What were the main themes at BlackHat USA 2024 with respect to Cloud Security, maybe with a sprinkle of AI Security? Our team was on the ground at BlackHat and DEF CON 32 this year. We heard many talks and panels, spoke to many practitioners, leaders and CISOs, and had the pleasure of recording some great interviews (coming soon!). This conversation is a distillation of everything we heard and the themes we saw.
Questions asked:
00:00 Introduction
01:15 A word from our episode sponsor, ThreatLocker
04:35 Resiliency in Cybersecurity
07:00 Commentary on upcoming US elections
09:42 Identity Centric Security
15:55 Cloud Security is getting more Complex
23:47 Growing importance of Data Security
25:42 Use Cases for AI Security
31:25 Shared Responsibility and Shared Fate
33:21 Is CSPM Dead?
37:32 The Conclusion
Resources spoken about during the episode:
BlackHat USA Keynote - Democracy's Biggest Year: The Fight for Secure Elections Around the World - https://www.blackhat.com/us-24/keynot...
Generative AI Misuse: A Taxonomy of Tactics and Insights from Real-World Data - https://arxiv.org/abs/2406.13843
RSAC 2024 Innovation Sandbox Finalist - https://www.rsaconference.com/library...
BlackHat USA 2024 Startup Spotlight - https://www.blackhat.com/us-24/spotli...
Ashish Rajan: Hacker Summer Camp, or BlackHat 2024, was here just a couple of weeks ago, and today in this episode we're talking about all the highlights and the themes that came out of BlackHat. Don't worry, we're not going to focus on all the AI announcements. There's a whole AI Cybersecurity Podcast where we're going to talk about all of that.
But in this particular episode, we're going to go through some of the highlights and themes. And to make it more interesting, we have live callers in as well, who shared their perspective on some of the topics that came up and some of the highlights that they also saw as part of the emerging field.
If you didn't get a chance to go to Black Hat or the Hacker Summer Camp, this is a great episode to catch up on the themes. If you know someone who has not been to Black Hat and is probably interested in knowing what the themes were from the Hacker Summer Camp in 2024, definitely share the episode with them.
And if you're here for a second or third time, I would really appreciate it if, when you're watching this on YouTube or LinkedIn, you give us a follow and subscribe. And in case you're listening in, definitely drop us a review rating on iTunes and Spotify, because it definitely helps more people find out about Cloud Security Podcast and gets the word out there.
So I hope you enjoy this episode on [00:01:00] Black Hat. And definitely a shout out to Shilpi Bhattacharjee, who's the other half of the Cloud Security Podcast, Cloud Security Bootcamp, everything Cloud Security we run, bringing in all her experience for what she learned as themes from Black Hat and Hacker Summer Camp.
Enjoy the episode. Talk to you soon. Peace.
We interrupt this episode for a message from our episode sponsor, ThreatLocker. ThreatLocker is an endpoint protection platform that allows what you need in your environment and blocks everything else, including ransomware. On top of this, ThreatLocker Detect alerts you to blocked cyber attacks and indicators of compromise, like numerous failed malware executions. Ditch your standard EDR tools and secure your organization today with ThreatLocker at www.threatlocker.com.
Hey, what's up everyone? Today's topic is about Hacker Summer Camp and what we basically found as highlights from it.
So I've got Shilpi on the other end. With that said, Shilpi, over to yourself to introduce yourself first, please.
Maybe if you're going to start it there.
Shilpi Bhattacharjee: Yeah, definitely. I'm Shilpi, for those of you who don't know me. I am not the face or the beard behind Cloud Security Podcast and AI [00:02:00] Cybersecurity Podcast. I often introduce myself as someone who does all the boring things in the background. But yeah, I wear many hats in the business, and I just make sure that things keep ticking along.
Ashish Rajan: Awesome. And now, after that beautiful intro of basically not being the beard person in the thing, we want to start off. We're going to talk about BlackHat, which was a couple of weeks ago. We were lucky enough to go to DEF CON 32 and Black Hat a couple of weeks ago.
So Shilpi, you obviously being the guiding light over here as well, as always, what do you want to kick it off with?
Shilpi Bhattacharjee: Yeah, so I think I just wanted to set the premise that we will primarily be talking about Black Hat. We will touch a little bit on DEF CON, because I don't think you can really talk about Black Hat US without talking about DEF CON, and also there is BSides Vegas and Diana Initiative that happens around that time.
