
Security Unfiltered
AI Security Secrets Unveiled: NSA Tech, Zero Trust & 2025 Cyber Trends With Jason Rogers from Invary
Struggling to secure AI in 2025? Join Joe and Invary CEO Jason Rogers as they unpack NSA-licensed tech, zero trust frameworks, and the future of cybersecurity. From satellite security to battling advanced threats, discover how Invary’s cutting-edge solutions are reshaping the industry. Plus, hear Jason’s startup journey and Joe’s wild ride balancing a newborn with a PhD. Subscribe now for the latest cyber trends—don’t miss this!
Chapters
00:00 Navigating Parenthood and Professional Life
02:53 The Startup Mentality: Decision-Making and Adaptability
06:13 Blending Technical Skills with Sales
08:58 Background and Journey into Cybersecurity
12:10 Establishing a Security Culture in Organizations
14:51 Collaborating with Government Entities
17:47 Understanding NSA Licensed Technology
23:06 Understanding Application and Server Security
25:01 Exploring Zero Trust Frameworks
28:57 Bridging Government and Private Sector Security
31:27 The Role of Security Professionals
33:55 Innovations in Cybersecurity Technology
38:05 Invariance in Security Systems
Speaker 1:How's it going, Jason? It's great to get you on the podcast. You know we've been planning this thing for a little bit, you know off and on, and now it's kind of like on my end it's kind of a mad dash to get stuff done before my next kid arrives. It's like very hectic on my side.
Speaker 2:Well, thanks for having me, Joe. It's great to be here, we're excited for it, and congratulations, by the way. It's an exciting time.
Speaker 1:Yeah, it's an exciting time to get back into the suck, as I call it. It's just like a blur of those first couple months, you know.
Speaker 2:Yeah, absolutely, and then you forget about it later so you can do it again, right? Yeah, not too bad. That first five-hour night sleep after about six weeks old is perfect.
Speaker 1:Oh man, yeah, like, it's interesting. You know I never thought that like I would be able to, I guess, adapt, you know, to the lack of sleep. But you know I wear like a fitness tracker. I wear two fitness trackers, one's a Whoop and one's an Apple Watch. Right, so in my Whoop it tells you you know your recovery percentage, right, like how recovered are you, how, how good you should be feeling throughout the day so you can put in, you know, more work, or you know better workouts, whatnot. And you know, in the very beginning I mean it'd be like zero percent, you know, because you're on three, four hours of sleep, right, you know, um, it's just so brutal. But after a couple weeks my body was like well rested, after four hours of sleep and I'm like man, this is, this is wild.
Speaker 1:And I'm up at 4 am, like, wide awake with this kid, right? It's, uh, it's the craziest thing, but then, like by noon, I'm like crashing. You know I need an hour nap or something.
Speaker 2:Sure, for sure. It's a lot like running a startup, actually, at the same time, about the same amount of sleep.
Speaker 1:So yeah, yeah, I I feel like I don't know. I, you know, so I do consulting on the side, Right, and I really try to limit how I market it so I don't get that much work coming in Right, but I could imagine, you know, like focusing more on it and it's, it's literally like having a newborn, you know where. You're just constantly doing stuff, you're constantly, you know, changing and whatnot, right, Like it's. It's hectic. From what? From what I understand, you know.
Speaker 2:Yeah, for sure. And for me to just constantly thinking about how to move the ball forward, what needs to happen next, concern about the problems that are out there and how you can solve them faster. So your brain's constantly going, but that's also the exciting part of it, right? So you're solving new problems and helping people out, so huge motivating factor to spend that time.
Speaker 1:Yeah, it's fascinating because it takes a certain kind of mentality to run a startup. I feel like run a startup and be somewhat successful, bring in any, of course, to have that vision and know what needs to get done, get it done and all that sort of stuff. You're kind of like raising a child, as you're raising this business, so to speak, one that can step into any problem, make a quick decision and move on to the next problem, right, and maybe the decision you make is wrong and that's fine. You're the one that takes ownership of it. You're the one that you know lives with it and whatnot. Maybe you readjust, recalibrate, make another decision to make the right choice and whatnot.
Speaker 1:But I think that that's where a lot of people get hung up on. Right, and I see that even you know in nine to fives, right, where people are mulling over. You know different scenarios and whatnot. You know for myself like I go into it and it's like you know five minute decision. This is what we're doing, this is what I think we should do, this is why I think we should do it, you know, and if someone else disagrees with me, to tire up the tool, I'm not tied to it or anything, but still having that mentality really pushes things along, even if it's an incorrect answer or decision. At least you learned like hey, oh, that didn't work over there right, for sure, I'm gonna be open about that.
