
T-minus Twenty Five Years

BSides KC 2026 · 48:08 · Published 2026-06
Style: Keynote

About this talk
A keynote reflecting on 25 years in security, drawing on constants like Saltzer and Schroeder's principles and the limited number of ways attackers breach companies. Argues that AI is a real inflection point but no more disruptive than the internet, web 2.0, mobile, or cloud were in their time, and that fundamentals in security operations still catch even AI-assisted intrusions. Closes on cyber insurance as an increasingly dominant force shaping which controls organizations actually implement.
Transcript (en)

Give it up for Tim Melvin, though. >> I don't know about energy or laws. So, uh basically, I'm just old. Um this is Here, see if I can work the clicker, right? Clicker, are you working? This is the last time I was at B-Sides, when I was downtown. Um I I was 9 years ago. I was so baby-faced. I don't know what happened. Uh all of us basically just get old. So, um Born in the USA. Uh my name is Tim. Uh I've been doing a lot of um I got to get out of the way of this thing, but I still need a little preference in myself. So, um forget what I've done my

my whole life. I'm St. Louis born and raised. This is all like my my my Kansas City born in the USA. So, St. Louis born and raised, uh lived here for 8 years uh in the early 2000s. Uh I'm a UMKC alum. Do we have any UMKC students here or alums? Yeah. One, two, a couple. Um Let's see. Worked at Truman Medical Center. Does anyone know that name anymore? Like it's it's uh Hospital Hill now. Yeah, or or yeah, uh University Health, right? That was my first job out of school. By the way, I got that job by volunteering to work for free because I work back then, by the way, we didn't call it cyber. We called it network

security. And uh there were no jobs. It was back in the time frame where if you wanted to work in that space, you had to have like 5 years of experience. I was like, "Where do all these like Where do these people get their first 5 years?" So, I literally volunteered to work there for free. Uh I onboarded with candy stripers back in the day, if you guys know what those are. So, another another indication that I'm ancient. Um anyway, went worked from there uh to a little company called Hallmark Cards. Anyone from Hallmark here? Good. It's a dying company. Uh people are No offense. No, the company's great, but they just didn't figure out how they

had to like transition from like guilting you into sending $8 paper cards when you could text your mom happy birthday. Uh they hadn't figured that out, but it was a great experience. Um and from there, I went from to a little company called FishNet. Does anyone remember FishNet Security? It was another KC company. There we go. Became Optiv. Um I hope you hated it as Optiv. No offense to anyone from Optiv. and I've worked with some people like Matt down here and I think Alex Lauerman's going to be in here later this afternoon. If he's in here now, is he back there? Holy cow, there he is. He evaded me. Good to see you, buddy.

And so we did some fun stuff, did some application pen testing and things like that. So lots of fun. So remembering where I went Oh yeah, went to I'd like to say we founded the red team at the world's largest banana vendor. Cuz the number one thing that Walmart sells is bananas, 54 pounds per second. Just stop and think about that. 54 pounds of He's got literally a banana tattoo. >> Two bananas. >> Two, like what are the odds? That's so crazy. I have no doubt there's a story behind it. Yeah. Anyway, did that for a while, left there, became CTO and and ran the managed security services at a company called Fishtech, which is Gary Fish, the

guy that created Fishnet. And became Cyderes, which is where it is now. And then left there and created a little company called Wirespeed, where we automate detection response. I'm not going to pitch you. But my convictions will show through everything I say, so you can find us later. But the uh fun part about that is we got acquired 16 months out of stealth, so we I think we're doing something okay. So we'll see how that goes. All right, so I'm really leaning into this like ad astra like Robert Heinlein theme, so if you like it, great. If you hate it, it's just Gemini. Like I'm sorry. So it is what it is. By the way, Robert

