Episode Transcript
[00:00:15] Speaker A: Welcome to KB on the Go. This week I'm coming to you From Cisco Live 2024 at the Melbourne Convention and Exhibition Centre where AI is taking center stage in driving the future of technology. Here in Melbourne, we're surrounded by the buzz of innovation and industry leaders all exploring how Cisco's latest technologies are enabling us to work faster, safer and smarter. Stay tuned for the inside scoop from some of the world's leading experts presenting at Cisco Live 2024 here in Melbourne as KBI Media brings you all of the highlight.
Joining me now in person is Raj Chopra, SVP and Chief Product Officer, Security Business Group at Cisco. And today we're discussing being an AI first company. So, Raj, thanks for joining and welcome.
[00:01:09] Speaker B: Thank you.
[00:01:09] Speaker A: Okay, so Cisco's security cloud vision as an AI first company. What do you mean by that?
[00:01:17] Speaker B: So I'm going to give you my tagline and then I'll hopefully explain a little bit. To be in today's world a successful networking company, you need to be a security company. Because last time I checked, nobody wanted an insecure network. To be a security company that accounts for all of the different exceptions that exist in our daily lives, enterprise or personal, you need to be an AI company because the complexity is too big for you to capture that tribal knowledge in some set of logic expressions. So you need the benefit of machines and hence AI. And then to be an AI successful AI company, you need to be a data company. So when we talk enhanced, the asset that we all know as Splunk, now part of the Cisco portfolio. So the arc really starts from us being a successful networking company leading us all the way to being very thoughtful, very, very methodical about data. And in between is the, is the work that we're doing with AI.
[00:02:22] Speaker A: Okay, so I heard Dave west on Main Stage yesterday talking about to be this company or to be data company. Security company. Makes sense. What do you mean by methodical data?
[00:02:32] Speaker B: Yeah, being methodical about the data means that there is a large volume of context that needs to be brought to bear. So I'll give you a an example, made up example, but an example nonetheless. You start to see, let's say, some activity on the network that you're not quite sure. Is it really Raj accessing the board materials tomorrow is the earnings announcement. Is it really Raj accessing this? That's one part of the context, which is what we are seeing right now in the systems. But the larger context may be Raj also booked a flight on United Airlines and he's in Australia, by the way. Two weeks ago, he Got a new phone, so he has a new Authenticator app. He has failed seven logins for a variety of reasons over the past month. Should Raj have access to the board materials? Not can Raj have access to the board materials? Today's security construct ask and answer the question, can Raj access board materials? Based on my job role, based on whatever. But the real question to ask is, should Raj be able to access the board materials given all of the complexity of my activity over the last days, weeks, months, and that is what the context and methodical bringing together of the data to develop that context helps us provide an answer to the question, should Raj access this material? Not can Raj access this material?
[00:04:04] Speaker A: So what happens if people don't have methodical data on their side?
[00:04:11] Speaker B: You end up making, with the best of efforts, you end up making substandard decisions. And what that leads to is that usual risk in the day to day activities of that particular user because you're not exactly keeping track of whether this access is fit for purpose. This activity is fit for purpose, but you're doing something today just because it was done yesterday. So you make substandard decisions, you end up making substandard decisions.
[00:04:41] Speaker A: Okay, so I want to get into something now that is quite topical, which is responsible AI everyone's talking about. It depends on who you ask. I want to know how is Cisco approaching responsible AI? And then I want to zoom out to what does this actually mean? Because there's different definitions of it, but also there are now examples on, you know, the driverless car, you know, the whole biases come into certain things that I find very interesting area.
[00:05:15] Speaker B: Yes. So first, the responsible AI is a, is a principle by which we've been developing AI based products in Cisco for years. There is a published manifesto, you can Google or search for Cisco and responsible AI takes you to the trust portal. You can, and you can go through all of the details, the principles that we follow and these are reflected in our development methodology. So this is not a statement of intent, this is a reflection, this is a codification of our development practices. Right. So this is not a sort of airy fairy statement, but how we develop software. Case in point, I'll give you a couple of data points. I think Dave also mentioned this, but we do today billions worth of minutes of translation, spoken word translation into written text in WebEx, billions of them every month. There is exactly zero bytes of meeting minutes that are used for training the models that convert. Because spoken word in a meeting is specific to the customer, it is not for us to use that Material for training our models.
Every bit of training that we do for these models that can now translate from spoken word into written text from 120 different languages without using a single byte of customer voice data. Every bit of the data is synthetic. So we never, ever use customer data to train our models to do transcription from spoken word to written. And this is at a very, very large scale. Right now, fast forward to some of the other things that we're doing as we're developing capabilities, let's say in a product that we called XDR Extended detection response that gets used in the, what is called the Security Operations Center, SOC centers now in that we do want to use Cisco, Talos has done incident response for thousands of customers over tens of years. The best practices, not names of customers, but best practices have been distilled into playbooks of what happens when certain incidents show up. If some activity happens, what's the corrective action for us to take? Right? This is fully anonymized. It's not like it has attribution to a particular customer. That data, that anonymized data is something that we have blended into our AI models. So that is benefiting that Talos tribal knowledge, so to speak, which was captured in documents and PDFs and whatever over the course of thousands of incident responses is now available to every single one of our customers. Because this is a playbook that they can utilize anonymized data being used for practical use for all of our customers. Right? That's another example of using data responsibly. Then we have bespoke models, which is our own documentation, which is public documentation. But using that to say, instead of when somebody looks up, how do I change, I don't know, the NTP setting, some acronym setting in my product. This is public information, right? And so if you search for it right now, the best answer you're going to get is, well, go to this manual, right, some manual. And then you're coming to page 47, section three forward or whatever and like, great, thank you very much. Instead, from this public information, instead of you being sent down this rabbit hole, it literally just tells you, here are the steps you need to follow. And below it is an attribution. If you really want to go read it on your own, here is a link, click it and you can get to that detail. But taking the toil, right? And maybe some people will do, maybe some people won't. People just need to form their confidence. So maybe in the early days they will. So I'm giving you three models where One is completely synthetic data being used, right. To build, train fully, service our models. Second is anonymized content that is used for general practice and benefit of customer base. And then there is public information which is out there in the domain that is being brought together in a way that becomes very usable without the toil of having to thumb through manuals and whatever else people end up doing today.
