of
what your end customers are after.
They're after getting more dailyactive users on their platform,
more monthly active users, more customers.
However you want to frame that up and how do you get there?
You get there with speed, you get there with rapid development
(24:41):
and you get there with whatever you got to do to get people on
the platform and do consumption and use your minutes right.
Everything has been driven aboutconsumption.
So are there great tools out there that help label and
classify data? And we talked about that a lot
and we've sold a lot of those deals.
Absolutely. To your point, who's checking
the math? How do we, how do we check the
math now on somebody's? I, I built a great chat bot.
(25:05):
I didn't have one before. I'm so excited about my chat
bot. And my chat bot has access to my
knowledge base and my database and my tooling.
I've got to imagine that this iskind of a fit for everybody.
If your customers are chasing AIand they're being told and
you're helping them how to implement AI successfully.
It just feels like this wedges into every one of those
(25:25):
conversations, doesn't it? It does.
And you know, like I mentioned, the the first venture into AI
for most companies has been chatbots, right?
Because it's easy to consume. It's easy to figure out what
that use case looks like. Hey, I'm going to offload
request to my help desk to my mycall center and when you have a
(25:47):
chat bot answering questions, itkind of simplifies the the human
workload with an organization and that saves money, right?
So I think that's kind of the interest in case of course
there's a lot further developments that are going to
be happening in the future. You know, you're a mortgage
(26:08):
company and I send a document tosomeone who's buying a house,
they sign the document, they send it back.
Can I validate that when they upload and, and send this
document back that they're not doing anything malicious that,
you know, all the required areasare signed, etcetera, right?
So there's a lot of different kind of use cases and different
(26:30):
businesses that these are going to start to that firewall for AI
is going to to fit into. So it's just, it's all about the
evolution and but building the foundation, like I mentioned
before, building the tool to work on behalf of the user
instead of just saying, here's ahammer, go build a house.
It's like, here's the framework,you know, they're ready built
(26:53):
walls, you just connect them together, that kind of thing.
So we're trying to take the the heavy lifting away from the
customer and provide them a platform where they can
modularly build out solutions with great technology to solve
all these different issues. As we get to the final couple
thoughts here, I want to get back to this theme we're we're
(27:15):
talking about it, but this themeof shadow IT, this theme of, of
complacency. So you know, we've got rogue
tooling that if we think about what our end customers are
dealing with, with all their employees, things like that.
So I think we'd look at, you know, as we look at AI in the
future, we see the the bad guys are using this the same way the
good guys are using it. So how does, when you think
(27:37):
about the next Gen. threats and you think about our customer,
our partners, their customers, where does complacency creep in?
Like how, how would you advise the advisor to think about, you
know, your customers and complacency?
Yeah. You know, actually it's kind of
funny that that's the theme, cause for years I've had people
(28:00):
say who's optimized biggest competitor and I would say
complacency, right? It's basically thinking I'm
doing enough already, this is not a problem, why would they
attack me that kind of situation, right?
I think the first example of howAI is being used from by threat
actors would be AI based bots, right?
(28:22):
So the idea that attackers can use bots to run automated
scripts to do things that they want to do didn't really become
as difficult of a problem to handle until most of the
requests on the Internet were API driven.
So AP is are, if you have a, youknow, your favorite Black Mirror
(28:45):
device when you hold it up to your face, that's sending an API
call back to an authentication service, back to any app that's
updating. It's all API calls.
In fact, almost every call out from an LLM calling to different
model repositories, etcetera, isan API call.
And AP is are used because they're lightweight and they're
built for automation. What else, what attackers love
(29:07):
to do is use AI to interact withthis automation.
We're already expecting it. So identifying and having
efficacy of how you identify what an AI bot is trying to do
against an API that's already expecting to see automated
requests is a very interesting. It's almost like a change in
(29:28):
scope, a dichotomy of, you know,threat actor techniques and
defender responses, right? So that's one big area.
The other big area, you know, when you think of the old school
Nigerian Prince scan e-mail, youknow, I've got $11 million.
I want to move into the United States.
You're the lucky person in Nebraska that I've picked out to
(29:50):
to help me, you know, get this transfer going days.
I can say, Josh, I'm going to scan LinkedIn.
I'm going to see the people you're friends with.
I'm going to compare that to your Facebook and say, oh, you
went out on a golf, you know, outing with Tony and a couple
other people. I'm going to now reach out to
(30:11):
Tony and say, Hey, this is Josh.Remember we went on that golf
thing. We did this podcast together.
I just need a little bit more info for something else I'm
working on. Do you mind sending me blah,
blah, blah, right. And that the, again, having the
telemetry to create those connected, those connective
tissues around your storyline now makes the Nigerian Prince
(30:33):
scam seem, you know, archaic. Now I'm going in with rich
details about relationships and friendships and all this stuff.
