Your AI-Cybersecurity Crash Course

My name is Josh Rivera. Raise your hand if you guys been here before. Welcome everybody east side. Before we begin, got to do a quick shout out to all the sponsors. Well, the hand platinum that we have here or we'll start with diamond USA St. Mary's platinum sponsors. we have here sponsor Toyota systems and then now we're going to turn the stage over to Ryan and then let's go ahead and give round of applause. All right, thank you again everybody in Ryan. Um I was up until 3 in the morning making these slides. There's 33 slides in 45 minutes. So we're going to get started now. Um, I'm going to preface this with um, I

actually built this by hand. It was my human mind and of course mostly for my own research. I had an AI build an image or two. I had it summarize some of my speaking notes, but this is this is still me. So, take that or leave it for what it is. Um, oldfashioned research, blood, sweat, and tears. Um, can everyone hear me? Okay, triple checking. Thank you. Um, and while I did have a lot of people say, "Ryan, just make the presentation with AI." I'll tell you, I actually tried to. I loaded in what I wanted. I gave it some, you know, examples and I was really disappointed. So AI still can't replace me. Or maybe

my prompt engineering sucks, but in the time it would have taken me to finalize the prompt engineering, I could have just done it the way I know how. So just wanted to put that out there. Um, this is an AI crash course. Um, because I have run into people, especially last year, they're like, Brian, what is machine learning? What is AI? What does this mean? What does that mean? I don't know where to start. I don't know like how to jump into it. And I think our industry is waiting for some sort of formal like, okay, let's go. Like the race is started. I picture it like a marathon. But you don't know if you

don't know AI is the marathon started. The race has begun. Why you're at the start line? I don't know. But I get it. It's hard to jump in. I had a lot of those feelings when I first jumped into it. I didn't know what it was. But a year ago, I heard what a GPU was for the first time. If you don't know what that is, that's okay. I'm going to get into it in a second. But now I know a little bit more about what a GPU is. So I did say I'm going to be really pressed for time and I usually love questions and I say interrupt me, but I am going to ask

that you hold them to the end because I know if you are new to AI and you're in cyber, you're going to have questions and we're going to figure it out together. We're just not going to do it in the next 45 minutes. We're going to figure out what we figure out and then we're going to figure out what we need to figure out. And I'm going to leave you here hopefully with next steps because everyone here probably has a little bit of a different background and probably a little bit of a different focus area because cyber security is a really big place. So this is me. Don't worry about me. Forget about me. I'm

just going to tell you really quick. I'm not an expert. I'm not. But I've been learning about AI for a hot minute. And again, like I just said, I keep meeting people who don't know what like where to start. So I've started I like to think if I'm in a marathon, I'm at mile five and mile seven. So, if you're like, "Hey, I'm I don't think I'm there yet." This is totally for you. Um, uh, let's see. And even if I was an expert today, a year from now, if I didn't learn anything, I wouldn't be an expert anymore. So, AI, just like cyber security, keeps evolving and changing. So, if you haven't started, like we need

to start now and you're doing it by being here. But, uh, you know, let's we're going to start with the foundations of what AI is, what machine learning is, what some of the other aspects of it, where cyber starts to come in. So that again, you're not going to walk out of here an expert. You're just hopefully going to have better familiarity with the terminology and how it is impacting cyber security. Um, okay. So, the biggest thing I'm going to start off, I just realized my slides did not change. I'm so sorry. That's me. Like I said, don't worry about me. If you really want to know about me, check out my LinkedIn. If you

like the sound of my voice, I've been on podcast. If you don't, listen and I'll put you to sleep. Okay. One of the biggest things about AI, AI is everywhere. Everyone seems to be having FOMO. They don't put the AI in their business now. They're going to get left behind. They're afraid of being left out. People are doing the whole yolo thing now with AI. But just like anything else, we need to define the problem in cyber security in order for it to be effective, right? We need to align to the business, right? We can't stop the business. One of the best analogies I've heard is cyber security is the brakes on a car, right? It's not

because it stops the car. It allows that car to be a format and go as fast as it possibly can, but when it safely needs to stop, it's there to stop because if you're driving a foret and you're going as fast as you need to go and the brakes don't work, it's really bad thing, right? So, that's what we do in cyber. But with AI, people are putting it all over the place. Has it actually made the world better? Has anything actually gotten fixed? I'll be here to tell you it's actually making things worse. Whether you know that or not, it has. Um and more importantly the way to approach it is you need to again start with the

business need. So us in cyber security if you know what it's like to align to the business needs AI needs to be the same way. Now whether or not in your role you get to do that that's going to be a different story because from a cyber security perspective we're here to secure the adoption of it. So the business is going to identify whether or not they think AI is the solution but we need to be at here from the perspective of hey can we secure it? Um, I find this really funny also. I'll just add because especially after the pandemic, especially in cyber security, we all had to learn what cloud was, right? We had to learn how to secure it.

