Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
S1 (00:18):
So for around ten years now, I've been trying to
figure out where all this AI stuff is going, and
I want to talk about what I figured out so
far and what brought me to this conclusion. And I'm
going to do that by sort of taking you through
how I drunk stumbled my way along to this idea.
So background wise, I'm a security person going back to 1999,
(00:41):
spent my whole career doing that, offensive security, pentesting, web
appsec, threat modeling, vuln management. But I would say my
overall container is essentially security assessment. And going back like
15 years, when I do a security assessment for a customer,
I do it in an unconventional way. And this is
(01:02):
how I still do it today. I start with like
the CEO and the CEO and like the head of
legal and basically all the top people who like, run
the company, uh, from the very top level. And I
asked them essentially, what is the business? How do they
think about the business? What fundamentally do they do? If
they had to strip everything away? Like what would that
(01:24):
be like? What is the core of it? Right. And
I started getting into like what data comes in, what
comes out, what are their primary outputs. And then I
moved on to the next level of like senior management.
Then I moved through management. Then I talked to the
people on the actual ground who are like actually doing things.
And I start to hear discrepancies. I start to see overlaps,
(01:44):
I start to find all the patterns and I adjust
my questions accordingly. So I basically moved through the whole
structure in that way and try to figure out exactly
what that company is doing and how they're doing it.
So as I keep gathering more and more of this information,
I start filling in like this elaborate diagram for the company.
All their information flows, all their vendors where they're storing data.
(02:07):
And I start to notice things right. And ultimately I'm
figuring out like, what does this company actually look like?
And what's really fun is to have people come in
and so they modify the screen. They say, oh, that
actually doesn't exist anymore. Oh, you forgot this piece. And
invariably after, like the first day, people come in and
they start taking pictures. I'm like, what are you taking
(02:28):
a picture for? And they're like, this is the best
view of the company. I've never seen a clearer understanding
of what we actually do than this diagram here. Like
all the other ones are incomplete, so that's always fun
to see. So after a week or two of this,
I then do the technical assessment, and then I start
asking more and more questions to figure out, hey, so
(02:49):
isn't this a problem? They're like, oh yeah, that actually
is a problem. But the key idea is taking all
this content from all these interviews, including from the highest
level and the lowest level, and getting all that into
a single context so I can start asking questions. So
speaking of security, if you have a company or any
digital assets that you're responsible for protecting, I recommend you
(03:10):
check out one of my favorite companies ever going back, like,
I don't know, 10 or 15 years, which is ProjectDiscovery.
So I've been using their open source security tools like
subfinder, dnsx, httpx, nuclei, and a bunch of other
tools from them for like ten years now. And they
just recently released a cloud solution that takes what I
was doing, like chaining all these commands together on the
(03:31):
command line. And it does it automatically for you. So
you come over here, you put in a domain that
you want to start with. We'll go with like Tesla
because they have an open security program. And you start
that and you start collecting tons of stuff on whatever
target you put in there. So in the background, it's
doing a whole bunch of discovery stuff on the target.
It's finding domains, sub domains, making sure those domains are valid.
(03:53):
It's finding the web applications. It's taking screenshots of those
like login pages. It's finding open ports. It's even getting
the tech stack for every service that you find. So
here are the type of results that you get from
the discovery. And from here you can actually launch a
full scan using nuclei and other tools. Okay. From here
we can actually go into remediation and start actually fixing
(04:13):
these things. So basically they started all these years ago
as Pentester and bug bounty and command line focused, and
now they brought all that functionality together into a full
vulnerability management platform. So definitely go check them out. It's
cloud CIO and thanks to ProjectDiscovery for sponsoring today's video.
So separate from that in a completely different thread on
(04:36):
the consumer side, in 2013, I started to get a
picture of where I thought all this AI tech was going.
At the time I called it IoT, so I wrote
this book in 2016. It's kind of a crappy book.
I don't recommend you read it. Honestly. There's a blog
version of it online on my site, which you should
go check out. It's much better. Typography is much better
(04:58):
as well, so definitely go check it out there. But
the ideas are pretty decent. So the basic concept first
idea is you have digital assistants that know everything about
you and they advocate for you. Then the second piece
is everything gets an API, including people and objects and businesses,
and our digital assistants will also have that. And your
(05:22):
DA basically uses those services to interact with the world
on your behalf and then your DA. The third piece
is augmented reality. It will use all those different services,
all the data from those different APIs, to present to
you inside of your glasses or your lenses or whatever.