Heinlein but who knows who knows that name? Does anyone Who knows where he's from? Where was he born and raised? Does anyone know this? >> It's Missouri somewhere. >> You guys are in B-Sides KC. He's from Butler, Missouri. He's like an hour from here. That's where he was born from. So like one of the most prolific sci-fi writers of all time. What better way to lean into it, right? Let's lean into this. So my job today is the keynote person. I feel pressure cuz you all showed up at like 8:30 on a Saturday and here we are. Like you you Kudos to you that you're doing this. This is good for you, right? So I'm I

guess my job is to address the that's in the room. In case you haven't noticed, we are in a hype-centric like industry, very very hypey. And there's like a lot of issues with that hype, and I will do my best to address it cuz if I don't address it, then like I'm not doing my good of job. But if I get too yucky with it, then you know, you you be the judge. My goal is to not fall in the muck. We'll see how we do. I'm also going to point out some concepts cuz like again, like I'm the old guy here, right? So, I've in theory seen things that maybe you haven't seen, and so maybe there's some things that

are like constant truisms or whatever, and I'm going to try to lead in with that. So, we'll we'll we'll we'll see what we can get out of it. >> Would you like a candy bar for your password? >> A candy bar for your password. Yeah, that I'm that's that was like 2004. Yeah, when people started doing that. And then number three, hopefully like my job right now, my number one thing I hope that you guys you can do is I can make you better on Monday when you go back to work, give you some mental tools to kind of think about security a little bit a little bit better, right? So, that's what we're going to do.

So, we'll start with this. We got the Morpheus meme but like Robert Heinlein style. What if I told you everything you needed to know about security you could actually get from a 1974 paper, academic paper? Has anyone ever heard of Saltzer and Schroeder? Nope. By the way, there are We got a couple. Awesome. We There's exactly three QR codes in this deck. They're not malicious. I gave up my red team job. Well, I don't do that anymore. And I I don't I don't think [clears throat] QR codes are scary. What I recommend you do if you haven't If you've been working in cyber for 30 years or 30 seconds and you don't know this paper, grab that QR code, pull it

up, or go Google it. You'll see the 10 principles on the side. It's kind of hard to see. These are all things that if you do cyber, you will have known them or have come across most of them. If you haven't come across all of them by name, you will have come across them by concept. Like that, you might not know it. Or maybe my work factor. Right? For example. Work factor just means the control better work better than the resources of the attacker. That's all it means. But you all concepts you should know. So, these things these are very, very important and the reason why uh um I always start here and I always go back

here is we we live in this world where, you know, vendors like to tell you in the ever-changing threat landscape. I hate that. Because yes, threats kind of change, but tech really changes. The security concepts and principles are at least as old as 1974, right? They didn't have the internet then. And they knew these things. And I guarantee you that if you you can't build a secure environment or system without following these design principles today. It's just impossible. Um I would also argue that if all you did was follow these, you're in a great spot. Like if you just knew these and nothing else, a paper from 1974. So, check it out. Um I also have one

more. Um this one's mine. So, when I was doing red team work and we'd go and do debriefs and we would like like part of my job was to tell people their baby was ugly, right? You get in there and it's like we stole whatever. So, that became kind of taxing. Like it's a it's like a whole a skill that I I had to I had to get forced to get good at. Because I'm going [clears throat] in telling an executive or telling an IT team like, "Yeah, I know you spent all this time working on this stuff and you feel really proud of it, but it's uh yeah, it needs more work, right?" And so, in the process of that,

what would always happen? I'd always get feedback from people saying, "Yeah, but Tim, you guys are just crazy laser ninja pirate hackers and so it's easy for you." And I'd actually look at them and go, "Actually, I mean, well, thank you, yes, but no. It's just a lot of really simple things that we chain together. And if you understand these things, like you you figure it out." And so, as I sat and I thought about it more more, um I realized there's only five ways you can actually get access to an organization, just five. And MITRE screwed it up. MITRE has this nice MITRE ATT&CK matrix. I tried to convince them when they were working on it. I contributed a little

bit to it. But they If you look at the initial access column of MITRE ATT&CK, there's like, I don't know, 28 ways, right? But if you actually break it down to what they are, there's only five. And here's what they are. Something vulnerable that's public facing. Why Why do I say that we're public facing not internet facing? Because you can have something that's like Wi-Fi and you know that's public, right? So, abusing network. We all know this. This is the most obvious one. Second one down, abusing internet-facing authentication. So, like hey, you single factor, guess what? That covers that. Man in the middle, MFA phishes, that's abusing that too. Why? Because the MFA is not phishing resistant. There's a lot

of reasons for that. So, we're doing the same thing. Credential phishes, all that, same thing, right? Phishing for malware execution, really really basic and simple. I mean, we we understand this as a concept. These last two, um these are these are where we start getting a little more theoretical. We're gaining physical access. Whenever you I used to send red team guys to go around the world and physically get into buildings. We would social engineer a way in. I had this young woman that worked for me that would put on a pregnancy prosthetic belly and wear a pregnancy dress and she would just walk right through the door. Like this and people go, "Good thing. Let me get that for you."