Speaker 2:Yeah, you have to definitely be impatient, I think, and also, like you said, versatile and want to do all the things. I enjoy that, like, in my role, you know, being able to jump from a deep technical conversation to a sales call, to all those things, and then, yeah, all that background of impatience that comes to it and making you know smart, quick decisions, and then, like you said, being able to react you know what did we learn? And then having a great team around you that can also move fast and react. That sort of always is what's driven me to a startup-like environment at the end of the day, because you like to move quick, you like to see that progress and the output of your work. You know constant reinforcement that you're doing great things.
Speaker 1:How do you manage being highly technical and doing sales as well? Because that is, it's like two different sides of the brain, almost right, like that's how different the two things are. But then a good salesperson or a good tech person that does sales is able to meld between the two. And it took me a long time to kind of figure it out, and I think the best way that I was able to kind of get that thought into my head of how it should be is how I expect from an end user to interact with a vendor, right, what am I looking for from them?
Speaker 1:I'm looking for straight up answers. I'm not looking for, you know, oh yeah, we can do everything under the sun. I'm looking for, you know, the stuff that they can deliver and whatnot. And so I kind of factor that in from like a sales side where you know there's also like a business philosophy where it's like you say yes now, and then you figure out how to do it later, yeah, but like you have to be able to make that quick five second decision of is this even something that I can deliver, you know, and then start working towards it, even if you can't deliver it today.
Speaker 2:Although you know that's kind of why having that spectrum of ability is helpful, right.
Speaker 2:So you're making educated decisions in that there's a lot of context switching, so and that's you know, I tell people I meet that's a muscle you can build if you don't think you have it and it's just like lifting with weights, you know, and you can work on moving context and then it's hard at first and tiring and you get better at it and better at it. And also I think I'm maybe benefiting from where you know we're in the cybersecurity industry and so that sales is a lot of technical sales. And back to exactly what you said you know we look to provide value to customers in any conversation that we're having, right. So you know what is your problem, what are you dealing with? How are we helping? Is there something else going on? So you're bringing that technical expertise to that sales call the other day. You kind of treat them all like you know partners with you and you know collaboration of the good guys versus the bad guys, and then it kind of gets easier at the end of the day.
Speaker 1:Yeah, that makes sense. Well, Jason, you know we kind of went off the deep end right into this business stuff, but we didn't hear anything about your background. So you know why don't we backpedal a little bit? And, you know, start with your background right, like what made you want to get into IT? Did you have experience with it? You know previously, or you know what does that journey look like?
Speaker 2:Yeah for sure. So, growing up, loved computers, started programming at an early age, I think on an Apple II, so don't age me there. And then you know, I just wanted to program, work on computers, went to college, graduated in the 90s, right before the dot-com boom and the Y2K stuff, and then had a technical career for a while, but always interested in product and then got interested in business and, thankfully, through a series of promotions and career changes, able to kind of see the entirety of a business.
Speaker 2:And then you know, before Invary you know I worked for Matterport from their like series D to their IPO. So spatial data company got a chance to do a lot of product engineering, temporary CISO and yeah, it's just that broad experience that kind of led me to the CEO role here at Invary. So I'm a technical guy, programmer.
Speaker 1:And probably discipline along the way you kind of learned it maybe as you went, right?
Speaker 2:Yeah.
Speaker 1:Is that fair to say?
Speaker 2:Yeah, and the products that we built. So you know, a long time ago I was at Motorola in their home division, working on around six product lines IoT and networking and there's always a security component in that and what you're doing. So it's kind of built into you, right, in your genes and your DNA, so to speak. And then you know, went on and did more consumer-facing IoT work, and then you know two aspects of security there. There's home security, so we're securing people's you know physical property and their life.
Speaker 2:But then the software itself obviously needs to be highly secure. There's a lot of private information there, so we put a lot of attention and focus and learning into that. And then at Matterport, if you don't know, it's a spatial data company, so they digitize physical places in the 3D data, a lot of IT and, as a responsible person for their platform, I have big customers saying I have very important information in your system. Tell me why that's secure, right? So, again, I think it's probably good for any organization to have the security practices built into all of the operations, especially in engineering. And, yes, there are specific security rules and cyber rules and CISOs and things. But if you create a culture around security, it helps and I certainly think we did that and that's how I learned and ended up ultimately being responsible and eventually running a cyber company.