So a lot of the themes and stuff will be taken from everything together. I also wanted to say that, of course, like everything in 2024, there were AI themes. We do have the AI Cybersecurity Podcast and we are going to be launching an [00:03:00] episode on that, specifically talking about the AI themes at Black Hat.
So we will touch on them loosely. But I think I'm going to try really hard not to get into them too much, just so that episode is not a repeat. But I really think you can't have too many conference conversations in 2024 without talking about AI, unfortunately. And also, as we have the conversation, I'm pretty sure people will start to see that there is a blurring of the lines that is happening with cloud security, AI security and the whole ecosystem.
Because a lot of the things do transcend both of these disciplines, and also as an organization or enterprise, which is a lot of the BlackHat audience, they're not just looking at cloud security or just looking at AI security at a particular point in time. So there's definitely themes.
So that's just to set the premise. So I think we'll be talking about what the themes were, why those were the themes, what were the interesting things that we came across. We obviously have a lot of behind the room conversations. So we did a lot of recording as well.
We actually had some really [00:04:00] interesting interviews that were recorded at Black Hat which will be coming on Cloud Security Podcast and AI Cybersecurity Podcast. So we are very lucky that we not only get to see the conversations that happen on the conference floor, but we also get to talk to a lot of interesting people.
So our intention is to really share that holistic view, not just what is seen in talks. So without further ado, I do want to get started on the themes. And they're not so much themes that are publicized or themes that we'd see, but come from talking to a lot of people during the conference, but also reading a lot of the stuff and listening to a lot of the talks that happened.
In my mind, I think these were the big themes, and they may not be the most buzzworthy themes for 2024 for Black Hat, but I'd be curious to hear, Ashish, what your take is, and also the take of anyone who's actually listening in as well. The big one, which probably is something that we've used in cybersecurity for a long time, but I think has resurfaced: obviously, to set the premise going into Black Hat, we had the CrowdStrike outage and that was [00:05:00] really top of mind for everyone.
So the whole concept of resiliency was something that was spoken about a lot. So in a lot of the talks, in a lot of the vendor messaging, there wasn't as much, definitely there was still AI-driven and all the AI-supported kind of conversation, but I think a lot of people were leaning into the risk and resiliency conversation for cybersecurity.
And I think it came through a lot because of what had happened with CrowdStrike and the impact that it had on organizations, and how it really tested the resiliency of not just the cybersecurity community, but also vendors, and also organizations that were using it.
Ashish Rajan: It definitely is something that, to what Shilpi said, was a good test of resilience for a lot of organizations.
And that came out as a theme, to what Shilpi is saying as well. I would, although, add that it is something that we all consider, whether BlackHat is primarily, I would say, for people who are on the offensive side of security, like the pentesters, and people who are technical CISOs.
I feel a lot of them, I was fortunate enough to meet a few CISOs who used to be technical but now lead a team, [00:06:00] and they were finding all these interesting things to encourage their team to be building a lot more in terms of, Hey, what is something that I can take back to the team? That is quite crucial.
And I would say resilience would still be number one, because as security people we're expected to have high availability, like CIA, the triad that we all believe in: confidentiality, integrity, and availability. Availability probably is the most important one that resiliency kind of, at least in my mind, goes towards, especially after the CrowdStrike incident, and definitely the good job done by the CrowdStrike people.
The impact was definitely felt all over the world. But definitely a good reminder for building resiliency and that kind of came out of the theme as well.
Shilpi Bhattacharjee: It was somewhat of a theme thing, because it did get mentioned in the keynote as well.
So Jen Easterly, who's the director for CISA as well, she did a keynote as she normally does for these events. And I think the two main topics that came out of the conversation that she had were around resiliency, very much talking about the CrowdStrike [00:07:00] outage, but also, and this probably is not so much thematic of BlackHat, but I think it's also where the environment is at the moment, the U.S. elections.
So that was another thing that a lot of the speakers and keynotes and panels did touch on, because there is obviously some concern around how cybersecurity will be impacted. So something that Jen Easterly did mention is that she does feel that the election infrastructure is the most secure that it has ever been.
So she is obviously confident in that. I think the flip side to that, and this is more of a personal opinion from my end, is also that we are for the first time, I think, in a U.S. election at a time that AI is as mature as it is. And I know we are about to release an episode on AI Cybersecurity Podcast, where we went through the Google report on generative AI misuse, and it does go and talk about a lot of things like deepfakes and ways that AI can be used to manipulate a lot of stuff.
