Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:09):
Welcome to Simple Talks, the new podcast by Securonix. I am your host, Augusto Barros. Today is the first edition of Simple Talks and our first guest is Scott McCready, CEO of SolCyber. Scott is an old friend of Securonix and it's an honor to have him here with us. Scott, why don't you say hi and introduce yourself and SolCyber, of course?
Speaker 2 (00:33):
Yeah, of course. Thanks, Augusto. Always a pleasure. You and I talk relatively regularly, but to be the first guest is always a cool thing. To everybody out there: Scott McCready, CEO and founder of SolCyber. I've been in the managed security services space most of my career, because I was actually an engineer by trade and training and, just by happenstance, when I came out of university, the world of web hosting was getting started and security was trying to be figured out. For those who have been around a minute, I cut my teeth on the old Nokia appliances where you'd hit one for Checkpoint and two for ISS RealSecure, and I was deploying those all around the world for EDS. At the time we didn't know what to do with the data, and so EDS had a lot of NOCs, network operating centers, really cool NASA things, where you pull the screen back and you see all the big, huge screens. But there was no such thing really as a SOC, and so I started setting up security operations centers for them, which led me into working for a company called Riptech and Symantec, which was the very first MSSP. Back in the day, SIEMs, if anybody's familiar with SIEMs, SIEMs are the tools that take the data, that do the analytics. They were so heavy that you sort of had to... They were difficult to put onto enterprises, even large enterprises, and so we got started in managing firewalls and then data collection and analytics, like very early stages of ML, in order to try to find when malicious actors were getting into organizations. So it's been a great run.
Speaker 1 (02:08):
Right, yeah, you know, you triggered some kind of PTSD on me here, mentioning Nokia appliances. I remember staying in those cold data centers in the middle of the night trying to figure out what to put on the ARP tables to make the load balance work. Everything is coming back now.
Speaker 2 (02:27):
We didn't have Google yet that sort of believed that data centers didn't have to be 55, 60 degrees. So you'd wear these big, huge jackets and be inside trying to figure out how to make all the internal networking work.
Speaker 1 (02:40):
Yeah, it was going to be fun times. I think one thing that I'd like to ask you, kind of you being with a service provider in the cybersecurity space: many organizations are often looking into that discussion about doing things internally versus relying on service providers. So what is the actual value of a managed cybersecurity or managed security service provider? What do you think is the major value that an MSSP can bring to a customer?
Speaker 2 (03:22):
Sure, I think it's really morphed over time, and part of the reason for SolCyber is we're trying to continue to morph it. But if you think about maybe like three or four buckets. The first one is large, sophisticated organizations. They oftentimes have the capability to do sort of everything they need to do from a security standpoint, but they're also in a position to have the financial advantage to be able to say it would be helpful to have a set of people who do this all the time as a second pair of eyes to make sure that we're not missing something, and to consume the stuff that the MSSP provides. So I think large organizations that really are looking for, you know, belt and suspenders to make sure that things are working.

The second type of organization is an organization that says, okay, I've got a couple of good people, but I definitely don't have 24 by 7. There's no way I'm going to build it, it doesn't make sense to have it, I'm not going to have staff people over the weekend. It's just not, you know, doing high level security detection and response. It's just not something that is our... You know, all of us went to business school, like our... You know, stick to the knitting. It's not core to what we do, and so they're looking for someone that can really tell when something bad happens, you know, especially off hours, weekends, things like that. And so those are pretty linear value props, which is like we need... We have a reason. That's very clear, I think.

The third type, which is where we spend a lot of time, is organizations that have a couple of good people but they're looking to up-level their security sort of more holistically. Sure, they want to be able to have advanced detections. They need people that are really good at doing response. They need a set of skills that traditionally a large organization would hire out, or staff from four or five or six different people. They need skills across those, but they're never going to be able to get that in the two people that they hire. The third group is saying, I need the detection and response, but I also want somebody I can call, ask questions to, I can tap them on the shoulder, I can get advice around other things. We call it peacetime. So if you assume, and the data sort of shows, that most organizations have sort of one-ish more aggressive type of attack a month. They've got a lot of other types of attacks that you can block. But outside of that, how is the MSSP helping them? And I think that's really the third area, which is saying, okay, there's a lot of other things most organizations are looking for advice and information about, and I think that's the third value piece, which is, okay, in peacetime, how do we continue to ratchet that security program into a better place?