It is, the proper context for whatever you're doing, right?
(05:45):
And finally, the last piece is once you have a
company or a business or an individual or family or
whatever with sort of information about them presented as APIs,
you could then take your AI, whatever the smartest AI
you have with the largest context, and sort of look
down at that entity that you're trying to manage, and
(06:08):
you could give it goals. You could say, I am
trying to achieve this in my family, in my business,
for my county, for my city, for my country. And
then your AI can sort of help you manage that.
So those are the concepts from the book. Then in 2018,
I got a job at Apple doing information security stuff.
But the team I came in with was actually a
(06:29):
machine learning team. So I had to refresh my horrible math,
and I went and did the full Andrew Ng machine
Learning course, which was on YouTube at the time, and
I ended up spending multiple years there at Apple building
out a security product, which they still use today. Pretty
happy about that. But, um, lots of practical experience of
(06:52):
using the ML stuff in the context of security. Um,
so really happy to have come in for that team
at Apple. Then in early 21, I left to go
build Appsec and Vulnerability Management at Robinhood with Caleb Sima.
And there I did a talk at Black Hat about building
vulnerability management based on company context and specifically asset management,
(07:18):
which turned out to be another sort of brick in
this path towards context. So after doing that, I decided
it was time to build things on my own and
do consulting stuff independently. So I went independent with Unsupervised
Learning in like August of 22. And that was just
a few months before ChatGPT came out. So obviously I
(07:39):
go absolutely insane when I see ChatGPT and I start
calling everyone I know. All my friends got that call,
my mom got that call, everyone got this call multiple times.
I was freaking out, basically saying drop everything, go do AI.
And the first place that my head went with all
this was thinking about the context that I would gather
in these security assessments and thinking about how I could
(08:02):
use this for security, obviously, because that's my background. But
I pretty quickly realized that this was bigger than just security.
It's actually more about the context first. So in March
of 23, I wrote this post called SPQA, which says
everything is about state policy questions and actions. Basically, you
(08:23):
have the current context for the company or the program
or the department, whatever it is you're trying to manage,
you have that current context. Then you have the policy,
which is what you're trying to accomplish. Then you have
the questions that you continuously want the answers to, and
then you have actions or what you know, what we
(08:45):
as people or AI could take, what we could do
to make that policy happen, make the desired state come true.
So with this, I start feeling like, okay, now I'm
starting to lock this thing in and make it more solid.
So that got decent traction, but I wanted to actually
demonstrate this. So I started working immediately on something more
(09:07):
practical as like a demo. So I did a talk
at Black Hat. I think the following year maybe, and
I put together this fake company called Alma. And I
gave it tons of context for, like, everything about the company.
So its mission, how they differentiate from competitors, all their
different products, their goals, where they do business, the risk
(09:29):
register security team and its members and all their skill sets. Right.
The projects that they're working on, the list of applications,
their IT stack, the dev teams, how they push code
like everything about this company. I put it into this file.
So now I can ask questions just like I do
in security assessments. And I was doing this using an
(09:49):
agent back in 23 to basically call this thing. And
the agent would look up all these different tools or whatever,
look at the context. And I could do planning for this.
I could do threat modeling, actually output reports. I could
write emails to auditors, I could respond to one off
security questionnaire questions because, you know, you have a problem
(10:11):
of like you have this database of security answers, but
the question always comes in different. This solves that. So
here's an example of a CISO making a statement about
no more connections to a particular resource. And we're asking
the question should this connection be allowed. And the AI
responds back that, no, this connection should not be allowed,
(10:31):
because the CISO said a minute ago that no more
connections to that particular resource. So you could do really
cool stuff when you have context. And throughout 23, 24
and now into 25, I've been building more and more
stuff that circulates around this central theme of context plus AI.
(10:53):
So later in 23, I built this thing called Threshold.
It's an app that takes over 3000 sources on the internet,
tells me how good the context is independent of the source.