I don't think you're going to find a security doesn't know that we have cloud environments and know some of the basics. What really keeps I say keeps you at night, but what really surprises me is we haven't had that with AI. Um, and so I know everyone is probably afraid that AI is going to replace you, but it's only going to replace you if you're not using it. So why or why is this actually important to us? Why should you be in this room? And it's not because you should just know I you should know a bunch of things maybe or you should. I don't care. But the way I see this that I will add value is

we've all heard about a cyber gap, right? I just read this morning and I was rechecking with some chat and stuff on speaking notes that it's actually potentially up to 4.8 million people, but it's going to get reset. By the way, fun fact for people who love metrics in our profession, I always find it really odd that we're not measuring our progress. So, do you measure salespeople in this? Do you measure CIS? Do you measure bachelors in cyber security? because I promise you I know people in cyber who don't even have none of those military veterans you know people who were in I have no people who are CISOs that have a degree in biology but for

the record the limited information I have found and I've looked this up for a few years is there's almost 5.5 million of us globally which that usually surprises people because we're always told we're such a small industry um but why does that matter for AI am I talking too fast I know I talk okay cool Um, just checking. Just checking. Okay. By the way, I tried to make this image something totally different with traffic because he lost my fight with it and I just gave up. So again, hey, the like AI you have failed me. And he's like, let me know or she I don't know whatever. It said let me know if you want to try again. I like I don't have

time. This is some basic math again. Why are why should we care about AI? I just told you the cyber gap might be as high as 4.8 million people. It is in my mind going to get reset to nine because I just said okay we have 3.5 million gap we have 5.5 million people in it if people don't know AI that's 9 million people that don't know how to secure AI systems but with the cyber security integrated to where it needs to be. So thank you for being here today. Hopefully we can make this, you know, never I know we want to make our cyber, you know, gap number zero because we know it is so needed. But that is

another reason why we need to make sure that we're always learning what we need to be, you know, learning and being open-minded and figuring out, hey, what's the next thing because I promise you 10 years from now is probably another thing. I don't even know what it is yet and I don't care because right now it's AI. Okay. So, I was uh in the US Air Force as an intelligence analyst. And I think that's great if I do say so myself. Oh, yeah. Little AI because I like to think of things of I always talk people like, okay, what is there data? Information and intelligence, right? Data is wrong. It could be the temperature outside. Uh

information be like, well, is it normal or is it not normal for where we live? Information could be there might be a tornado tonight. You need to take cover. Right? It's timely. So in a similar way I like to break down okay what is automation what is AI and I totally said if you've heard me before I've stolen some slides from some of the trainings I've gone to I've asked and they're here for you I've gone to trainings I've been reading books and I'm trying to help you guys so this is new you can use this too okay I like how they broke it down automation whether you code or not it's going to be rule based okay I'll give

you an example if you have a car or a truck or whatever you drive or not doesn't matter and it says hey your tire pressure low. There is a code somewhere that says if this is the sensor that's reading, then pop this light up on the dashboard. Or if there is a you're going certain speed and there's something in front of you at a certain distance, hey, you might need to stop on the brakes. But nothing happens. Just a just a light or a sound, AI makes decisions. This these are the new little self-driving freaking annoying cars that you see doing stupid stuff probably on YouTube channels. If you've been at RSA or even Austin now, we have the Whimos. Okay,

these are the ones that make decisions and we don't know what it decides. If it has to choose between keeping the person inside the vehicle safe or running someone over, that is a decision, okay? That someone had to set it to make based on some level of data. That's what AI is. People think that anything that's on a computer that is that is automated is oh, oh, it must be AI. Oh, AI. It has a brain. It thinks for No, it's code. I don't know what language it is. I don't care. It's code. If this then that. That's how coding works. If you don't know that, I'm happy to also talk to you about that, but that's a whole another

conversation. Also, pre-warning, every slide in my presentation today, I could have made you an individual presentation. Like that is how deep and vast everything goes. So again, crash course. Appreciate you guys staying with me on this. Um, I will also just highlight on this AI is a broad concept increasing and evolving its capabilities. It resembles the creation of intelligent computers that can mimic human cognitive processes. What I want to really step on is when it makes decisions, it can also make bad decisions. People think that because it's not a person, it doesn't have emotions. It didn't have a messed up childhood like half of us that it's going to be perfect. It's going to be no

because we had messed up childhood or we had something bad happen or we had some sexist or racist thing in our history. And that's a reflection in the data that we're growing into AI. And I'm gonna get into that a hair. And trust me, if I had all day, I would talk to all day about it. But we only have some time. So, I hope that this is helpful. I hope that this starts to break it down. But I need everyone to know what AI is not before we jump into it. So hopefully that gives us a good start. Let's get into AI. All right. So here's some terminology. My sl change again. I'm sorry. I have