So definitely that was the center of a conversation on a lot of things. And I know it's not so much the resiliency part, but I'm just leaning into what the [00:08:00] main themes were from the keynotes, and it was definitely something that a lot of people were talking about because it is imminent and it's happening by the end of the year.
Ashish Rajan: For people who remember the Hillary Clinton and Trump election, when the whole email hack happened, and that was like the sole thing that was used by the opposition to kick off a few things, it's great to hear, coming back from there almost four years later, that there is a sense of, Oh, the election system in the US is a lot more resilient in terms of infrastructure. That's also good to hear. So hopefully none of that happens, but only time will tell in terms of if there are impacts. But to what you said about the Google report that came out on the impacts of what this could look like, there's definitely a lot of research.
Number one was, I think, if memory serves me, political reasons for using AI attacks, and a lot of them actually had deepfakes as a method as well. Yeah, there you go. Another form of resiliency, now that our AI does audio, video, and text as well. Definitely building some resiliency on multimodal, but that's a lot about [00:09:00] resiliency.
What was the next theme?
Shilpi Bhattacharjee: So the next theme, and also, sorry, before I go on to the next theme, I think it'll be interesting, and I think this was just a fun thing that I took away, which I think the audience might appreciate, is that they also had the chief cybersecurity and operations officer for the European Union and also the UK National Cyber Security Centre.
And I'm sorry if I've mispronounced that, and Felicity Oswald. And I think the funny thing is they mentioned that a lot of the elections that happened in their region, so in the UK and Europe, are still based on paper ballots and manual counting. So that was an interesting kind of thing. I was like, yep, in this day and age.
But then again, with all the digital stuff that's happening, I don't know whether that's the better route or not, but it's the whole human versus machine thing that we've been talking about. So quickly jumping onto the next theme. And I guess this has been a theme for, I think, many years.
And it's just one of those things, I feel it's always been there and people say it's important, but somehow I don't know whether we've gotten any better at resolving it, this whole identity thing. So identity-centric [00:10:00] security, or identity being like the centerpiece, that again this year, and I think more so with the AI piece.
And I know I did say I wouldn't mention AI too often, but I think it just is going hand in hand. A lot of it is identity based, because of everything that we do to access. Identity has become more important with cloud, obviously it became quite important, and I feel this has just put more weight onto it.
So this year we have seen a lot more vendors in that space. We are hearing a lot more conversation in that space. There have also been more breaches that are coming out from identity related issues, things like your credential compromise. So I think that conversation is definitely happening and that was definitely one of the themes that was there.
If you look at a lot of the talks that were there, a lot of people are talking about access and identity as one of the key themes. I will make an interesting point a little bit later on about how the themes have leaned into BlackHat as well as RSA this year, especially with the startup ecosystem.
But I think I'll lean into that a little bit later. [00:11:00] But yeah, identity. And I know Ashish started his career in identity, so I think it's a love and hate thing for you. And I've only been in cybersecurity for not that long, but I feel like it's one of those things that sounds really simple to solve, but I know it's not, and it remains the bane of many people's lives.
Ashish Rajan: The impact identity has, this being called the new black in the space, is that it is the external perimeter.
The first thing people get access to. I think a lot of people have also diversified their conversation about identity. If we were walking on the show floor at BlackHat, in fact, even just having conversations with identity folks, a lot of the challenges came across more from human versus non-human identity. I wouldn't say cloud is becoming the standard; cloud is still, I think the quarterly report from Amazon called out, that only 75 to 85 percent is on premise, whereas the 25 to 15 percent is actually on cloud, and the remaining may come on cloud thanks to [00:12:00] AI. It's really interesting to see identity was being brought up as a challenge, and not because of what you might think from a technical perspective.
Like we all figured out, why don't we just use an industry standard like SAML? But the challenge is coming more from the perspective that what the normal standard for infrastructure in most enterprises looks like today is multiple cloud providers, so now I have SAML, I have MFA, but I also have third party users who have access to hardcoded credentials.
I also have my APIs being interacted with by third parties, which have access tokens, API keys. Now secrets are not just usernames and passwords. These days there are API tokens, access tokens, multiple. I think I was reading a stat somewhere that there are like 10,000 kinds of secrets that you can potentially find on GitHub if you were to search for it.
And that is just not username and password. There's a lot more to it. AWS access keys, another one, Azure access keys, the list goes on, and identity has [00:13:00] become even more complex. But the biggest piece, I think, which was probably not addressed by a product, and I don't think can be addressed by a product, is the confusion of responsibility.