Speaker 1 (06:00):
Yeah, I love this piece that you mentioned about during peacetime, and I believe if we look into MSSPs as different generations, I think the first generation was basically that device management kind of thing, and I think that was because we inherited that model from the old telecom times. So it was kind of, oh, the company's going to do and manage services for telecom devices, so okay, you're going to manage that box, making sure that the lights are still blinking, et cetera, and then we move into managing alerts. Okay, the box spits out an alert and then you call someone to do something with that alert. But I'm happy we are moving beyond that point. And I think this point you mentioned about the peacetime advice, and also probably holding the hand of the customer when they're trying to take a more continuous improvement approach, is something that wasn't there in the past, and I think it's really increasing the value of MSSPs these days.
Speaker 2 (07:09):
Customers will say you're a modern MSSP. I think third generation may be a great way of phrasing it up too.
Speaker 1 (07:15):
That's right. Or the old question about MDR, or what MDR is. I think, if we start seeing... I was still at Gartner when MDR started to become more popular, and it was interesting to see how the R piece came into play, because before that you couldn't imagine it, unless it was part of a major IT outsourcing contract, like those with EDS, IBM, HP, etc. at that time. But usually you wouldn't see the service provider putting their hands on the environment. I think MDR has changed that quite a lot.
Speaker 2 (07:54):
But this too, like I remember when we first... We were at Symantec, and so they were like, hey, can you do something with Symantec Endpoint Protection? And we're like, well, the only option we have is to hit the button that says scan the machine. There's not a lot of value we can add. And so that was really the genesis of the transition of the endpoint tech to be able to do obviously EPP and EDR, the detect piece but also the response tooling. But in order to do the response, well, you have to have people that know those pieces. But ironically, one of the things with MDR you get is, it's managed detection and response, and so a lot of customers that use it say the response is great from other people, but who's doing the management and the detection piece, right? And so to your overall point, it's been great that there can be higher levels of service delivered through the tooling, because there's some great tooling out there these days.
Speaker 1 (08:47):
Yeah, I think the EDR was really almost a big difference in the moment, because how would you respond into a customer environment before EDR? I think EDR brought those capabilities where you could do something in the customer environment. It was not just kind of bringing someone physically there, right, with a USB drive or a disc, right, for us, right, for a little more time around.
Speaker 2 (09:12):
Yeah, scripts, right. I mean, if you think back to, like, you know, the Mandiant days, they would land on site and they'd have a bunch of scripts. They would run, right. And so EDR was like this... you like this process that over time was like, okay, how do we take the scripts and move it into something productized? That is actually much more sophisticated.
Speaker 1 (09:35):
I think we see the MSSPs have evolved quite a lot. And there was something that I noticed. I was in one of those event forums that have those big boardroom discussions with multiple CISOs, right, and they talk about their problems, et cetera, and there was something that happened in the last discussion I was part of. I noticed that there were really very large enterprises in that room. Many of them, if not most, were actually relying on MSSPs. That struck me as different, because a few years ago I think it was common to see mid-market or the average organization relying on MSSPs, but there was always this impression that the larger organizations would do things by themselves, right? But then in that room I had this large number of large organizations that were actually relying on MSSPs. Why do you think this is happening now?
Speaker 2 (10:41):
Yeah. So the irony is, so take any large organization and let's assume that they have essentially enough budget to do whatever they really need around security. Whatever they feel is important, they're going to be able to get the budget because, relatively speaking, for a large company it's a relatively small dollar amount. Come to find out, even if you have four or 500 people in your security organization or more, there's still a set of skills and capabilities that is kind of hard to have on demand all the time, right? So think of it as, as we used to joke, like the security team was a baseball team, right? So you had your pitcher or your batter, who is like world-class, like, you know, an all-star player, and then you had a few people that were really solid, and then you had other people that are really good because they're still professional level baseball players, but they're not going to the all-star league every year. And so getting access to the talent, and then getting access to the consistency and the repeatability, is something that a lot of these organizations backstop themselves with.