Speaker 1:Yeah, I feel like a lot of companies make the mistake of not really establishing a security culture around their security program and they just start kind of dictating, you know, different security principles and things that they want, you know, done and secured a certain way. Right, like it's good in theory, you know, because you're thinking from like a technical perspective and whatnot, but you know, when it comes down to it, like that's a difficult way to go about it, you know there's easier ways. I feel.
Speaker 2:Yeah, for sure. And at the end of the day, you know your customers deserve it and will demand it, and so you know you have to make sure it's embedded inside your processes, your culture, like I said, to make sure that you're serving them correctly. And I think if you have that attitude about it, you know you can do well. And you know, sometimes a mandated checklist, you know those are just hey, the box is checked. A little different than actually, you know, for me, if I'm standing in front of a customer and they're saying you know how do you do X, Y or Z, I want to be able to explain that to them, have them have that confidence in the organization and what I'm saying is super important, much different than like a checkbox on a compliance looser.
Speaker 1:Okay, it's interesting. Yeah, you know, I feel like I feel like the industry as a whole is kind of, you know, in limbo right now, almost right. Everyone kind of wants to push forward to this new technology of like AI, right, but security hasn't really caught up with. How do we do good security around AI, right? Is that? Is that something that you're also seeing in the industry?
Speaker 2:Yeah, we talked to partners about it. I mean, at Invary, what we do is we ensure that the core of the system is free from advanced persistent threats, so that your operating system, your kernel, down to your hardware. And you know, in the AI space a lot of people are, like you know, trying to figure out what do I do to secure this? And you know the data, the inference data, the metadata, your training data it's one of the most valuable assets a company has and you know, maybe haven't put a lot of thought into what am I doing to deter that. And so we work with DoD, intel customers and then commercial customers, so some of the most sensitive AI frameworks, and we learn from them and how they use our technology to ensure that.
Speaker 2:But I do get a lot of questions. I think you're right. Beyond AI, I think the problem that we're facing is our attack surface is just expanding exponentially, and I'm sure you're familiar and I talk about it a lot the threat cycle where the attack surface expands and then the attackers find a way to exploit it and then we as defenders figure out they did that, try to stop them, but then we're repeating the cycle already because something else has changed and so getting in front of that a lot of what we talk about at Invary and what we need to do. I think very relatable to your comment there. I want AI. The features and power of it are amazing, right, but if I don't secure it, you know, a customer's put inference data in there that has their personal information and gets stolen. Somebody steals my weights or messes up my weights and now it's giving out bad, improper information. All kinds of things can go wrong.
Speaker 1:So there's a lot to do for sure, yeah, talk to me about your not your experience with the government, but like working with them, right as like an outside party. I have a little bit of experience with that and it was always very interesting seeing like who who tries to, you know, push you around a little bit, and it's like like the levers that are being pulled and the locations that you go to. I thought the locations part was probably the most fun part for me, right, like like okay, flying to this airport, drive these directions, you know, don't even give you an address, and yeah, you show up and you're like am I at the right place?
Speaker 2:Sure, I mean, so at Invary, you know, our software is based on a license that we have of technology from the NSA and then we have a collaborative research agreement with their Laboratory for Advanced Cybersecurity Research. On top of that we also of course, do business with entities in the government, sometimes through a prime. So like I probably shouldn't say but the large primes that are out there into those programs. So a lot of experience across that board, I would say. And, to be honest with you, in my background we've done work in government before and supporting things at those different companies I mentioned. But here it's a lot more intimate and with the NSA relationship and our collaboration agreement it's really, I feel, like the good guys collaborating, meaning that coming into it I wasn't sure what to expect, but they're really just security engineers there to kind of make sure we're doing the right things with the technology and that we're helping each other.
Speaker 2:I find that very rewarding. I think that the goal is to protect all of us, right, and that's sort of what's driving the research, the conversation, the work that we do, and everything else is kind of secondary to it. So I found that interesting. And then you know, on working with the customer. They are very thorough. You know there's weird timelines and systems and things that you have to do, and we can get into all of that.
Speaker 2:I kind of think about it, though, as kind of walking through mud, where you're always making progress.
Speaker 2:It's slow, but they also, you know, some of the brightest individuals are in those programs, really looking at the scope of things, and I think a lot of the requirements, the compliances that we in the commercial world have to adhere to, are coming out of this work that's happening in a lot of these places, where we're thinking about it to the next level, figuring out how to make it scale, economical, efficient, and then bringing those things back to mind or back to the expecto.
