Unlocking the Future: AI is the Key to CISOs Top Challenges

today's keynote is Caleb SEMA speaking about unlocking the future AI is the key to seo's top challenges don't forget that you can ask questions via slido at bsf.org Q&A and without further Ado happy Cinco Deo and welcome to the stage

Caleb hello everyone um today I will be giving a very positive and hopeful talk about Ai and security uh isn't that a nice change right at a security conference um we will be focusing on real issues I call them sort of the seo's top challenges um and uh we're going to do some predictions around how will AI hopefully help solve some of these challenges so let's get started um first I want to set up some basic AI fundamentals uh for everybody I think we need to understand to set the stage to learn about what we're going to be talking about in order to make our predictions let's listen to a little bit about hey what are some of ai's

strengths and some of their limitations now what's really interesting about this is most people thought before sort of and by the way when I say AI I mean specifically generative Ai and in this talk specifically llms as AI but what's interesting is like most people thought around AI it would take all the menial jobs you know very simple tasks automation and things like creativity problem solving uh really great communication then synthesizing information would be the last kind of thing that any sort of AI would take and what's fascinating is it is actually sort of the first thing that AI actually have trended to be very good at um the limitations of course there are limitations and this is really

the view of AI as I think we see it today now one of the best quotes that I think sums up all of this very simp simplistically uh is this quote that someone told me which I I think is very true what is AI like it's a genius 13-year-old who is overconfident with a short attention span and no Street smarts uh if any of you who do prompt engineering or work with AI you're like yeah that pretty much sums it up uh but that's pretty fantastic in the fact that hey this is an interesting thing uh that you can work with so uh let's dig a little bit deeper in some of the fundamentals of AI

uh but in order to do so first I need to give a little bit of an analogy uh around us humans and about how we think or really how we learn things and this is a very rudimentary and I would say explain it like I'm five version of this uh by the way my daughter who is six is also in the audience and my son who is four so let's see if they if that actually this actually works um okay so let's think about how do we learn let's say a new skill so I'm going to take an example like like cross-site scripting uh since it is besides um you want to learn about cross-site scripting so

what's the first thing you do you start reading everything you can about it you read the tutorials go online maybe do a little bit of labs everything different angles different views different articles all of this is being processed by your sort of short-term memory the more and more that you read and the more that you go over it go over it and go over it and you iterate iterate and iterate the more you're looking really for the principles the foundations of what makes Crosset scripting a thing at the beginning they'll be very very distinct oh you can only do Crosset scripting in HTML and JavaScript right like when you're new you just only go by

what you have read but after you do enough iterations you start really condensing this down into what I call working memory this is sort of like abstracting it just a little bit synthesizing it just a little bit oh crosshit scripting is about inputting something getting it reflected back in some way and then what can you do with that and then over your iterations of time let's say working memory weeks months and months of studying cross-site scripting you start gaining more specialized knowledge so for example if you think about over a year of really working on cross- a scripting you can come to bsides and give a presentation as an expert on cross-site scripting you've really become a specialized

individual in your knowledge and then after you do that enough times over years and years of your knowledge it actually becomes part of your foundational fundamental knowledge I'll give you an example like I've been doing Security in over 20 years right it is part of my core it is part of my foundational knowledge what does it mean this means I can instinctively look at any new technology and any new thing and you start seeing the patterns and you start correlating and you start saying oh this does this this does this you you've got it to a point where it's become Instinct this is a little example and again very rudimentary about how we might learn a new skill so then your

question is well Caleb like what does this have anything to do with AI uh and let me get to that because llms today and AI today has some very similar patterns let me here's sort of how to think about this today we have context windows or context memory inside of LMS this is the equivalent of short-term memory it's our 64k of RAM is the equivalent I feel that we have today and then we also use working memory are our sort of equivalent of working memory what people are using is rag all right so or vector databases this is where people are saying hey I don't have enough context window size I'll save it into sort of my Vector database and then