So what we joke about is it's super sexy when you find something really nefarious happening and you catch it and you get them out of the organization. That is super sexy. But there's a sad reality of security operations, which is really what we do, which is a lot of what we do is very unsexy. So it's this consistency and repeatability of the program that is a lot of the time what organizations are paying us to do. And so I make this joke, like, do you know, running phishing simulation, security awareness training, super basic, everybody can do it. We do it for a lot of companies because they just got to a point where they're like, it just doesn't make sense to have my people doing that. And so I think what's happened over time is that these large organizations have gotten a lot smarter about the use of their resources and the ability to backstop those resources with managed security services providers, because they just know it makes sense. Sure, it's great that they have people that can be looking at dashboards and reviewing incidents, but does it make sense to have them do that all the time? Or does it make sense to take some of those resources and shift them left and push security more into the productization of their service offerings that they're building, their SaaS or something like that? And so we see a lot more of that happening in organizations trying to get their smart, talented people into the higher value aspects of security and then maybe a little bit less out of the day-to-day operational programmatic aspects.
Speaker 1 (13:14):
Perfect. You mentioned something about the different skill sets and specialization. I remember when we were writing the first edition of... we wrote a document back in Gartner a few years ago. That was how to build your SOC. One of the things that we mentioned in that document was every SOC these days is a hybrid SOC. It is because of all the skill sets that you would need, depending on what type of technology is affected by a breach, by an incident, and everything that could happen in your organization, and all the requirements now related to threat intelligence collection, et cetera. You need these services, these almost satellite services around your SOC. For the situations where you need to debug an Android malware, we will have an Android malware reverse engineer on the bench just waiting to be deployed. We can probably count on the fingers the types of organizations that will have that type of resource. I think that for those cases, for the large organizations, that was something that we used to see already, those satellite services that will come to complement the core of the SOC that you have there. But what surprised me in that last discussion was that these large organizations were also interested in relying on service providers for those core components as well, and one thing that I believe is one of the main reasons there is the increasing complexity of the tool set. With Securonix, we have our SIEM, UEBA. It's a security operations platform. We do everything to make the user experience the best possible, but it still does a lot of things. The complexity is there, and anyone that will come, any competitor, will come and say we can eliminate that complexity, they're just lying. There is an intrinsic level of complexity in what our solution does, and I think my impression is these large organizations are starting to think like, oh, the level of complexity that the core components of my SOC have is so high that I need someone. Regardless of having the ability to do that on my own, on my needs to customize things to my business, I still need someone that will manage that complexity for me.
Speaker 2 (15:46):
That's right. I think you're right. The care and feeding of the tools these days is significantly higher than it used to be. So back in the day we were all networking people and we would figure out how firewalls work, because we could sort of understand that. But you think about the care and feeding of a complex SIEM that has user behavior analytics. That is not trivial. You think about the ability to do response, like deep level of response on an EDR tool. That is not trivial. That is significantly more advanced than the old AV tools. You think about SOAR integrations and API connectivity and the ability to do response across a wide variety of different types of components. You think about UEBA and how it ties into identity, and then you say, okay, well, if that's tying into identity, then how do we look at fraud and tie in a process to a response capability? And so I think the ability to have people inside of an organization that understand all those components is challenging. Especially, I love the Android, like reverse engineer Android malware, especially when they're not a regular function, right, and so obviously organizations like us can have people that do that for different companies. So we get a lot more. We get them off the bench, right. They have a higher level of utility because they can be utilized against a variety of different companies, and that really is useful, and so you can get a broader skill set at your fingertips as an organization by using somebody like us. It's funny, because we still run into sort of, especially in the mid market, you know, a thousand employees, two thousand, five thousand, where they'll still have a few people that want to do it all. We're like, knock yourself out, go for it. Then, after a while, they're like, it's great that I can do it all, but it is also nice to be able to call somebody.
Speaker 1 (17:26):
I think that's a similar scenario of build your own stuff, the same in the UEBA space. I've seen many organizations look at the tool set that they have for data management, for analytics, and say, hey, I will build my own. I don't need an off-the-shelf solution for this. They will go, they will do all the effort. They can say, you know what, it's working, but it takes a lot of effort. That's right. I got to go back to the shelf, because there's a lot more complexity at work behind the scenes than many times these organizations realize is there. That's right. We're talking about services and how they can help organizations, but there is another component that is now essentially in all discussions about security operations, or maybe security in general. That is AI. But I think we're hitting 20 minutes, so probably I'm allowed to say AI by now. Yeah, but what do you see as the role for AI and how it will evolve in the context of security operations? Is this the end of the SOC as we know it? How do you think this thing will evolve?