[00:09:53] Speaker A: And that would be the benefit of having the source. So you could cross check it. Because again, if there was so much data out there that said the you.
[00:10:00] Speaker B: Want it to be explainable. If somebody asked the question, why are you saying this? Why are you telling me this? You need to be able to say, here's why.
[00:10:08] Speaker A: So the part that's interesting about this is, and I've spoken to many people about this, one of which who is on the World Economic Forum for the AI Board, spoke to me about this when I was in Vegas recently around hallucinations. But then for example, going back to the source, imagine if there was 50,000 sources out there that said the sky is orange. And therefore when you ask ChatGPT, for example, what is colors of sky? And it came up with this, do you think? And then it led back to the source which is fabricated. How are people going to be able to discern that? And I know that they're trying to validate certain sources, but what does all make sense of that? Because this where it gets interesting, especially for the younger generation who won't be able to understand and discern to do their own research and you know, and to be able to look at the source and validate it or not.
[00:10:59] Speaker B: So this is the third leg of the whole thing. So we talked about data, then we talked about AI or training AI models. And then the third thing is how do you defend these models? Okay, so you mentioned about younger generation, like if this is my source of information and it's hallucinating consistently and persistently, how do I know any better?
So there are typically three phases in which models are developed. The first part is when I'm building these AI models, am I training it on diverse enough data? Next to you, there are what, Granny Smiths and some other apples sitting right?
Right. So these are round and they're colorful. If all I trained my AI model on was round, colorful things and I presented at a tennis ball, it would say that is also an apple.
[00:11:55] Speaker A: True. It's the shape.
[00:11:57] Speaker B: The shape, right. Because AI is very different than how traditional software has been written. The way traditional software was written.
If this, then that I give this Input, I get an output. I don't know the output, but I know the input and I know my logic. In AI, it's flipped. I already know the answer. I have to now build my hypothesis that this answer shows up consistently when I presented a new input. Okay, let me say it slowly one more time. Right. So if this, then that's exactly what you said. Right? Correct thing. So I write my logic, I give it input, it will consistently give me an output. I don't know the output, but it'll consistently give me the same output.
[00:12:41] Speaker A: Sure.
[00:12:41] Speaker B: Okay. AI is different. I already know the answer. Okay, Now I need to give it enough input and work my hypothesis such that it shows this output consistently. So what needs to happen? If we were looking for apples, right. We'd have to present at oranges and tennis balls and basketballs and whatever. Round, circular, colorful things.
Enough of them so that when a new input is provided, it doesn't hallucinate. It has seen it before and the weights have been appropriately assigned.
[00:13:16] Speaker A: Wow, that's complicated though.
[00:13:18] Speaker B: But. And here comes the part. It is complicated for you and me, but it's not complicated for machines.
[00:13:24] Speaker A: Well, that is true, yes. Yeah.
[00:13:27] Speaker B: And that is the power of AI that remember now we're talking about I don't know what the input is going to be. I do not control the input. Unlike software development, where I control the input. This could be literally anything. I might be walking down the aisle here and there is a certain round, colorful thing. Is this an apple? I don't know what it is going to be. Right. So first thing that you need to make sure is that has this model been shown enough diverse data that it's not going to hallucinate? Is it proper?
[00:13:59] Speaker A: But how would you define diverse enough?
[00:14:02] Speaker B: So the way it happens is when you present. So there are actually scores. I'll not go into that. But there are measurement scores. It is a very deep topic. It's called Elo lo. You can look it up, but that's how you measure whether the outputs are good or not. From this. But has it been trained on enough? Diverse data is a matter of how large your model needs to be. So for ChatGPT, it needs to be in trillions of parameters. Right. But if you had a drone that was going around the oil storage systems, Right. Right now there is a person, once a month they rappel up and down on one of those oil containers next to the airport to look if the rivets are leaking. It's not an easy job.
[00:14:47] Speaker C: Right.
[00:14:47] Speaker B: But once a month they climb up and down and take pictures. And here is a drone that goes around, takes pictures, like five pictures every second. And you just compare. You can do it every day, you can do five times a day. That model needs to be very small. All it needs to know is how do the rivets locate this, the oil container, blah, blah, blah. It's not very large, so you can make it really small. You don't need to train it on a bunch of things other than all the crusty, peeling, pain, bad rivets, this and the other. But you don't need to tell it like, how does a submarine look, how does the sky look, how does whatever, Right. It's irrelevant. It's a small problem state set. So you can have small models, you can have large models, small models. You don't need to train it on that much diverse because it's fit for purpose, Right. Large models are more generic. You ask me anything, translate this to that, whatever. Right. So the, the diversity of training data that is required for it to not hallucinate is a function of how generic versus how specific do you want a model to be? Yes.
[00:15:57] Speaker A: Yeah. Wow. Okay. Yeah, that's interesting.
