Security Unfiltered

From Military Emergency Response To Cyber Security Guru - Brad LaPorte

Joe South Episode 176

Brad's journey from sci-fi enthusiast to cybersecurity expert is an unconventional path filled with unexpected twists and valuable insights. Hear firsthand how his initial pursuit of engineering took a dramatic turn following 9/11, leading him to the military and into the Signal Corps, where his foundation in cybersecurity was forged. Discover how his experiences at SecureWorks highlight his dedication to diversifying the cybersecurity workforce by recruiting and training talent from varied backgrounds, making this field accessible to all with a passion for tech and a willingness to learn.

Step into the high-stakes environment of cybersecurity as Brad shares gripping tales from mission deployments where every second counts. Feel the adrenaline of operating in high-pressure situations and the critical role certifications play in carving out a successful career in this field. Brad sheds light on the diverse backgrounds of cybersecurity professionals, illustrating how police officers and others transitioned into this field, proving that aptitude and determination often outweigh traditional education in achieving success.

In the face of rapid AI integration, organizations encounter new hurdles with shadow IT and unsanctioned applications. Explore the intricate landscape of AI security threats and the pressing need for secure implementation, as Brad outlines the challenges posed by AI's rise. With over 92% of organizations facing data breaches from unauthorized apps, the urgency for robust security measures is palpable. Concluding with ways to connect with Brad and Morphisec, this episode promises a treasure trove of insights and a peek into future conversations on emerging AI threats.

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Brad? It's great to get you on the podcast. We've been working towards this thing for a while and we've had some hiccups along the way, of course, but I'm glad you're here.

Speaker 2:

Yeah, it's an honor and a pleasure. I appreciate it. Yeah, absolutely.

Speaker 1:

So, Brad, why don't you tell my audience how you got into IT, what made you want to get into security, into the security space? Right, and I start everyone off there is it kind of fills you know two purposes, right? I have a lot of CISOs, directors, managers that listen to this, a lot of experienced professionals, right. So it kind of opens up who Brad is to them. And then it also shows my younger audience that is trying to get into IT, maybe trying to get into security. It shows them your background, right. So they can maybe match that up and say, hey, if he did it, I'm coming from a similar background, maybe I can do it too, right?

Speaker 2:

I will kind of Tarantino this and say, you know, start with the ending first and then we'll go back to the beginning. So I will say that if I can do it, anyone can do it. I did not originally start on the IT path by any means. I always loved sci-fi, I always loved technology. I was always a tinkerer, like going back to when I was a kid, you know, I had the GE clock radio that everyone had, the brown one with like the little buttons, and I would basically take it apart and put it back together again. My dad would yell at me and be like, what are you doing? And I would overclock my Apple II and everything else. I would say maybe above average. Tinker took apart my first computer when I was a teenager, just wanted to know about technology and was always just super curious about everything and how the world operated. But I did not know what I wanted to be when I grew up and when I, you know, in the 90s, and all that when I was, you know, going through doing, you know, applying to colleges and trying to figure out okay, where, where do I go? Do I go in the military? Do I not go in the military? What career do I pick? Um, what do I do? Ultimately, my dad convinced me to go into college and then I ended up, uh, starting in engineering because I wanted to do math things and do engineering, hated it, switched to business, ended up going into the military because of 9-11 and ended up getting a military scholarship, went in the Army and what and what they assigned me? I originally wanted to be a pilot, took three flight physicals and failed the third for vision, and then got assigned the Signal Corps, which is basically where cybersecurity now sits, and IT and all that, and got thrown into it. And then, as a young 22-year-old lieutenant and officer, I was in charge of basically one of the first, what was known as a quick reaction force, or basically a rapidly deployable team to go around the world and basically respond to natural disasters and dealt with the uh influenza scare.
We'll call it a scare now, but the influenza outbreak that almost turned into a pandemic back in 2007. I was there in Thailand during Cyclone Nargis, which was a Category 4 and devastated and lost hundreds of thousands of lives during that time period.

Speaker 2:

While I was learning all that, there was no real books, I was very limited in terms of certifications and training and there wasn't any real degrees out there to learn all this stuff and we were responsible for securing our networks. I mean, it was basically a mobile deployment center. So if you know how the Federal Emergency Management Agency works, or FEMA or Red Cross, they typically have their own command centers. I used to run those command centers and eventually I ended up getting reassigned or an expanded role, not really stopping what I was doing, but basically doing cybersecurity for the military intelligence. While doing this and that basically was summed up the first kind of four, really six years of my career as the Army and eventually moved on to what's now SecureWorks and built out a lot of their different capabilities.