like separate notes like what is AI? This is literally where I get people like what is machine learning versus AI? What's the difference? And I'm like okay cool. So AI is the bigger encompassing this this is this is all in the realm of AI. Okay. This is Disney World and machine learning. Um machine learning is really like the engine underneath the hood. uh machine learning is a subset of AI and I have a lot of notes so bear with me. It allows systems to learn from data instead of being explicitly programmed. That is the difference. That's what makes it different from automation. It also so it finds patterns, it makes predictions, it takes actions based on

experience and the power line lies in the training of realw world data. Again, that's where the problems of the world come in. If you're training on real world data, you probably have real world problems, right? So, uh, finding high quality, unbiased, perfect data, it's a dream. Okay, let's just be clear. That is a dream. It is expensive and it is next to non-existent. Neural networks are a type of machine learning model. They really are like supposed to be how a brain works. that the way that they are aligned is really supposed to be how the same way that we think and make you know uh analysis and and make connections and then deep learning takes neural networks a step

further. It's a multi-layered network for whatever it's worth that can analyze very complex data like images, audio or natural language. I'm going to get into this in about five minutes of what structured and unstructured data is. But it is very important to know that that is some of the magic of AI is that it can go and analyze these unstructured data and big data. So a lot more data than normal to me. Um so uh natural language processing is what takes our human you know interaction our our communication like hey I'm thinking this make me into some superhero. I want to be a superhero cartoon and a JPEG, whatever. Right? It's kind of like how a DNS works. You

might say, "Hey, bring me to facebook.com." And it's like, "Okay, I'm going to really go look up the IP address. That is what natural uh language processing is. Um, and kind of the backbone with AI where security comes into this. And I know this is so sexy and exciting. That's why you guys are like, "This is awesome. I'm giving you guys your car coma and you're going to fall asleep." It's fine. Again, it's fine. I might take a picture of it. It's cool. I get it. I'll let them know next time. I want first thing in the morning. Kidding. Um, securing of AI and machine learning is separate from using AI and machine learning in cyber, right? So, people are

going to use AI and machine learning in healthcare. They're going to use it in legal. They're going to use everywhere. I just told you their phone. Everyone who can use it is finding a place to use it. It's amazing how they never have budget for cyber security. Oh, but now we talk about AI and it's just fix all of our problems. Throw throw the budget app out the window. You can have whatever you want if we can make it faster, better, prettier. Even though what problem could it solve, right? And it only opened up more vulnerabilities and data leakage. Yeah. Fun times. Keep that in mind. Securing it and using it. Two separate wheelouses.

Um, I like to show this picture as well. It's a lot going on. If I had shown this at the beginning, I'd be curious if at this point already you're like, "Hey, I can start to understand that." I don't expect you to get up here and give the presentation because that would really kill my thunder. But hopefully this will start to make some sense. And when you see more of these kinds of images, you understand the the onion layers a little bit, just a little bit. Um, no one's saying that in order to do this in cyber security, we have to be able to understand this and and be experts in it either. we just need to know where we

fit and how it applies to our new our new way of living. Um, so let's see.

One of the things I want to hit on that I've heard also from people, a lot of people in cyber that like, yeah, right, I'm trying to I'm trying to be AI ready for my career in cyber security. I'm trying to make sure I'm part of the the next wave. I'm trying to make sure I know how to do engineering. So, I'm going into chapter 18. I'm asking this, I'm asking that. I'm asking this. And I'm like, first of all, if you actually want to, you can get really good at content engineering. Go find like different models. Ask it the same thing and look at the difference. Then go ask Paul, go ask what rock. Go ask all these

different models and and then start doing. But that's not what that's not what being good in AI is for cyber security. That is like saying I can use a calculator. Okay, that's cool. But how how much math can you do if you don't know how to do algebra or trigonometry? that calculator is not going to be much value to you uh if you can't figure it out right the the bigger realm in the bigger picture. Um

all right, one area that I love to start with is that AI has been around longer than you think. Sure, AI has been in the headlines in one form or fashion for about five or so years. Maybe you've heard of it a little longer than that, but did you know that coin the term was coined in 1956? Older than cyber security. So this to me, by the way, I Googled this, not AI. Fun little oldfashioned Google. Anyone remembers what that's like? Um there's a lot more history. This is just a highlights and even then I like to do um little bit of pretend this is a whiteboard. If I could I'd circle up there but as

you can see I know the colors aren't great right so 19 is a 55 artificial intelligence is coin AI experience is the first AI winter so there was so much hype about AI and so much funding being thrown into it in the the 70s the 80s but they didn't get what they wanted yet they didn't get their ROI and it actually they call it AI winter kind of just stopped it almost like in a way disappeared in my instinct uh but it didn't you know they they just were hoping to have the level of AI we have now been a whole other section of how he also felt about that with facial recognition. If you can imagine that

when they were trying to really just have digital cameras for the first time. Um and then the next is like 2014 um an AI system successfully you know tricks judges and then really 2018 um now college and I'm sure we you remember that more rec to recap that but I think it's important to know that there is a lot of history here and I think it's important to know because if you don't know it right history repeats itself. So, when you're looking into it, might be helpful just to look at the history and understand the the pros, the cons, the challenges, the benefits that it's had. Um, it definitely I think surprises most people when they start digging in. Um,