And attackers are already doing that.
And you can jump forward months or years and say someone heard
you on a podcast, they took yourvoice, they synthesized it.
Now I'm getting a phone call that as they talk, it translates
(30:55):
into your voice and it sounds even more real, right?
I mean, there's a ton of stuff going on there.
But ultimately to your to your earlier point and to the point
at the start of the show, the basics, the basics are are you
doing, are you practicing, you know, security awareness?
Do you understand when somethingseems out of bounds, out of
(31:17):
sorts? Why would you ask me to send you
$3000, you know, unless it was for a really good reason?
And do I have multiple means of of validating you are who you
say you are or this is a legit situation without, you know,
without having to do it in a rush because attackers always
make it seem like a rush so thatyou don't have time to think,
(31:40):
right? So the basics still have to be
handled even when the technologychanges.
I love it. Final thought then here to kind
of close this out. What what is on the Akamai road
map? Staying ahead of what's next.
This stuff is moving so fast. Where where do you want us to
think about over the next 6 to 12 months?
(32:00):
Anything different? Same thing, things to focus on
new products coming close it anyway you want.
Yeah. You know, one of the big things
that has been kind of an operational challenge for most
customers on the Internet is I've got all these tools and
they're all best in breed tools from great vendors that do great
jobs, right? That's not the the question.
(32:23):
The question is when I'm doing security and I'm bringing all
the security logs into a centralized location into my SIM
or log correlation tools, and this vendor says this is a bad
risk. The risk level is 10.
And then this other vendor says this is a bad risk.
The risk level is magenta. And the other vendor says this
(32:45):
is a bad risk. The risk level is F.
You got an F. Just the operational task of, of
bringing that data into a back end and trying to sort out and
normalize what the risk levels are is a huge problem.
Nobody, I don't know anybody that's talking about that.
Maybe some hardcore, you know, SIM vendors are, but when you
(33:07):
think of delivering security as a platform where customers have
access to all these different tools and they can build out in
a modular way the right stack ofsecurity that they need and Oh
yeah, all the telemetry for threat intelligence is shared
across those tools. That is a huge operational
(33:27):
hurdle that that Akamai has beenworking on for quite some time.
And we do a really good job of of doing that for our customers.
So that's on the operational side.
I think on the future side, I think the idea of AI and its
development, sharing threat intelligence across the
(33:47):
different tool sets, you know, Ialready mentioned.
But when you look into all the different areas that you have to
slice and dice and get observability into before you
can make a rational business decision, that's the other Ave.
that companies don't have a really good handle on.
You don't you? Don't you know, well, you
probably wouldn't be surprised, Josh, but how many companies
(34:09):
just say, yeah, we lose $100,000a month based on this, but we
don't want to curb it because the user experience could be
negatively affected and it's worth it to us, right.
So the risk tolerance is different for different
organizations, but being able to0 in and narrow down on working
as a partner with these companies to to fix those
(34:32):
problems that they've long thought were unfixable kind of
that's that's our goal for the future.
I love it. Great place to wrap it, Tony.
Awesome stuff, man. We could, we could go on for a
while. There's lots of things to talk
about here, but I, I, I appreciate you coming on man
Great stuff. My pleasure.
Thank you. Thanks a lot.
This was a great conversation and I hope the audience gets a
(34:55):
lot out of it. So thanks for having me, Josh,
I. Love it.
All right, everybody that wraps us up for today.
As always, don't forget these are these are dropping every
week, middle of the week early morning, whether you're on
Apple, you're on Spotify, don't miss out and use these tips to
talk to your prospects, your customers and let us know leave
us some comments, let us know what works and good stuff for
(35:16):
today. All right, that wraps us up.
Senior director of security technology and strategy at
Akamai, Tony Lauro today's episode shadow.
IT isn't a villain. Complacency is I'm your host,
Josh Lapresco. Till next time, next level.
Biztech has been a. Production of Telaris Studio 19.
Please visit telaris.com For more information.
Welcome to the podcast designed to fuel your success selling
technology solutions. I'm your host, Josh Lopresto,
SVP of Sales Engineering at Telaris, and this is Next Level
Biztech. Everybody, welcome back.
We are here still in, you know, Security Awareness Month,
(00:22):
October, Spooky, scary, lots of good, bad stuff, fun stuff to
talk about insecurity. So we're down the track still.
Shadow IT isn't the villain. It's about complacency and
everything that that entails. So on with us today.
We've got the senior director ofsecurity technology and strategy
for Akamai, Tony, Lara. Tony, welcome on man.
(00:43):
Hey, thank you, Josh. Thanks for having me on.
We, we, we got a lot of stuff. You, you guys got a lot of stuff
to talk about at Akamai. So we, we got to jump in, walk
us through. First of all, for anybody that
doesn't know you, just a little bit about your background, how
you got into this role over time.