I'll be able to retrieve this information with some level of accuracy and then people are now using whether for wrong or for right fine tuning to start making this equivalent of specialized knowledge okay if I take this open open model I fine-tune it I can get a a more specialized version a cyber security expert a cross-site scripting expert this is how I'll do it and then you've got your foundational knowledge itself which of course is not trainable at all so when you look at this the the difference of course is that each of these phases in AI today is very distinct and very manual there is no carryover from Context to rag to to fine-tuning to your foundational model

this does not happen everything is manual everything is specific and everything is done in a certain order in a certain way however when you start looking at where AI is going in the next year or two years the goal is to go towards the way that we learn so when you start thinking how do llms or AI start learning on their own you start thinking about things like hey continuous or constant fine-tuning and what does that mean perhaps that means similar to computers is hey my shortterm memory or my Ram gets a cache which then may get save to hard drive and this happens automatically and so when you start thinking oh as we move forward

does this goal start happening this is the start sort of press uh uh things that we need to think about as we start making guesses and predictions around how it's going to affect cyber security okay now we've got the fundamentals down this allows us to make some predictions and I actually wouldn't call this much predictions uh around AI itself this is why I've titled this what is here today but is coming tomorrow which is most of these things that I'm about to walk you through are actually here today they're just not really disseminated widely and they're not ubiquitously in our organizations but everything that I talk about here there is already research discussion and if not already products that are

executing on these things so first expanded context awareness today we are working in terms of short-term memory very small amount of memory really the equivalent of again you think old back computer days 64k of ram what we really want is we want 16 gig of RAM and then how do we get that oh this my don't mind my kids uh I predicted uh 10 minutes so this is about right uh thank bye Neo um okay so think about context awareness this is really key right today we've got Gemini with a million token cont text or a million and a half token context but what we really need to start thinking is what if you could have large

large amounts of Windows for example could I pass in a gig of log data into my llm and have it analyze this this is really key because in order for llms to start processing real-time data context windows will get bigger um continuous self-improvement this is what we sort of talked about previously this model or thought about continuous fine-tuning bye [Laughter] Ava um continuous f with I brought my kids because I don't think they know that I do anything so this is like uh the [Laughter] example uh they they lasted about where where I predicted um so think about continuous self-improvement this is this is the ability to fine-tune or learn so take for example the log when I'm

processing real- time data data if I have an llm where it's prompt says hey you're this you're processing log data you need to look for these kinds of things and I'm shoving gigs and gigs and you're just constantly this is the lm's job constantly looking at log data log data log data why should it not start thinking about oh hey I know what my job is I know what I'm good at I can start moving and freeing up my context window and start moving this into more generalized specialized knowledge and then when this starts happening automatically it becomes really fascinating how llms will move forward third localized intelligence uh models are getting smaller and cheaper all the

time you already seeing this apple just released their models uh for what they're going to be doing for on device models you're seeing things that were you that are let's say s say three billion token three billion parameters or 7 billion parameters that are now the equivalent of 70 billion parameter models these things are getting smaller more efficient they're going to be on your watches your phones and by the way don't just think about consumer uses think about Enterprise uses so if these models are local and small and efficient they should be running in your containers they should be running in lambdas like these things are going to start getting to the positions where they can monitor and look at things much

much smaller and much more specialized scale which also leads to the next one which is deciding and acting models right now you see it's a lot of translation it's a lot of creation but when they start making decisions and acting and giving tools so so for example if I give an AI user bin what happens and by the way to all of you guys who I know this is a security talk like all the fear all the all that's coming in your heads please keep it uh I get it I get it but uh you have to understand uh this is coming right so that that is an entirely separate talk of how to secure these

things um and then finally low cost and high performing cost of these things especially at in Cur is going to be driven down drastically um let me give you an example on high performing today The Cutting Edge is around 600 tokens per second that you're going to get on an LM and that is by companies who make specialized chips for this we know for a fact that in the next year or so easily these things are going to think reach speeds at a 100,000 tokens per second so if you think about how instantaneous these things will perform it becomes really thought-provoking around what can be accomplished okay so now I've set sort of this base Foundation what is AI today