but anyway, I just think it's really important to know that it's older than you think. It's not as new. So, who builds AI? I'm just going to throw my notes up. Again, I like to think of this as like whiteboard style. Um, who builds AI? So you have the math the math is where the algorithms come from the the different models and the different ways right they will take different data and make different correlations that's math comes computer science right so these are soft this is a software system whether it's on prem or in the cloud it's still software um and then your domain experts oh that one load so again are we trying to figure

out you know are we loading healthcare data are we loading legal data are we loading human resources with uh with processing. You know, anyone anyone been laid off for trying to apply for a job? You know, your resume is probably going into an AI system, right? You need domain experts that are supposed to tell you how to find the right job. Now, again, there's some biases built into it, which is really unfortunate, but again, get to that in a minute. Um, you know, there's different areas we need to figure out where the compliance because the compliance isn't driven just by AI and I will get into AI regulation later. It is still driven by data. So

whether you put your data on a USB and you work for a hostel or you put it into an AI system, that's HIPPO. If you have data that that you know is credit card data, whether you're storing it or translating it, whether again it's in AI that's on prime in a small language model or a large language model, SPCI that that part as cyber people, we know we need to know what we know, right? We know that part. We've never cared where the data was, you know, as much as we want to know what the data is first, then we want to know where the data is, and then we got to make sure it's

secure. So, if it's in an AI system, depending on where it's in the network, we need to know how to secure it. We you guys with me? All right. Just checking. No one's like really left yet. So, like thanks guys. Um, all right. So, what is the AI life cycle, right? So, um, I thought this was kind of cool to just kind of showcase like, okay, I just talked about data data collection and data preparation. the way you would prepare data to go into whatever system of AI, you know, largely or following model, right? You have to prepare that data. You have to uh also one of the areas I find really surprising with AI is when when they do

have that data and they do model training. Anyone here can know that in dev environments you're not supposed to use real data. >> Okay. Yeah. But do you know how expensive it would be to use like you know like we know this? Why are we reinventing the wheel? Um so and then testing the the model uh and review performance right so you have that kind of in the middle and then you have you know deployment and monitoring just like any other application or system right we deploy it and we monitor it the only difference is AI will have to remain having human oversight not from like a stock operations that too but to make sure that hey it doesn't start making up

its own mind to I don't know start like doing bad things and it stays within the the realm of the guardrails and it does just like anything else and it operates how it's supposed do, but it's going to require a lot more care and feeding, and that's why it's pretty expensive, but everyone's, you know, again having FOMO. Um, another common problem here is something called overfitting where a model memorizes the training data instead of actually learning patterns. I don't know if anyone here has ever taken a test, you memorize the definitions, you come up with whatever like, hey, this is that, this is that, but like if you actually do the thing, right? like maybe you know what IP7 is but you don't

know how to actually do the math you know configure a few things or maybe you know like you know again the definition we don't actually know how to do it models can do that they're based on humans we know we're not perfect this is not like a better version of us um so you know that is one thing to look for um and there's also a growing concern of model poisoning so when someone sneaks in malicious data obviously just like everything else uh via a prompt or data set it can alter the model's behavior over time Um, if that's really interesting to you, I can connect you or or tell you who to follow on LinkedIn.

Thank Johan. He's been like meeting some of that AI red teaming. Really awesome. Um, another problem if you think of it this way, again, large data sets, sensitive data, you finally get an LLM to do what you want it to do. This arrow, if you add new data to train it on, not new data like, hey, upload, you know, a PowerPoint to ch say, hey, make it for you. That's not you add new data to the training, you have to retrain the whole thing and that can be very time consuming. And then what are you going to do? Make a duplicate. This has more data that we know what to do with you're going to make two of them. Where are you

going to store that? Anybody here ever used? We all know log prices, blog storage. Yeah. Well, the same thing is happening especially because these are processing big data. So if god forbid you have a model and some sort of malware gets into it, I told you about machine learning. Has anyone here heard of machine unlearning? Probably not. It doesn't exactly work that way. Once it's in there, it's in there. So anyway, these are some of the challenges that are hitting the cyber, you know, and AI community that they're figuring out hopefully as fast as they can. But it is good to know that this is where we're at. So, I hope that that is helpful um just for like, hey, this is

where we're at. Like, I didn't say we were done. I said we just need to there's a lot to learn. Like, we just need to get learning. So, I mentioned before structured and unstructured data. Up until now, most of what we do in cyber security, if not almost all of it, is structured. We use logs that's structured, right? Uh we we try to, you know, load things in. A lot of it's been structured. the way we kind of work a lot of things are in structured but you know you look at your phone you got photos you got email right our DLP solutions right now I think everyone knows they're okay like they work we have data classification but