Speaker 2:

But I had no idea and really I just go on deployment after deployment. I always had a book with me and always had. You know, Google really wasn't a thing back then. So whenever I can get my hands on you know, through other folks and when I say books I mean like manuals, really boring long Cisco manuals on like how routing works, and then you know it's pretty limited in terms of you know what the Army had to offer in terms of training. You know I could basically take a computer and put it back together again and do some basic routing when I started but and configure like Outlook. That was about it.

Speaker 2:

And then, you know, basically fast forward over the past 20 years and, uh, 20, you know, going on 20 plus, and it's been an interesting journey for sure, uh, and worked with a lot of different others in terms of kind of building all that out, um, at SecureWorks. You know, it was kind of really interesting because, because one of the things that we talked for the podcast was, like, you know, kind of work with others, helping them get into the, the space, and kind of what we did at SecureWorks was we were trying, you know, the SOC manager, uh, and I was basically working with my peers and trying to figure out like we need we need to hire people and expand and grow. SecureWorks is, you know, was one of the leading MSSPs or managed security service providers at the time and it was really difficult, like we would find people outside of college and not really have any experience. I was hiring, you know, some of my people that I hired at someone I was in Rhode Island time. I hired someone out of Florida that was working at a Publix as a bagger and they would basically train, you know, was learning cybersecurity themselves. I was like, if you're willing to relocate up here, we'll train you, we'll teach you how to be an expert. You know, they became one of the top threat researchers in the industry and arguably one of the top 1%.

Speaker 2:

And then another was, you know, a general manager at UNOS and just wanted a career change and knew the opportunity. What a lot of people don't realize is you can actually make 20% more doing a similar job in cybersecurity than if you're doing marketing in cybersecurity or applicable field. You actually can make 10%, 15%, 20%, if not 30 percent more in this field, just because it's in such high demand.

Speaker 1:

So it's it's been an interesting journey.

Speaker 2:

Certainly a lot more. We probably do a podcast just on the early days. But um, yeah, that's kind of how I got thrown into.

Speaker 1:

It wasn't by choice, right. So tell me, tell me about what that was like on that QRF team. What was the workday like? Right, are you going from nine to five or are you going until you hit a certain point and then you're studying, you're reading a book, right, to learn those different skills and whatnot. What does that look like?

Speaker 2:

Yeah, I don't think I slept. The first four years I was in the military, the short version. Luckily I did it when I was in my 20s and not my 30s and 40s, but um, it was. I was in charge of six different teams and basically over 100 soldiers in terms of different, you know, billions of dollars of equipment, and basically two teams were on standby, two were on rest period and two were basically in training or basically ramping up for the next cycle. So at any given moment, two people were ready to go and we basically were trained, like, whether it was boat, rail, vehicle or air, like we would basically figure out how to.

Speaker 2:

From a logistics perspective, we have to be anywhere in the world within 54 hours, and so you have to figure out I mean literally measure it down to, you know, bringing printers and measuring out all of the paper that you need toilet paper, because you're going out into really remote, completely disaster area. You're not going to have power, you're not going to have clean water, you're not going to have the internet is going to be what you bring with you because we're deploying with satellites, and so basically what it was was, um, uh, how the vehicles, we, we had basically our trucks and on the back would have like a shelter unit and in that you'd have, you know, pretty much a data mobile. It was a mobile data center is what it was. And then we had basically different satellite systems that would connect to different military networks and, if needed, some of the deployments as I got into more of the top secret levels we used commercial bands as well and it worked alongside three-letter agencies, depending on the mission. And you know, especially in if they're an allied nation and there's a natural disaster element, intelligence becomes incredibly key, as well as cyber security elements, and people don't realize that when there's a natural disaster that happens, so part of it is being on standby and so you're until the stuff hits the fan.

Speaker 2:

You know you're, we're, we're kind of on easy street, so to speak, in terms of you know, it's kind of a what we call being in, like basically the garrison, and we would do like our day-to-day training. We'd do maintenance. Everything had to be tip-top, like ready to go on the plane, like that day, if needed, my bags were packed, I'm ready to go, like I'd leave it in my trunk, kind of scenario where, like at any given moment, I had to be at the airport to go where I needed to be. Really, what it breaks down to is every free moment that you get. You gotta remember, like the internet isn't what it was today, like you're not sitting on YouTube. YouTube didn't exist. Google wasn't like mainstream, like people actually sat around and like read books. You know it was not a side phone inside, we were just living in the moment. I mean, some headpads really didn't come out until later in the early, the later, early 2000s, if that makes sense.

Speaker 2:

But you know the first couple of years. You know you're dealing with us. You know basically, uh, remote areas and, and you know, basically rubble. You know you don't want to bring your nice stuff most of the, the clothing and gear that I had got tore up um, yeah, it's interesting to to kind of see that and you fit it in like you're on the plane for you know some kids. You know eight, six, like eight. You know I love I was stationed in Hawaii.

