May 6, 2025 8 mins

Interested in being a guest? Email us at admin@evankirstel.com

The digital landscape has reached a tipping point. In this eye-opening conversation with David Holmes, CTO for Application Security at Imperva (a Thales division), we uncover the alarming reality that machines now dominate internet traffic. For the first time in over a decade, bot traffic has surpassed human activity online – and a staggering 37% of all traffic is malicious automation.

Quantum computing's looming threat to our encryption infrastructure takes center stage as David explains the race to develop quantum-resistant algorithms before "Q-Day" arrives. The cybersecurity community faces the monumental task of gracefully transitioning the entire internet to new encryption standards that can withstand quantum attacks. Meanwhile, enterprises must focus on protocol agility, learning from past transitions to prepare for this inevitable shift.

The conversation shifts to the AI security paradox currently facing organizations worldwide. While companies rush to develop AI-enabled applications, most admit they haven't thought through security implications. Simultaneously, attackers are leveraging AI to create increasingly sophisticated bots that evade detection. This AI arms race extends to API security, where the programming interfaces powering our digital economy face growing threats. With the API security market expanding 27% annually, organizations must move beyond merely discovering their API endpoints to implementing robust security measures.

The recent Imperva acquisition by Thales has created a cybersecurity powerhouse combining Imperva's application security expertise with Thales' massive global presence serving 100,000 customers across 30 industries in 100 countries. This strategic integration positions them uniquely to address the convergent challenges of quantum computing, AI security, and the bot-dominated internet landscape we now inhabit.

Want to learn more about securing your organization in this new reality? Explore how Thales and Imperva are helping enterprises prepare for both immediate threats and long-term security challenges. Connect with us today to protect your mission-critical applications in an environment where machines – not humans – dominate digital traffic.

Support the show

More at https://linktr.ee/EvanKirstel

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:01):
And I'm here at RSA with David from Thales. David, how are you? Hey.

Speaker 2 (00:05):
I'm great. Happy to be here.

Speaker 1 (00:07):
Well, good to see you, and you guys know a thing or two about mission-critical applications. Before that, maybe introduce yourself, your role, your team within Thales. Sure, sure.

Speaker 2 (00:17):
I'm the CTO for Application Security at Imperva, which is a division of Thales, and I run a team of solution architects who help customers protect their web applications day in, day out. At Thales, as you know, we're a huge organization with 100,000 customers around the world, 30 different industries, 100 different countries.

Speaker 1 (00:39):
So that's a lot of ground to cover in a few minutes here. But what's on your mind, top of mind, here this week at RSA?

Speaker 2 (00:46):
Two things. One is probably the biggest buzz is around post-quantum. So if you're familiar with the concept of quantum computers, they could any day now or in a few years crack a lot of the encryption that we use to basically just secure the entire Internet today.

(01:06):
So there's a huge effort underway to make quantum-resistant algorithms and then gracefully move to those. So tonight, in just a couple hours, we're hosting what we call a PQC Palooza at, I believe it's the High Regency Soma, starting at 4.30. I think there's still a few spots left. If you go to that today, you're going to see industry luminaries

(01:27):
like Dr. Michelle Waska, Dr. El Gamal, talking about quantum-resistant challenges around it and how we move to a safer world. So that's one thing. And then, if you don't mind, a second thing is, of course, artificial intelligence is not just super cool and everyone's

(01:47):
using it for this and that, but the attackers are using it too, and enterprises are getting ready to release AI-enabled applications. They want to know how to secure them. So all of that is basically what's going on.

Speaker 1 (01:59):
Wow, that's a lot to unpack, but we'll try to do that. So Q-Day is approaching, yes. What do we do to get ready, both as individuals and organizations?

Speaker 2 (02:07):
Large enterprises. Sure, sure, um, an individual, like consumer level, literally just sit back and let the experts handle this, not what you're going to be doing. You wanted to keep aware and you're at the show. Like I said, go to the PQC Palooza. At the higher frequency, 430 goes to 8 o'clock. In an enterprise level, you're probably very, very aware that,

(02:32):
hey, this day is coming. If you follow NIST, they have been releasing what you call candidates for protocols that are quantum resistant. Now, this is a tricky space that we're in. The good news is that we as a community, as a cybersecurity community, have gotten better about being agile around what protocols we're using, but also to have the ability to migrate

(02:55):
to different protocols quickly. We went through this with beautiful algorithms like RC4 a long time ago. It was very, very difficult to sort of swap those out, but now we've gotten better at it. We've gotten to SHA-1, et cetera, et cetera, et cetera. Being agile and your ability to adopt new protocols safely is

(03:17):
what everyone should be focused on as they get ready for Q-Day.