[00:15:59] Speaker B: Okay, so now bringing back to how to be secure so that this is fit for purpose. One is making sure that the data that is being trained on is good, diverse enough that it gets to the right lo counts, elo counts. The second is there are biases that creep in because if all we showed this model of apples right, all we showed were fruits, that would be inadequate. We need to have lots and lots of different kinds of things in there. We need to show it berries and we need to show it, I don't know, watermelons for it to have enough of a diverse thing that it has seen so it doesn't start to say, if it is small in this size, then it's an apple, right? So you need to ensure that it is fit for purposes. You start suddenly feeding it images about leaves and trees and chairs and like, what? That's nonsense. Right? So that's the second part. So build train. And then the third one is where you start to ask questions and get answers back that need to be fit for purpose. So what does that mean? I have this model where I'm going to maybe use the drone example a little bit rather than the apples 1. In the drone example, I've got this model and I start to ask, like, show me how to make a bomb. Should it answer that question? Never. Never. Right. Then it goes around and says, it says, give me the best Paint that I can use for this oil tanker, oil container, whatever. Should it answer that question? I don't know. Maybe it should, maybe it shouldn't. Maybe it's biased. Maybe it's giving me the cheapest one. Maybe it's giving me the most expensive one. I don't know. Like, I don't know. But I can't determine that. But the person who's building that application can determine whether this model should answer that question or shouldn't answer that question. Right. So there are certain things that it should never answer. Show me how to make a bomb. Never. But can or should this model answer the question, what's the best pain to use? Maybe, maybe not, I don't know. But somebody needs to define whether this is fit for purpose to answer or not fit for purpose. That's the application developer, the person who made that application which says, I am responsible for the upkeep of these oil tankers, containers, whatever.
That's what they do today. If I'm the person who builds the application, I determine whether it is serving the purpose or not serving the purpose.
[00:18:32] Speaker A: Joining me now in person is Angelique Medina, head of Internet intelligence at Cisco Thousandeyes. And today we're discussing data in flight and the risk. So, Angelique, thanks for joining and welcome.
[00:18:42] Speaker D: Thank you. It's great to be here.
[00:18:44] Speaker A: Okay, so let's start. For people who are not familiar, what's your definition of data in flight?
[00:18:49] Speaker D: Well, when we think about data in flight, we think about all of the traffic that's flowing across the many, many networks that not only make up the Internet, but also private networks as well. So when a lot of people think about the Internet, they almost think about it as a utility where it's just sort of the pipe that's going from one place to the other. But the reality is that it's actually many thousands of networks that are interconnected together. And the way that these networks interconnect with one another is really based on a system of trust. So you're actually talking about traffic that's changing potentially many, many different hands from going from one place to another.
[00:19:25] Speaker A: Do you think as well, in your experience, Angelique, that people just assume the Internet, like, I can just start up Google and then I don't have to worry about what happens in the backend.
[00:19:33] Speaker D: I think that's the way that many people think about it. And it's very easy to think about it because it just sort of works. You know, you type something into your browser and then almost instantaneously you just get a Response, it comes up and you don't really think about everything that's happening under the hood. But the reality is that first, you know, you are effectively translating the domain name that you pop into your browser into an IP address. So that is a system that performs that. So you do a DNS lookup. So you're connecting over a network to those servers, you get a response, then you are connecting over again, many more networks to the actual web servers for the application or site you're trying to reach. Those web servers may be connecting to many more things on the back end to fetch data. So again, there's so much connectivity all happening under the hood. It happens very fast, but it's actually highly interconnected and interdependent.
[00:20:28] Speaker A: So with interdependency, obviously it can create issues on downtime, things not working, as we've seen in recent times, of interdependencies of systems that we're reliant on. What sort of concerns you around that then in terms of interdependency?
[00:20:45] Speaker D: Yeah, I mean, it's very interesting because when you think about a lot of the trends over the last, say, 10 years, there's a lot of concentration of services in actually quite a few parties, if you will. So you think about the big public cloud providers, you think about the major CDN providers. Oftentimes, when something goes wrong with any service, or whether it's a platform service or a network within any of those providers, it can have a very broad ripple effect because you may not even be hosting your application or services in a cloud environment. It just may be that you might be using one of their platform services under the hood. And when you think about, you know, availability of an organization's services, absolutely, there's a security element to this. But oftentimes with, you know, when you think about security, you know, issues and folks who may want to impact an organization's services, a lot of times they're trying to impact their availability.
And so, you know, availability can be really important to think about from multiple angles, not only in terms of protecting things that might be outside, but also in ensuring rigor internally so that you're not impacted regardless.
[00:22:03] Speaker A: Yeah. And I guess just following that a little bit more in terms of availability, imagine if the Internet just stopped working.
[00:22:08] Speaker D: Yeah, I mean, it is pretty frightening thought, for sure. And, you know, we have seen a lot of instances in which, like, there have been very broad outages, you know, or there's been widespread disruption and even think about things like submarine cables, you know, we're here in Australia. Now, it used to be that there was, you know, only a few cables even for example, on the west coast of Australia, and there were several more added over the last five, six years. And so there's greater redundancy. But you still have to think about that because I don't know that a lot of people realize that there's actually, whether it's submarine cables or terrestrial networks, a lot of Internet providers and cloud providers, they all use the same pipes effectively at the end of the day. And so if something were to happen to those, it can be very broad in terms of the disruption.
[00:23:01] Speaker A: I want to ask you now about data sovereignty. So in Australia it's a big conversation. There's probably a lot of companies out there that wouldn't actually know where their data is being stored. So what's your view then on that?
[00:23:15] Speaker D: Yeah, I think that's a very interesting one. We've seen that also in Europe as well, where there's considerations around that.