Speaker 2:And it's a community. The commercial world does it too. But that's kind of what I see when I work with these entities is, you know, obviously it's a serious thing, but it's also a partnership where we're working together, sharing ideas. Sometimes it's even a disagreement. So a lot of times we talk about the walls that we put in place to secure our infrastructure versus the verification that those walls are doing what they're doing. Relationship there: nobody can get to my kernel, versus a zero trust world where maybe somebody could, so we better verify that a persistent threat actor isn't there. Great conversations to have, and that's kind of been my experience, you know, working in those communities.
Speaker 1:So what is NSA-licensed tech? I think that's the term that you use there. Well, what is that? I've never heard of that before.
Speaker 2:Yeah, and I don't know if your listeners have heard of any kind of tech transfer. So normally you think about it in terms of university. So the university, a professor, will do some research and come up with some patents and that's their IP, and you're like, hey, I think I can make a product out of that. And then you license essentially those patents from them and you pay royalty back. Turns out the NSA has a tech transfer office as well. So you can go Google search NSA tech transfer and there's a series of patents and things that they have out there that they're willing to license to individuals.
Speaker 2:So part of our founding team is a professor of EECS at the University of Kansas who does work in trusted computing, sometimes with DARPA, sometimes with NSA, and then our CTO PhD in this space. So we were familiar when this technology came up and said, hey, we're willing to license this out. And there again you create a relationship that says, hey, I have a business plan, I think I can use this technology for the greater good, and then you just negotiate a license. They get small royalty back on money that we make, as an example, and from there sometimes they don't always have a collaborative research agreement we happen to do that as well in the space that we're in, trusted mechanisms, but yeah, it's just like going to university, but you go to a government entity as well and, to be honest, again, before this I would have been like I don't know about that.
Speaker 2:I would do it again in a heartbeat. Very, very smart, bright people, very great technology and in our case, when I looked at it, I'm like we find threats that are underneath a lot of things. Right, our demonstration is usually somebody running a bunch of security vendors, and I can still get past that and to me I was like this needs to get out there. Right, this is a technology that needs commercial scale and you know that's part of their mission too. So it was a great I hate to use the word synergy, but a great synergy, I think in what they were able to offer and what we were able to do.
Speaker 1:Yeah, that's really interesting because you're talking about one of the top one or two intelligence agencies in the world and they kind of have that collaborative experience with the public sector which is, or private sector, which is. It's fascinating, right, because typically when you hear about something like that, you're hearing about it from, you know, one of the Israel's, you know, 8200 group people, right, that left the service allegedly and now they formed this company and they're doing, like amazing things. You know, like that's that's like the only time that's the closest thing that you really hear of that.
Speaker 1:You know, in this space, in this world, I'm going to have to look into you know, their, their patents and their offerings, because I'm actually getting my PhD right now in in satellite security and a part of it is actually utilizing zero trust in a secured architecture format to secure communications within the satellites for preparing it for, like, quantum encryption you know, a post-quantum world, right. So getting that, getting that would be very helpful, because I'm sure that they've already looked at something like that, right, and they kind of just need someone to run with it to some extent, and that's definitely something that I'm looking to do, right, because now that I'm in my PhD and I'm doing the research and everything I'm starting to, I always think you know five years out, right. So now I'm thinking of, okay, well, what do I do with this? You know, what do I? You know where do I see this going, and stuff like that, right? So that's all a part of it as well.
Speaker 2:Yeah, for sure I mean a lot of need for what you're doing. So thank you for doing that. Number one. And you know, to give you a sense of, like, the people behind this stuff, you know they are also the originators of Secure Linux, SELinux, and to open source, and so really they're just security engineers, like I said, and then this is my view, so I don't represent them at all, but I don't know what rules or restrictions they have around publicizing what they do. I know it's not as easy as it is, like it may be a university, especially a private one, where you control, and so I think it's just maybe a lack of exposure and they need more exposure to create that benefit for more people. But yeah, definitely worth checking out. And, to be honest with you, I'm sure the other agencies have similar programs, not as familiar with them, but I would definitely look at those opportunities as well.
Speaker 1:Yeah, probably, at least like the NSA and DARPA. You know that would be, uh, that'd be really interesting. Yeah, and you, you bring it up, uh, SELinux there kind of takes me back almost. Uh, I don't know, it was a.