I I feel like I read something on your bio that you went to law
(01:03):
school. Like walk walk me through how we
got here. Well, I was going to go to law
school. I was studying law and then kind
of figured out that somewhere along the way I was like, man,
computers are really kind of a thing.
You know, the Internet came around, you know, maybe 8 years
earlier and it was one of those things where I was like, you
(01:28):
know, I really enjoy technology.I've always played on computers.
We had ATRS 80 and a Commodore 64 growing up, so we had access
to stuff because my dad was a a nerd as well.
So I, you know, kind of switch majors and started focusing on
connectivity, networking. And funny enough, early on in
(01:51):
the late 90s, I worked for AUS based telecom provider and I was
like, who are our security people?
And they're like, well, it's these the grey beards, the units
guys right now. The irony is now I'm becoming a
grey beard in my older age. But so I was like, well, let me
do this. Let me make like that, you know,
a bi weekly meeting that goes over all the hardware that we
(02:15):
have within the company and thenall the software revisions that
are on those that hardware. And let me compare it to bug
track that just came out and let's identify if there's any
glaring vulnerabilities in the services and the software that
we're using. So did that and kind of I was
like the security awareness person for, you know, a little
(02:37):
over a year and then we had an attack and they're like, who's
the security guy? They're like Tony?
So I got to triage the attack and build out kind of the
response plan or I was building out the response plan kind of
loosely before then. And that's kind of how I got
into security. So I've been doing cybersecurity
and operations since the late 90s and this is just something
(03:02):
I'm passionate about and love talking to people about it.
Love it. Walk me through maybe a lesson
learned right in these last 10 years back then.
I mean, whenever just either a lesson that you've had that that
maybe a great mentor has given you or something that you went,
oh man, I got to not do that again.
I'm going to I'm not going to forget that.
Give me something lessons you got.
(03:24):
Yeah. You know, I think one of the big
lessons, and I think this is a lesson for all of us really, is
the idea that you're going to get distracted.
You're going to get distracted with the latest news in the
media, maybe even the latest technology.
But the, the hardcore truth is that this, the basics and
(03:46):
understanding the basics and really focusing on doing those
well and doing those right is probably the number one lesson
I've learned over the years. Because you can, you can spend a
lot of cycles trying to, you know, be up with the latest and
greatest, or you can really focus on doing the basics right.
And lots of times in life in general.
(04:08):
That's a really great methodology to follow.
I like it. I like it.
It's the same one. We had a great, we had a great
kind of sales trainer guy kind of, you know, motivational
speaker come in and he was Kobe Bryant's, you know, guy for a
little while. And that was one of the things
he would constantly ask Kobe Bryant, like, what are you
doing? Why are you always doing free
(04:30):
throws? I mean, you're like the number
one guy in the world right now. And that was the exact same
thematic. It was if I can't be good at the
basics, why would I practice a dunk or why would I do this if I
can't get a free throw, right? If I can't get a jump shot,
right? So yeah, we get distracted.
Great, great theme. OK, so when when we think about
(04:52):
complacency, we think about shadow IT, we think about all
these things, right? Inevitably customers need help
with the technology. That's why we're all here and
you guys have a ton of stuff as I was trying to think of OK,
what do what do we want to talk about?
I went all right, I got to I gotto figure out how to whittle it
down because we only have so much time.
So, so let's let's establish, I've got three things that I
(05:12):
want to start to unpack a littlebit within your guys's tech
stack. But let's let's take into
consideration for a second that people already know you for two
great things. You guys have an incredible CDN
platform, DDoS web application firewall that's that's known.
And, and maybe I'll have you seethat just a little bit.
(05:33):
But there's three things that I want to talk about here and
maybe you can kind of set the stage.
I want to talk about micro segmentation today.
I want to talk about an offeringthat you guys have called Lenode
and about AI security. So set us up, set us up a little
bit for the foundation, for anybody that doesn't know who
Akamai is, how you've gotten to where you're at, and then we'll
(05:54):
move into some of these products.
Sure. You know, it's an interesting
story. It was the research project
based out of MIT in the late 90s.
And the idea was how do we solvethe worldwide weight?
And that means you open up, you get online, you go online, and
then you dial up a website and you go make a pot of coffee
(06:16):
because it took so long for everything to load.
So the original founders of Akamai built out a content
delivery network, which puts servers closer to where all the
users in the world are. Now, the interesting aspect that
came about pretty quickly is that, you know, if I'm going to
a popular social media website and I'm in Singapore, I'm going
(06:37):
to hit a knock on my edge serverright down the street from me in
a in a little Kolo building. There's probably a stack, you
know, of, you know, a couple 1000 servers there.