Like for example, an organization may assume that, well, we have an identity team, so anything to do with identity goes to the identity team. They look after username and password. They look after implementing SAML, but would you say that password management is part of that? A lot of people are talking about, Hey, authorization being coarse-grained is not good enough. It needs to be fine-grained now.
There's so much deeper context now in the identity conversation, and you see this spoken about quite a bit, but the reason why this can't be solved by a product is because it changes for different organizations. Which is why most of the conversation at BlackHat for identity primarily revolved around, Hey, how do I manage human identity and how do I manage non-human identity?
Those were the two big pillars, and then, Hey, can I do zero trust so that I can get rid of the password? So those were the three themes that came out. [00:14:00] With that said, Shilpi, over to you. And that's all, I thought I'll stop bitching about identity now.
Shilpi Bhattacharjee: You can't continue, because clearly it is an issue or a topic that is becoming really important. And I don't think it's becoming important, I think it always has been important, but I think it's just becoming more complex, and the reliance of different things on it is becoming more, obviously with AI and with cloud security. So I definitely feel the industry is getting more serious about it. Definitely, as you said, there are more sophisticated tools. People are thinking about it from different angles. And I think it actually might be a good point for me to say this.
So I think one of the things that I was looking at, because I always get a little bit interested in the Innovation Sandbox, or BlackHat does the startup one, I think they call it Startup Spotlight. Yes. In terms of what kind of startups are being picked up for these, because I think that's always a good sentiment about what are the interesting things that are coming up.
And it was really interesting to see, I thought about the themes before I looked at the startups and they all kind of align really well. So obviously with RSA, they have usually [00:15:00] 10 that were there. And overall, they were all in the AI space primarily, but there were also ones in the cloud space, which were around cloud native detection and response, cloud access governance.
So that's talking back again into the identity piece, and also cloud investigation and response. So there was that. So it was really interesting to see that identity was still picked up, and obviously AI, but I don't know if the AI pieces are being picked up because they're just more trendy. I don't know, I'll let you guys be the judge of that, but there were two identity ones for RSA. But even for BlackHat, so there were only four, they did have one for data leakage, they did have an identity one, but more for LLMs. So it was access control for LLMs, which was Knostic, which was actually the one that won as well.
So overall, I think if you look at both of the ones where these startups or the innovation is being picked up, it's around AI, around identity, around data. And then also in cloud, and I know Ashish, you and I have been speaking about this, there's this whole thing [00:16:00] of incident response and detection that's coming up. And I think that speaks to the maturity in the cloud space. I think we've had a lot of conversations on the podcast this year on automation, auto remediation, incident response, threat detection, a little more complex conversations than what we used to have probably three, four years ago, where it was all about misconfigurations and different settings on different services.
And that is one of the other themes that came out: cloud security is getting more complex. It is still challenging, but the parameters have become much more difficult. And that's where we're talking about a lot of these more complex things, like the tooling has definitely become more complex.
Like we have the CNAPPs plus plus, I don't know what stage it's at at the moment, versus what it used to be, just a posture manager a couple of years ago. So there's definitely that conversation, but then there's also this theme of automation. So with AI, obviously a lot of companies are looking at automation and AI-driven, which I think in today's day and age, with what AI can do, does mean a lot of automation.
And obviously a lot of people are talking about that as a solution for, okay, [00:17:00] we've got this cloud security environment that is becoming more complex, and how do we solve that? Obviously, we've got the shortage of skills, gaps and all of those things. So automation is definitely a theme, and it's been really interesting to see how people are tackling that. There's automation with regards to secure coding. There's automation with regards to threat detection in the SOC space. So it's interesting, that's like an overarching theme. And I know I've not gone, as I said at the beginning, for buzzwords; these are more sort of boring things.
But my motto for this year is security is boring. And we do need to get the fundamentals right. Like the more AI conversations that we've been in, as futuristic as we would like to be, I think we still are on a journey of getting the fundamentals right.
Ashish Rajan: Yeah, I also agree. So for people who are watching this or listening to this, I would also call out the fact that over the past three, four years, so we've been talking about cloud security for the past five years.
And initially, a lot of conversation was floating around the whole, [00:18:00] hey, misconfiguration, let's pick that up. Hey, what's the next thing, detection? Let's pick that up. And CSPM was that first acronym, as Gartner called it out. The reason I bring this up is because initially CSPM was like the good starting point.