Speaker 2:

You know just to get to Japan or to get to Thailand or get to Korea, South Korea or anywhere, or the Philippines, you know, it takes 18 hours and people don't realize that. Nine to twelve direct flight to Japan, and then it's another nine to twelve to get to Southeast Asia, depending on where you are. And all that, sure you can get on a, and we didn't always have the ability to get on a military aircraft because, believe it or not, despite us having a primary mission, we didn't have dedicated aircraft and things were constantly being sent over to Iraq and Afghanistan. We were ramping up and supporting the, the two wars, so we sometimes it was where we got there, and sometimes we got there before the equipment did. But at least we could be liaisons, we could be advisors and and and advise folks.

Speaker 1:

Yeah, yeah, I asked that because, uh, you know, there's a lot of people, a couple friends of mine actually right, they always say I'm so busy, I can't do it, I don't have time and this and that right, um, and I'm just sitting here, well, you don't want it bad enough, you know.

Speaker 1:

I mean, like, plain and simple, like you just don't want it bad enough.

Speaker 1:

Like, like you, you want, you want the money, right, you want the flexibility, you want the ability to do something else, right, but you don't, you don't actually want it right, because if you actually wanted it, like you would figure out how to optimize your sleep so that you're sleeping less hours and that you're, you know, spending more time studying or doing whatever you need to do to get this done right.

Speaker 1:

Like I can give you the roadmap, I can give you the plan, but at the end of the day, if you're not going to do the work, if you're going to keep on claiming you don't have time, you know it's never going to happen, right? And so, like it's always important, I think, to point out, right when I have people like yourself on right that are very much, you know, self-starters, that you, at some point in time, you saw and you were like, hey, I want to get into this right. Like I want to learn, I want to know as much as I possibly can about this area. You know, when you saw that, when you identified that, you went for it. You know, and a lot of people are missing that part.

Speaker 2:

Yeah, and I have a lot to say about that. So, like when people would say, oh, I didn't get a good night's sleep last night, I'm like every mission that we had we didn't sleep the first 72 hours and it's like you're on the plane you're going. We would sleep on the plane getting there because there's only. But even then, like sometimes we didn't because, depending on the mission, we didn't have all the like. We were reviewing the material on the plane, like like we would get the map, you would get our kit, and it'd be like here are the maps of ireland. That's what it looked like before the natural disaster. You can see the river and all that's not there anymore.

Speaker 2:

But uh, yeah, at least figure it out when you get there yeah, you figure it out when you get there, but like part of it's like you're writing the operations order and the execution plan and everything like on the plane we would have our standard like packing list and like we would do like last minute packing and and all that you know. But you know we're it, you know we it's. You have to be there in 54 hours. So that means that like every second counts leading up to that moment when you hit ground. That's when the fun begins and then from there that's when the like we kind of cut it off at 72 hours because you start to get loose, you know. Then you start to become a safety hazard, so and you get micro sleep and all that. But really it's you're pretty sleep deprived in the first couple days and once you get the internet flowing and phones going and people can operate, then you can kind of take a breather. But yeah, it really is typically something that that that ends up happening. I mean your adrenaline's pumping so hard because you know it's life and limb, so spare the gory but not everybody's alive when you get there. But it's that scenario I would say I have.

Speaker 2:

You know, a couple of people a month could reach out to me and they're like you know, you helped me break into cybersecurity. So, like a little known fact, I've actually worked with three different police officers over the past couple years to help them transition, because there's been a lot of pressure on police officers as I've been so nice to them over the past couple years, a lot of good trends of mine. They're like yeah, I gotta get out of here. It's not safe. "Defund the police" is killing me, everyone hates me. I want a purpose, you know, I want to make money for a living and you know I'll give them the answers to the test. And they're not.

Speaker 2:

You know, I'd say I love helping those types of individuals because they you know they wouldn't because they have kind of that, that military mindset or that warrior mindset in terms of like, I'll do anything it takes to accomplish my mission. Now I'd say nine times out of ten I talked to somebody in college or you know, they're a younger demographic, they're really in there. You know people that like, hey, can you help out my son? Or can you help out my friend? All he does is play video games on his couch. And it's like OK, well, I'll talk to him. And it's like, hey, this is what you got to do to succeed, and then, like they instantly get nauseous and don't do anything. Yeah, it's like you know, one of the things I like to do is show people uh, so there's a. You just go to Google and type in uh, security certification roadmap. Paul Jerimy has built this beautiful diagram in terms of kind of basically how, uh, all the certifications and there's over 400 and a huge thing yeah, 400 and something.