But the attackers, if they attack that social media
website, they're hitting the servers right down the street
from them geographically. So this was a very quick kind of
(06:57):
turn around where we said, man, if someone's attacking a website
that's on Akamai, the security policy for that website can be
enacted before the data request ever leaves the local geography
that the request begins from. So when you think about this
from a web application security perspective, doing web app
inspection is slow. Well, not if you distribute it
(07:19):
across hundreds of thousands of servers around the world.
And D Dos, man, D dos is massive.
You've got this funneling effectof all these pipes coming down
into one and then causing an outage.
Not if you can stop those attacks where they began instead
of letting them, you know, kind of build and and funnel.
So that was kind of the founding, you know, kind of idea
(07:43):
around the security stack of Akamai.
And then as you kind of see how,you know, you probably say, man,
if you guys are seeing, we see about 1/3 of the world's web
traffic every day. So we're gathering telemetry and
intelligence. Who's attacking who?
Are they doing it in a novel way?
Is it something we've never seenbefore?
Or can you gain insights about an attack against someone else
(08:05):
when they come to your front door?
You already know about it because there's a shared
collective intelligence. So when you start looking at
micro segmentation as a little pivot here, you say, what kind
of threat intelligence can we gather and identify about how
the devices in your environment talk to each other and create a
(08:26):
policy map around that? So that if something were to
happen, like you accidentally click on a malicious link or or
execute malware, we can immediately identify this looks
different based on all these other pieces of information we
have. And then kind of limit the the
scope of the expansion of that bad effect in your environment.
(08:48):
So if it's malware, it only infects one machine.
Ransomware infecting one machineis a lot harder to say.
Give me a $1,000,000 bounty versus if it affects, you know,
3000 of your servers. Let's let's think about that,
right? So for the advisors that are
listening, maybe they're walkinginto somebody that has a very
limited security team or it's just antiquated security.
(09:13):
So let's think about maybe what you see commonly.
Maybe we get into an example here.
But, but, but I want to think of, OK, it what is micro?
Some organizations might not even understand what micro
segmentation is. They might say, like, well, you
know, we got some cool Cisco gear and we put AVLAN up and the
accounting server is not on the same server that the guest Wi-Fi
is. Isn't that micro segmentation
(09:33):
is, is that enough? So maybe walk us through why
that's not enough to your point,I think you, you know, you were
starting to go there a little bit and then maybe is there an
example that we can kind of think through of, Oh, here,
here's what they had, here's whythat didn't work, and here's
what this did. Yeah.
The main problem with traditional segmentation
(09:53):
techniques is usually around Vlans and separating devices
logically across different network IP space and then maybe
creating rules that say this network can't talk to this
network, right? The problem with that is 1.
As environments grow and get more complex, the, the logic in
(10:17):
which you start doing that separation starts to break down.
For instance, if I am a pen tester, so I'm simulating A
hacking technique, right? I get into the network from your
computer, Josh, because I tricked you somehow.
Sorry about your luck. And then, yeah, right.
And then now I have access to dowhat your computer can do on the
(10:40):
network. So I might not be able to talk
to the finance servers, but the finance servers use a shared
database that one of the apps you use also communicates with.
So now I go to that database server, I get access to that,
and now I talk to finance. This is how red teams move
across networks. And generally speaking, I've
actually heard it put this way, attacks happen so easily within
(11:04):
a network, not because of the squishy inside and kind of, you
know, you know, the, the M&M with the sauce, the gooey center
or the soft chocolate center example.
But because devices talk to eachother within the network,
because that's how business getsdone, right?
You can't not have the devices talk to each other.
So the attackers really just follow this logic by scanning,
(11:26):
seeing what you can already talkto, compromising and then
rescanning, right? So micro segmentation,
specifically software defined micro segmentation puts an agent
or some kind of visibility on each of these workstations and
each of these servers and it builds out a map.
What does the normal communication process look like,
(11:46):
Josh, from your computer, the app that you use, even down to
who started that process on yourcomputer talking to that
database server or from a serverperspective, how, how did that
device, you know, how did those services start up?
Who's connecting it to it? What resources, shared resources
does it connect to? And then it creates kind of a
(12:09):
visual map that you can now create policy around that says,
hey, we know this is how these applications actually work
because come on a time, I've been this person where they're
like, hey, the auditors are coming in, where's our
application data flow diagram? And I'm usually kind of going
through my notes. I'm like, oh, I have a Visio
(12:29):
diagram I built six months ago when the app was deployed.
And that's all I have as far as documentation.
So from a visibility and observability perspective,
having a live view of how devices talk to each other and
an auditable view gives you a lot more leverage to really
create meaningful policy as opposed to just kind of hoping
(12:51):
that what you put in place at one time continues to work over
time. Awesome explanation.
Let's let's put a bow on it withone question.