And I think in some situations, for people who are moving into cloud, it is still a starting point. But these days, if you are an established cloud provider, a CSPM just by itself is not enough, to your joke about the CNAPP Plus. Like nowadays people are adding, if I were to describe a regular enterprise these days, outside of the whole AI projects that they're running at the moment, they have Kubernetes, they have containers, they have your infrastructure, which is running as code in some parts of the business, they have infrastructure being rented from the cloud, infrastructure being provided by the cloud. So IaaS, PaaS and SaaS and all of that.
The complexity of this has become so much that we've focused a lot more on misconfiguration, and cloud somehow has become this [00:19:00] conversation about, Hey, how do I pick misconfiguration though? Cause that would help me reduce all the threats. But a reminder from all the conversations we had, we were lucky enough to have a conversation with folks who are analysts from Forrester, shout out to Allie, and the conversation floated around the fact that it's great that it was a good starting point, because initially a lot of us just wanted visibility.
But where we are now, people have not put in the effort to understand what an incident looks like in the cloud context. It's the CSPM and the CNAPPs of the world, all the alerts from them are being sent to a SOC team. Now the SOC team has not been informed, or when I say informed, as in they've been informed that they're going to get the CSPM and the CNAPP logs, but they haven't been educated in what a cloud threat looks like, and hey, which threat is a high that I need to look at right now and convert from a security event to an incident, versus what [00:20:00] event is something that is minor and a false positive, without digging deep into the cloud world. Whereas they come from extensive experience on premise, where they've done some deep research in every little corner of the organization.
So they know each application, but moving to the cloud, they're now in this mix of, I have to understand Kubernetes. I have to understand AWS, Azure, Google Cloud, Oracle Cloud, IBM Cloud, throw another one in there. So to what you called out, one of the reasons why we made incident response a theme of the year for 2024 for Cloud Security Podcast was that one thing, because we found that, A, CSPM is not an incident response tool because it doesn't give you the threat intelligence for it. It just tells you, Hey, it looks like you have a lot of broken windows, but your front door is open as well. Which is not the incident response you want. You want to know, is someone trying to jump into my window, or just on the ground floor, or whatever?
That's the difference. And that's where the whole thing, like how [00:21:00] prepared am I, can I detect the fact someone came into my house when I'm sleeping, which probably sounds like a very scary idea, but you get the picture, I think. And which is what keeps a lot of people awake. In the conversation we had with a lot of CISOs as well as practitioners on the ground, a lot of their concern was around this part, where, A, they were concerned about the fact that, Hey, I don't know what I don't know.
I don't know what my incidents are going to look like, because the incident response playbook that I used to have, which worked really well for on premise, doesn't work the same way in cloud. And then there's the added complexity, to what you called out just before, of the identity and the human versus non-human part.
And then on top of that, I have to do resiliency as well, but my staff is not trained enough to understand what incident or what security event from a cloud provider is actually a high versus a false positive, because they didn't have to do that. That was the cloud security professionals doing it.
Now it's the SOC people looking at it. So that's where, honestly, I think it's becoming a lot [00:22:00] more about, now they are in that next phase, for people who have adopted cloud for some time. Now they're starting to realize that, I think we need to also understand what kind of incidents are coming.
So a hundred percent on incident response as a theme to continue, whether it would automate and whether SOAR, which is still a sore topic, no pun intended. I'll be surprised if that actually continues to shine.
Shilpi Bhattacharjee: And I think a lot of the conversations that we've been having also, and also in the podcast, I think there are some episodes, and I'm happy to share them if someone's interested, we've been asking the question, how has cloud changed? Cause I think cloud has been around for a while, but in the last five to six years especially, luckily because we've been running the podcast, we've really seen it. It's matured.
And it's at that point right now that a lot of organizations, especially the ones who have adopted cloud, are deploying many more workloads in cloud. Obviously, a lot of them are looking at AI projects, they're coding faster. And I know we were having a conversation saying as you code more, you've got more workloads in the cloud that are deployed.
You have more stuff to secure, and a lot of these things are happening much quicker now [00:23:00] because a lot of our developers are actually using AI to do a lot of the coding. So stuff that probably used to take much longer is probably happening much quicker. So the pace of things has increased, and just the nature of AI infrastructure is such that a lot of it is actually happening on the cloud.
So even though we try and talk about them separately, I feel there is a sort of a connection that's happening between these spaces as well. And there's been that real influence in terms of the identity space in cloud, the automation space in cloud. There's more than ever now an urgency for automation, because the thing is, it's just about being able to keep up with the pace that things are being deployed in cloud. Infrastructure as code was part of the puzzle, and I think that was like the beginning of this conversation, but it is iterating and now people are looking at more pinpoint solutions. Like automated SOC has been one that we've heard a lot about this year.