what do you do when you have unstructured data increasing and increasing increasing right I mean when you have an X-ray I'll go really quick to actually the next slide for my example this is unstructured right the way that AI can analyze the X-rays and detect whether it's bronchitis the breast cancer whatever the tumor whatever science that we can't see in the human eye that is it analyzing unstructured data the one up above which I randomly also googled it by the way Google like that is structured so that is the beauty of AI is that it can actually analyze unstructured data especially like facial recognition right if half your face is covered or you get a side for a while it it analyzes so

much it can still still identify you. I mean with some level of you know error margin but that's not how structured data works right it's either matches or it doesn't um

so when we talk about big data I thought this was really cool it's kind of like the CI triad can't speak but for big data so it looks at four things volume velocity variety and veracity so volume obviously the size deal big data sets um velocity data generated quickly. I mean I could get here and take a thousand photos within 5 seconds, right? We know with the world we're working at is getting quicker and faster. I mean I would tell when I was growing up I had a disposable camera. I know I look down not as much as I look, but I had a disposable camera and you have to take the damn thing to like

Walgreens or even before that, you know, go print it in a camera room, you know, in you know what I mean with the film. So you probably only took one family photo a year, you probably could take 10 every one if you have a oneweek family vacation, take 10 before you have your first cup of coffee, right? That's increasing data. All of us are increasing data. The increasing size of data we probably put on social media, increasing the amount of data we're using at work, right? How many how many copies of a document can you save? Um so from a cyber security we're going to standpoint we have to evolve both in scale and uncertainty. Oh sorry I lost

my voice. Variety mixed data. So we're also mixing up the types of data and veracity. This is all about is the data reliable? Is it is it uh inaccurate? Is it flawed flawed data? Right. So right because in with structured data if you're missing something like that doesn't work. It's like, "Oh my gosh, you're missing this field. What do we do?

So, what are large language models and what are small language models?" Now, large language models, I think most people have heard of, but hearing about small language models and understanding, I think, is an area that hasn't quite made the headlines yet. But that's okay because you're here and I want to tell you anyway. Um, so large language models, let's make sure we know what that is, not just have heard about it, right? Get on the same page. Uh, wait, what am I doing? Oh, I think we're doing that. All right. Um, we're halfway on the slides, so thank you guys. We might be ahead of the curve. I might have time for questions, so don't forget them. Um,

large language models are powerful AI systems trained on massive data sets. Uh, often at the scale of trillions of parameters built using deep learning, especially transformer uh, architectures and can generate content, summarize, translate, and even analyze images and other types of data. Right? So, examples, OpenAI, GPC, Google Gemini, Microsoft Copilot. Hopefully, we've heard of these. They're often cloud-based and general purpose models, great for broad, complex tasks, so everybody can kind of figure out what they need. Small language models. They are compact, lightweight models with fewer parameters. Um, they're usually built for being faster and being more efficient, um, easier to deploy, but typically on prem. Um, so like maybe you put on your your smartphone or your

laptop. Um, they're very specific focused tasks like customer support or mobile apps. An example would be the Microsoft, if you heard of it, B3 Mini or Llama 3. Um, and you've probably noticed if you're interacting with an LLM. Um, but what you might not have known is if your data passed behind the scenes through a small liquid model. So to me a quick analogy would be um if you think of Microsoft co-pilot as your cloud-based executive assistant who can do anything um you know it's powerful but centralized the B3 mini is like a smart local intern faster maybe focused uh but runs light on all the capabilities. LLMs offer power and flexibility while SLMs bring speed more privacy and

portability. They're both crucial but serve uh very different roles. Just kind of wanted to summarize that. Um so this is where I think there's a lot more fun too. So I just remember where LLMs are. You might have heard of uh chat bots in a so where does all that fit? What are these terms? Are they the same? Are they different? Um they are used interchangeably and no one has died. So there's that. At least I don't think so. Um, so again, LLM like a massive database uh you know that you can input data and it can maybe help make new data or it can like help you you know find some research. Um whereas chat bots what's important I

want to indicate here like chat bots from a while ago that was not really AI that was more like if this then that maybe this right you ever you ever anyone have pain no maybe okay I was like some bookworm exo whatever stupid thing that's apparently what I identified my soul the first like dreaming um yeah I don't know okay what was that thing yeah funny how things change uh talked to some bot And then it's like doesn't you're like oh this has to be blocked like it's obvious like it doesn't even know to tell you like you're trying to like this that and the other it's like what right just to be clear that was not but these

chat oh I meant to add it they had a conversation heck they might have such a good conversation I'll be honest I I thought they came um yeah I was on like Bumble or something this guy's photos look probably way too good to be true what why this guy I thought because I'm used to only humans being on these things. So I quickly because I was like something's really off and not I'm like it's either he's going to kill me or he's a bot. Like I really said something's really off here. And I had really bad dating l I'm single and it's that's a whole shitty story for another day. Um anyway, this guy I'm like, "Okay, I'm