Everybody loves everybody that listens to this loves the
discovery questions, right. So let's, let's presume that I
got some customers in my base that have some antiquated
security. You know, maybe they think
they're Cisco Asas are enough, even though they're 19 years end
(13:11):
of life. What's the what's the discovery
technique where we know there's lack of segmentations, There's
maybe Vlans are enough kind of mindset.
If you're giving a question to an advisor to then go ask to
some of their prospects that have this, what is that golden
question to uncover? Yeah.
I mean, first of all, I love Cisco Asas.
(13:32):
They've done an amazing job. So can't can't knock them.
But I think a good discovery question is if you were to be
audited right now and I were to ask, show me how everything on
your on your network talks to each other and start at the
(13:53):
network port and protocol level.Then go to the application level
and then go down to the process level.
And make, you know, make sure that the SVC host, that EXE in
your, in your on your server is spawned by a proper, you know,
DLL, a proper process instead ofa malicious malware process,
(14:14):
right, that's been embedded there.
If you can't tell me all of those things, you don't have the
observability of your environment.
You're kind of looking for the problem based on the bad effect
that the problem creates in yourenvironment instead of
proactively being able to identify that there's a problem.
I think that's kind of the, it'sreally kind of like, show me,
(14:34):
you know, the moment we do like a proof of concept or proof of
value with this type of technology, the, you know, the
brain starts turning and the eyeballs open up real wide.
They're like, wow. I mean, just the discovery
process has shown me so much more than I currently have
visibility into. I mean, that's a huge draw for,
(14:55):
for customers to be able to see that.
And it's and it's useful becausenow you can actually do
something about what you didn't know was there.
So as my kids would say, if yourauditors come in and you can't
do this, you're cooked. So you're so good.
I love you. I love your question.
Sure. Awesome.
All right, let's go on to let's go on to the next product here.
(15:15):
Talk to us about what Lenote is.How did that come about?
Where does it fit? What does it do?
What's the problem that it solves all that good stuff?
Yeah. So Lenote is a optimized cloud
delivery and compute platform. And the way that this came
about, we acquired Lenote a few years ago and it was kind of
(15:36):
built on a problem set that Akamai wanted to solve itself.
We're a big multinational company.
We've got over 12,000 employees.We needed to build our apps to
be highly performant and highly secure, closest to where the
users that were using it actually lived.
And we ran into some problems where, you know, you say, hey,
(15:57):
we've got these compute regions,we've got an East Coast and a
West Coast compute region with our other cloud provider that we
are using. And then something happens to
the East Coast region and everyone gets, of course, thank
God, everyone gets failed over to the West Coast for a
delivery, right and for their apps and everything.
If you built it that way. So 1 you have to contract for
(16:19):
all those availability zones, but two, now your East Coast
users are going traversing the whole country all the way to the
West Coast for that app to function.
And that created a lot of issues.
So we saw a really great opportunity to say what if we
were to have a cloud platform and compute platform built on
(16:41):
the backbone of the Akamai delivery platform.
So we're already serving, you know, the, the, the Olympics,
the NBA final four, all the biggest media events in the
world go across Akamai. If your kids download, you know,
games where they're building a wall while they're battling each
other, that game gets delivered across Akamai, right?
(17:03):
So these are real great opportunities for us to say we
could build a cloud delivery platform and compute where
customers can build their their tools and and their apps that
they want to build across a platform that is multi
geographically diverse. So instead of having 2
(17:24):
availability zones, for instance, in the US, we have 7
and soon 12, right? So that when you're building
something, your users can get access to that.
And your customers, obviously, as they're building their apps
and building their edge compute and all their virtualization,
everything they want to build, it can be done.
So on a platform that's a lot more diverse and a fraction of
(17:48):
the cost. Let me not forget to mention
that part. So, so should we be thinking of
you as the same way we think of a traditional infrastructure
hyperscaler play? Do you want to be thought of in
that, like, hey, think of us forthis, but we have all these
other things that you're inevitably going to need because
we've got vertical integration across the board.
Is that how you want advisors tothink of you beyond what they
(18:08):
may know as a cDNA whack? You know, those kind of things?
Yeah, that's absolutely right. You know, the idea of Akamai as
a platform and as a partner, youknow, with, with the advisors as
they're building out these relationships with their
customers, we can do so many different things.
It doesn't all have to be done at once.
As the company that you're working with matures, we have
(18:32):
capabilities that can help them mature along with that process,
right. And Oh yeah, as we look at the
risk on the Internet, right, If you use the Internet to run your
business, it's not there for your business.
It's a public platform, right? So all the things that come
along the the risk that comes along with the Internet, we can
(18:52):
share telemetry with the biggestcompany in the world that we're
protecting and blocking attacks for.
You can take advantage of that. When that same threat actor
comes to your front door, you can say we've already seen it.