Speaker 2:

Certifications from beginner, intermediate to expert. These are certifications and any one of these certifications could be at a minimum, 80 hours, if not 800 hours, and studying, depending on the level of complexity, whether it's hands-on or not and where you're starting from. So it's, it's a major commitment and I show people it's like, hey, this is Mount Everest, like you can get there and most companies will pay. You know, not for all of them, but you know, anvil, I never. I maybe paid out of pocket once for one of my certifications. I was able to get the military and, uh, you know, SecureWorks, IBM, others to pay for certifications.

Speaker 2:

As I go along, you have different like grants and things like that and the ways around it.

Speaker 2:

There's tons of, tons of free information and certifications that you can get out there, a lot of non-profit stuff. Cisco has their academy, um, just stuff like cyber break, good stuff out there in terms of just tons of research. But like I show them this and they're like, no, I can't. And typically I start people and I say, hey, just look at CompTIA and start with A+, go to Net+, go to Security+, you'll have enough that you could start working at like an internet service provider place and you can, you know, basically get work at a help desk effectively and learn the ropes and then get some experience and then, once you have one or two years under your belt, then you go somewhere else and at SecureWorks we would take people with zero experience and train them. We actually almost prefer it sometimes, because we get people out of school sometimes and they have a master's degree in computer science and they don't know the difference between TCP and UDP, like you got to be kidding me how do you, how do you, how did you, how, how, how is that?

Speaker 2:

You just literally wasted your entire, your entire, you know, really postgraduate education, education, yeah there's a thousand dollars at a top tier school and you didn't learn a damn thing, so it really comes down to aptitude and you know, like I said, I hired, you know, people that worked at a supermarket, that worked at a restaurant, that did different walks of life, and just police officers.

Speaker 2:

You know, some of those elements are translatable and transferable, so you're not necessarily starting from scratch. You know it really comes down to the fortitude and really rolling up your sleeves and putting the work in and it's that perspiration that you have in terms of sweating it out and and doing it and and I, whenever, when I was starting, I really like fully immersed myself, like I was learning a language, literally learning binary, uh, and and hexadecimal conversions and all of that and and learning how to do the packet analysis component, but really treating it like I'm fully immersed in learning Spanish or French or any language, and that's really the best way to learn anything. And I would follow newsletters and podcasts. I mean, podcasts weren't super readily available 20 years ago. They really took off over the past five, 10 years. But whatever you know, whatever was available, SANS had their, you know, their NewsBites feed. You know tons of after 2010, things started to really come out in terms of like open source and having a lot more information readily available that you could get your hands on stuff.

Speaker 1:

Hmm, yeah, it's. It's always interesting, you know, when someone comes to me and, you know, says that they want to get into security, how do they do it and whatnot, I actually take the approach of trying to convince them to not get into it.

Speaker 1:

Right, because if you're so easily swayed by what I'm going to tell you, you probably shouldn't, you know, waste your time getting into it. You know, like I was, I was telling I was telling a buddy of mine and he, you know, owns his own franchise of some business and whatnot and he really enjoys it. Right, and I was telling him how a group of developers I'm talking about, you know, 150 developers at my day job were trying to convince me to put in an exception that would essentially bypass our entire WAF. Right, they knew what they were doing, but they were wording it in such a weird way that I was asking a lot of questions, right, and so, because I didn't understand what they were asking, I didn't understand the reason. I didn't understand, like, any of what they were trying to say, because they were literally trying to just bully me into accepting it.

Speaker 1:

Right, and it was. It was literally 30 minutes of me asking questions, right, and then it finally got down to the, down to the answer where they couldn't escape it, and they were like, oh yeah, we just want to get around this whole thing and I'm sitting here like these are adults. Yeah, these are. These are grown, grown adults. We're paying them good amount of money, right, and they're trying to get around our security tools that are protecting them from themselves to some degree even, which is which is frustrating right in and of itself, and having to respond in a very I I'll say stern way, right, like respond in a very stern way saying no, we're not doing it, you need to suck it up. I don't care how much time this is going to cost you or anything else like that. Like you need to figure out how to handle it. And if you have a problem with it, I'll just bring it up to your director, right, because that's who I got the approvals from. That's who told me you had the time. It was your director, it was your VP, it wasn't anyone else, it wasn't your manager.

Speaker 1:

My buddy, though, who's not even interested in getting into security, he heard that story and he's like, yeah, I would never. I would never want to be in that industry. I don't blame him. It takes a certain kind of person to really look at that and be like, yeah, but it's worth it, you know, and that's who I want in the industry, you know, because there's a lot of people that get burnt out. You know, you got to be able to be mindful of your mental health and whatnot, right, and maintain that properly. But it's a great field that really anyone can get into if they want to get into it.