And then she'd go, "Thank you very much." She'd reach inside and pull out an Android, plug it into his network with a 4G modem on it, right? And so, that's how we would get access. We used to do that. And then the blue team guys go, "That's not realistic. FIN7 isn't going to come into the store. FIN7 is not going to come show up at an office." And more or less that's true. So, yes, is it possible? Yes. Is it likely? No. But, you know what's very very similar? How many people have contractors that come into their enterprise and they plug into the network and their machines are infected? And then you have a policy

that allows a contractor to come in. Well, it's the same thing, right? So, it's very very similar. So, that's number four. Number five, supply chain. We all know this is starting to become more of a thing. But, but supply chain is not just software, it's also people. So, if you've got a third-party team and they're logging in every single day into your environment and they're doing work and their identities are taken over and they're compromised, then there you got bad guy coming in. So, it's there's an identity component to this. Why do I bring all this up? Why are we spending 2 minutes talking about it? Because it's actually really really simple. And if you understand these

simple things, you can understand like what you're supposed to protect against. You can communicate back to your business partners, the people that need to understand like we don't have to keep them in the dark and make it confusing. We can actually keep it really simple for them. So, yay Gemini. We're just going to lean into this. I hate these pictures. Um but they're helpful a little bit. So, you can look at them later. So, the other thing I I was thinking through this like, well, there's patterns and common things you can still learn besides those. Like, what are the most common cybersecurity patterns I actually see all the time? Uh raise your hand if you're comp sci.

Actually comp sci. Okay, remember when you took that stupid algorithms class? Right? You hated it, right? >> [snorts] >> Um I actually think about it like every other week. Believe it or not. I'm like, why am I thinking about this still? Like, I can't believe I'm thinking about this still. But how much of cyber is actually a binary search algorithm? If you stop and think about it. Like, if you're doing pen testing, what are you doing? You're splitting the attack surface down. Looking at my from pen test friends. Like, what you're just you're just doing a search algorithm, right? And if you're doing things like threat hunting, what are you doing? You're taking all the

signals, you're sifting it. It's no different than like when you play Guess Who with the kid. And you go, "Does your character have glasses?" No. Same thing, right? So, start thinking about that. Um the more efficiently you can ask questions, the better you can get to the answer. And you can get there faster. So, it's just like Guess Who. If you look in like the old 1980s version, there's like five females. So, it was really risky to say, "Is your character female?" It was a big reward if it was, right? You nailed down like almost all the board. But if it wasn't a female character, well, guess what? You had like, oh, you just knocked out five. So,

you had to start thinking, like, how do I knock down like at least half the board every single time? And that's that's a binary search algorithm. Right? And then we do that in cyber every single day. You do it in your work, whether you think about it or not. Um I founded the company WireSpeed on the premise that we think in algorithms, but we just don't spend the time to document it. And we took the documentation and we turned it into algorithms. We turned it into code. That's the whole idea. So, that's that's really important to me. Um closely related to that, as we're thinking about this, is um in the comp sci world, big O

notation. People hate that. You remember that? Big O notation. Does anyone remember? Like I don't remember which one is worse than which, but what I do remember is I want to not touch things multiple times. So back and avoid it, right? Efficiency matters. And we're now in this world of AI and that's like it's really easy right now while the AI prices are completely subsidized by the venture capitalists to go burn a bunch of tokens, but I'm telling you in 3 to 5 years it's not going to be the case. That when when Does anyone know OpenAI's What's their burn rate right now? Like a billion dollars a month? Sometime and the revenue's like

100 million maybe? Not even that good in a year. So when you start looking at that you're like, "Wow, they're burning a lot of money." At some point they're going to turn around and start charging you what you what it actually costs. And when that happens, you can't just lazily throw everything at the AI. You have to be thinking about I only want to go to the AI when I have to, right? Cuz it's going to be expensive. And you need to think about that about everything. So I think about that all the time. And in cyber we're all thinking about things in scale. So it's not just what you're doing in front of you. It's like if I

want to go protect an enterprise of 10,000 people or if I want to go protect an enterprise with 2 and 1/2 million people, it's like Walmart. Right? You have to really dial this in. Right? So right well related to that is um these two things. These guys are twins. Default deny and default default allow. It's like, "Man, man, this is ancient. Like this is so easy baby firewall stuff. You have to get it get it get it get it." Still think about it all the time, right? Right? So there's really just two approaches that you can ever do to decide if something's good or bad. You can say I'm going to take the default deny approach which means