Speaker 1 (03:22):
Yeah, that's going to be fascinating to watch. Switching gears to last year's Imperva acquisition. I'm based in Boston. I see the amazing work you guys do in healthcare IT organizations. Tell us more about the acquisition and how it's going. Sure, sure.

Speaker 2 (03:36):
So the acquisition of Imperva by Thales closed in December 2023, so not even a year and a half old now. In the Imperva business, there's always been the data security side of the house selling data security, database monitoring, file access monitoring. Those solutions very, very much complemented the Thales data

(03:59):
security solutions. That was an obvious integration point there and everyone was very, very excited about that. But Thales also got the application side of the house, the application security side of the house, which is business they didn't have before. From Imperva's perspective, Imperva now gets access to Thales's huge partner network

(04:20):
6,700 partners.

Speaker 1 (04:21):
Wow, that's fantastic. So you have so much going on here. You have a new report about bots, bad bots in particular. Yes, and tell us what some of the key findings were. What were some of the outcomes?

Speaker 2 (04:33):
I'm so glad you asked about that. So we just released the 2025 bad bot report, which looks at database from 2024. We got a ton of media hits about this. The most significant finding, and the easiest one to remember, is that this year automated traffic on the internet has now surpassed human traffic. So traffic generated by bots, short for robots, or some kind of

(04:57):
automation now more significant than humans. Now, this isn't the first time it's happened, but it's the first time it's happened in over a decade. So that's one thing. Another significant finding is of all traffic, of all traffic, 37% is malicious automation. Wow, right, that's almost four-tenths, right, that's

(05:19):
almost four out of ten packets that goes by is malicious. That's something else to bemoan.

Speaker 1 (05:28):
I guess. Well, scary stuff. The other thing you're deeply involved with is API security. Tell us about your work there and some of the good work you're doing with customers.

Speaker 2 (05:38):
There's a ton of interest around API security. We actually mentioned this in our bad bot report, because a very interesting intersection around API security is attackers using AI, not API, AI, to attack applications. And we know they're using AI for two reasons.

(05:59):
One is, as we classify the different bots out there, we classify them as simple, medium and advanced. Simple being it self-identifies as I'm a malicious bot, like I'm hacker tool X. Medium would be it tries to emulate a browser, and advanced, it really, really does try to hide and pretend to be human.

(06:22):
This year, the middle part is almost enough. Wow, because people who know nothing about launching a bot can now use AI to go do that, and the people who are really good can use their AI to make themselves look even more human. So it's increasing both at both sides of the spectrum. Now the advanced ones, they're much more starting to attack

(06:45):
APIs. So an API is a programmable interface, say, to your data or your services. More and more of the world is becoming APIs. Very often, an application that you might use on your phone, or even a web application, is really just talking to application programming interfaces on the back side. Attackers are catching on to this and now

(07:06):
launching different attacks against API. So every customer we talk to, they know they have to do something about API security, and that market in itself is growing by 27% per year. Wow.

Speaker 1 (07:19):
Yeah, we live in an API economy, so it's time to up our game there. So Thales, as a company, invests a ton in R&D. And what's next for you? What are you excited about the rest of the year as we head out of RSA?

Speaker 2 (07:33):
That's a good question. So there's all that work that I talked about on post-quantum, and that's a decade-long process, to be honest. We're maybe five years into that, and the data security people have that underway. On my side, on the application security side, a lot of API security. The whole world has been trying to build their inventories and discover all their API endpoints. Now they want to do something about actually detecting and

(07:55):
securing them. So that's basically the short to medium term. Longer term, everyone knows they're going to be releasing some kind of AI application, right? Almost every single customer we talk to, and when we ask them how do you think you're going to secure that?

Speaker 1 (08:11):
They all say the same thing.

Speaker 2 (08:14):
We haven't got that far in our thinking. So there's a lot of design work and trying to stay on top of all of the AI developments.

Speaker 1 (08:21):
Well, we're wishing you success. We're all behind you. We need your support and your help, and onwards and upwards. Thanks, David.

Speaker 2 (08:28):
Thanks for having me. Take care.