Speaker 1:It was an interesting experience, you know, like fresh out of college, handed this project and it has SELinux on it, it was like, oh, what's SELinux? Right, went down a rabbit hole for 18 months learning SELinux. So by the end of it, it was like, oh, yeah, you have to run, you know, these 15 commands to do this thing. Whenever someone at my company ran into an issue, they were like, just go to Joe, like even the developers that were supposed to be deploying and, you know, integrating SELinux into our product. Like they would go to me and you know, be like, hey, like what's going on here? Like oh, yeah, well, you guys broke it this way, so you have to run these things and it'll allow it through. Like what a powerful solution, you know, in terms of just application security, server security, overall. You know, like I mean that's amazing what they built and then they released it out into the public. I couldn't believe it when I fully understood it.
Speaker 2:Yeah for sure, and it's got its own language to it kind of right. So it is extensive and I think that shows I've used the word trusted mechanisms a lot and again, my opinion, not theirs. But you look at, how are we assuring, we'll talk about zero trust in a minute, to kind of go back to your PhD work, some interesting thoughts there, but how are we assuring the things that we are relying on? And so I think of SELinux as, like a lot of work that they put in for boot time security. Right, they're like, well, you know, I need some assurance right At boot that I can trust kind of what's happened.
Speaker 2:And then you know the technology we licensed was called kernel integrity measurement, we call it runtime integrity, but it essentially extends that to runtime and saying are the things that I believe to be true about this particular operating system always true? And so you're constantly challenging yourself back to zero trust. What are my assumptions right? So it turns out for a typical security vendor there is a really bad assumption that, like, the operating system is okay, because I have to ask it a bunch of information, right, you know? Give me the logs. Well, did an attacker in the middle alter those logs? You don't know. Tell me when a file was opened. Did it not tell you that a particular file was open? You don't know, and so even you know.
Speaker 2:Going back to satellites and zero trust, a lot of times people think about authorization and authentication. Of course those are important, but you forget about assets and resources, right, so you can keep going down and then you're like that whole root of trust program and then we can talk about confidential computing and TPMs and things like that. All grown out of the thinking that I think was the genesis of SELinux.
Speaker 1:Yeah, yeah, it's. You know, I remember when, zero trust, when that, when that term was starting to be thrown around and kind of, I think maybe to some extent, Zscaler like maybe coined the term or made it popular, right, yeah, and then it quickly turned into a framework, right, at least I view it as a framework, I think it's a framework. You know the, uh, the NIST documentation. I don't use it as a framework, so I think it is now right. But, you know, with, with my research, it's like almost going down, like a rabbit hole. It's like, well, how zero trust do I need to make this thing right, to make it secure and completely trustworthy? Do I need a tiered architecture with the satellites right, where you have like a ring of satellites around the planet, you know, that then communicates to a higher level ring that has authentication mechanisms around their own, you know, that can authenticate these satellites. Well, how do I verify it? Well, that's going to talk to a dish, you know, back on Earth, right, and that has to have its own verification system. It's, you know, it's interesting, right, because my background, I got my bachelor's in criminal justice and then I went and got my master's in cybersecurity, and you know, like you said, right.
Speaker 1:Well, what's the authenticity of that log file? What's the authenticity of this system? Did it change, did it get removed, or everything like that? During my master's because it was a very hands-on program I mean, we learned about how to modify all that stuff, right, like we learned about the importance of log files, and my professor immediately said and all that goes out the window.
Speaker 1:When you're hacking something, this is exactly what you do to modify it and make it look like the way that you want it to look. And I mean, I'm being taught by, you know, NSA hackers and NSA people that do forensics, I mean the smartest people on the planet, you know, and they're they're literally saying yeah, like last week I was doing this on a target and this is how I overrode it. They'll never know any different because they don't do this other check over here, and so you have to have all these checks in place. It's fascinating, fascinating stuff, how deep you can go with this technology, with this space. There's almost no limits.
Speaker 2:Yeah, I know, you know there's a couple of things that stick out in my mind there.
Speaker 2:So we're advised by a retired NSA individual who did a lot of the inventions that we talked about, and he likes to remind me that you have to think about how a computer works, and it's actually interesting how many cyber professionals and even software engineers sometimes don't understand how a computer works.
Speaker 2:Yeah, now down to disk and memory and the kernel itself and how it's getting that information to know that an attacker can circumvent you in these ways and it gets very asidary. The flip side of that coin and I'll toss it back to you is I think it's our job to simplify this for the enterprise and government space right, so it can get extended, right? So how do I ensure the authenticity of a particular thing, implement zero trust in an economic way? And that's kind of what we look at is from an organization of 20 people to an organization of a million people or however large you want to get to, how can we scale that and solve those problems for them super fast? So, as you're going through your research, I'm sure you're thinking about that too. Right, like you can do it once, but can you do it in times, and scale that.