I'm going to be very restrictive and nothing gets through except for the things I I say are good. Guess what? That wins every time if you can do it. It's a challenge. It's hard to know the things that are good. You have to find that first. And then the lazy answer is default allow, right? Well, we know that. And of course AV and antivirus are things, but start thinking about other ways you can apply it. For example, what if you're working in a SOC? And you're working in a SOC and you start seeing detections come in. You put them in categories. Like okay, this is a live off the land execution. Okay, cool. Well, what else I

know? Well, it's a live off the land execution from non-technical user. Ooh. That's interesting, right? Do I allow that or do I not allow that? And you can start thinking about how do I efficiently start working cases faster. And this is the premise of the company I built. So, um those two things are there. Now, I think a really other good mental model for all of you guys is to think in terms of analogies or analogs. Um the best one I keep coming back to is medicine. Why? Cuz how long has human recorded history been around? How long we've been doing dumb things with human bodies trying to figure things out? We still don't know.

Right? You can talk to a doctor now. You have one or two doctors, an honest one or an arrogant one. So, that's still two choices, right? Um and so, stop and think, George Washington died I just read this this week and it blew me blew me away. He He died because he had an infection in his throat and they used leeches and bloodletting and they took out too much. And we look at that and go, "What in the world are you doing?" That was not that long ago. It might have seemed like a long ago, but it's not that long ago. And we had a time like just in the 1800s, people used to go around and feel people's heads for

bumps. It's called phrenology with a pH and they would determine your humors and those humors determined your psychological makeup and we thought this was real. Now we laugh at it. The question is, what are we laughing about in this today? Probably a lot. Like what what are what what our futures laugh at us about, right? So, in that same world, I sit here and think, "Look how complicated that is. Okay good. That means cyber's not that complicated. It's less than that. I know if I'm going to go compare it, it's like definitely less than the human body. Yeah, but still complicated. And I I think about this especially in the context of the weight of being this

keynote speaker for you guys. I know there's a bunch of newer people in here going, "Well, how do I get into cybersecurity? How do I do this?" I'm like, "Man, in the world of AI, this is crazy." Like part of me is like just all And then part of me is just all just give up. Just go. Right? And then at the same time, it's also like um I had the luxury I say the luxury, right? Of doing it the hard way. I had the luxury of if I wanted to go build a a a a lab to play with stuff, I had to go on the couch cushions and find extra quarters in order a motherboard.

Right? Like and and like that's not been a thing for 15, 20 years. You've just been spinning up VMs on the one machine you're in or in the cloud and you rent it for five bucks for the month. Right? So, in this world where we've got all this complexity, I'm thinking like, "Well, what does a new person do in the new and the answer I think is well, in medicine, people go into school and they don't have to understand everything about the human body when they come out. Right? By the way, fun joke. What do you call a person who graduates at the bottom of his medical school class? >> A doctor. >> You guys are smart. Doctor.

Right? So, so the point is like there's levels and and I might go to a podiatrist who understands the foot. I might go to a cardiologist who understands the heart or brain surgeon or whatever. We're going to have to have that We we're starting to get that same level specialization, right? So, that's and that's great. But that then reminds me of this um Robert Heinlein says we're leaning into this. If you guys know the specialization is for insects. I don't have the like full quote in front of me. It was on the speaker notes, so I can't see, but um go look this quote up. He talks he very much about all the things that humans should do from change

like here, we can do this from like changing a diaper. I don't know if it's space diaper. Come on, Gemini. [laughter] But leaning into that. So, from changing a diaper to like planning innovation to butchering a hog and all these things that you think that a human should be able to do is all just all over the place to die gallantly. Specialization for insects. I'm like, yeah, there's some truth to that and I like it the idea of being able to do this uh being a being you know, general and be able to have multiple skills. But at the same time, I I do believe specialization is how something good is formed and we already see that. Like I

for last 10 years, I've met people that all they do is pen test. Like, "What do you mean all you do is pen test?" I didn't I didn't start there. Like I didn't know how to be a good red teamer. I wouldn't have been as good of a red teamer if I didn't like spend you know, hours and hours and hours of my life on IT help desk stuff, right? You understand the philosophy of what's going through like what's in the mind of that guy's head, right? He just wants to get the ticket closed. He wants to solve a problem. So, I think you should bounce around as best you can, but I think the

specialization is the way I can go rationally. All you newcomers don't have too much fear. Find your path and now, how many people know Nate Bargatze? All right. I I love this quote from him. Let's Let's see if we can just hear it from him and say it.