Speaker 1:

It doesn't matter where you're at right now, like you mentioned, right, with those police officers who's busier than police officers, right?

Speaker 1:

I mean, like I tried to go into law enforcement out of college and I'm very glad that that did not work out. You know, I think I had, you know, no more than like two brain cells at the time, right, and the riots started kicking off and I think it was like St Louis or something, right, and I saw that and I'm like I just feel like I don't want to die doing a nine to five. You know, like I just I feel like I need to find something else I'm passionate about, right, like it just didn't add up to me. So I'm like, okay, let's go some other route, right, and then it just escalated from there. You know, it just got worse for them from there. But like, who has a more rigorous schedule outside of the military? You know, these guys are driving around, they're patrolling all day long. They're putting their lives on the line all day long and then you want them to come home, have family time, decompress and study.

Speaker 2:

I mean, that's a large ask, right? Yeah, it's tough, it really is, and I mean the biggest I mean that's why I left the military ultimately was it's. You know, it wasn't very safe and I knew that my body wasn't going to be able to keep up with it and, uh, still dealing with a lot of that and it's, yeah, it's tough, and and part of the problem with transitioning was the decompression. So, for all the uh, soon-to-be veterans or are currently veterans of, you know, either first responders or military, regardless of where you are in the world, you just have to be conscious of that decompression. Sickness is what I I call it when you go from being 100 miles an hour to not so much. That was our problem.

Speaker 2:

Being at that operational tempo for so long I forgot what normal was. I mean it's like drinking two pots of coffee every day down to nothing overnight. It's just like you go 100 miles an hour and just like, slam on the brakes and like and I started off as like a shift supervisor, I went from basically being in charge of all this stuff millions of dollars of equipment flying around the world in charge of 116 people seeing pretty much everything under the sun. It's like, you know, a junior level officer in the Army to a first shift supervisor. It's a security operations center at SecureWorks in charge of like six people. They're like oh, this is different.

Speaker 1:

Yeah.

Speaker 2:

And then it's like you start looking around, it's like, what can I fix around here? And then, before you know it, I ended up getting in charge of like 30 people and then moving up and then eventually moved to product management and then eventually ended up going more and more up the ladder. So eventually it ended up leapfrogging. But it was definitely a hard transition, for sure, mentally more than anything else, and it was I was I don't really knock 100 miles an hour for anybody to see that movie like American Sniper. When, when Kyle is is sitting there and he's in the doctor's office and kind of is, he's just sitting there and, like his, his blood pressure's through the roof and it's like, you know, that's, that's how you get hypertension, you get high blood pressure and uh, you just you used to that, uh, that temp that's just going a million miles an hour, but yeah, it really comes down to uh, dedication, dedication to your craft, um, and that's when it as a hiring manager, that's those are the things that look for.

Speaker 2:

And anybody that's ever worked with me before in my interviews I always used to ask a variation of this question, which was in one minute or less, tell me 10 things that you can do with a number two pencil. And typically I wouldn't hire anybody that didn't try to get all 10. And it's about the whole point of the. I don't really care what you're going to use the pencil for. It really breaks down to are you going to give up or not? And I've had people give up at five. I'm like you can't think of, you're just going to give up. You have 30 seconds left, and so if you can't get through an interview question for literally 60 seconds, then I think I started off doing 2 minutes to really like just different pros and cons to doing 1 minute versus 2 minutes. I'll sit there and I'll just be quiet the whole time and just like list off what they have. It's just interesting the answers that people give. It's just like an interesting question to ask. It really shows you kind of the how people go about a problem and how they they do it and you know the people that ended up getting 10 out of 10. Like you know, I've seen people write it off 10 out of 10 in 30 seconds. And those are the type of people you want to hire, because you know when the stuff hits the fan that they're going to be the ones that really push forward. Because really it comes down to problem solving.

Speaker 2:

If you have a custom routing issue in your Cisco firewall or whatever that you have custom rules that you've built. You're not going to find that on Google. You're going to find that in the Cisco manual. You built it. It's your bed. Why are you in it? So you're going to have to figure it out. You put custom code on your machine. Only you know that code.

Speaker 2:

It's like if you bypass the WAF and you built some custom tool or whatever to do X, Y, Z, given the example that you have, that's on you, that's shadow IT, that's a. That's an unsanctioned app. Like don't, don't be calling the help desk, because you jailbroke your laptop, your device, so you could play some video game or watch sports on your work laptop or do something naughty, uh, that's on you and that's like a systemic problem right now across the board, um, that like over I would say arguably over 40, if not 50 percent of organizations have this problem right now and it's it's probably even extensively higher because of, uh, all the adoption of artificial intelligence. So, like you'll, you'll look up and just like it's so much like what are the number one applications? And like it'll be like Microsoft and it'll be, you know, Adobe, it'll be whatever, and it's like, no, it's actually AI.