Speaker 2 (18:41):
Obviously a topic that comes up all the time, and it makes sense that it comes up in our world because we're a people-heavy business. I mean, running security operations and having security operations centers involves a lot of people. It involves people at weird hours, at weird times of the day. You've got to have people that are sharp at three in the morning. How do you do that? And then also there's a lot of institutional sophistication in hunting down knowledge. So when you see a set of data and a set of alerts, how do you validate that? And how do you validate and then figure out who it actually is? And do you need to get the attribution? Is this a nation state or somebody else? So it's just a lot of work. There's a lot of training that goes into all these pieces, and so it's a natural place for people to ask, does AI...? So I think to me, obviously, the key piece is the adversaries are gonna be using AI, already are using AI. So we already know that the aggressiveness, the breadth and the cleverness of the adversary is going to get more sophisticated because of AI, and they can throw stuff at the wall and see if it sticks faster than we can, sort of like, properly plumb AI through an operations center. So what do we know? We know that they're going to get better. They're going to get more sophisticated, probably find more zero days. They're going to be able to have breakthrough and breakout of machines that they have access to faster. So then the question is, what are the defenders to do? Well, I think you're going to see AI sort of in the onion model. So the first is going to be in the tooling. I mean, you guys already do stuff in it, some of the other tools that we use. So you're going to see it in sophistication of the analytics, first of all, out of the variety of different tools. Then the second place I think you're going to see it is in the ability to gather data. So if you think of ChatGPT, what does it do? It gathers data and it presents it to someone in an easier to consume manner. So I think you're going to see threat, in the ability to detect threats and detect unique types of threats, described to a SOC analyst faster. And so, hey, I see all these alerts. AI says, hey, we've seen that before. Here's who it is. It's most likely this nation state or this type of attacker. And this is how the TTP, the tools and techniques and the processes that they use, and that's how we validate. So I think you're going to see the data presented similar to ChatGPT, but think ChatGPT threat to an analyst. And then I think the third thing, which is going to be harder to do, is if you think of an AI assistant for an analyst, it would be great, and most of the analysts would like the process of saying, okay, is there a mini me? Right, that's an AI assistant, and I think that's going to be harder to recreate. But I think that would probably be like step three as you plumb through AI throughout the SOC operation process.
Speaker 1 (21:36):
Yeah, I think that's going to work. I was reading today a couple of articles about agentic AI and how that can help on the SOC. I think it's a promising space. There's still a lot to go. There is also the confusion about what LLMs can do. I think the impression of cognitive capabilities that we have from these things, right, throwing out very good text, right, sometimes is deceiving, because you start believing that that very large, auto-glorified auto-complete can actually produce detection logic. It may be able to for things that are very close or related to the training data set, but if you bring a completely novel threat and ask it to produce a piece of detection logic, will it be able to do that? And that's something that I believe we're still far distant from, and I think the humans that are involved in detection engineering, for example, they are safe for now.
Speaker 2 (22:41):
Their jobs are safe.
Speaker 1 (22:44):
They would be far more productive, because these tools will help on productivity. But a lot of that cognitive load that you have in translating what you're seeing from the threat behavior to what you need to put together from the detection logic perspective is still something that we can replicate with a machine.
Speaker 2 (23:03):
So I think that term you use is productivity. I think we're going to see it impact productivity faster than any kind of impact to people as far as, like, you know, replacing humans on the detect and respond side. So I think productivity is a great way, is a great buzzword that you're going to see. I think that's going to be the first major place that you see impact on the SOCs.
Speaker 1 (23:23):
Yeah, and if I can tie this back, right, to where we began the conversation today, do you think that technologies leveraging more of these AI capabilities can become a competitor to managed security services?