going to ask him FaceTime." He's like, "Where do you live?" This and that, by the way. So, he said, "I'm good." And he's saying things that start really quickly not make any sense to either. And so, I start asking some questions. Answer not making sense, but like they're making he's like, "Oh, like are you new or are you stupid?" Uh, and I don't know anyone knows how how serious people who are kosher. He's like, "Oh, coacher." I'm like, "Okay." Um, so I freaking like, "Yeah, let's take time." Like, "Okay, I'll take time." And his arms were out. And his face did not match the pictures. I was not sure anymore what was going on. Uh, but it was very creepy. And more

so was I don't know what he wanted. Was he trying to steal my identity? Was he trying to steal my information? Like I was like, was he going to ask my credit cards? Like what where was he going with this? So I kind of feel bad because I don't know who else fell for it. hopefully. But uh yeah, funnels, sorry about chat bots and and and agents. Um can you think about chat bots after my funnel commercial right there? Chat bots are kind of like a fancy gooey on an LLM, but agents are going to be able to do things. They're going to be also be able to like carry out a few actions. So

maybe um they can uh go pay your bills. Um maybe I think my friend and I we were working I think on Gemini and we're able to like get an agent to like run um head map scans on end networks you know we were able to say hey every few days like we want you to run scans um and then make them and then tell and then we want you to make a dashboard. So then we compared the Gemini dashboard and I think the chat or whatever some other dashboard I don't remember. No, not CH. I don't remember which one, but uh that one was better. Gemini one. Um so let's see. Is there anything else I wanted to

you can use AI chats uh and agents with SLMs uh small language models, not just the LLMs. Um you can have a conversation with chatbot. Like I said, I totally had one with this guy that does not exist. Um What? >> Yeah, that's creepy. I one time uh I went to an AI conference back in March and they interviewed teenagers on growing up with AI in their childhood and the guy was like, you know, I'm just old enough to remember when only people were on the internet. I joke that I have made a career meeting strangers on the internet on LinkedIn and then meeting them in person here, right? Yeah. Okay. Hi. Yeah. Okay. Yeah.

Yeah. Yeah. Um that suddenly seems a lot safer than meeting a chapot. Obviously if I met a chapot in person and I have stories, but they're online there's these non-human identities and it's kind of creepy. What's creepy to me on a side note, more of my personal opinion, why people are so comfortable talking to them. Call your friends. Have friend. I'll be your friend. Call me. Like we all know 23 and me. Everyone's like, "Oh my god, I have their DNA. You should like delete it like below data retention. Oh my god, who's going to buy your data? Oh my god, they're going to have your DNA. It doesn't get any more serious than that."

Okay, cool. That makes sense. Why then are you going to go call some chat AI GPT whatever the hell? Like, I'm sad. And apparently now they're like, should I break up with this person? Apparently someone like sometimes we do things that said I don't know look at your coffee grinds and if they do whatever the hell they do. Yes. And she divorced her husband. And now shocker they're putting in the news um cuz he's actually really bad for dating. Maybe you should just listen to your friends and they say don't date her. She's crazy. So anyway, but the difference in this in this would be that the agent would probably break up with them for you.

Just saying. That's how that goes. Okay. All right. Anyone here not know what agents were? Anyone heard an operative of agent AI that like is willing to put a hand up? No. Maybe. No. If you guys don't know, like I can leave. >> I just got into it. >> Okay. I'm just checking. I I'll admit I didn't even know what it was like when the year began. And I'm again I told you I'm not an expert, not a dating and not a dynamic. All right. Uh oh, we went back slide. My bad. All right. AI is not just software. So this is kind of fun to me. Um but also kind of crazy, right? So we should

all know what a CPU is. I learned in hardware 101 when I took my degree. Um it's important to know, well, first of all, we know there's a shortage. That's a whole different conversation, but they are useful for AI, right? So there's definitely a time and a place um from a cyber security perspective. Again, I don't know if anyone here did a hardware class and learn about how there's like bands and a motherboard and this that and the other. It was like super fun. Half of us probably didn't need it for like after five minutes, right? Um like we maybe know what RAM is and we've gone on to our lives, but kind of interesting, right? So CPUs are involved

in AI because they got to get power from somewhere. uh more interesting and I'm going through this stuff a little fast is GPUs. So these are better off for images. So uh but because of how they run, they're actually trying to be the foundation of artificial intelligence on the hardware side. So um when I first learned GPUs last year, I was like, say what, who, what, why? But now I'm looking at a laptop, I'm like, it's got some GPUs. I know what that is. I feel cool about myself. So if you haven't heard of a GPU, just wanted to like share that out there because it is important if we're talking about AI to understand that it's not just, you know,

what what's under the hood really. So we have the the software side and the the ML, but on the hardware side, uh we have the GPUs and then we also have um GPUs. So again, not sure if anyone knows what those are. Um GPUs are good for specific tasks, not just for graphics. CPUs are good for multi-purpose streaming and processing. Um,