We're just going to drop that traffic on the floor and not
even have to deal with it. So that collective intelligence
is part of that story as well. I love it.
Yeah. Let us not only let us help you
(19:14):
build the infrastructure, but let's leverage the power of the
LAF, The LAF leverage the power of the segmentation.
So let's block these threats before they even make it to any
considerable part of your core infrastructure.
It's a, oh, by the way, we blocked this for you.
You can still go on your lunch meeting.
You're welcome. Here you go.
Your life would have been reallyhard without this, like flex.
(19:35):
I love that. Yeah, that's the idea.
Instead of the 2:00 AM phone call, you see a report the next
day that says, hey, we blocked one of the largest attacks we've
ever seen and you never even heard about it.
I love it all right final product here I am I'm under my
quota for today I know we're recording this early in the
morning so I'm under my quota today for the amount of times
(19:56):
I've said AI so let's talk aboutAI security.
You guys you guys have a ton here.
It is pretty unique and this is a thought that's on everybody's
minds, right? We've got agent kits, we've got
open AI doing product releases. We've got all these other guys
doing product releases. This thing is moving 1000 miles
an hour and everybody's trying to build, trying to design.
(20:16):
We're helping people design leftand right.
So from a. AI security, What is the play
with Akamai? Yeah, the play, I mean, you're
right, everyone's talking about AI at RSAA.
Couple years ago, maybe people were talking about Zero Trust or
Sassy, but you could throw a stick up in the air at RSA and
(20:37):
it would come down and hit a person in the eye and it's
almost 100% guaranteed that thatperson would have been talking
about AI when that stick hit them, right?
It's, it's wild. But what we found out kind of
building out this technology, talking with our customers, we
found out that security around AI is not a new problem, right?
(21:01):
It's not a new problem to solve.You look at the concept of just
say you have ALLM in the background, this is the
database, a data set, and then you have a user interface, maybe
a chat bot. This sounds a lot like SQL
injection, right? I can make a request into a
database and if you don't sanitize that input and validate
the output that comes out, there's your SQL injection.
(21:23):
Now I've got access to somethingI shouldn't have access to.
So firewall for AI, which we've developed, sits in front of a
large language model and it watches to sanitize those
inputs. Is this request, does it look
like you're trying to bypass guardrails?
Does it look like you're doing something malicious in nature?
(21:44):
And by the way, all these data sets have their own guardrails.
But at the Generative Red Team hacking challenge at Defcon,
DEFCON 30, so it's 3-4 years agonow, the average time to bypass
guardrails was 42 seconds. So, you know, not going to put
any context around that, but Needless to say, additional
(22:04):
security is probably needed, probably a good idea.
So watching the input that goes into the input request that goes
into the data set. And then of course, upon
response, am I getting a valid response?
Am I getting a response that's leaking PII information?
So you can identify the PII thatyou don't want to share the
content types, etcetera and say this looks like whatever
(22:26):
happened in the front end that we didn't catch, we're going to
catch it on the response back tomake sure we're not sharing, you
know, sensitive data. And you can also have it look
for things like hallucinations, toxic responses, sometimes
tricking a data, you know, an LLM into saying something, you
know, malicious in nature. Heck, you know, big airline in
(22:49):
the upper North America region, they had someone tricked the
chat bot into quoting them $0.00for an itinerary and they
legally had to honor it because that is a legal entity of their
business, right? So there's a lot of manipulation
that can happen. And firewall for AI sits in
front of those systems and validates the input and then
also watches that that output that response to make sure that
(23:12):
it's it's legit. I I like this because you know,
everything is about trust And toyour point, like you talked
about earlier, micro segmentation, you know, you
might, you might want to get in and then try to find the
accounting server. You can't find the accounting
server, but you know that the accounting server trusts my
user. So go after me or go after this
other thing that has a system oftrust seems like AI to your
(23:35):
point, foundationally than all the other problems.
It's it's not any different, butbut what where I think the
opportunity in lies here. I think of things like this and
our advisors listen to things like this and go, OK, who do I
talk to about that? Like who really needs that?
Is that this customer? Is that that customer?
I think it's kind of like when we started early on, when we
started the security practice, we would talk to end customers
(23:57):
that partners would bring us into and they would say, I'm not
big enough. I'm not a big enough customer to
care about, you know, needing this MDR thing like isn't Norton
enough or isn't McAfee enough? You know, that that kind of
thing, like signatures are great.
And the reality was, no, if you have an IP address or you fog a
mirror or you're on the Internet, you are a target,
right? And so taking that's AI took a
(24:19):
mindset shift for that. And it was a very slow and
methodical journey. And, and now I think AI what,
what are your end customers? Put yourself in the shoes of
what your end customers are after.
They're after getting more dailyactive users on their platform,
more monthly active users, more customers.
However you want to frame that up and how do you get there?
