What is AI's role in modern cybersecurity? Ashish sat down with Amol Mathur, SVP & GM of Prisma Cloud at Palo Alto Networks, to talk about how cybersecurity is evolving in 2024. Amol spoke about the shift in the threat landscape and how attackers are increasingly targeting cloud infrastructure because of its critical importance. He also discussed the transition from traditional enterprise SOCs to ones that natively understand cloud constructs and technologies, and the challenges and solutions in bridging the cloud knowledge gap.
Questions asked:
00:00 Introduction and a bit about Amol
00:34 How has the Cloud Threat Landscape changed?
01:37 Code to Cloud to SOC
04:48 Role of AI in Cybersecurity
07:30 Which AI is right for your Cybersecurity Team?
Ashish Rajan: [00:00:00] Welcome to Cloud Security Podcast. Today we are talking about, I want to say AI and cybersecurity, but I got Amol. Hey man, thanks for coming on the show.
Amol Mathur: Hi there.
Ashish Rajan: Can you tell us a bit about yourself and where do you work and what are you doing in cybersecurity, man?
Amol Mathur: So I've been in cybersecurity for a little over 20 years.
Started as a member of a red team doing hacking into everything from applications to physical buildings, and then switched over to building cybersecurity products in application security and, more widely, enterprise and cloud security. At the moment, I work at Palo Alto Networks, where I run Prisma Cloud, which is Palo Alto's cloud security speedboat.
Ashish Rajan: How has the threat landscape changed from what it used to be? In 2024, where are we?
Amol Mathur: Typically, and this is not just for cloud, the threat landscape follows where all the important stuff is. Because whether you're hacking for notoriety or whether you're hacking for financial gain, you go after places where there are mission-critical workloads, mission-critical applications, sensitive data that you can sell on the dark web and so on.
So over the last sort of five years, cloud [00:01:00] really started going mainstream, and the COVID pandemic hyper-accelerated that journey, where customers are building and migrating their tier one, revenue-generating, regulated applications in the cloud, and regulators are becoming more comfortable with it.
So as a result, the threat actors are squarely going after cloud infrastructure and cloud applications. So we have seen a big surge in the frequency and sophistication of attacks against the cloud environment. Now, the attack might start with someone getting social engineered on their enterprise laptop, but then eventually they pivot off and move into the cloud because that's where the crown jewels are.
Ashish Rajan: A lot of people were talking about the whole code to cloud movement for some time, where IaC kind of became the default, and now I feel, I'm making a prediction here, but it feels like it's going from code to cloud to SOC, based on what I'm hearing from most people. And I don't know, where do you stand on that whole thing?
Amol Mathur: We have the most comprehensive code to cloud platform, which we launched about 18 months back, but we fundamentally believe that for an enterprise, and we hear this [00:02:00] from customers all the time, protecting an enterprise is now becoming equal to protecting the cloud, because organizations are largely in the public cloud, especially when they talk about the critical applications.
So for enterprise SOCs, a few years back, the cloud used to be on the fringe. Enterprise SOCs didn't really understand cloud constructs, cloud technology. So when they had to do any kind of incident response or incident triage, they would either pull someone in who understood the cloud or try to log into different cloud tools to understand, hey, what exactly is going on?
So what we realize is that to truly get a handle on threat detection, incident response, incident management, and bring that mean time down to sub-minutes, you need to natively understand cloud constructs and cloud technologies. For example, there is an incident against a cloud workload. That alert shows up in your security operations platform.
There are some containers, some identities involved. If you want to truly understand in a very rapid way, for example, when was this identity created? What does this identity have access [00:03:00] to? What is this workload? What is the criticality of it? What is running on that workload? Rather than calling someone who understands cloud or logging into another solution, imagine if you natively had all the context available.
Yeah. And go a step further and say you don't even have to ask for the context, because AI and guided investigations are already telling you what the relevant context should be that you should be asking for. That's the journey that we are envisioning, so that from a threat detection, incident response and security operations standpoint, it's all natively integrated.
Ashish Rajan: One of the conversations that I've been having with a lot of people about this code to cloud to SOC transition has been the fact that most organizations have had a SOC for years. They are well equipped in the whole, hey, I know on-premise really well, I know applications really well, I know attack paths really well there as well.
But there's genuinely a cloud knowledge gap in that SOC layer as well. And I think that's in most of the conversations we have as CISOs. It's, okay, how am I going to take this workforce and make them cloud-friendly, for lack of a [00:04:00] better word, so they understand the cloud attack context as well?
Do you see that change as well? Or what are you seeing people do in that space?
Amol Mathur: Today it's the cloud. Now we see AI coming in. Tomorrow it'll be some other technology. Yeah. Now, SOC operators, whether it's tier one or tier two operators, they can't become experts in every new piece of technology that comes out.
So what we fundamentally believe is, there are smart people working in the SOC, but the tools need to be intelligent enough to give the SOC operators all the necessary context at their fingertips. And with AI, they need to even know what context is needed, even before the operator is asking for it, so that the operator can effectively do their job at scale.
It's less about teaching the operator about every single piece of technology that's in the enterprise, because that's not feasible or possible. But how can the right tools give you the context at your fingertips, basically.
Ashish Rajan: Interesting. Would you say, in the context of AI, because you've been talking about AI so much, I'm curious, how do you see AI evolve in this cybersecurity world? Obviously we're at an event here [00:05:00] and we've heard a few announcements, but I'm curious from your perspective, now that I've understood, okay, there is a knowledge gap in the SOC tier, and it sounds like AI could be the potential answer here as well.