And it really is in fact the case, and it doesn't that organizations need to be very mindful of this because even if they're working with a very large organization that might have data centers in different regions, it's not always the case that you can assume that your data is going to be moved into the correct region. And so you really have to understand where it's moving at any given time, effectively having a paper trail. And the way that we think about this is you really need to understand across every single network, every single router across the Internet all the way through to the destination, where is your traffic at any given time? Because we've seen this quite a lot where oftentimes traffic can go out of region when it really shouldn't, not only in terms of where it's destined, but also just sort of incidentally routed. And we've seen this with things like route leaks where it's very much an accident that traffic might get handed off where it shouldn't. And oftentimes a lot of organizations don't even realize that their traffic is being misrouted until something very public happens. So an example of this is like a few years ago there was a very small service provider in Nigeria and they started accidentally advertising themselves as a route to Google services. Now that is, you know, doesn't seem like a terribly bad thing. They couldn't necessarily handle all that traffic. So that wasn't great. But standing one of their peers was China Telecom, who was right kind of neighboring them. And the thing is that China Telecom doesn't pass Google's traffic. So all the traffic just started. They just started dropping all of Google's traffic. And that was really the first indication that folks had that there was this incorrect route that was propagating across the Internet. Now if China Telecom hadn't been dropping their packets, then folks may not have known for some time. So that is sort of an example of how a lot of these things happen much more frequently than folks realize. And oftentimes it's only if there's a performance issue or something quite catastrophic that clues people in to this happening. But again, it doesn't always, you know, manifest in that way, would you say as well?
[00:25:40] Speaker A: I mean, with security, it in general, like people are just struggling to keep their head above the water and keep the lights on. So it's like unless they have to look at something to your point around performance issues, no one's looking.
[00:25:52] Speaker D: Yeah, 100%. And I think that the other thing too is that even though as users we think about the Internet as like, okay, well, this has been part of our lives for a long time. When it comes to enterprises, they have historically had a very different kind of approach to how they network. So they had, you know, managed connectivity between say, their data centers and their branch offices and you know, they may have funneled all traffic through, you know, a central place that, you know, enabled them to kind of have their firewalls all there and to filter traffic and to ensure that they were very safe. So they weren't as heavily dependent on Internet connectivity. So a lot of these issues and concerns are relatively new to a lot of enterprise IT operators. And so this is kind of a new world that they really have to now understand that the Internet kind of functions very differently than it does in an internal private network. I mean, you think about it, the Internet was actually founded as like an academic network and it was built on this chain of trust. You just sort of agreed to peer with another provider and exchange traffic. It was never meant to have the same security mechanisms that we think are really, really important today.
[00:27:07] Speaker A: I've had other people that I've spoken to that I know saying that, you know, the Internet is still put together by sticky tape and duct tape?
[00:27:14] Speaker D: Absolutely, absolutely. That's a good way of putting it.
[00:27:16] Speaker A: But would you say that people's version of the Internet is like, it's this perfectly well oiled machine, but in reality, if you have a look behind the curtain to your earlier points, can be a disaster?
[00:27:28] Speaker D: Yeah, absolutely. You know, I think that we've made some strides in terms of route security. There's been some initiatives around RPKI where folks can effectively, you know, have service providers ensure that not just anybody can say that they're Google or say that they're Facebook and try to take their traffic. There have been strides, but the interesting thing about the Internet is that it's kind of a, it really is a community effort, if you will, because I can say, hey, you, service provider, make sure that, you know this route that you're receiving, go check it and make sure that it's something that belongs to who's advertising it. But it's really up to that service provider to do it. So it requires a combination of really every service provider on the Internet as well as the application providers too, working together to make this work. And so it's going to take time to get there, but there has been some progress. But in the meantime, you know, obviously I think enterprises need to be much more mindful that this is not, it's not the same as an enterprise private network.
[00:28:38] Speaker A: So maybe. Angelique, can you talk through maybe some of the risks associated with data route changes or maybe set the scene on like, what is a data route change for people that are perhaps unfamiliar and then the risks associated with that.
[00:28:50] Speaker D: Yeah, so routing on the Internet is really interesting. So I let's say that, you know, I'm Google and I'm advertising my routes to my service through maybe many different service providers that are connected to me. And then it's kind of like a game of telephone. Those service providers then announce to their peers and those peers announce to their peers. It really is sort of like this, hey, I'm, I'm advertising further out. Now, if I'm a service provider, I may have different options to get to, say, Google. You know, I have one provider over here, one provider over here. And the decision that I make on that is going to, there's going to be a number of factors. Some of them might be commercial. You know, maybe it's cheaper for me to send it one route than the other. Maybe one route is shorter. So that might be preferred. But in terms of like route changes, again, I'm really dependent on the providers who are sending their advertisements to me. And if something comes through to me that is illegitimate, you know, and is, you know, effectively there might be somebody who is trying to spoof or say that they are someone and that, you know, they, they have a route to the service and it really is up to the provider. If they accept it and they send it on, which we see quite often, then all that traffic can just go to them. I mean, that's kind of really almost how it works, you know. Well, it is how it works, you know. And so it's kind of interesting when we think about like those route changes. It really is about do you trust an advertisement that you've got or a route that you've got from somebody next to you. And because of that, really, routes can change on the fly. They're quite dynamic and like I said, they could change for legitimate reasons. You know, maybe there's a provider who thinks I have a shorter route to this service or maybe I'm taking an alternate path because, you know, I have more favorable kind of commercial arrangements with them. They can really just fluctuate quite a lot. But because of that, it's really important that organizations have really continuous visibility because sometimes those changes are legitimate and sometimes they're not legitimate. And so really because of that very fluid nature of routing across the Internet, it is one of these things that again requires a lot of vigilance to kind of ensure that traffic is going where it should at any given time.
[00:31:23] Speaker A: So what happens when it's not legitimate?