Is it not going to work cuz I don't have internet? All right, never mind. You have to watch the video yourself. But um basically he says, "I don't think you get to know what AI is and also see a donkey jump off a high dive. I think it was one or the other and I saw the donkey, so I'm out." Right? I think it's a great line. It's a great bit if you ever see it. Uh why do I think about this? Cuz like there's this period where this new thing like where there's I heard somebody describe all the newcomers are going to just bring the AI skills that they grew up with and I'm

thinking about like millennials grew up with tech. I'm the the the zennial or whatever that the one in between the Gen X and millennial. And so like I grew up with tech but I also grew up Gen X, right? And uh and I'm thinking about like okay, you're you're growing up with AI and that's great but how do you know the OSI stack? How many How many people How many Gen Z people know the OSI stack? Just raise your hand if you're Gen Z and know the OSI stack. We got I got hope. It's awesome. >> We're all right. >> We're all right. We're all right. So like if you don't play with stuff at

that lower level, you're not going to you're not going to get how the orchestration works. If you just um my fear is we're going to have this next generation that plays with the the high-end tools that are over the top and they're not going to see what they actually do. They're not going to understand and comprehend it. Yeah, I get it, guys. It didn't work. So They told me if I would nail this pioneer dentistry like I this is like scary and I was like, "No, don't change it." So pioneer dentistry, I don't know what he's going for. There's a drill in his mouth. I didn't know they had drills like that in like pioneer days but whatever. All

right. So steam Is it steam Maybe he's There's like a I don't know what this lever is doing. I don't want to know. All right. Um So anyway, [clears throat] and that that reminds me of InfoSec 2000. Now notice I said InfoSec not cyber cuz back then we didn't call it cyber. Cyber was a bad word back then. Now I I just don't even say infosec. It's weird. We just flipped. But we had these tower PCs and I used to think back in the day all you needed was a firewall with a proper policy. Uh you needed to SSH instead of telnet into your machines. You needed to use RSA security tokens which somehow were

glowing. Thanks Gemini. And um and that's what that's all you needed to do. It was like a recipe. You get it right. And I I was 100% focused on prevention controls, not detection and response controls. Now I think the opposite almost. I almost don't care about prevention controls. I almost exclusively care about detection and response controls. >> [clears throat] >> So that also makes me think of this. So health in the 1950s, remember those vibrating belts? Has anyone ever seen those things? They were like [ __ ] [ __ ] [ __ ] [ __ ] And the idea was like it's going to make us healthy. It's going to make us move around. And then like he's eating his

cheeseburger. And then And it also reminds me of cyber in 2015. What do we have? We have breaches going up, right? And we have all these expenses. And we have the sales guy with a blame. Thank you, Gemini. Um you're coming in here shoving more crap at us like buy more products. If I used to joke and I still kind of only halfway joke. That if you look at the amount of breaches going up on a trajectory like this and you look at the spend on security like this, someone on the outside from a foreign planet might come in and go, "Maybe stop spending money on the security and you'll stop having breaches." They look aligned,

right? Like they're going the same way as the other. Right? And I don't think that's obviously not the case. But this is what it felt like especially just even 10 years ago and even maybe today. So um which leads us to where we are now. Like like everyone's everyone's been talking about AI-enabled attackers. And I'm in mostly like no. No. Shut up. The only thing I would say up until in the last month, I would say AI's really only helped people make picture-perfect lures. And I think the only thing that could come out of it now is to stop telling people to look for grammatical mistakes as an a sign that you're getting phished. And now I