And it basically uses context about me, so it
knows what I like. And it's using that as the
level of quality of the ideas, right? The novelty of
(11:17):
the ideas, the number of ideas and having them being
shaped in a particular direction. Right. And I could slide
this lever and it only shows me content that exceeds
a certain threshold of quality. Currently about to launch another
product called Same Page, which is an enterprise product that
helps companies manage pretty much anything based on their company context. Um,
(11:40):
doing a lot of stuff with security programs here. Another
thing I've had for like nine years now, or maybe longer,
is my attack surface monitoring system called Helios. And it
started off as basically pure automations, right? This is like
directory stuff, Linux stuff, using a bunch of tools, mostly
from ProjectDiscovery and a bunch of custom tooling and
(12:02):
Python and Bash and stuff. So it was very kind
of like a dumb system, very effective. Very fast. Very good.
But what I've done now is I'm turning this into
a complete AI model, and I'm rewriting it to be
context central. So everything goes into a particular location and
I start operating on it from there. So once again,
(12:23):
it's actions running against context. And the last one I'll
mention is like a daily brief for myself. So basically
looks at all these different sources that I have for
like open source intelligence, national security, like really smart people
who could, like, tell what's in the back of a
truck looking at a satellite photo based on the fact
of like the tire treads that are in the grass.
(12:46):
So I follow, you know, hundreds of people like that,
and I know they have good signal. So what I
do is I bring that all together, I do analysis
on it using a bunch of AI, and then it
gives me like the President's Daily Brief. So now I
could say, oh, it looks like this might be happening, um,
which I can start thinking about. I could talk about whatever.
(13:09):
So all these separate areas are kind of loosely revolving
around this concept of context and AI. So I feel
like or have felt like for a long time that
this is congealing. It's coalescing into this single theme. Right.
But a couple of weeks ago I'm like, this is
not quite it. This is not quite it. I'm close,
(13:33):
but not not quite there. And I think I have
a much simpler way of describing this now. And that's
what I'm calling this unified entity context. And of course,
that won't be the real name that gets used because
Gartner will name it something and that'll be the new name.
No big deal. If we look at security specifically and
(13:53):
we look at some use cases, we find some really
interesting patterns. So for like a SOC analyst you got
tons of different logs, you got threat intel reports, you
got identity stuff, endpoint data, all these different sources for
incident response. You've got the same stuff you have to
look at, but it's more focused around, like the narrative,
determining the scope, the timeline, stuff like that. With Pentesting,
(14:16):
you're also gathering tons of data and then trying to
put the pieces together and figure out like what to
go after. Same with Red team, but you're even more
focused on a larger scope, more interested in like the
context of everything and the impact that you can generate.
And with vulnerability management, we need to understand the organization
really well. Otherwise, it's really hard to do remediation, which
(14:39):
is kind of the whole point, program management. You got
to have project management, budgeting strategy, time management, all those
things combined. GRC you have to know what we need
to be compliant with and why. And we have to
know what our gaps are in terms of like the
risk register vulnerabilities, stuff like that. So the common issue
(15:00):
with most of these, really all of these is that
you have to be able to see multiple parts of
the organization all at once in context at the same time,
and then connect those pieces together. This is why security
analysts and incident responders and red teamers are so valuable.
It's not the single task in the problem that's hard.
(15:22):
It's integrating all the different sources to be able to
actually do that task. And I'm going to go a
little deeper into vulnerability management to illustrate this point. Since
I've lived in that hellscape for so long. What is
it that's actually hard about vulnerability management? Is it that
(15:43):
we don't have enough vulnerabilities? Is it that our dashboards
aren't pretty enough? That is not the problem. The problem
is when you have a given vulnerability, what application is
it part of? What engineering team is responsible for that application?
What repo do they work from? What DevOps workflows do
they use? Like how do they actually push code? How
(16:06):
do they fix things day to day? What is the
best way to get a really good fix to the
right person that doesn't annoy them, which causes their manager
to call over security and say stop bothering me. You
might think this is easy to find that person, but
keep in mind things are changing constantly. Reorgs team changes.
(16:26):
Tools are changing like the whole company is constantly in motion.
So here's the question how much of our inability to
do a great job at vulnerability management for the last
15 years is a security problem, and how much of
it is actually an organizational knowledge problem? And now ask
(16:48):
that for other areas of security. Even crazier, it's not
just security. The software and services industries in general are
all based on asking specific questions to a specific set
of data and giving you an output in like a
kind of a specific type of UI, right? You have
(17:10):
HR data, right? You ask HR questions to the HR
data and they put that in an HR interface. Right.