[00:31:25] Speaker D: Well, I guess a few things can happen. One, as kind of gave you an example earlier, if it's not a legitimate route, for example, it could impact performance. So maybe traffic is going through networks that it really shouldn't who don't have the capacity to route that traffic. So it could cause loss, it could cause a very degraded experience for users. It could be something in the example I shared about China Telecom where the traffic is just black hole because, you know, they just drop that type of traffic. That is quite often a common one. In a BGP hijacking scenario where somebody might be advertising routes that they don't own because they don't actually have that destination server in their network, the traffic just will get dropped when it hits their network. But other times we see instances like a few years ago, AWS, their Route 53 DNS service was hijacked. Now that was a very sophisticated hijack in that the attackers effectively compromised small service provider in North America. And they then using that service provider system, started advertising themselves as AWS's DNS service. The reason that they were doing that was because they wanted people and they were filtering out anybody who was requesting the IP addresses for the Ethereum cryptocurrency site. They would then serve them an illegitimate IP address to go to. And then if they went to that IP address, it was spoofing the Ethereum.
[00:33:02] Speaker A: Service and they're putting their details in and Exactly.
[00:33:05] Speaker D: And so, you know, that is a serious security concern because now you're effectively, you know, again, it's sort of this spoofing thing. And if somebody is not, you know, very vigilant as a user, you have to remember that like, even as somebody like Ethereum, you're, you're kind of leaving your users vulnerable if you're not ensuring that their traffic is going to the right place. So it can be quite serious in its consequences.
[00:33:32] Speaker A: So I've seen another example, and you would probably know more than me, but I think it was a company in the US they sold like these really nice coats. And then apparently people were then calling that company directly, say, hey, like, I never, I never got my coat, like, I paid you all this money, like, where is it? And that's when they started to understand actually something's wrong here. So then that's too late then.
[00:33:55] Speaker D: 100%. Yeah. I mean it. And yes, like, there's a whole range of, like, possibilities in terms of somebody who's like, trying to impersonate. Right.
[00:34:05] Speaker A: You.
[00:34:06] Speaker D: Whether they're impersonating a brand. But quite often, you know, as I mentioned, these can have pretty significant financial consequences for an organization, reputational consequences, because, you know, in that case, obviously these particular individuals considered the company to really be at fault here. Right. And that can be difficult to repair when you're talking about a reputation, a brand reputation. Right. And so it really runs the gamut in terms of significant, like, financial reputational, privacy considerations.
So these are all things that, you know, there's certainly a lot for enterprises today to consider, especially from a security standpoint. But even in this particular case, there was no compromise to the actual, like, Ethereum servers. Right. Their internal systems weren't compromised. Right. That's what's so interesting about this type of attack.
[00:35:02] Speaker A: Sure.
[00:35:03] Speaker D: But they were impersonated. You know, these folks were able to convince them that they were themselves. And so that constituted a security issue nonetheless. So it's a very different sort of type of thing. A lot of folks really focus on, hey, I'm going to batten down the hatch, I'm going to ensure that my systems are very secure. And that's one of the reasons why it's increasingly harder to penetrate somebody's systems. It might be, in fact, be easier to just try to impersonate them and see where you get with that. Right. And so it's a very interesting landscape when you think about kind of not only the Internet, but just how the Internet operates. There's some very fundamental systems like DNS that are very foundational to how the Internet works. And they are often the target of issues. Like when we see DDoS attacks, they're very often targeted to things like DNS. Because if you take down DNS, you're not just taking down a single organization. You're potentially taking down hundreds, thousands of organizations. And so those are the things you kind of have to think about, like, where are those kind of fault lines? Or where are those, like, points where you really have to ensure that you're maybe redundant, that you're working with a party that you have a lot of trust in, or that your own systems are well secured.
[00:36:27] Speaker A: Joining me now in person is Matt Caulfield, vice president of product at Duo Identity. And today we're discussing Identity is the Newspan. So, Matt, thanks for joining and wel.
[00:36:37] Speaker C: Thank you very much, Karissa. Happy to be here. Happy to talk about identity.
[00:36:40] Speaker A: Okay, so on that note, what is identity spam? What does it mean to you and what's your version of it?
[00:36:45] Speaker C: Yeah, identity is the new spam is kind of a catchy phrase, right? What does that mean? Maybe 15 years ago, spam was a big problem for companies and for individuals. I remember it personally. Having a Yahoo mailbox or a Gmail mailbox was a big deal. Then along came all these email security companies. Kind of clean that up. It's not really an issue we talk about anymore. Identity, though, is very similar today in that you can think about it as attackers are kind of constantly knocking on the front door of all these accounts that are either your personal accounts or your corporate accounts. They're trying to make their way in almost in the same way that attackers used to send loads and loads of spam and phishing attacks via email. Now that's happening through the identity vector.
[00:37:23] Speaker A: Okay, so I have to ask. Look, identity in my experience is not necessary. I mean, I'm probably asking, you know, you obviously care a lot about identity, but do you think it's one of those things that just gets relegated a lot, like other cool things like scenes and socks? And they seem to be take the center stage. Identity doesn't strike me as a center stage main character energy.
[00:37:45] Speaker C: It does get relegated a lot. And it shouldn't be, to be honest. I've usually say, like, look, you know, network security is still important today, but really came into its own about 20 years ago. We've got next gen firewalls and network security really flourished 10 years ago. You know, maybe Endpoint Security, there are a bunch of vendors who came out around that time and really flourished this decade. 2020 is, I think, is the era of identity where people started waking up to the fact that hackers are no longer hacking in, they're just finding ways to log in. They don't need to go through the trouble of finding a zero day exploit on your operating system or in your router or in your network. They're simply logging in. And so identity, we're finding, is moving in terms of ownership from where it's been traditionally, which is part of it, into being under security. And so I think a lot of organizations are realizing that identity is just as important as a pillar of security as network security or endpoint security. Identity security is there as well.