And actually this fits in really well with the next theme. And I think people will start to now see how it's all related. Data security, so that was my last big theme. Data security was another one [00:24:00] which, if I reflect back to Black Hat last year, we did have data security conversations, but I feel like it's, again, one of those things that is being spoken about so much more, I think at the leadership level. Like everyone knows, at the end of the day, you are protecting data.
That is, if I were to strip it all back, as organizations, as leaders, as enterprises, we are just protecting data. And that'd be data of our internal people, data of our customers. That is what we're trying to protect. And similar to identity, it's a very simple thing. Everyone's like, yeah, I get it. Data is important. We need to protect it. But it is so complex, because again we don't know where it's being stored, how it's being maintained, what the entry points are. So that is becoming a real sort of a big piece of the puzzle. And that's something that was talked about quite a bit: how can we do data security right?
And in a meaningful way, because similar to identity, it's one of those pieces that's quite complex. Most organizations have a lot of data. They have sensitive data. There's a lot of regulation that goes around data. How do we work around this? [00:25:00] And I know we've had some really interesting conversations on the podcast about this as well.
But that was another big one. Again, none of these are buzzwords. None of these are things that you can go and, it's not like zero trust. And again, I know zero trust is not a buzzword, but I think it became a bit like that a couple of years ago.
We obviously go in with a very biased approach, a cloud and AI security lens. And cybersecurity is bigger than that. Obviously a lot of it is now moving to cloud, and AI has been the big thing on people's minds. So I'd be very curious to hear if someone else saw something completely different that we missed.
I would love to get that opinion as well. But yeah, so the last one for me was data security, that being a big theme: is the data safe for use for AI and ML, how is data being used, classified, all of those different things.
Ashish Rajan: I think it's worthwhile laying the context, because a lot of people would be listening or hearing about AI, but a lot of people may not have even heard of what the use cases are beyond the whole ChatGPT piece. Maybe it's worthwhile at least peeling that layer off.
We specifically, from the beginning, [00:26:00] Shilpi has been saying we won't talk about AI, but I think it's definitely worthwhile hearing how people are using AI and where a lot of the concerns were coming in. And I'm sure, so we're doing a whole episode on this on the AI Cybersecurity Podcast, which is the sister podcast we have.
But just to lay the playing field for everyone, the way people are using AI at the moment, there are three parts to it, from a security perspective. The first one, which I would say primarily is, Hey, is my employee using ChatGPT, Anthropic's Claude or an open source LLM out there, or anything of that sort.
Which I would put heavily in that third party risk bucket. That is the first area that a lot of people are concerned about which some people are also calling a shadow AI. The second part people are concerned about is more on the side of hey, now that I have this data that I, I believe I need to go and at least do something with it.
There's a whole side of: is my input clean enough? Which goes back to Shilpi's point about data security being that theme. [00:27:00] People have a lot of data that they have collected for all these years. They have a real challenge of, A, identifying whether the data classification we have in our data policy still applies.
Okay, is that still applicable for the data that I've collected? Imagine if you're a government and you've been in existence for 20, 30 years. At what point do you draw a line and say, okay, anything from more than 10 years ago, we're just calling it public? We would not look into it because of the amount of money you need to spend to even go through that data and find out, hey, is this data spread out anywhere else in the organization?
Or is this the only place where we have this data? There are questions about things that made sense 10 years ago but do not make sense right now as to why they should be classified in a particular way. So there are data challenges from two perspectives. One is discovering the data and making sure it's classified in the way you want to, which comes at a cost, and a lot of organizations have to balance that.
The second one is more around, once you've [00:28:00] identified it, you've discovered it, implementing the security of it for the input and output that you put into a system like ChatGPT or whatever internal system you may be building for AI. That is a big problem for a lot of people. So how do I sanitize the input?
So it does not contain anything sensitive. And the output that I get, how do I make sure it's hallucination free? That was the second theme from an AI perspective on how that's being used and looked into. The third theme, which came up a lot, was around the whole API access. A lot of usage of AI by developers is by using things like your Copilot.