Speaker 2 (23:40):
It's a great question. Obviously it's something that we talk about in the industry quite a bit. I think what you're going to see is the detection and response... You sort of have to assume the attacker is going to get better, so that means the detection and response is going to have to get better, which is kind of hard to see how that disrupts the traditional SOC capability, because you're still going to have to have some layer of people over the top of that. But what I don't see, and this is why I think, call it third gen managed services or modern managed services, where a lot of the strategy and support and tying into frameworks and all these other things, I don't think that goes away. I think maybe the MSSP has become more consultative and a little bit less primarily dominated by data analytics, which is really where Gen 1 and Gen 2 was. Gen 1 was like hands-on keyboard, let's change all the firewalls. Gen 2 was data analytics. I think you're going to see a combination of those two play out with a more consultative aspect, which is, I think, where we are in Gen 3. And you got to imagine that's got a few years to run.
Speaker 1 (24:48):
Right. Do you think that AI can help us with the skill shortage we have in this space?
Speaker 2 (24:56):
This is one of those things where I think the skill shortage is really a byproduct of sort of the haves and the have-nots. I'm drawing a complete blank on the famous line of the, um, the poverty line. Yes, sir, thank you, thank you, thank you. And so we do, for the larger companies, they're just sort of like, they can get the people. It's just whether or not they want to pay the price. So you have that aspect. We can get the people because we know how to go find them and we can train them and all these other things. The third area is whether or not companies sort of want to take security seriously, because there's a lot of companies out there trying to do bare minimum levels of security, and so I think the skill shortage is a solvable problem. It really gets driven by whether or not a lot of the organizations that we work with and talk with want to solve that problem, because you can get that through leverage. You can get that through leverage, whether or not it's AI or MSSPs or all these other places, but I think there are enough leverage points these days to really get ahead of that. Where I think we still do have a skill shortage is what I'd call the architect, the smart, creative type person that really has the ability to understand the different tiers, and this is sort of what everybody's looking for. It's like, okay, do they understand the heart of architecture? Okay, then do they understand cloud architecture, then do they understand how security fits into it, and then do they understand how you put security into the coding, and so you can shift all that left. That is where I think, when we talk security skill shortage, I think that is a significant one, and we're still going to struggle to see that. And again, I don't know if AI sort of solves that or not.
Speaker 1 (26:34):
Right, I don't think it will solve it, right, because I think we will end up going back to that discussion about replacing humans. But, as we mentioned before, it is a matter of productivity, and I always brought up, when you have those internal or those large SOCs with 20, 30 people there, there's a point where the CISO cannot go anymore, right, to go upstairs and say, hey, I need more people. There is a point where either the board or the CEO just laugh and say, come on, I cannot have more security analysts than I have people selling my product. Right, that's right. So there is a point where productivity needs to improve, and I think that's really a very strong component where AI will help us, either for the organization that does things on their own, because they will be able to keep up to the threats without becoming an unbearable cost center, and also for the service providers, because that would actually help you with the bottom line, but you can actually deliver a higher quality service and still be able to keep the price at a reasonable level. That's right.
Speaker 2 (27:50):
And that's really the key piece on our side is we know that the pricing, we have to keep it as competitive as possible, because that's the only way certain companies can get into this. They want better security, but they still have to... You know, it's a competitive world that they live in, right? They're competing against other people, so they're trying to keep their costs down and, at the end of the day, security is a cost, and so I think that's a really big aspect, is if we can drive down the cost, especially for, like, you know, our world of managed security services, that... Right.
Speaker 1 (28:24):
So far we've been talking about the defense side, but I'm very biased toward the defense side. I think that we have enough people talking about threats, etc. But let me ask you, how do you see threats evolving, going into the typical beginning of paragraph, anything that you ask security for, ChatGPT, it starts with the evolving threat landscape. What does the evolving threat landscape look like for you?