how can we start thinking about where this is going tomorrow and now we need to think about well what this what will this enable the Enterprise what will this change when we think in the next couple years um first we need to focus on the Enterprise because we're we're security security is based on the foundations and and what will change in Enterprise says what will change in sec so these are the things just off by the way off the top of my head that I believe will change in the Enterprise as these things start happening first and foremost uh all you know this in every Enterprise me meetings is where decisions happen this is 90% of when how

an Enterprise makes decisions where it goes and its lifeblood is all based in meetings for Better or For Worse nobody likes them but that's the way that it works but this thing all meetings will be absolutely recorded analyzed and notak by AI I have been using an AI Note Taker for six months and it is phenomenal um there is no doubt in my mind that in a year every Enterprise will mandate or at least just for most meetings that these note takers will be present because now what we're doing is we're going to take this eeral data that normally was just in and gone a decision made in one gone in the next these things will start getting recorded and

will be available and will be communicated this will happen and again I I hear the privacy and security thoughts I know I know I know the fear is there um number two wikis Enterprise data that we know is like our lifeblood of what goes on inside of an Enterprise they're great but what's the big problem they're never up to date AIS will start making self-updating wikis that is almost a brainer the fact that it will know and understand some versions of truth will help document these things and keep these things up to date number three uh management reports who here likes to write management reports like no hands okay good uh this I think like when you think about management

reports so like let's just take an engineering example well hey are we really making our projects are we making progress on our okrs well like I need to go generate a report says Hey engineer doing your work well let me check J tickets let me flow that up into some story let me write a report that I hand to my manager who then conal a bunch of other reports who rewrites it again for their manager for someone to say oh it looks like we're doing things right like this is a massive waste of time um and like I actually think AI is going to be very good at being able to do this is the Enterprise will change number four

this will take a little bit of reach but local agents or oracles for every area of expertise AWS and in Amazon is already doing this right where you're going to have a specialized model for AWS that says I know exactly how AWS Works what it does the actions that are needed and I understand your specific environments and the data in your environment and I can be the Oracle of that I can answer and do questions and give you the information you need no longer do I need to say hey engineer go figure out what has privileges around this asset this thing will say not only do I know what privileges it has I can tell you down the line who has those

privileges what groups what groups will then inherit in order to have privileges to this access this will happen think about this for identity think about this for emails think about this for jira think about this for Salesforce these oracles are the equivalent of API end points and what would be really fascinating if these oracles can then start talking to each other okay that's what will change that's my sort of prediction in the organization the next biggest partner of security is engineering so what changes in engineering uh number one I think code and Cloud will become self-documenting already AI is way better at doing uh comments engineering comments than Engineers are so if you take a function call and you

write a comment for this and say hey here's my sort of comments for the function goal and think about that abstract it to then comments to the classes abstract it to comments and story around the libraries abstract that to the application there is no question that now anytime an engineer can change code those stories and comments about how the code worked can be reflected automatically so you can see a document and documents that are built that will reflect the ongoing changes in that code and how that application works similar of course with Cloud because that Oracle will help do that I think you know you've all seen a lot about uh visual studio and about co-pilot and all of the

great things that are happening in this world um you're starting already like when any language everything's about libraries the Lego block and the building blocks that are built coding is all about just how do we glue those things together in order to get what we want I think we're going to start seeing a real Resurgence here around requirements which today most people don't write requirements at all um and and if they do they never are kept up to date but when you start getting where requirements are the things that are key for the AI to start generating the code blocks this then starts getting to requirements as code uh you know trademark pending uh but like this is this is like think

about this also as remember Ruby on Rails like oh it was great because it has this great framework that you can automatically do similarly an example you're going to start doing this on new projects you'll start interacting you'll build a requirement stock it will kick off new projects in a way better way and also even modifying existing projects I also think Integrations will be automatic uh AI is very good at being able to say here's a documented API here are the calls in order to do that can you at least generate me a prototype calling client Library it will do a pretty good job right not perfect but again we're thinking a couple years here