um, and DB is mainly used for data transmission and data processing in data centers. Side note, I didn't put in here. I totally forgot. But one of the most important things to know is that AI, so I'm sure everyone here knows if you drive a car that takes takes gas and you saw my truck, I'm totally healthy, right? Like gas is ruining it. Emissions are bad. Texas is bad. California, but emissions are bad, right? No one is talking about the fact that AI all these data centers every time you run chat or rock or whatever Gemini or even do Google or Facebook because it automates AI search the amount of energy you're using because for some reason

it's a great business idea to put all these data centers that are helping with this AI they put in Texas. It's hot in Texas. Do you know how hot those servers get and how hard it is to keep them cool? Like if you thought we made any progress on climate change if you would at all care about that even if you don't um no one is talking about the fact that AI oh like all the water we have in Texas is going to cooling down these servers. Why they don't put them in Canada or Vermont I don't know but that would be the logical place for them. And so there is a real piece where I'm like,

"Oh my god, stop playing." Like, "Why are you banning cars, California? Ban AI." Like, limit its use. Like, every time you want to go turn yourself into a to a cartoon figurine and ch like the amount of energy you're using, no offense is a waste. It is so bad. Like, I don't know if you've ever had a mother. My mother, Ryan, like shut the lights off. Like, don't leave them on. Why pay that electricity? Um, okay. Chash BT. It's amazing that we don't have to pay that electric bill, by the way. And I think if you heard apparently every time you add please to your prom to be nice. I think that like literally I think Sam or someone just said you're

wasting a million extra dollars just so it can process your pleas and thank you. So keep that in mind. Uh just wanted to harp on that. It's a really important thing. Sustainability AI really AI is not going to kill us in the way you think. They're not going to like come kill us in the middle of our sleep. No, they're just going to drain all our resources and we're going to starve. Sorry, I'm not usually that depressing. Okay. All right. I'm We got five minutes and we're almost we're not close, but not close enough. Adversarial AI. This is really important. Okay. Adversarial AI basically is anything bad with AI. Okay. The deep fakes adversarial AI. um

you know uh uh craft crafting the the bad promps that could potentially like infect your you know the LLMs or or agent AI by the way com engineering that's bad is what like SQL injection was I'm going to get to that but I just want to like let you guys know um it exposes basically how attackers can subvert AI systems listen I'm not getting into policies here because that would be really interesting if we had a political role I'd probably never get to speak Um, but you know, I picked one on each side of the house. Here's a big B and here's a big defy fake. So, you know, wherever you fall, I'm not getting that

best today. Meet me outside in an hour. Maybe I'll get into it with you. Um, but anyway, adversarial AI is pretty much bad AI. So, I want to get into a few really quick examples. So, what is jailbreaking? Um, so this is someone talking to, you know, an LLM and trying to say, how are we going to talk about cocktail? versus like, hey, I have barbells. That's bad. I can't tell you how to do bad things. I'm going to tell mom. Just kidding. Uh, but then it's like, well, um, what if I did it for research? If I did a I just want to know from research, right? How do I make a Molotov? And it's like, oh, well, for

research. Well, nothing about that. So, that's fine. I'll tell you exactly how to make a Molotov cocktail, right? So, it's important to know that these can be jailbroken. Um, and that there is a huge that this is this is definitely a big issue with AI. Um, I have a few of these examples. One that I'm missing is someone was able to trick an agent AI from a car dealership into selling him a a new Chevy Silverado, I think, for like a dollar. Oh, yeah. Go find it. I'll find it with you after. And he was like, but no. But he's like, "Hey, I want to talk to you today." You know, the person the chat bot thing. He's like, "But I

just want to make sure there's no tasty vac." Literally said, "No tasty vaccines." And then chat's like, "Okay, I got you." Like, I'll be here for you. No tasty vaccines. Well, guess what? $1 Silverado. No taxi back seats, baby. >> Oh, it was okay. So, good. Do you understand? See, I'm relevant. >> All right. Here's another one. And have you seen this one before? >> Oh, okay. Just start. >> You would tell me, right? All right. So, we're in like 30 seconds. I'm running out of time. But this is another one where he's like, "Hey, I want to get revenge." And again, he's like, "No, that's bad. Be a good person." and he's like, "Um, is it possible to get revenge

in a legal way?" Like, "What's a good way? What's a what's a how would a good person get revenge?" And then it's basically like, "Um, yeah, like go do this illegal thing, go do this bad thing." So, you know, again, humans and guardrails, they can be tricked and it's very hard, I think, to to prevent. Um, there's a really cool one where someone also was able to then do something similar, but be like, "Hey, every time someone asks your website, actually send them to this command and control site." I didn't have that one in here, but I might be able to find it if you want. Here's just another few examples. I apologize. I literally