Same with project management. Right. You have project management data.
You ask those questions. You put it into some sort
of PM UI. Do we really think that these things
are going to need their own separate databases and their
(17:31):
own separate APIs, their own separate tools, their own separate UIs?
I don't think so. I think that all goes away.
And what we end up with is this thing which
I'm calling unified entity context. So if you're an individual,
your history, your belief system, your aspirations, your favorite books
(17:52):
and music, past traumas, salary, high blood pressure, your friends,
your job, your career, family goals, upbringing, medical history. Your agenda,
your calendar, right, your financial goals for that particular day,
like what you're trying to do for this particular year,
getting ready for, you know, a half marathon, whatever it is.
(18:14):
But then, just like with the security program, you can
ask all sorts of questions. Why is my relationship with
my mother in law not working? What can I do
to improve my health? Right. Different questions you can ask.
If you're a company. It's back to the same thing
that we collected with the Alma context goals. The state
of all IT systems. What are my Kubernetes pods doing?
(18:36):
What are all my EC2 instances doing? What's going on GCP?
I want all slack messages, current projects, team members, the
state of HR. How many people are we hiring? How
many people just left? Why did they leave? Desired IRR
for the company. All products that we have, our current
marketing campaigns, all of our competitors, marketing campaigns for their products.
(19:01):
This becomes the baseline for everything. Once you have that,
then you have the smartest AI you have with the
largest context. Look down at the entire thing and soak
it in all at once. Let's think about this from
the attacker defender perspective, because this is another way that
(19:23):
I came at this and I came up with this
thing called Acad, which is AI capabilities for attackers and defenders.
And the basic idea was figure out what the attackers
want to do to us, and let's just make a
list of those so we can defend against them. So
the number one question I get asked is essentially where
do I spend money for cybersecurity. And this Acad thing
(19:45):
is basically a way to answer that is you give
the answer of, well, you think about what they're about
to do to you and you make sure you can
respond to it. So that turned into this project where
I'm gathering tons of these attacker capabilities, and I'm building
a corresponding set of defender capabilities. And we're trying to
figure out like, how do these play off of each other?
(20:08):
So basically the attacker capabilities will be gathering a whole
bunch of data, right? The idea is that when you
run these attacker capabilities or when they run them against you,
they're going to put them into their own version of
your context. They're going to have a target unified entity
context for you, for you as the target, which is
(20:29):
you as a company. Right. And I thought it would
look like this. I thought the most important thing was
actually these capabilities are like the most important. And I'm like, well,
we obviously want to maintain that inside of a state bucket, right.
The unified entity context. So I thought that was that.
But after thinking about it a lot more, I think
(20:50):
it's actually this the accuracy and the freshness of the
target context is actually the most important thing because the
ability to attack and pivot and hinge off of all
this different stuff and, you know, go a different route,
be dynamic, do attacker things and defender things. It all
(21:12):
hinges off the quality of this context. So where this
all takes us is that the top priority of attackers
will be having better UEC models of your organization than
you do. So it'll be a competition between your attacker
and you, between who has the most accurate and up
(21:37):
to date context for your company. And this is absolutely insane,
because the very next step is realizing that we have
this entire thing completely backwards. Instead of cybersecurity or finance
or whatever, being at the center, like in this diagram
(21:58):
with context and AI being like, oh, how do you
add AI to cybersecurity? Oh, we should gather more context,
you know, so we could do cybersecurity better. Nope. It's
actually the opposite. The context of the entity is everything.
It becomes primary along with the AI that operates. Looking
(22:21):
down at that context, software verticals kind of go away.
Software and service verticals just become use cases. They become
modules on top of unified context. And here's a completely
crazy question to think about. And this is currently like
(22:42):
blowing my mind. It has not stopped freaking me out
since I started thinking about this. What if all of
our decisions are only hard because we actually lack context?
What if the fog of war is the thing that
makes things difficult. Think about a junior analyst being asked
(23:04):
if some connection is malicious or not, and they've got
like 27 different sources they can pull from all these
different repositories Google Docs, slack or whatever, and you're just like,
have at it. Good luck. I need to know if
this is dangerous or not. This is going to be really,
really hard for a junior analyst, you know, with 1
(23:25):
or 2 years experience, even three years experience. But now
imagine a principal analyst comes along to assist the junior analyst,
and they build them this elaborate timeline of everything that happened.