You get there with speed, you get there with rapid development
(24:41):
and you get there with whatever you got to do to get people on
the platform and do consumption and use your minutes right.
Everything has been driven aboutconsumption.
So are there great tools out there that help label and
classify data? And we talked about that a lot
and we've sold a lot of those deals.
Absolutely. To your point, who's checking
the math? How do we, how do we check the
math now on somebody's? I, I built a great chat bot.
(25:05):
I didn't have one before. I'm so excited about my chat
bot. And my chat bot has access to my
knowledge base and my database and my tooling.
I've got to imagine that this iskind of a fit for everybody.
If your customers are chasing AIand they're being told and
you're helping them how to implement AI successfully.
It just feels like this wedges into every one of those
(25:25):
conversations, doesn't it? It does.
And you know, like I mentioned, the the first venture into AI
for most companies has been chatbots, right?
Because it's easy to consume. It's easy to figure out what
that use case looks like. Hey, I'm going to offload
request to my help desk to my mycall center and when you have a
(25:47):
chat bot answering questions, itkind of simplifies the the human
workload with an organization and that saves money, right?
So I think that's kind of the interest in case of course
there's a lot further developments that are going to
be happening in the future. You know, you're a mortgage
(26:08):
company and I send a document tosomeone who's buying a house,
they sign the document, they send it back.
Can I validate that when they upload and, and send this
document back that they're not doing anything malicious that,
you know, all the required areasare signed, etcetera, right?
So there's a lot of different kind of use cases and different
(26:30):
businesses that these are going to start to that firewall for AI
is going to to fit into. So it's just, it's all about the
evolution and but building the foundation, like I mentioned
before, building the tool to work on behalf of the user
instead of just saying, here's ahammer, go build a house.
It's like, here's the framework,you know, they're ready built
(26:53):
walls, you just connect them together, that kind of thing.
So we're trying to take the the heavy lifting away from the
customer and provide them a platform where they can
modularly build out solutions with great technology to solve
all these different issues. As we get to the final couple
thoughts here, I want to get back to this theme we're we're
(27:15):
talking about it, but this themeof shadow IT, this theme of, of
complacency. So you know, we've got rogue
tooling that if we think about what our end customers are
dealing with, with all their employees, things like that.
So I think we'd look at, you know, as we look at AI in the
future, we see the the bad guys are using this the same way the
good guys are using it. So how does, when you think
(27:37):
about the next Gen. threats and you think about our customer,
our partners, their customers, where does complacency creep in?
Like how, how would you advise the advisor to think about, you
know, your customers and complacency?
Yeah. You know, actually it's kind of
funny that that's the theme, cause for years I've had people
(28:00):
say who's optimized biggest competitor and I would say
complacency, right? It's basically thinking I'm
doing enough already, this is not a problem, why would they
attack me that kind of situation, right?
I think the first example of howAI is being used from by threat
actors would be AI based bots, right?
(28:22):
So the idea that attackers can use bots to run automated
scripts to do things that they want to do didn't really become
as difficult of a problem to handle until most of the
requests on the Internet were API driven.
So AP is are, if you have a, youknow, your favorite Black Mirror
(28:45):
device when you hold it up to your face, that's sending an API
call back to an authentication service, back to any app that's
updating. It's all API calls.
In fact, almost every call out from an LLM calling to different
model repositories, etcetera, isan API call.
And AP is are used because they're lightweight and they're
built for automation. What else, what attackers love
(29:07):
to do is use AI to interact withthis automation.
We're already expecting it. So identifying and having
efficacy of how you identify what an AI bot is trying to do
against an API that's already expecting to see automated
requests is a very interesting. It's almost like a change in
(29:28):
scope, a dichotomy of, you know,threat actor techniques and
defender responses, right? So that's one big area.
The other big area, you know, when you think of the old school
Nigerian Prince scan e-mail, youknow, I've got $11 million.
I want to move into the United States.
You're the lucky person in Nebraska that I've picked out to
(29:50):
to help me, you know, get this transfer going days.
I can say, Josh, I'm going to scan LinkedIn.
I'm going to see the people you're friends with.
I'm going to compare that to your Facebook and say, oh, you
went out on a golf, you know, outing with Tony and a couple
other people. I'm going to now reach out to
(30:11):
Tony and say, Hey, this is Josh.Remember we went on that golf
thing. We did this podcast together.
I just need a little bit more info for something else I'm
working on. Do you mind sending me blah,
blah, blah, right. And that the, again, having the
telemetry to create those connected, those connective
tissues around your storyline now makes the Nigerian Prince
(30:33):
scam seem, you know, archaic. Now I'm going in with rich
details about relationships and friendships and all this stuff.
And attackers are already doing that.
And you can jump forward months or years and say someone heard
you on a podcast, they took yourvoice, they synthesized it.