Speaker 2:

It's just no one's talking about it. They're, they're using it to to, basically as a competitive edge against their own um team, to to make you know they'll be assigned a project and they'll do it five times faster because they used, uh, an AI tool to do it, and but they're not going to admit that they use an AI tool for and that's that's kind of what's happening is, people are using these unsanctioned apps, these web apps all I have to do is open a Chrome browser and do that and now we're getting to really scary stuff where you have, um, you know, AI avatars that are like really hard to discern, like as it starts to feel it.

Speaker 1:

yeah, I actually I know someone that very recently had someone you know interview and and apply for their company at open role, right, and they passed the interview, they got hired and someone else basically showed up and had you know something. They had something going on with their screen where it looked like the person that had interviewed, but the answers that they were giving were just like completely off the wall. You know it was. It was wild, Like they thought that they they must have had you know some AI, you know, like listening in on the conversation and telling them what to say and stuff like that. It was pretty crazy. I've heard of that but I've never talked to someone that has actually gone through that and experienced it firsthand.

Speaker 2:

AI is turning into a crazy world where everything now has a significantly higher attack surface yeah, and it's gone through the roof, and part of what's driving this forward is, um, obviously the economy. So the last two years have not been very forgiving. You're really the post, we're definitely the post-co economics. So we had basically the massive boom that occurred in 21, 22. And then mid-22, we started to kind of hit a critical point. We saw sales cycles take longer, purchasing decisions were greatly reduced, budgets were reduced. A lot of layoffs, a lot of trimming of the fat, a lot of shift towards rapid hyper growth, towards better margins and better profitability, a lot of hoarding of cash.

Speaker 2:

The introduction of OpenAI, you know, the Q1 of 23, they really started to take off and then like really is the only way to get like funding right now is you have to have an AI story, and it's been that way for over two years now. So hat tip to the investment community for being that forward-thinking that. You know, going back to 22, you had to have an AI story in order to influence them. So over 80, if not 90 percent, of all tech companies and cybersecurity companies have to have it's part of the roadmap to have AI embedded into their solution. So it's like a board mandate and and then concurrently, from an adopter perspective, over 80% of organizations are evaluating it in some way, shape or form and it's a bell curve in terms of that maturity level and what's driving a large portion of it is sales and marketing, as well as operations. It's a lot of low-hanging administrative tasks, but some companies have gone all in and everything has to be AI-driven or AI-assisted, depending on what they do for a living. And part of the problem and Gartner's kind of devoted a whole subdivision of studies. So folks that don't know who Gartner is, it's a research analyst firm. They do market insights and they're the leading provider, so they have this space where they track basically AI and the trust behind it and the overall adoption and basically the challenges that we're running into is over 80% of organizations are evaluating this and unfortunately, like one third of all implementations are resulting in a data breach because of the expanded attack surface.

Speaker 2:

So we're rushing towards this goldmine. It's kind of like the early days of the internet there was no protection and we're implementing things like this and now we have scenarios where, like Anthropic, which is the OpenAI competitor, their new bot that they have, Claude, controls your entire computer. Does that sound safe to you? I don't know. I don't even understand why that's even remotely a good idea. I understand the use cases of it, but just because you should doesn't mean. Just because you could doesn't mean that you should. And it was a similar issue with Microsoft and their AI Copilot. When they launched it out, they were taking screenshots of your desktop.

Speaker 2:

Uh, talk about an invasion of privacy and a violation of GDPR and all the other privacy rules and protections. Part of the problem is because of this rush, that this giant gold rush and and drive towards AI and and efficiency profitability, you know, without any kind of forethought, is not to give the ramifications of this. So it's resulting in data breaches. It's resulting in, you know, stolen intellectual property, data exfiltration. It's resulted in a lot of these impacts.

Speaker 2:

You know over one-third of these implementations have resulted in that kind of issue. And then that's compounded by the, the challenge of like it's being forced upon you in terms of so, like I'm an Adobe user and like, all of a sudden, like the AI assistant pops up, it's like I didn't enable you, I do legal stuff. I don't want that. No, separate. No, I don't want to have the default opt-in, I don't want to have the default opt-out. And then there was another issue with LinkedIn, where they were using all of the data for their AI mechanism and tool and their learning capabilities.

Speaker 1:

I don't want that.

Speaker 2:

And then even NVIDIA was caught scraping YouTube data and YouTube video for their AI. It's like I don't want my own videos on YouTube getting scraped and embedded in your NVIDIA AI system, sorry. So there's no rules and regulations anymore. And Gartner came out and said that basically over 92 percent of, uh, of organizations have some form of unsanctioned apps that are running in their environment. That's, that's very scary statistic and it's not slowing down and it's leading over into the, you know, basically being used for social engineering.