Speaker 2 (28:49):
I'm sort of lucky because on my board I have a variety of people that live and breathe this, from an ex-general, a four-star general, to people on the VC side. In this conversation I ask a lot. I think there's a couple things that are super interesting. So one, you look at, for better or for worse, nation state conflicts tend to engender creativity. When it comes to threats, you can... Russia and Israel, around how people start trying to think about threats, drones and AI. And so just the first thing I'd say is organizations we talked to are asking us a lot more, just like you are, saying okay, do we need to be worried about things that we've never actually thought about in the past when it comes to the modern...? Because we can all see with our own eyes that things are changing quickly when it comes to technology on the threat side, so physical and cyber. So I think that's just one thing that we all are feeling, and that feeling, I think, engenders some level of uncertainty, which obviously all of us don't really like uncertainty. So first thing I'd say is that. Second thing I'd say is, if you think about the intelligence that can be built into AI, for the defenders it's hard to plumb it through, because we have to plumb it through in a way that's repeatable and processable. If you're an attacker, you can literally just say, okay, I'm going to have artificial intelligence and a bunch of different bots and agents that can talk to each other and say, okay, I want you to go play capture the flag, and you can literally have them spin themselves up and spin up other patterns. And so I think the thing that terrifies most of the people with whom we speak, and even on the defense side and even the tooling side, they get very nervous about what is that going to look like, because we sort of don't know. But you can imagine, like if I were putting my, you know, black hat side on, that would be the way I'd go about it. I'd start playing capture the flag games with AIs and pulling out the processes of what they're doing, and I think the ability to do that at speed and at scale is something we've never, ever seen. And so I think you're going to see the ability to have more successful attacks because of the fact that you can really dial into primary levels of beachhead locations, whether or not that's socially engineered via AI or whether or not that's actually technical gaps that are out there. The ability to scan the internet, we all know, is fast. Can you do that faster? Can you see? Could you see if somebody fat fingers RDP somewhere? Can you know about that instantaneously, versus actually getting lucky because you stumbled across it on a scan that you're running? So I think all of that is going to lead to faster and more sophisticated threat attack patterns, and I think it's TBD on how we sort of defend against those. What's your take on it? You live in this space too. Similar feeling, or have a different take on it?
Speaker 1 (31:52):
Yeah, it is a similar feeling, I think. First, there is one thing: I usually am conservative in terms of expectations of big leaps in capabilities for threat actors, because usually what they need is just to be able to be slightly better than the defenses. So they usually will not put much effort into developing capabilities when they do not need those. They're very cost-effective in general. But an interesting thing, and I think you referred to that, is the threat actors with AI in their hands. They have the luxury of being able to put that AI to work and to learn from its mistakes while it is attacking the entire internet. So it just kind of, as I said, throw it out and say, okay, go find something to breach, and if you are locked out or if you lose access, learn from that and keep going. They have almost the entire internet as a playing field to learn and to maximize the results of the techniques, et cetera. So having actors that will take that approach of a massive use of this entire target area that is the internet to make these models, or these malicious models, learn how to attack in a more efficient manner, that can really become more serious. You'll see script kids evolve into an APT level of capabilities in a very short period of time, and how we will react to that as a defense side is something that we really need to put a lot of thinking into to find how to best address that. It's still being productive, as we were saying before, that's right.

Let me go lighter here, Scott. We are getting close to the time here. I was on LinkedIn one of these days and I found an interesting post from SolCyber. Right, there was a quote there and it was asking for people's perspectives. Right, it was saying, as the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace. So it was asking, okay, how do you interpret this quote in your daily work? Right, what's this one small action everyone can take to contribute to a more secure cyberspace? What would be your answer for that?
Speaker 2 (34:25):
There's a couple things that I'm like. These are like the basic basics which a lot of people don't do, you know? First of all, ironically, MFA is still something we talk about to organizations all the time and I talk about it to people all the time, which is multi-factor authentication, for I'm assuming your audience, like this, is podcast number one.
(34:45):
So but for, if they don't know, but it's the ability to have some sort of third party text message or say, you know, ability to validate that you are who you say you are when you're logging into stuff. It's probably the biggest bang for your buck that you can get out there, as far as something inexpensive that's and you can. That applies both to people and organizations.
(35:08):
And so because a lot of times people are like, well, you know, I'm not Goldman Sachs, I can't afford this cool whiz bang security thing. But you know, everybody can do MFA, whether or not that's, you know, at your home, on your own personal, you know, work account or your own personal accounts or obviously inside your work organization. And so to me that's sort of the starting point for a lot of like, how do you move forward when you look at some of the
(35:29):
standards like NIST or any of these other standards, amazing stuff. But you're always like okay, what is it that gets me to 80? What gets you that Pareto principle? Like, what is it that I can do first that gets me the biggest bang for my buck? And so that's sort of the way I tend to think about it. What about yourself? What's the easiest uptake?