Now I'm getting a phone call that as they talk, it translates
(30:55):
into your voice and it sounds even more real, right?
I mean, there's a ton of stuff going on there.
But ultimately to your to your earlier point and to the point
at the start of the show, the basics, the basics are are you
doing, are you practicing, you know, security awareness?
Do you understand when somethingseems out of bounds, out of
(31:17):
sorts? Why would you ask me to send you
$3000, you know, unless it was for a really good reason?
And do I have multiple means of of validating you are who you
say you are or this is a legit situation without, you know,
without having to do it in a rush because attackers always
make it seem like a rush so thatyou don't have time to think,
(31:40):
right? So the basics still have to be
handled even when the technologychanges.
I love it. Final thought then here to kind
of close this out. What what is on the Akamai road
map? Staying ahead of what's next.
This stuff is moving so fast. Where where do you want us to
think about over the next 6 to 12 months?
(32:00):
Anything different? Same thing, things to focus on
new products coming close it anyway you want.
Yeah. You know, one of the big things
that has been kind of an operational challenge for most
customers on the Internet is I've got all these tools and
they're all best in breed tools from great vendors that do great
jobs, right? That's not the the question.
(32:23):
The question is when I'm doing security and I'm bringing all
the security logs into a centralized location into my SIM
or log correlation tools, and this vendor says this is a bad
risk. The risk level is 10.
And then this other vendor says this is a bad risk.
The risk level is magenta. And the other vendor says this
(32:45):
is a bad risk. The risk level is F.
You got an F. Just the operational task of, of
bringing that data into a back end and trying to sort out and
normalize what the risk levels are is a huge problem.
Nobody, I don't know anybody that's talking about that.
Maybe some hardcore, you know, SIM vendors are, but when you
(33:07):
think of delivering security as a platform where customers have
access to all these different tools and they can build out in
a modular way the right stack ofsecurity that they need and Oh
yeah, all the telemetry for threat intelligence is shared
across those tools. That is a huge operational
(33:27):
hurdle that that Akamai has beenworking on for quite some time.
And we do a really good job of of doing that for our customers.
So that's on the operational side.
I think on the future side, I think the idea of AI and its
development, sharing threat intelligence across the
(33:47):
different tool sets, you know, Ialready mentioned.
But when you look into all the different areas that you have to
slice and dice and get observability into before you
can make a rational business decision, that's the other Ave.
that companies don't have a really good handle on.
You don't you? Don't you know, well, you
probably wouldn't be surprised, Josh, but how many companies
(34:09):
just say, yeah, we lose $100,000a month based on this, but we
don't want to curb it because the user experience could be
negatively affected and it's worth it to us, right.
So the risk tolerance is different for different
organizations, but being able to0 in and narrow down on working
as a partner with these companies to to fix those
(34:32):
problems that they've long thought were unfixable kind of
that's that's our goal for the future.
I love it. Great place to wrap it, Tony.
Awesome stuff, man. We could, we could go on for a
while. There's lots of things to talk
about here, but I, I, I appreciate you coming on man
Great stuff. My pleasure.
Thank you. Thanks a lot.
This was a great conversation and I hope the audience gets a
(34:55):
lot out of it. So thanks for having me, Josh,
I. Love it.
All right, everybody that wraps us up for today.
As always, don't forget these are these are dropping every
week, middle of the week early morning, whether you're on
Apple, you're on Spotify, don't miss out and use these tips to
talk to your prospects, your customers and let us know leave
us some comments, let us know what works and good stuff for
(35:16):
today. All right, that wraps us up.
Senior director of security technology and strategy at
Akamai, Tony Lauro today's episode shadow.
IT isn't a villain. Complacency is I'm your host,
Josh Lapresco. Till next time, next level.
Biztech has been a. Production of Telaris Studio 19.
Please visit telaris.com For more information.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
My Favorite Murder with Karen Kilgariff and Georgia Hardstark
My Favorite Murder is a true crime comedy podcast hosted by Karen Kilgariff and Georgia Hardstark. Each week, Karen and Georgia share compelling true crimes and hometown stories from friends and listeners. Since MFM launched in January of 2016, Karen and Georgia have shared their lifelong interest in true crime and have covered stories of infamous serial killers like the Night Stalker, mysterious cold cases, captivating cults, incredible survivor stories and important events from history like the Tulsa race massacre of 1921. My Favorite Murder is part of the Exactly Right podcast network that provides a platform for bold, creative voices to bring to life provocative, entertaining and relatable stories for audiences everywhere. The Exactly Right roster of podcasts covers a variety of topics including historic true crime, comedic interviews and news, science, pop culture and more. Podcasts on the network include Buried Bones with Kate Winkler Dawson and Paul Holes, That's Messed Up: An SVU Podcast, This Podcast Will Kill You, Bananas and more.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com