Speaker 1:Right, yeah, that's kind of that bridge between the government and the private sector. The government kind of. I mean, they'll create something, they'll spend millions of dollars to use it once on one target, or develop a whole framework or attack framework off of something, right it kind of. They kind of pass it back from what it sounds like. Right with what you're saying, with the licensing or the patented, you know technologies that they have, right. They then turn it back and give it to the private sector to say, make this scalable, right, like we don't have that kind of. Maybe not that they don't have that capability, right, because when I think of, I'm thinking of smarts, intellect, you know that sort of thing, right, right, but their mission set isn't to make it scalable for everyone. Their mission set is to make it and work to protect America. And then from there, what goes on with it is beyond them, right, and that's a really that's a fascinating bridge that not many people talk about or even know about.
Speaker 1:And to to your point, right with understanding the underlying, you know processes of computers and how it kind of operates, right, I'm, I'm not that deep, deep right, but I know enough to where I can start pointing in the right direction and things like that. And I have a friend who says he's very experienced in security, but in security longer than me for sure. He said as security professionals we typically earn our paycheck maybe two to three times a year, and what that means is that when no one else in your organization can figure out what's going on, it's typically the security guy that is the one that has to step in, because they understand the networking perspective, they understand the systems, the database, they understand the kernel level. Those are very difficult things to understand and the security person is the one that's typically pulling it all together, tying all the dots together, right, and that's a difficult thing and you really only learn that by going deep into these areas.
Speaker 1:I feel like early on in your career to build that foundation. You know, like, for myself I didn't really understand virtualization until I sat down with an engineer and I said, okay, how is this tied together? Like, like, actually show me the port, the socket that is using. How do I terminate a socket, all that sort of stuff. You know going through it and I mean that took me a couple of years right To really understand it and you know be able to make my own troubleshooting deductions from it, you know Right, but it's a step that's really required if you want to be successful in this space.
Speaker 2:Yeah, I mean in there, you know the interrelationships between all the systems and, as a security professional, having you're going to have to understand them does give you a leg up in a lot of, you know, what's going on in the environment and helping, you know, lots of people out 100 percent. Um, so it's more than just how a computer works. I think that's a good point, right, is how does the system work together with all the computers in it, right? Yeah, and then being able to make those determinations and then, you know, at least for me too, it's complex, right.
Speaker 2:So you're like, oh my gosh, I need to make it better. And then you know there are folks out there that it's sometimes hard to hire. You know very exceptional professionals that can do that. So how can we help these people? And I think that's the problem that we face today that Invary tries to solve, lots of other people are trying to solve.
Speaker 2:Is, you know, I talk to CISOs all the time and they're busy and stressed all the time and they have a lot of pressure on them. You know, at the same time, and so clearly, as an industry, we have a lot of work to do to make that easier for them and stay on top of the innovation that's happening. So, all the way back to AI, right, like, and a CISO was like, oh, I got to have an AI. It's so powerful for, you know, maybe a large retail chain, I have to do it. But now there's this whole other set of interrelationships and problems I haven't thought about in zero trust. And boy, what am I going to do to put that together? I think that's great. As you're going to your PhD work, you know, as we're thinking about how do we scale this for you know, commercial use and the technology license, those things that go into it, which is how am I making this easier? How am I solving exponential problems for those people? Um, so, we can get in front.
Speaker 2:I don't know if you're a Star Wars fan. Are you Star Wars? Okay, so the scene where they're in the trash compactor yelling at Leia, get on top of it. Almost every day I'm talking to somebody and they're underwater. I'm thinking about that line of like get on top of it so you're not buried in the trash, right?
Speaker 2:Yeah, you know, the behaviors that we do are interesting, and really what attracted me to the technology when I saw it at the NSA is, instead of, like, looking for bad things, which we need to do, this kind of flipped the script and this thing. No, I'm just telling you that everything is doing what it was supposed to be doing, and so, of course, the absence of that means that something bad has happened, but what that means is I don't have to go look for a thousand unique threats, I have to just go look for one alteration to proper behavior. And so that's how our minds think and work is like. Am I solving these security problems for the world? How can I apply different frameworks, techniques, thoughts around zero trust in such a way that reduces the number of tools, the amount of time, the amount of decision-making that these folks have to have?