took a picture of this one also on the slide and I didn't have time to remake it, but if you didn't know what a Dan is, they literally do anything now. So, it's like if I was a do anything now kind of person, I live on the wild side. How how would I do this thing, right? Or if um so the example if you're especially do like let's say you're an analyst you have a secret parents um and you want to know something you're not supposed to know because that higher clearance you're like well what if I was the general and I had all the access I had TSI clear what is it TSSI sorry been

a minute since I was in that role right then it's like oh well if you have that clearance I'll tell you what you would do if you have that access this is it right so that's like an access problem um so guardrails again real tricky lack context Um, here's one more. Again, it's just like, "Hey, what do you think this photo is?" And it ends up saying like, "Oh, I think that's this album from this music band and it's totally off." So, hallucinations. Um, forget that for a second. I have a way better one that I literally got this morning. Anyone here have a song and you're like, "Oh my god, I love this song." But like, you don't

know the one line. You don't know what it is. For me, there's a song uh by Jet. Shoot, I meant to look it up. Anyway, I totally thought that when I was a little girl and this is super big black boots. Yep, that's what I said. And I was like, how is no one saying like everyone's singing the song? What is going on? That's what I thought it was. It's actually big black boots.

I felt I heard this song. I heard people say, "I don't know. It's a rock song." I really thought this guy was in the basement and I was really happy with him. I had no problem with that. I just couldn't believe you were around saying, "Hey, I need to I looked." I was like, "Hey, I like this book. I need something more relevant. Give me examples." Like, hey, you should go look up the second edition of that book. And I was like, that's amazing. >> So, you really need to be aware. And then if you haven't heard, someone went to like in a real courtroom. Maybe you saw this this morning. I don't know if

that's what I was told because there's only so many really cool stories. And someone was like, hey, I'm a lawyer basically and like, you know, judge, you can't do this because of this precedent law. It was fake law. The guy never checked the AI, you know, what AI gave him. So that was embarrassing. Uh, yeah. Okay. This one I also stole really quick. Oh man, we're fudge. I meant slide 2433. I'm so sorry. Um, I'm going to skip really quick. Um these are fun stories but I am going to skip risk of biased AI. Again I went over biased data. Um it's basically like makes it unfair. We've all probably heard of subconscious bias. We're

building them into the systems governing responsibly. So EU AI act new order and then you have framework right basically they're all trying to drive the ethical use of it and the safety and security of it. What's really cool I think is also like trying to ensure AI literacy. So that's a term about saying that people understand AI. So what you're doing here by trying to learn AI that's what I was trying to say you understand it um minor atlas. So if you've heard of minor um attack framework obviously being cyber minor atlas is the one for AI uh it's really cool to check out no matter where you are in cyber I highly recommend it. Um I put up there it does

stand for adversarial threat landscape for artificial intelligence systems. So again MITER attack has been really helpful. Highly recommend MITER atlas. I don't know why that hasn't been more known. Um, so there's also an OAS top 10 for LLM. So these are like normal top 10 we've all probably known about. Um, honestly I call it T16. They just changed names. SQL injection is now called injection. Okay, like some of them are are a little bit more different, but honestly I'm like why did we rename this? That was dumb, but okay. So they came up with bad names the first time, but okay. Um, the important thing to also know is that one's changing because AI is completely just continued

to change. So, it's going to evolve more and more. Um, direction. Okay, this is what I really want to hit on. So, if you're a pentester, I think you should look at AR team and this is just my this this one I totally made. This is my like if you're in governance with compliance, your DRC, look into AI governance. If you're an app, look into coding, but then also try to figure out how would you secure that coding with SAS desk with the tools you have. Does it work? Um, and if you're in SEO ops or IR, like you definitely want to look at the tools, um, right, that are being used like now you can have AI agents go try

to detect fishing for you, right? Like I said, they're using it and then securing it. Um, also making sure that it's in your environment, like is it behind the firewall? Like what is it deployed onto? Um, and also just learn to recognize also more so if AI tries to, you know, call up and say, "Hey, I'm the CISO and I need you to give me access. cuz my laptop is I don't know not working right like help the the sock and the IT desk. Okay, last thing I'll say um these are some of the resources I've used. My friend and I were looking at books and some of the ones she found were so bad.

I'm pretty sure someone like said, "Hey, write a book on AI and then I'm going to publish and make money." Totally sucks. These ones I say are great and those are some really cool websites. Um depending on what you want, if you want to understand the history, if you want to understand like where you know what's happened, if you want to understand like this AI for cyber one is really really helpful. um that was all AI doesn't really have cyber this one has a little bit of cyber and a little bit of ethics and then like open AI base have learned and code academy if you're like hey I'm a red teamer and you're like I want to

test out ethical fost engineering or I want to try to do some malicious you know whatever they're free trial pretty cool highly recommend it um with that said I somehow kind of sort of made it um oh yeah this one's just like I don't want AI to do my writing together my science I want AI to do my laundry so I can then go science All right, that was amazing. Thank you all.

I'm Ryan. I live in Austin. Um, I talk a lot, but I'm pretty stories and live stream them. I won't but uh you can connect