Speaker 1 (35:49):
You know, I think the interesting thing now that you asked me and I was starting to think about the response, and I noticed how my response for that question has evolved over time as well, because I believe that if you asked me that, probably say 10, 15 years ago, I would probably say make sure you have kind of passwords on everything.
(36:10):
Kind of authentication is enabled everywhere, passwords and individual accounts, right. So if you think kind of a long time ago, kind of the administrator accounts on Windows and half of the company kind of was using that thing, right, and it is interesting to see that that's probably not such a prevalent problem anymore. Think of the practices around identity and access control have
(36:31):
evolved substantially to the point that now, when you think about what would be the next first advice to give, we think about multifactor authentication. That's pretty interesting. It probably could be something that would be part of a group of tips or a set of advice to give, but it was probably later in
(36:54):
the list and today it's probably the first thing that we'll put there. I think there is one. We have probably a more mature scenario today where, okay, people have all their individual accounts, right, kind of authentication is enabled everywhere, but password is not enough anymore, right. So now there's another thing that has to be done.
(37:14):
But there is also a scenario of kind of the threats evolving, right, kind of where we're going to just have in passwords, right, it's not enough anymore. So the pressure has also kind of increased substantially. But to try to finish on a better light, right, instead of just kind of talking about threats, is our technology
(37:36):
evolved as well, in the sense that enabling multi-factor authentication is not something that is so challenging as it used to be, right? Remember kind of having to integrate the old SecurID tokens in your environment before, and the authentication systems were not compatible with that. It was a pain.
Speaker 2 (37:54):
You lose one, you have to remail it. The whole process was just a difficult process.
Speaker 1 (38:00):
The entire logistics around the physical tokens and distributing them. You're providing that to a supplier and you have to get that back. Now, we've all heard how practical with the cell phones, with the authenticator apps, etc. The higher standardization level as well. It's not like you're moving from one supplier to the other
(38:23):
and now everything is different. You have to replace software, so that's a good thing.
Speaker 2 (38:28):
I think that's a great way to sort of like we are working really hard, like we as a cybersecurity community to try to make, we sort of recognize that it's hard for humans, like security is not where we want to spend all of our time as humans, and so we're trying to figure out ways to make the processes of securing stuff much easier for everyone, and I
(38:50):
think that's a really, really good thing. And it's one of those things where you can see it very clearly. If you've been in the space for any length of time it's way easier to secure things in a manner that is much less intrusive, much less invasive and easier for everybody to do, easier for the admins, easier for the people designing it and, most importantly, easier for the people to consume it.
(39:11):
It's great that the community as a whole continues to say how do we make this easier? Because we know that we're going to have a better uptake if we do.
Speaker 1 (39:21):
I'm happy that you're saying that, because we should be recognizing this more often, because I think in our space, because you're dealing with threats, it's always all doom and gloom. Now they can do this, now they can do that, but come on, see how much easier it is to perform certain security actions and to implement certain controls today versus how it was some time ago.
(39:43):
We did a pretty good job, I think, as a community.
Speaker 2 (39:48):
It was funny because we actually spent a decent amount of time talking with customers about single sign-on and just how to make that easy, because they're like I didn't realize it was as easy as it is, and we actually helped them explain to them that it's probably way easier now than even five years ago and the last time they sort of looked at it. And so you know kudos to the entities, and then you can see customers sort of like catching on to the fact of, okay, a lot
(40:09):
of the stuff that maybe was heavy and difficult appears to be a lot easier these days.
Speaker 1 (40:14):
Right, perfect Scott, not on burples but we managed to get to the end here in a very good note, in an optimistic tone. Right, we're not just gonna go on and kind of cry and let's have a drink and forget about cybersecurity. We're all doomed. No, we're not on that point. I think that we are finishing here and with a perspective.
(40:38):
Right, the things are improving. I think that's always good. So I'd like to thank you for being our first guest here. Conversation with you is always amazing. We could keep going for hours and hours, but really appreciate your time and we should get a good rest of 2024. And I hope 2025 will continue to be fun in our
(41:00):
cybersecurity space.
Speaker 2 (41:02):
Augusto, thanks for having me. I don't know when this gets released, but obviously we're coming up on Thanksgiving when we recorded it, so hope you have a good Thanksgiving and, to everybody out there, hope you had a good Thanksgiving and you have a great Christmas and New Year's as we head into the holiday season.