Speaker 2:

It's being used for phishing and, um, you know it's it goes right down to the layers of business email compromise, but right down to uh, I mean, I don't know if you've ever used a technology device in the past couple months, but, um, automation is everywhere. Like every day, I get like spam calls, I get spam, I get spam email. LinkedIn is now flooded with this crap. It's like overwhelming amounts and it's like really clever, every phishing email is now a spear phishing email. It's like, is this real or not? And it's like, and it's really difficult, and part of what I do on the side is, you know, part-time work is expert witness. So if you ever watched the movie My Cousin Vinny, so it's like you get on stand and basically you evaluate and provide an expert opinion. To show you how far I've come. You know, now I'm actually I've had several cases with Fortune 500 companies and part of the cases that are coming up now is um fraud using AI and basically I've listened to recordings and listened to case files and things like that where um AI was used to really what they do.

Speaker 2:

It's interesting. So these tools have the ability to um, unfortunately, listen to, like this podcast or a YouTube video or any kind of snippet of your voice and then create an avatar for it. And then what they'll do is they'll call in a bank, bank of whatever, and basically they'll get your information from the dark web or whatever, piecemeal it together so they have your banking information or whatever enough information for them to call in and socially engineer the, uh, end user and mimic your voice and then, like I've actually listened to the recordings and the, the defendant or plaintiff in this case, if they're suing the bank or whatever, it'll actually say on there like, like that, that's not my voice. And then you know part of the problem is the detection of that is not at the level it's actually hit. The technology creating it is so like 10, if not 100 times more advanced than the detection mechanisms. So what do you do to prevent against these things? Because the technology is evolving so fast, but the prevention mechanisms aren't there.

Speaker 1:

Yeah, you said it pretty well, right, it seems like everyone is racing towards this thing, but we don't know the implications. We don't know. I mean, we kind of know the implications, right, but I feel like AI is still in its infancy, right, and we're running into all these issues, all these security problems, and I haven't heard a really good answer for them, right, like, the core question is how do I take an AI model or an LLM, put it into my company's environment and use it to assist my employees to do better work for the environment? But how do I do that in a secure way? How do I ensure that, if they put you know private data into it by accident or intentionally, that it's protected, right, how do I ensure that no one else can query that data?

Speaker 1:

All these different things, right, we don't have any answers for them right now, and all of the things that you and I just mentioned are all like huge breaches. Yeah, of these different regulations that you know, companies pay, companies pay, I mean banks pay billions of dollars to get around, like those regulations to make, not even to get around, but to make sure that they are, you know, abiding by those regulations, you know, to the fullest extent. So now we're going into a situation where it's like, yeah, that $2 billion that you just spent on security for your organization, yeah, it's probably going to have to, you know, five X, I mean that's that's insane.

Speaker 2:

Yeah, it's absolutely insane. I mean, we're trying to at Morphisec this is why I love the company is we're trying to at least mitigate a sliver of this larger problem. A large portion of it ends up landing on the endpoint. So that's where we sit. It's an agent-based solution, but we basically help with kind of getting visibility down at the endpoint level. And how we kind of go about it is we identify different vulnerabilities in terms of that and different to control. We monitor and validate that security controls are working properly. We identify high-risk software.

Speaker 2:

So if you don't want this to run in your environment, you have the ability to detect those mechanisms and then provide mechanisms on who is that? So if you're bypassing a WAF or you're bypassing a mechanism, the endpoint's going to pick it up and then any kind of misconfigurations that are there. So those are the four major tenets and it's all on a continuous basis. It has to be continuous, can't be just like a routine scan, and so we call that basically adaptive exposure management, being able to basically have visibility with that. So that's kind of like the outer ring of like what we call basically a blast radius resiliency and currently, like adaptive cyber resiliency, is another way to think about it. And if you think of a blast radius, whether it's an earthquake, so we're talking about natural disasters. Basically, the more and more you can reduce that blast radius that's contained to a smaller circle and you can really mitigate the impact that you have. So it's just that endpoint, or that application or that subsector that you're basically monitoring and implementing and really you want to be able to prevent that infiltration from happening.

Speaker 2:

So we have something called infiltration protection as well. So we're looking at the different memory components, we're looking at the privilege escalation, we're looking at credential theft protection, hacking tool mechanisms. So if you're using a certain AI tool that's been flagged as malicious or known to create these different avatar mechanisms, then being able to mitigate the different ways that these attacks can get in, like prompt injection or executable code execution or executable code for manipulation of memory so we might not be able to stop the first kind of components. But from the actual infiltration or impact perspective so actually hitting that point and where it's actually going after your crown jewels, it's going after the intended target then we have the certain layers, and so the last layer that we have is impact protection and mitigating against that as well.