Now, all of that comes in as an API call being made from your IDE, or from whatever else, into the OpenAI API or another open source model like Llama or whatever else they might be using. And the funny thing, to quote Shilpi here, the report she was referring to: GitHub came up with a report that 40 percent more code is being produced, like 40 percent new code is being produced [00:29:00] as we speak on GitHub using AI. That was another theme that was spoken about quite a bit, which is where the data security part of it led to. Now we're in the stage where, because of increased productivity, the amount of code that was being produced, say in 2023, we almost have a 40 percent increase of that output in 2024, thanks to the AI Copilot systems that we've gone down the path of. Which is a great thing, by the way, I'm not saying it's a bad thing. But what it also means, going back to Shilpi's third theme, SOC automation, is that now we need a lot more automation to be able to deal with this at scale.
Now it's no longer the fact that, hey, I have a team that can look after this. It's also more about: am I equipped enough as a team or as an organization to measure the amount of output that my developers are producing, and do I have the team that can actually review it, whether it's infrastructure changes, application changes, application security changes, pentesting changes, you [00:30:00] can just add on to the list.
And I think that's where a lot of concern about data is coming from as well. Because the more code that is not scanned or not looked into, that gives a higher risk as well. But Shilpi, that's all I wanted to say about data security. And I promise I won't talk anymore about AI. That was the only thing, I just wanted to add the layer for people.
Cause I think when people talk about AI, it's very easy to get lost in, like, where are we? And the example that I call out over here is that a lot of the use cases are still pretty much: I have a lot of documentation, which I plug into a natural language processing, ChatGPT, LLM kind of version of Gen AI.
There's definitely a lot of use cases for that, but there's also a lot of use cases where the insurance companies, as well as the legal organizations, have had a massive advantage. Customer care services have definitely seen a lot of advantage.
I'll stop talking about AI, but you had your themes, Shilpi.
Shilpi Bhattacharjee: Yeah, no, so I think those are probably the big four themes that came out for me. And if you were to [00:31:00] look at the kind of training that was being given, or the breakout sessions that were happening, they were all around these themes.
So there was identity and access management, how to do that well. Data protection, so again, leading into what you have just said. Threat detection and response, so that has obviously been a really big theme for us this year. And I know a lot of leaders and CISOs who we've been speaking to, that is quite high on their radar.
So I'm glad to see that there was training around this as well. There's still that notion of shared cyber security responsibility. And I think that conversation again leads back to the big scale outages and stuff. That always poses a question. And I think last year we were talking a lot about supply chain security.
I think what people have probably matured to, and probably realized, and I know one of our guests this year, actually it was Vijay Bolina from Google DeepMind, he said, rather than saying shared responsibility, it is shared fate. And I truly believe that at the end of the day, as much as we want to say, oh, it's our supplier where there has been an issue, [00:32:00]
the reality is that when something happens, everyone does have to share everything that comes from it and triage it in that way as well. It is being revisited in terms of how people are thinking about it. Obviously there are still the SBOMs of the world that are happening, and accountability on people to provide what open source information they're using.
But I think it's just the way that leadership and organizations are looking at it: yes, as much as we do need to hold our suppliers accountable and understand what they're putting into the software, at the end of the day, if something does happen, it does impact us. We do have to triage it.
So it is that shared fate, and I really liked the way he coined that. I think that's Google's way of talking about it. Endpoint security, that was another one that there was a bit of training around. And I know that is again something that we have spoken a little bit more about on Cloud Security Podcast.
It's interesting, cause I think a lot of the conversations that we've had through the year, and we're already in August, which is really crazy. But yeah, when I reflect on what's happening at BlackHat from a cloud security perspective, [00:33:00] a lot of the themes are consistent. People are talking about these things like endpoint security.
I know it's not something that we spoke a lot about if I reflect back to a couple of years ago, but this year I definitely believe that's something we've spoken about. I think what may be valuable, Ashish, is if you wanted to share maybe some insights. I would love to hear about endpoint security, because I know you've had some really interesting conversations there.
But also in terms of identity, how have you seen identity mature in 2024? Because you've seen it from, I think you've been doing identity for even before you had a beard.
Ashish Rajan: And before I was jumping into cloud as well. I think maybe I'll cover identity. I'll also cover the CSPM space, which I think is dying, because I've been talking about it.
And I think it's killing different acronyms. I think it was something else a couple of years ago. Yeah, I've definitely killed one already, which has died, from what I understand. But essentially the idea over here was, and I'm going to age myself over here, but for [00:34:00] people who had to put in their resume that, hey, I know Word, PowerPoint, Excel.