Speaker 1:Yeah, yeah, that's really interesting, you know, staying on top of the technology evolution, right?
Speaker 1:That reminds me I was doing some work. I was doing some consulting work on the side with a state-run, you know, government institution, and they wanted to have an AI model that ingests all of the safety infrastructure, safety security of their state and they wanted to have it to where you could ask it questions of what are the top five bridges that are at the highest risk of collapsing within the next three years, so they can prioritize properly, right, because they were getting all of this data in, but by the time they would get to the critical stuff, it might have been too late, it might have caused more issues, they might have been spending more money when they shouldn't have been, and so they were creating it and they said, yeah, we're almost done with it, but we just realized we didn't even like check if we secured it, like we kind of need to create this as a copy and paste sort of thing, where it's like, hey, you just copy this JCP project and you paste it over here and it has all the security controls built in and whatnot, and so we need you to come in and tell us you know how to do it best, right, and it's a really I mean, it's an interesting text, right, because where else am I going to get that sort of experience? You know what other opportunity out there will I get to look at an AI model that's doing that sort of thing and see how do I secure it, how are you authenticating to it and all that sort of stuff. It's really fascinating and, to your point too, trying to stay on top of it. That's like a day job in and of itself, just trying to stay on top of this stuff we keep.
Speaker 2:Cyber is a big industry and it's good for a company in cyber, but really it's bad for us as a world and a waste of GDP in some cases, and so it keeps getting worse. I don't know if that's exactly true, but you and I could probably try statistics, that kind of show that things are getting worse. But I think it just comes down to what can we do to be in front of the attackers? And there's a lot of things. It goes from security and design, so kind of what you're saying. I shouldn't have maybe made the system before I secured it, but that has to be easier. I mean, there's a reason people aren't doing it, so it's expensive, it's hard, maybe it's not taught. So there's that part. And then the solutions that we have have to be innovative in such a way where I don't have to have tools upon tools and spend enormous amounts of energy, time and to figure things out. So you know I'm very interested. You know AI is a big portion of that right, both protecting it and then using it for those things.
Speaker 2:But to me that's the challenge. We have to A also communicate better as the good guys, right, I get to work with universities and government entities and commercial entities all the time. So I'm lucky. I don't think lots of people have that opportunity. Like you, you sound like, you know, you had that luck in your experience too. So how can we get your listeners, more people, to be involved with you know, larger groups of people in a non-competitive way where we're all just trying to get ahead, to get on top of the pot, stay on top of it.
Speaker 1:Yeah, we've kind of danced around it, but why don't we circle back, so to speak, to your company, right? What's the name of your company? What are you guys trying to solve, and how are you doing it?
Speaker 2:Yeah, sure. So it's Invary, short for invariance, and we ensure the security and confidentiality of systems and we start at the operating system, because that's the core of assumptions being made. That isn't validated today, down, as I mentioned, to hardware and validating. For instance, if you're aware of trusted execution environments and confidential computing, they are meant to ensure that when you're on a VM, only users of that VM can see that memory and it's encrypted in such a way where the host or other VMs on that can't see it. Is that hardware doing what it's supposed to be doing? So we do a lot of proper behavior attestation at runtime, so a lot of that boot time security we extend to runtime, again based on, you know, that technology that we licensed from the NSA. And then, real quick on how we do it at a high level, I'll talk about the operating system for a second.
Speaker 2:So it turns out that we can map, in a graph data structure, behaviors of an operating system. It's about a million data points of data structure objects, relationships, code sequences, and I think about them as constellations. So you think about a million data points. That's a lot, but if you think about, like our night sky constellations, Big Dipper. I know where it's at, I know where it should look like. It has an invariance to it, right. So if I look up and it's changed location, changed shape, something's gone terribly wrong. We don't probably have a lot to worry about.
Speaker 2:So it turns out with software it has some of those invariants built into its design. So the kernel is designed in such a way that has these invariants in it that you can map. It's a lot of the IP that we've got from NSA has that definition of those invariances. So we baseline an operating system and then at runtime we never have to have seen that machine before we grab that same map very efficiently, pull it up and then essentially compare the constellations and see, hey, are they doing anything different? And if so, that difference is probably almost assuredly an attacker implanting themselves in the middle of one of those data structures.