[00:38:44] Speaker A: There is one of those things being so challenging in terms of like, people are still using VPNs, people are still trying to figure out how to do mfa. So like, let's even go back to the consumer. How many times do people have to reset their password? They forget it. It's not strong enough. Like, that's annoying. It creates friction, right?
[00:39:01] Speaker C: Yes.
[00:39:01] Speaker A: So what's your view then on identity? Like, it's, it's not an, it's an easy thing for us to sit out here in our nice comfy chairs and talk about it, but in reality it's not as easy to implement, right?
[00:39:10] Speaker C: Yeah, for that very reason. Which is unlike networking or endpoints, there's a real human factor in this one, because this is how are you verifying that a person is who they say they are? How are you making sure that they have access to the things that they're allowed to have access to? There's that human element which makes it very difficult for both individuals and organizations to implement identity security. And so every company we talk to is sort of in their own different walks of life or all. They're all different parts of the maturity curve when it comes to identity. Some are just now trying to, as you said, adopt mfa, and they're just getting there. And some of the studies that we've done through Talos and through Duo have shown that we're doing pretty well in terms of MFA adoption. You know, most companies now have rolled out MFA to most of their users. That's great.
[00:39:57] Speaker A: Most companies in North America or globally, would you say?
[00:39:59] Speaker C: I'd say globally, sure. Certainly there are many who haven't. And we like to think too what makes that easy. But we've also found that even if you've rolled out basic multifactor authentication, maybe through an SMS on your phone or a Duo authentication application where you can press an allow button. You know, when something comes in. We're finding that attackers have found ways around those. Those are easy to fish. I can call you up and say, hey, I'm from the help desk. I'm trying to fix a problem with your account. You're going to get a code on your phone. Could you just read that back to me? And most people will fall for something like that and they'll give over that six digit code. Or, hey, you're about to get a notification on your phone. Could you just press the allow button or read off the code for me so I can understand who it is that's trying to log in? These are ways that attackers are using social engineering to bypass. Even if you have mfa bypass mfa. So we're starting to see the adoption, especially in more sophisticated organizations that care about identity security, phishing, resistant authentication. So that would mean biometrics using your fingerprint or face ID using device trust. So you can only log into certain applications from your work laptop because it's kind of assigned to your accounts. This combination of biometrics, passwordless logins. So you can't be phished as easily or can't give your password away. FIDO 2 cryptographic compliance. All of these things are coming together now for sort of a second wave of mfa. Now, to your point, though, not everybody's even gone through the first wave.
[00:41:20] Speaker A: First wave, meaning MFA or 2fa?
[00:41:22] Speaker C: Yeah, just the first wave. 2fa.
[00:41:24] Speaker A: Yeah. Wow. So using that example, when you say people get desensitized, so many notifications coming through, someone just keeps pinging, pinging, pinging. Eventually you're like, okay, allow. Because my kids are going crazy in the background, my wife's yelling at me. I'm just going to press Allow. And then we've got a problem.
[00:41:39] Speaker C: Totally. Yes. So MFA flooding and MFA fatigue. So these are two sides of the same coin. Flooding would be me sending you multiple MFA push notifications. And you see them on your phone and you press deny, deny, deny, deny, deny. And eventually it's 3am in the morning. You know, kids are screaming, whatever's happening, you've eventually relent and you press Allow. The other form of that is MFA fatigue, which is we're trained to, just by habit, press the allow button. When we see it on our phone, we oftentimes don't look at or scrutinize the details behind it and just say, oh, I'm, you know, it's middle of the workday. I've seen a lot of things. There must be some application that's Trying to re. Authenticate. I'm just going to go press the allow button.
[00:42:20] Speaker A: Exactly. And I think that that's something that even in my own company sometimes I'm like, oh, who's trying to access X system? And depends. Sometimes, you know, IP address isn't necessarily related to where I'm situated. But typically I do ask and it is someone legitimately trying to get into the system. So let's go back to the friction. So obviously we still need to ensure that we, you know, we're identifying who the person is and we're authenticating them properly. But you said before around, you know, biometric passwords, I've spoken at length on this show about that. What's going to happen then to the future perhaps of like password managers? What's their future look like?
[00:42:53] Speaker C: Yeah, I think there will always be a long tail of applications that will still be disconnected from the rest of the identity ecosystem and the only way to manage authentication for them might be a username and password. But my hope is that we use passwords for those applications that you simply can't remember and maybe use a password manager for those. But the vast majority of applications, say 99% of them that we use in the corporation, should be tied back to your single sign on system. So you don't need password managers, you simply have a single password for your corporate account and you can log in.
[00:43:25] Speaker A: Using biometrics and et cetera.
[00:43:27] Speaker C: Plus biometrics and multifactor authentication and all of those good things.
[00:43:31] Speaker A: Yes, but then I hear the consumer side of it, people saying like, yeah, but then I have to have all these things that I need to, you know, look at the, whether it's a token, it's the thing on your phone that you allow. It's, you know, you get a text message, you get an email. People seem that they get annoyed by that. So how do we implement security where it's secure in terms of identity but then also not impacting the user? Because again, you know, as security professionals, when I was one, historically you're there to serve the business rather than practicing security all day.
[00:44:02] Speaker C: Right.
[00:44:02] Speaker A: So where do you find that equilibrium between security and then of course allowing the business to operate?