I think this will just happen automatically and by the way if you can self-d doent the code you can also look at the apis you can create the libraries and the other AI can use the library because it's an agent all of a sudden Integrations become way easier so think about product one that should have integrated in product two I think this no longer means an engineer writing code finally uh I talk about localized Mo U models as well think about this in operations like if you go talk to a you know like a u an infrastructure engineer around their on call and their instant response they're like hey 50% of the time the way to fix things is reboot it

or respawn the container kill the instance like that is literally these things this is like why do you need some Junior engineer going and doing this and figuring this out I think models will run locally figure this out and for you and think about this at scale across Enterprises okay now we've got fundamentals of AI how it can impact the Enterprise and the organizations finally uh we get to the security uh portion of the talk so the seo's top challenges uh this by far is the number one question I get asked a hundred times a day hey Caleb so what are the top challenges that you have hey what are the biggest issues that you deal with as a ceso if

there are any cesos in here you know what I'm talking about I would ask you to raise your hand but I don't want to make you a Target so you don't have to uh but like VCS and Founders and vendors what are your problems Caleb what are your problems Caleb so I going to answer this question with finality I'm going to give you the answer to that question that has not changed five years ago and will not change from five years from now are you ready for this make sure you get your phones ready you're allowed to take photo of this cuz you're going to go to a ceso at RSA and say hey are these your

top problems and they go yes are you ready this is this no more you don't need to ask this question here are the cesos top challenges reporting Talent relationships budget and management this are the top challenges they're not very unique by the way to uh security uh oddly enough there's no real uniqueness to these problems and they will never change that's just the way that it works uh of course listen I this is bsides this is a technical security conference I'm not going to talk about the real problems of a CSO I think what we really want to talk about is the top security challenges uh that we need to deal with and so these are six sort of

top security challenges and by the way I did not just come up with these on my own accord I actually talked to over 40 cesos and I Consolidated that data and this actually is the consolidation of that those conversations these are sort of the top six what's also interesting about these top six is like similar to what I just said earlier that really is not surprising like if I said five years ago is vulnerability management a problem you would go like yeah if I asked it 10 years ago you'd be like yes detection and response compliance and measurement like these are all standard same problems that we've dealt with 10 years ago that somehow is still the

problem today right and then she start like thinking about this look a little bit third party Incident Management lease privilege these two you know they've always been in the top 10 and they kind of like you know rotate in and out of the top five but like why you have to ask this question why after 10 15 years where we have billions and billions of dollars in products and Solutions in this market that these are still the same problems right had do are are these just vendors not solving it no that's not true I think you have to look a little bit deeper so there's an underlying fundamental problem that I think glues a lot of

these things together that makes it so it doesn't matter the vendor product we can't have substantial disruption on solving any one of these things because of this underlying fundamental problem so let me tell you what I think the underlying fundamental problems are I think it's about coverage I think it's about context and I think it's about communication these are the three things that today I think really inhibit the ability for us to actually solve these problems at any level of real material ways so let's double click into each of these first let's talk about context context is the who what where why and how of everything that happens how do I get enough information to make a confident

decision about what I'm looking at this is everything so let me give you a very highlevel simple example vulnerability management a key consistent problem why is it a key consistent problem well let's say you get a vulnerability that pops up what happens well it is a CVSs rated High vulnerability how many people here in security operations go oh yeah that's correct nobody because of context the first thing you say well is it exploitable if it is exploitable by whom an Insider an outsider is it only by three senior engineers and one certain account like everything is about context is there compensating controls that are revolved around this like hey is there like is it only available to

authenticated users versus non-authenticated users how hard and easy is it to remediate is a great question for example priority is not necessarily criticality right like it may be a high vulnerability but I may have a medium vulnerability that is a patch that fixes 70 other medium vulnerabilities that I know who the developer is and it's a non-breaking change and he will make it super simple and there's no testing evolved that goes up in priority right so but there's no people look at this as well criticality equals priority this is context um so when you start thinking about context this is why every single alert is just not actionable because you have to ask the context questions so let's go

through a real life example uh that I have been through and experienced just to bring it home um I picked this one it's the S3 bucket example um why did I pick this B I know because every single one of you has experience with this you've gone through this process it is the public S3 bucket which is the bane of our existence so let's talk about what happened with me um so we get this report High issue says hey you have a public S3 bucket we're like okay great first of all we have lots of public S3 buckets so how do I know this is one that's not supposed to be public so the team goes well we