These days, you don't see anyone put Word, PowerPoint, Excel in their resume. It's expected that, oh, you already would know how to use Word. Even if it's Google Word or Microsoft Word or whatever, you will know something about how to use a Google Doc. The same way with the CSPM space, I think it's almost expected that every product that is in cloud security should already have the basic CSPM capability, which is basically identifying misconfiguration. Now the detail of how it does it, whether it's agent-based or agentless or whatever, more than that, it's the importance of the fact that it's a given that everyone would require some basic level of misconfiguration monitoring.
And that's basically the security posture. It should be default in every security product out there, for the simple context that, hey, now we have cloud providers doing it. We have, I guess, a lot of people actually have free CSPM as well.
Shilpi Bhattacharjee: I know CSPM is dead sounds pretty cool, but I would say it [00:35:00] is maturing. It's becoming something that is just expected, that you have some sort of posture management if you are deploying in cloud. I was just thinking about this while we were having a conversation. I can't remember the last time we were talking about S3 buckets. And two years ago, that's all we were talking about, misconfigured S3 buckets. So I think it's just a maturity that would be expected as people deploy more.
And they tick off the low hanging fruits. I think CSPM is just becoming much more evolved. If you were to think of it as an anime character, it's just got a lot more shields and gears, for anyone who's into games. It's evolving and it's becoming much more.
And that's why, like I say, CNAPP plus plus. But I don't even think it's CNAPP, because if you speak to a lot of vendors, they're building things that have so many things latched onto the CSPM. And if you're looking at organizations and leaders, they are bringing in all these tools to try and make this behemoth of whatever will resolve their issues at their end.
So I think it is just not enough for most organizations in its pure [00:36:00] form. So I don't know, Gartner may come up with another acronym.
Ashish Rajan: People are realizing security's job is to have the full context when they respond to a SOC incident. From an LLM perspective, a lot of the conversation focused around the fact that, hey, if right this moment I had an issue that I had to work on, the few ways I can look at it would be: hey, okay, I need to figure out, is this a cloud problem?
Okay, I found out my S3 bucket is open to the internet. Oh, what else does it have access to? Oh, it seems to have access to a virtual server, or EC2 instance as they call it. But that virtual server is running an application, which happens to be a container that is running an application that is not internet facing but has a vulnerability.
How do you know if this is a high, a low, or a not too high medium? But ASPM brings that context together, because it talks to your cloud security. It talks to your app sec from a static analysis perspective. It talks to your supply chain from an open source vulnerability [00:37:00] perspective as well.
But essentially, it's that holistic view of how big this issue is, apart from me in my isolated team just looking at that cloud vulnerability versus, oh, I have the cloud context, I have the app context. And as a SOC person, can I look at this and go, is this a high, or is this a medium or a low risk? And should I turn this event into an incident?
Because now I see that S3 bucket also has connections to a container, which somehow has sensitive information in there as well.
Shilpi anything else to add from a Black Hat keynote perspective or?
Shilpi Bhattacharjee: I think there's always more conversations to be had, and there is definitely the overall sentiment of, we've spent the last few years finding all the issues and vulnerabilities and misconfigurations. And I think, especially with the increased productivity in coding and all of that, and also all these misconfiguration and cloud security tools, the overarching theme is: who's going to fix these things? And I think that's what a lot of people are talking about. How do you [00:38:00] prioritize what is actually important? We had a really nice interview with Lily from Roku recently, who spoke about auto remediating all these configurations, because you do get so many alerts. And it's very similar for cloud, when you get all these alerts, but if you look at coding, secure coding, you get all these prompts saying, oh, what you've coded is incorrect.
Overall, people just want to know: yeah, good, you're telling me all these issues in my cloud deployment or in my coding, but who's going to fix it? How are we going to go about it? How do we triage? And I think that is overarchingly the sentiment, because people are feeling overwhelmed, cyber security teams and leaders.
So I think that's going to be really a theme. And I think it's a great conversation to have, because as much as we want to know, cyber security is not about just highlighting issues. It's about making sure that together we can fix things as well. Yeah, great way to sum that up as well.
On that note, I appreciate you tuning in, listening in, and I will see you soon.
Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast. We have been ready for the past five years, so I'm sure we haven't covered everything cloud security yet. If there's a particular cloud [00:39:00] security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video or tutorial on Cloud Security Bootcamp, definitely reach out to us at info@cloudsecuritypodcast.tv.
By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with the former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity: how organizations can deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else that continues.
If you have any other suggestions, definitely drop them at info@cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well, so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.