[00:44:09] Speaker C: Right, right. Yeah. There's sort of a thin line between security and usability. Yes, we like to paint a picture. That duo is like right at the intersection. It's that brand that's kind of known as being both usable but also secure by default. But it's a very thin line to walk. It's very easy to fall into being Too secure and too much friction, which takes you away from usability. If you stray too far into the usability side, you start losing some aspects of security. So it's about just finding that right balance. One of the technologies that I'm most excited about is passkeys. Just because this is a thing that consumer applications and consumers can adopt in their everyday life to unlock applications using a fingerprint or using a face ID on their phone rather than using a password at all. And we're starting to see passkeys start to show up in the enterprise world as well, where we can use passkeys as a way to log into enterprise applications. And it's very low friction. It's easier than it is to use a password because you're just using a fingerprint.
[00:45:02] Speaker A: And I guess the parallel to be drawn to that would be when you open up your iPhone with your, your face and how annoying is it? I have to put my, you know, my code in if it doesn't recognize my face, for example.
[00:45:12] Speaker C: Exactly. So I think we're going to start to see more companies and more vendors leverage those technologies that are already built into your mobile device. And the technology is very good. It helps avoid deep fakes and some of these AI things that's built into the technology, we just need to leverage it in the corporate and consumer settings, not just for unlocking your phone, but for doing many other things.
[00:45:31] Speaker A: But we're doing these sort of initiatives, Matt. It's. You have to do it bit by bit. You can't just roll it out and then see what happens. So what would be your approach to saying, okay, we've got to do the first wave and the second.
[00:45:40] Speaker C: Yes, it's a journey. So everybody is in a different place. Some people are just starting on that kind of multifactor authentication journey, identity security journey, and some people are further along. I'd say, look, if you don't have any form of two FA or MFA on your accounts, start with that. Some MFA is better than no mfa. But once you're there, once you have basic mfa, make sure you're connecting all of your applications to your single sign on system. You don't want a bunch of islands of identity that you're managing individually should all be tied back to your single directory, single sign on system. Whether you're using Duo or Microsoft or Okta or Ping doesn't matter, just connect it back to the SSO system and then from there you can start getting a little bit more advanced. You can do things like start automating identity lifecycle so when someone joins the organization, they automatically get access to the application they need. And when they leave the organization for whatever reason, they get those applications taken away and their account deactivated. These are, you know, basic block and tackle things. And then from there start adopting sort of second wave multifactor authentication, biometrics, passwordless, phishing resistant.
[00:46:43] Speaker A: So going back to when someone starts a company, what about how do you manage, like privileged account management, for example. So I come in, I randomly have access to a system I shouldn't have. I mean, I've worked in enterprises before and it's like, why does Caruso have this level of access? We need to go and investigate them. There's whole teams of people looking at this stuff manually. What's going on there?
[00:47:01] Speaker C: Yes, so there's a lot of exciting innovation in that space. Cisco recently announced Identity Intelligence back in February, which is a product that I'm intimately involved with that takes a data first approach to identity security. So yes, we need to put stronger MFA in place. Yes, we need stronger authentication, but you can't assume that's always going to work or you set it up properly. You need a compensating control there that's providing monitoring. So what Identity Intelligence does and what we see a lot of organizations starting to do is collecting this treasure trove of information that's inside of the identity systems. These single sign on systems spit out hundreds and thousands of logs every minute of people logging in. We can see which user is logging into which application, using what device, through what network, all that information. Yes, we can start processing with AI to understand, all right, this looks good and normal and secure. Or it doesn't. And if it doesn't, we can raise a flag and send that to the, to the SOC and they can take action.
[00:47:56] Speaker A: And then what happens? And isolates that person immediately or like what?
[00:48:00] Speaker C: It depends on the company. Some people don't want to get into a career limiting move where they automatically turn off access for the CEO. So there's usually a human in the loop these days. But I think we'll get to the point eventually where these things are more automated. We can at least automate today just re authenticating you like, hey, we saw something weird. Let me just try to re authenticate you, force you to log in one more time. I think eventually we might get to the point of quarantining an account automatically if we're certain that it looks like it was compromised.
[00:48:29] Speaker A: So for example, if they know I've gone on vacation, it looks like someone's leveraging my credentials in a weird place to log into something that's privileged, like a finance backend or something like that. You were saying that my account would automatically be quarantined. Is that.
[00:48:45] Speaker C: Yes, exactly.
[00:48:46] Speaker A: Well, you said you're moving. Sorry. Towards that automatically being quarantined.
[00:48:49] Speaker C: Right. Today we have a human in the loop for all of these things. Just because, like I said, you don't want to lock out the wrong person at the wrong time. But you can imagine, yeah, an attacker signing in while you're on vacation. You know, maybe you're in finance and your quarterly earnings are in a couple days, and they go into the finance system, they take that information out, and they can do a little bit of insider trading. That's kind of scary. And you don't want that to happen. And so be on the monitor when an account is taken over and what they're accessing, and look for those anomalies like, okay, this is strange. This person's logging from a new device, from a new location to an application that they shouldn't have access to. You know, maybe during quarterly earnings, things are more locked down. They're trying to access the finance system. Maybe that shouldn't be happening. So, like, let's raise a flag on that and have somebody take a look at it.
[00:49:29] Speaker A: So going back to, you know, all the logs and the data, or data speaking to American, from what you're talking and what I'm hearing, that you're saying, they say, take a blueprint of someone, like, in the type of role that I do. And they're going to say, all right, these are all the systems you typically get. This is the type of access that you get. Are you sort of going to be mirroring it off Carissa's identity? Because based on someone else that's already working there, Is that how that works in terms of the PAM side of things, but then also managing if someone's stealing my credentials, et cetera.