have a list of the ones that are supposed to be public right like yeah I think so oh well where is it um I think it's in this Excel spreadsheet oh okay let's go look it up open the expel but by this is really what happens uh okay here are all has three buckets that we know are supposed to be public hey when was the last time this was kept up to date uh I'm not sure like maybe a couple months ago okay well it's clearly not in in that list so all right well then what's in the S3 bucket so you know it's a pretty big S3 bucket there's a lot of data in it so you start sampling like

let's start looking at the objects in there and then things start getting a little worrisome oh hey there's a there's some pretty sensitive data there's customer information in here there's pii there's some sensitive configuration oh there's some keys in this bucket what in the world is going on all of a sudden now it starts going into more incident response mode and then people start saying well who owns this bucket where did it come from how do we disable it so then we start saying well who owns it well okay well let's go to our cspm all right cspm inter bucket name nothing okay well uh let's go to the infrastructure team hey infrastructure team do you know what

this bucket is I don't know I'm not sure uh go into slack search all conversations in slack engineering for bucket name oh here's some stuff that pulls up go in jira search for jira bucket name oh here's some stuff that pulls up and then you start figuring out okay what's the picture and what's going on with this bucket this is context this is why one vulnerability alert that shows up in a dashboard requires a massive amount of work which is the iceberg underneath the water uh this is why things don't change because I have thousands of these things and thousands of icebergs under the water that you've got to deal with this is context very

critical and done with everything all right let's go to the next one coverage coverage to me coverage is probably and I'm going to you know stick my finger in the air and this my only opinion but I think 99% of breaches are caused because of coverage um I think it's all about the width and the depth it's not a matter of do we have the technology to detect it it's that we weren't there to see it or it fell through the cracks this is where cover makes the biggest impact let's give an example let's take the S3 bucket example that we just talked about so of course what we end up find like the team is

like well how do we not see this why is it not in our environments so here's what we ended up finding we ended up finding out that an engineer took their corporate credit card signed up for an AWS account launched this S3 bucket as a prototype partnership with our partner just to test it out they just wanted to test it out but of course we all know this testing turns into prototype turns into V1 turns into V2 and that bucket never changed and the bucket never got incorporated into our account it just ended up becoming used with our partner as its transfer mechanism well what's really fascinating about this is as a security team were like well hey we have

scps that say you cannot have public S3 buckets unless you go through our ticketing process which ironically enough is the exact reason that caused this cu the engineer is like well hey I'm just testing this to see if it works right like I don't want to go through the process of getting security to approve this thing it's painful I'm just going to go over here and Shadow it this thing and this is now the width of why coverage is key now we would have never seen it it was never part of our environment it was never part of our rules it went out of band here's where it get becomes even more interesting depth well in that S3 bucket there was

huge and huge amounts of data in fact as we were going through it we identified and engineer accidentally uploaded their entire home directory into this S3 bucket this is not a joke people this really happened I'm not making this up their entire home directory was in this S3 bucket containing all of the source code all of the keys all of the access this thing was everywhere and of course you start going well did anyone access the keys and then your next question was well how do we determine that does this S3 bucket have logging on it well no of course not it's in this thing there's no log on and even if we did have logging

we wouldn't have object level logging because that is just you can't do that the performance and cost is way too much right now that's an example of depth why in the world shouldn't I have logging on every single axis on every single object well it's just too intense too much too expensive it just can't do that I miss the incident I miss the content because of the depth the coverage problem okay by the way there's so many examples of coverage I could give hours of conversation on this but I just want to do a few more let's take for example account takeover I have a policy that says all employees mandated toofa how many people that's a good policy to have

we should make sure we do it are we doing it yes absolutely hey what happened is one of our uh social SAS engineering platforms got an account takeover and that that person was in the account and we figured it out and I'm like well how did they do an account takeover don't we have tofa how did they bypass the tofa oh well unfortunately we had these were some contractors that we made an exception to coverage fell through the gaps okay well hey we're doing postmortem on a security incident how did we not see the lateral movement of this guy doing this to go do this well we're missing the logs or even worse the fields of the