Where do you see AI play a role in cybersecurity moving forward?
Amol Mathur: We look at AI from two lenses. There's Precision AI and then there's Generative AI. Precision AI has been around for many years. This is your machine learning models, your statistical models, supervised, unsupervised. And then generative AI, everyone knows, is the new thing that's been around for just the last year and a half.
Now, the application of these two AI constructs, we look at it from three lenses. Number one is securing with AI, which means how can you do far superior threat detection, so that incidents can be caught and responded to much quicker. Number two is securing the AI. So now you've got a bunch of applications using generative AI components.
How do you get visibility around it? How do you understand the posture of it? And then finally, have runtime detection of all the evolving AI attacks. And the third one is, how do you simplify cybersecurity [00:06:00] by using AI? That's where generative AI is playing a really key role. So whether it's guided investigations, whether it's assistive remediation, whether it's summarization, the ability to connect datasets and create complex queries by an operator simply asking a question in English or multiple languages.
Those are the areas where we see AI playing a significant role in getting amazing outcomes for our customers.
Ashish Rajan: Interesting. And do you almost feel like the hesitation a lot of people have is, we have a lot of, what do you call, hallucination challenges that people have been talking about? And people, when they hear about Gen AI, they're like, how are we going to make sure that my SOC analyst is not working on something which is going to send them down the wrong rabbit hole?
Because they have to deal with network security, cloud security, they have their own SOC challenges as well. How do you see this play out in that kind of world, because there's a lot more than just cloud security today?
Amol Mathur: Sure. In Gen AI, it's hallucinations. In Precision AI, there's always the false positive and false negative problem.
So yes, as [00:07:00] an organization that has deep expertise and a big research team, we're constantly focused on measuring the efficacy of our solutions, which means that we have people looking at the output coming out of whatever, whether it's Gen AI or Precision AI, to see whether this is actually right or wrong.
And we are building guardrails in place, especially when it comes to Gen AI. And that's where we get the confidence before we release products out that, hey, is this within the high nineties of accuracy, where this can drive effective outcomes for our customers.
Ashish Rajan: One thing that was interesting for me, in the specific conversation around how AI can empower network security, SOC as well as cloud security, was around the security leaders who are listening to this conversation or watching this. They're obviously hearing a lot about AI from a lot of people. Where do you see, I think, the differentiation for them to help make that call on which AI is the right one for cybersecurity for them?
Amol Mathur: Even before Gen AI, AI and ML in threat detection have been around for a while. And you're right, as a buyer of these products it is very hard, because everybody's using the same [00:08:00] terminology, in terms of having these buzzwords in their security detection stack. Now, obviously the most ideal way would be that you're super sophisticated and you do proof of concepts of all these technologies, run them through the wringer of extremely sophisticated threats and so on, but for the average organization it is very hard to do that, right?
Yeah, in the absence of that, you need to really look at some basic fundamental principles of the philosophy behind using AI by different vendors. So number one, to really have effective AI which has high efficacy, you need to have a lot of data to train that AI model, right? Good data, bad data, that is labeled properly.
Fundamentally, understanding how an organization has data at scale, because the efficacy of the model is only as good as the underlying data. If, let's say, Vendor A or product A has 500 customers, right? Mid-size, some enterprise. Versus another company that has 60,000 customers in a wide range, from very large enterprises to mid-market. That gives you a sense of, okay, what data do you [00:09:00] have access to to build your AI models?
And then you have to really ask the right questions around the maturity of the security research team that is informing the data science and analytics team on what the threats are out there that they need to build machine learning models around. So those are the things that I would ask serious questions around if I was a buyer of AI-based detection technology, to really cut through the noise and understand who's sci-fi versus who's real AI.
Ashish Rajan: That's a good way, because I think the data is what makes the difference. Some of the newer players in the market may not have a lot of data to work through, but people who have been working in this space for a long time have a lot of threat intelligence data. They definitely can do a lot more, not just because they have a dataset to work with that can help build the accuracy, instead of just someone claiming they can have accuracy.
Amol Mathur: And even for people who have data, because we have gone through this pain, it is not something you can perfect overnight. You can write a regular expression rule. It is quite deterministic. You can tune it in a couple of days. But when you talk about AI, it takes time. It takes a lot of data, a lot of customer feedback, to really understand if [00:10:00] you have perfected a technology or not.
So it's not something that you can very easily crack.
Ashish Rajan: Yeah, agreed. Awesome. Now, thank you so much for sharing that. Where can people find out more about all the stuff that you guys are doing and the products you're building to make AI and cybersecurity more accessible for people?
Amol Mathur: Yeah. Obviously, go to paloaltonetworks.com, across net sec, cloud security and our security operations platform. There'll be links to sign up for the early test drive of our AI products. Nice. And of course, get information on all the new stuff that we are doing there.
Ashish Rajan: Awesome. Yeah. Thank you so much for sharing that. Thank you so much for coming on the show as well. Thank you.
Thank you for listening to or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything in cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video or tutorial on for Cloud Security Bootcamp, definitely reach out to us at info@cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about [00:11:00] everything AI and cybersecurity: how organizations can deal with cybersecurity on AI systems, AI platforms, and whatever AI has to bring next as the evolution of ChatGPT and everything else continues.
If you have any other suggestions, definitely drop them at info@cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.