[00:49:56] Speaker C: Right. So we're looking for patterns. We look at a lot of information, both who you are, what are the attributes about you, what department are you in, who's your manager, what's your role or job title in the organization. We'll also look at what is the policy associated with your account. So if we look into the identity systems, we can see, okay, Karisa has access to applications A, B, C and D. And we can also see your behavior. You usually access application A on Mondays and B on Tuesdays. We can take the information about who you are, what you have access to, and what you're doing with that accessibility in order to create what we call. You call it a blueprint. We call it a user 360 view to understand you from all angles, from a bunch of different systems about who you are, what privileged access you have, what regular access you have. So if we see a deviation from that, we can flag it.
[00:50:43] Speaker A: Do you think as well, from what you're saying, this will reduce, like credential stuffing, for example?
[00:50:48] Speaker C: I don't know if it will reduce attackers attempting credential stuffing, but I do think it will help us detect attempts at credential stuffing. And we're already seeing these capabilities build into tools like Duo to detect credential stuffing more, more readily. Yeah, faster when it. When. Right when it's happening, maybe, rather than after the fact. Credential stuffing, you know, great way in order to take over the first factor, credentials for an account. Hopefully somebody's putting in place multifactor auth. But if we can say, hey, we see a lot of credential stuffing in your organization, it helps motivate the need for implementing stronger forms of multifactor as well.
[00:51:22] Speaker A: And do you come across that often in your experience?
[00:51:24] Speaker C: Quite a bit. We will run identity assessments. So as part of our identity security offerings, you know, we do this identity security assessment. Well, we'll come in and we'll take 30 days of data. It's all read only. So we're just pulling data in, we're analyzing it. And oftentimes we do find attacks in the wild. We don't always find a smoking gun of a compromised account, but we can give you a profile of. These are the types of attacks that your organization faces and from where. So we see credential stuffing, we see session hijacking, we see users sharing authenticators, sharing devices, and we paint a picture for the customer around. This is the type of thing that you're up against.
[00:52:00] Speaker A: So, Matt, from your experience, why would you still say. And I know, like, again, as I said earlier, it's easy for us to have this chat that's harder to implement. Why would you still say identity is still so challenging though?
[00:52:12] Speaker C: Yeah, like, why haven't we fixed this quite yet? And why is it so hard to get right?
[00:52:17] Speaker A: I was thinking that, but you said it, but yes.
[00:52:19] Speaker C: Yeah, it's difficult. Part of it is the human element, which we mentioned already, which is we're not dealing with patching a server. Right. A server can't really argue with you if you're patching it. People are a little bit more difficult to deal with. And it's difficult to change their behavior. So that human factor is probably the hardest thing to change to get them to adopt more mature ways of doing authentication and changing their day to day behaviors. So we need tools that are very easy for them to adopt and feel very natural as part of their day to day work. So that's a piece of it. I think the other thing is that attackers continue to evolve. So just as much as the tools are evolving and they're becoming more user friendly and more secure by default, you know, passwordless and things like that. At the same time, attackers, with the pandemic, you suddenly have companies enabling people to work from home. They're already doing that, but they're also enabling attackers to work from home. You have all these remote access technologies where anybody can access anything from anywhere. Well suddenly anybody mean to anybody, anybody on the Internet can access anything from anywhere. And so we've seen a rise in identity based attacks just because this is the easiest way for attackers to get in. And we're seeing a lot more and more of that lately, especially with people on LinkedIn. You're able to do reconnaissance on, hey, I'm going to search for everybody in this organization who's part of the IT department who has a Microsoft certification or a Cisco certification. And that's going to lead me to the network admin or maybe the identity admin pretty readily. And then I can go target them with social engineering. I can pretend to be their relative or a coworker or somebody from the help desk or the IT department and call them up and try to harvest their credentials so that you can use them.
[00:53:59] Speaker A: So I just want to end maybe on one last question. You said obviously challenges because of people and how they are there. You know, we can't configure human beings as much as we'd like to. You said you want stuff to feel more natural. What does natural look like in your eyes?
[00:54:11] Speaker C: Right. We want ideally, you know, your ideal workday, sit down at my desk, open my laptop, either show my face to the camera or I put my fingerprint on the fingerprint scanner and that's it. Throughout the rest of the day, I'm logged in. The trust is established from, you know, 9am or 8am Whenever you start your day, 7am Whatever it is and it carries with you throughout the day. Of course, if you walk away from your system and you lock it, you know, of course you'll have to re authenticate when you come back to it. But other than that, we don't want every little application throughout our day, interrupting our flow. Nothing drives me more crazy than I'm trying to do something and then suddenly I get distracted and I can't remember what I was doing in the first place. So just staying secure and then staying out of the way is the ultimate goal for how we do that. And so Duo has that capability with something called Passport that we announced back at RSA in May, which just makes it so that you can do exactly that. You log in with a fingerprint to your laptop, and then throughout the day, you're not reauthenticated again. It's remembered.
[00:55:08] Speaker A: Just a rudimentary question. I'm just curious to know, in terms of, like, if you had company, 50,000 seats and everyone's getting logged out, what would be the reduction in the productivity of people going down? The help desk forgot my password. I don't know. Now I'm over it. I'm going to get a coffee. Of just purely being logged out. I mean, I've done it. But imagine multiplying that by 50,000 people that, you know, 20 seconds here and then can then add up.
[00:55:30] Speaker C: Exactly, yeah. Five seconds here, 10 seconds there. It adds up dramatically throughout the day. We're starting to do those types of studies. I don't have an answer for you yet, but my expectation is that it's not trivial. There's probably millions of dollars a year wasted in the average company on just trying to log in and dealing with the authentication issues. That's a guess, but I wouldn't be surprised.
[00:55:53] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.