events that we needed were missing well why can't we do a detection of this and I'm going to give you a real example a very popular software well we can get events for login failures but there's no event for login success so that means we can't look to see if brute forcing and a successful brute forcing right so well who logs login successes no one's going to log that like happens millions of times a day right or here's another one well I thought we were getting logs from there what happened oh well uh the log stopped being sent to us like a couple quarters ago well what happened I don't know like we're just no longer getting

the logs anymore this is coverage and my final one I won't go through all of these but the final one is how many of you have the thousands and thousands of vulnerabilities that are medium and lows or in your your your uh your sim or detection response system of alerts that are mediums lows that all need to be triaged and you will not do medium and low triage because you just don't have the time you don't have the resources this and yet we all know the attacks happen through a combination of medium and lows it's never the high that the attacks occur it's always the combination of the medium so it's highly likely that most attacks

who did occur you actually saw it you're you the event was there it's just no one looked right okay last but not least before we start getting to the fun stuff communication uh this is the most important and biggest waste of time and you might say Caleb that's a man come on that's a little uh it's a little rash to say it's the biggest waste of time uh but let me give you some examples first of all your manager or let's say me as the ceso I come over to you and say hey how are we doing on these okrs how many of you had that question uh asked in you're doing yes of course this

is this is this is your your status reports that you need to go WR and then what do you have to do you have to go and say okay I need to talk my manager to talk to other people to talk to ICS to write their tickets to do their stuff to manage these things in reports we talked about this a little bit earlier I would say 20% of any team's time is probably spent basically justifying their existence am I actually doing work or I might not that is what's happening and it goes up the stack because the ceso needs to do it for the CEO CEO needs to do it for the board like it all

just is levels of abstraction of reporting what if I ask a question like what is the risk of this asset well actually in order to get the risk of an asset that requires a lot of work I actually have to go into my cspm dspm aspm am in order to generate reports around one particular asset because none of these products talk to each other one asset both is an application it has data it's in the cloud it has privileges why do I have to go to all these separate products to generate data in order to mash it up to hand it over to you so you can look at this and say okay it looks

okay right it's super painful um and of course like why did we not fix this issue hey I we reported this to engineering uh engineering said that it was going to be fixed but yet we retested it clearly wasn't fixed the issue is not closed what happened oh engineering didn't know that was that a high priority so they just they scheduled it for next release wait a minute this is a huge High PR how did they not understand that and why did we get this notification only after this has happened well none of the communication happened right or finally uh can we trust you okay well there's a vendor okay well as a vendor I'm going

to sell you I'm going to send you a big long Excel spreadsheet with a bunch of security questions you're going to fill that out and you're going to lie to me and you're going to send it back to me and I know that you're lying to me and I'm going to say okay so we can c ya for legal right this like this is terrible right this is communication why how is there not a way that which I you can you can distinctively say I here's a way that you can trust what I'm saying right in the right way without you also offering it to be a security risk this is all about communication and to me

communication is about translation right it's about translating a version of the truth to another thing or another person whether it be reports whether it be system to system whether to be Auditors Regulators Partners it's about translating some version of Truth or quote unquote truth into different audiences okay so now we've talked about the three context coverage communication so what do we do about these um this is where I think AI works really well so if you think about what we talked about previously where we were looking at how did AI work what are the things that it's good at it's good at translation it's good at synthesizing data it's good at being able to act and do tasks these

are things so let's take coverage for example what would you have 10,000 smart Junior security Engineers do or if you remember the beginning of my slide really smart 13-year-olds uh you know who have a patience problem uh but what would you have them doing if you had 10,000 of them let's take an S3 bucket for example I would absolutely have that engineer go through every single S3 bucket object I would absolutely have that engineer go through every medium and low triage event right and by the way this is not fake there are companies today that do this right that will triage becomes a non-existent problem because you you have such level of scale all right uh I would have them go

through and say every single engineering discussion is there something security related in this every requirements document that's built is there something security related to this every code that is committed what's going on here that can affect security 10,000 can now increase and make substantial material difference in the way that you do coverage that is a massive massive difference context this is the hardest but I also think is one of the things that is very very doable today which is when it comes to context I can actually have Oracles of information and you can out these agents can go talk to other agents and pull that information out synthesize it properly and then present it communication it's just all