Speaker 1:Huh, yeah, that's um, that's really fascinating. It's interesting how something like this hasn't really existed for the most part, you know, up until now, right, because I'm thinking back to when I was like managing, you know, Bit9, before they got bought out by VMware and everything else, right, where you know you would have to do research into the process, into the service and how it's actually, you know, hooking in everything. And I remember sitting there being like can't someone just put something together where, just you know, builds a model off of this, like there's no way that Microsoft doesn't know what their OS is doing and the expected services and stuff like that, like why can't we just, you know, have that and then map off of that? You know, and it's um, when you build it in like that, you know you're starting with security in a very good place. I mean, how much better can it get from there?
Speaker 2:Yeah, there's other layers to it. If you could say, push a button and know that your entire system is doing only what it's supposed to be doing, you would do that right.
Speaker 2:As opposed to the flip of like running a bunch of software to look for bad things. I think traditionally it's been mathematically hard to prove and do so. Like I mentioned Dr Alexander, one of our founders, he spends a lot of his research time mathematically proving attestation and trusted mechanism techniques, so we know there can be true. And then now you have to make it perform at scale. Again, going back, I don't want to say or know how much time it is they spent researching this just for kernels, but it's probably quite a bit right. It's a lot of IP that went into what to measure, how to measure it. You know we put our own IP on top of that. So you do have to make it scale and I think if you think about bespoke applications then they get unique right. So you have to know a little more about them. So now there's a relationship, I think, with the developers of those applications and metrics that they know are important.
Speaker 2:But it also turns out, at least from our perspective, the relationships between applications and the kernel also have an invariance to them, and so, like I'll use the Log4j example, when it got exploited it used different code paths and sequences that it normally doesn't do. Effectively, in my opinion, violated an invariance of the purpose of the design of that particular application.
Speaker 2:So I don't know, are you familiar? I'm sure you're familiar with the Log4j exploit from a few years ago, so you can start thinking about it like that and then I like to think about it as you're a really cold person and then putting layers of blankets on you. I don't have to make you 100% warm right away, but if I can add a lot of value by making you slightly warmer over time, that's worth doing. So start with the kernel. We moved up on Linux to eBPF, which a lot of security and network optimization companies are using, so we're making sure it stays secure because it turns out it's being attacked quite a bit. And then moving up to applications, by looking at the relationships with things that we know have strong invariance to them at the same time. So traditionally it has been typical computational, but fortunately we found a way to make it super performant, which you have to when you run on some of the platforms that we run on. It has to be non-invasive to the mission of that machine.
Speaker 1:Right, yeah, that's really interesting. And then being able to potentially hook into it to create basically blocks in the system and secure it further, and things like that, it's a fascinating space. I feel like Bit9 was one of the first players in this space and it kind of died off right and everyone has tried to kind of build a product around. You know that sort of functionality, right, of having that in-depth look at your system and building in you know, like what you said, the invariance of, hey, this is so far, you know, outlying and what's normal for your system. We should look at it more, you know, and building in that sort of functionality. It's really fascinating.
Speaker 2:It's closely related to anomaly detection right, which also has a lot of value.
Speaker 2:It's deep in knowing what's supposed to happen, right. So sometimes with anomaly detection it's a lot of investigation. I don't know if you've experienced this, like in my, my teams myself. You get a lot of fatigue right and so you don't know, right, and so that's like for us. We tell our customers if you get a signal that you don't have integrity. That is a step one. There's no need to investigate that right. That is like, and we've proven that over and over and that's kind of sneaked in the work that that came before us as well, so we've benefited from that. But I think that's where we need to get to, where I can tell a forensics person or a response person this is a fact, essentially, and why I know it's a fact, and then that gives them a much quicker ability to respond and then they don't have to worry about the noise in and around.
Speaker 1:Yeah, yeah, that makes a lot of sense. Well, you know, Jason, we're basically at the top of our time here. You know it was a fascinating conversation. I think we're definitely going to have to, you know, have you back on and, you know, potentially even have on, you know, some of the advisors that you were mentioning that are doing some of that research. I think that would be really interesting, really fascinating, to hear from them as well.
Speaker 2:Yeah, we'd love to do that.
Speaker 1:Yeah, yeah, absolutely. Well, you know, Jason, before I let you go, how about you tell my audience, you know, where they can find you if they wanted to connect with you and, you know, learn more about your company and whatnot?
Speaker 2:Yeah, sure, so it's invary.com, I-N-V-A-R-Y dot com. You can reach me at jason@invary.com or info@invary.com. I'm happy to answer any questions or help anybody out.
Speaker 1:Awesome. Well, thanks everyone. I hope you enjoyed this episode Cool.