Speaker 2:

So it's kind of like a three-layer in-depth approach to preventing these types of attacks, as well as things like ransomware or preventing ransomware in advanced-level attacks, regardless of what you have operating on your environment. So it's kind of like a standalone element in addition to other endpoint security or application security type elements that you have, and really what it breaks down to is you have basically an AI war happening right now. So all of the offensive tools and defensive tools are all AI driven. Now, well, that's a threat model versus a threat model. So what happens when that cat and mouse game comes to a head and you have to have that layer, that safety net, that additional layer that protects against that, and that's kind of like where we come in and the core value problem that we have within the vein of at least AI security.

Speaker 1:

It's a different approach. It's interesting, yeah, you know, when you put it like that right, like we have defensive and offensive tools with AIs that are going up against each other. It's like a recipe for disaster. Almost right it is.

Speaker 2:

Well, yeah, and if you look at like I don't want to pick on any leading vendors or anything like that, but something pointed to the podcast, but they're all touting the same narrative that you know we have the special the super-duper AI that's coming in and we have all these algorithms and all that and we're able to detect the things that no one else can and all these other things, and it's like, okay, what if?

Speaker 2:

What if I? What if, as a threat actor, I poison that algorithm and I'm able to get in there and basically manipulate that and change your signatures. That's how. That's why AV traditional antiviruses is a dead and obsolete solution is because threat actors figured out how to change the signature types. And one of my favorite stories is early on, I was doing some forensic analysis and I noticed that a threat actor changed kind of the mechanism of just to simplify it, this is spam stop. And it changed it as like this isn't spam, this is ham.

Speaker 2:

It's something that's simple. And then you modify the signature, because not everybody listening here is super technical. But you think of the way the rule set is written. It's that simple. If you change the algorithms and the main elements of that, you're able to tamper it. You're able to bypass it. Every security tool now can be bypassed.

Speaker 2:

So what happens? Where's that safety net? And it has to be something that's not ai driven, that has that layer of the actual layer of protection that protects against it, especially if you're going all in on one vendor, because then you lose that heterogeneous diversification of having multiple vendors. You, you know, because you know, unfortunately, with some of the bigger players, you have one AI, like yeah, there's subsets of that, but I mean, it's really one mothership that's running the whole scene by design. So you know, if you poison that lake, then well, unfortunately all the water's poisoned and we're just waiting for that Armageddon day to happen.

Speaker 2:

I think the recent CrowdStrike event that happened in July is a good testament of how just that was. Like maybe 1% of what could have happened. Take a vendor that's equally as big, make the blast radius that much bigger. You know what if they'd gone after? Uh, what if that wasn't? What if that was a malicious attack? What if they went after, like the core mothership? How bad that would have been. And then what happens if it was a SolarWinds type event where that went undetected for months, if not years. Right, what the ramifications are.

Speaker 1:

Yeah, we're going into uncharted territory, right, but it'll be interesting, right. It creates a lot of opportunity for people to separate themselves and stand out from the rest of us that know a little bit more AI, that have that specialty, that have that knowledge that companies will be able to capitalize on because they desperately need that skillset. So it's a it's an interesting, it's an interesting time for sure in IT overall. Well, you know, Brad, we're, we're, unfortunately we're at the end of our time here. I'll I'll have to have you back on. It was a fascinating conversation. I love how you know we went through everything. I thought it was really interesting. But before I let you go, how about you tell my audience you know where they can find you if they wanted to reach out and connect, and where they can find Morphisec?

Speaker 2:

Yeah, for me the best place is LinkedIn, so drop me a connection, happy to connect and talk there. And then for Morphisec, just reach out on our website so you have a contact us on there and happy to have a chat, teach you more about our solution and learn more about us. You can follow us on social media or on LinkedIn. On Twitter, all the major sites and Twitter. And now it's X. Sorry, an X. And then it's gonna be really hard for me to learn that.

Speaker 2:

But X and um for LinkedIn. Awesome. So thanks for having me. Yeah, I hope it's good to catch up.

Speaker 1:

Yeah, yeah, absolutely, um, it'll. It'll be interesting, I wonder, uh, we could probably do like a part two about, like emerging AIs and how to protect against them and whatnot.

Speaker 2:

Yeah, absolutely, I'd love to do a deep dive. So pick a topic and I could talk about this stuff all day long. I've gone a long way in in 20 something years now.

Speaker 1:

Yeah, yeah, definitely, well, thanks everyone. I hope you enjoyed this episode.