everything is just about the ability to effectively uh communicate it to the Right audience take data synthesize data format it and translate it for the right people and by the way chat Ops is back like this is very doable with AI in a real way if you need context you can just slack the actual engineer AI can sign and have a decent conversation with that engineer and ask follow-up questions and get data synthesize that data and send it back to you this is doable and is being done today right like this is where it makes very significant changes okay now what I want you to do is take a little bit of a journey with me um and let's say now

that all the things that we've learned how would this show up tomorrow so I'm going to go a little bit of what we see today and then how should this look like tomorrow assuming context coverage and communication are pulled together properly in AI in the next year or two all right so so today I sit down at my alert console and I get a detection alert that says a new outbound call to stripe.com was identified and you look at that and you go yeah that's pointless and useless is is it is it supposed to again context context what what's who what where why well what happens tomorrow tomorrow this changes it is now being allowed oh

that's interesting this is expected behavior and is considered a low risk for the following reasons number one stripe is a trusted provider and outbound calls are only allowed number two engineering documentation and discussions have identified stripe being the new accepted payment provider number three the stripe libraries were introduced to the code repo payment lib on this date number four a discussion with Cosmo who is the active contributor to payment lib occurred at this time frame via slack and he did confirm stripe.com as a domain should be allowed wow guys like this is come on like wouldn't that be amazing wouldn't this be amazing if this could happen let's do another one vulnerability management today we

get a cross-site scripting issue was identified in our internal CIS system via the case commenting function great what about tomorrow well it's located here the total exposure time was 22 minutes what oh that's interesting at this time frame the issue was identified via the nuclei assessment that was done and here is the bolded part by the way the issue is rated low risk due to internal system limited authenticated users required and on a staging system wow this is doable this is totally doable the issue was then introduced in the last push to staging the code that has the vulnerability was found to be introduced by Josh Smith a fix with a PR was submitted and Josh was notified via

slack Josh has recognized this issue and has accepted the pr a new rule was added to semrep and the requirement stock was modified for this type of issue that's fantastic now I can just like I'm going to go like hang out with my kids job's done let's do one more uh your requested approval settings are high for any Crown Jewel trust zones a request for delete access for rooll SP report jam on S3 bucket this bucket do you approve how many forfill this how many of you hate this process it's terrible well do I approve do I not approve do I delegate like I don't even the people who are delegated to The Experts still

don't know whether they should improve what does it look like tomorrow our recommendation is to Grant access for the following reasons this request was made by Martin Bryce who is the principal engineer of the data infer team who has ownership of this asset oh that that is context that makes a big difference meetings with Martin and The Bu Business Media team discussed cleaning up and discarding reports on a regular basis on this date oh okay that adds some more value to this jured ticket 2928 was filed with a request for expanded permissions for regular cleanup activities okay also very good the requirement DOC for the SP report gen role was added to have delete capability

and finally we reached out to Warner brondz who is the head of security engineering via slack at this date who also says we he gives his approval for this you know what absolutely approved move on and then like last but not least status reports uh for example I have a very simple ask I have a set of crown jewels and in my crown jewels I want to do lease privilege and all I want to know is hey how many accounts have been reduced and I want to know of the accounts that have to be there how many privileges have been reduced that's it and all I want to know is on a day-to-day basis are these things

getting lower and that doesn't require people to go do work that just requires an automated thing to do the right pull the right data which is easy enough translate that for me and produce what I have here okay so I hope you've enjoyed sort of this journey uh I look forward to all the startups that might come out of this and maybe make our journey a little bit better okay thank you any I guess uh any [Applause] questions I how how much time I had three minutes for questions three minutes for questions okay um are there any there there are some but I was not ready to read them because oh with three minutes I could probably

answer one question so all right do that one question with upboats um what are some potential real world challenges using Quantum Computing with artificial intelligence I have no idea um I am not I I not knowledgeable enough that that subject I don't know so I guess that is the answer to that question all right fantastic thank you so much Cale we really appreciate you