They take all the logs, they study them for 27 hours,
(23:46):
and they build this giant, complex visual map. Then this happened,
then this, this log in CrowdStrike that maps to this
log in Palo Alto, blah, blah, blah. Connect all the dots. Oh,
this is when the attacker did this. This is when
the attacker did this. That's when this happened. So it
looks like this person is actually the same person as
that person. And you could see it clearly. Now can
(24:08):
the junior analyst answer this question. Yes they can. They
could probably just be like, what are you talking about?
Oh that's obvious. I mean, yeah, look, obviously it's malicious
because you see the story right here. It's a narrative.
It's a story because of the context. Now watch this.
(24:29):
Maybe that doesn't even require a junior SOC analyst to
answer that. That could be an intern. That could be
somebody still in college who's barely learned any security at all.
And you're like, hey, so you're vaguely aware that there's
a security like concept and like, bad things are bad.
They're like, yeah, I guess it's like, well, what if
(24:50):
I showed you this diagram here and all these are
different logs that happened? Do you think that connection right
there is actually malicious? They're like yeah, obviously. So maybe
the problem isn't the difficulty of the task, but the
difficulty of filling in the context that paints the picture.
(25:16):
I think this is absolutely true. And it's why I
think unified entity context actually ends up being the most
important thing for the management of anything. An ice cream
truck business, the local city council group, right? A gardening collective, right.
(25:42):
A city government, a state, a country, a federation of planets. Basically,
AI can use its understanding of the entity, of the
thing that you care about to lower the difficulty of
most decisions because it can take snapshots of the current
state that's relevant to the decision that needs to be made,
(26:03):
and put it in context, in a timeline, in a
narrative that makes it obvious what you should do right.
If you think about the fog of war for like
a genius general. Oh, where's the enemy attacking? We don't know, sir. Okay.
How many troops do we have? We're not sure. We're
cut off from, uh, communication lines. How many troops do
(26:27):
the enemy have? We're not exactly sure. Somewhere between 10,000
and 100,000. Okay, cool. That requires genius of that general.
That requires genius because they're operating in so much uncertainty.
When you bring that uncertainty down, you could pull a
private into that room and be like, okay, we know
(26:49):
the exact current state of everyone. What should we do?
And the private walks in is like, shouldn't we just
blow up that truck? Since that's the most important thing
and it has all the special plans in it, and
it has the special device in it. Should we just
blow that up? And everyone's like, yeah, exactly. That's exactly
what we should do. It requires genius. If you don't
(27:13):
have the information, it does not require genius if you do.
So the natural question is what does this mean if
this is correct? Well, if you're building a company, I
think you need to be thinking very carefully about how
to get access to unique data for your customers. You
might have the best vuln management scanner, but if your
(27:35):
competitor partners with someone who provides unique data, or they
have unique data themselves for some other reason and they
have access to the customer's team structure, their GitHub repos,
their HR, you know, workday, they know employees coming, they
know all the org changes. They know all the dev pipelines.
(27:56):
They know which application corresponds to which dev team and
which developer. You are going to lose. It doesn't matter
how good your scanner is, if they know more about
the customer than you do, you're going to lose. So basically,
avoid getting beat by someone who knows more about the
customer's organization than you do. If you're in VC or
(28:20):
you're really any kind of investor, I'd be looking at
companies that are thinking deeper into this context and are
thinking about UEC early, how to make it themselves if
they have to, how to partner with someone who's making
it up. I don't think you should look for people
who are trying to build the actual UEC, because I
(28:41):
think that is so big, it's going to be most
likely the giant players that are doing it. But I
would say avoid betting on companies that ignore this deep
context threat and are probably going to lose as a result.
And if you're a defender and you're trying to figure out,
like what do I build to improve my cybersecurity program,
(29:04):
you should start building your own unique context for your company.
Your attackers are going to have a version of context
for your company. They are going to have a unique
world model of you, and your version of that unique
world model needs to be better than theirs. And finally,
(29:26):
if you're just trying to figure out where things are going,
just imagine this whole AI state management, unified entity context
thing as a lens that you could use or not
use to interpret new AI developments. Basically, one way of
interpreting the news about AI that hopefully makes some sense.
(29:46):
Thanks for your time and I'll see you in the
next one.