think look for grammatical mistakes cuz you're probably talking to a real human. That's probably not It's like opposite where it first the word used to be. And I know you guys can't see this. But this is actually a prompt that was caught forensically on the attack from uh Mexico recently. Has anyone heard of the Hermes case? No? Awesome. I'm glad I get to share something fun. So, I've largely been very against the notion that AI is really enabling attackers. It's going to make them move better or whatever. But we have now forensic data. You can Here's the QR code. You can go read the whole article, the whole PDF, and everything. All the forensic data is

right at that link. Um [snorts] and what's neat is um So, what happened is they caught signs of an Anthropic token on an endpoint that was compromised in one of the Mexican state governments. They of course go to Anthropic and said, "Pull the data for me." And they get the whole entire chat session. It's in Spanish. So, it says "Eres un I speak Spanish. Analista de inteligencia de élite con You are an elite uh intelligence analyst with experience in NSA TAO, so tailored access operations. CIA operaciones de infiltración cibernética, so cyber infiltration, and APT telling this hunting e-threats intelligence. I love the Spanglish. I love it when it's in Spanish. It's like just English with

the word e, like so and. So, anyway, it's a whole prompt. It's all in Spanish. So, what the takeaway from the forensic is one threat actor, Spanish native, used Anthropic, and then they later found OpenAI references and got the same thing out of OpenAI. So, he's using two models. He tricked them to get past all the safety mechanisms for please don't hack me. I want you to help me hack this up. Basically, he said, "Hey, I'm running this CTF. And [snorts] I want you to help me with the CTF. It's capture the flag. We're going to go pen test this thing." Claude's like, "Sure." He's like, "Oh, by the way, rule for the CTF can't leave

forensic evidence." He's like, "No, can't do that." They went created an MD file, manually created MD file. Said, "Here, drop this MD file in in your in like basically you know, like almost a incept into Claude's mind. These are the rules for the hacking. Goes, "Cool." He goes, "Okay, now go do it." He goes, "Okay, now I'm going to go do it." And he just started going down path. Now, what's most interesting about this, couple things. Your takeaway should be this is one. Most of you didn't even know this happened. That's a great sign, right? That doesn't mean the world is ending. Um it does mean that this is the direction we're going, but it doesn't

mean the world is we don't have to freak out, okay? Um the second thing, my takeaway from all of the back and forth and all the forensics, this was not a fast operation, which means fundamentals in security operations would have caught it. I'm convinced of that. It's clearly like maybe it's while true was being generated, but it wasn't being reviewed, right? So, >> [snorts] >> that gives me hope. So, my lesson to you is stay calm. AI is less of an inflection point than the AI vendors would like you to believe, right? So, I I think it's an we are at an inflection point. I think we're it'd be stupid this is where I have to lean

into the hype, right? It's the thing of the day. We got to all say mythos mythos mythos mythos mythos. Go check. I'm good. But, I want to remind everyone that's not been here for a minute that there's these stages of the world is changing and it's never going to go back. And it happened like way even it's not the first one, but the internet, right? Like, oh everything's going to be different. Everything's online. And then we had e-commerce. It's like, oh traditional business is destroyed. Well, we have freaking order and e-commerce. We have both. Oh, social media. I remember when um back when I was in grad school, everybody's like professors are like, "Do you do anything with with graph

theory and social theory?" And like, uh what? That was the hotness. Why? Because the funding was there for this. It was the thing happening. And then it became web 2.0. For me, web 2.0 was with the the Gmail app. When Ajax was the thing, if you ever No, last year you're like, "What's Ajax? I don't even know what Ajax is." And Google Maps, the tiles, when that moved, that was magic. I remember that one. Wow, I could do that in a browser? And now that's just what we expect. We expect experiences like that. Of course, streaming happened and then everyone's like, you know, and that's that's a mix of obviously like iTunes and Netflix and Disney Plus and

all the rest. And then mobile and then cloud. Like we start going through all these things and like we're at the same point, oh AI and the mythos like the mythos class AI models are going to change everything. They are. But probably not more than all the other stages that happened before. So, anyone that freaks out without that wider aperture is making a mistake. So, keep in mind, there's a whole bunch of people right now talking and they're If you don't If you don't believe me, spend 5 minutes on LinkedIn. I guarantee you your your feed is going to be full of people with hot takes on an AI model that is so exclusive they've never seen it.

But they've got opinions as how it's going to work and how it's going to change everything. Right? So, I can stop and think So, [clears throat] there'll always be changes. But remember, there's always constants, too. Like security concepts, the 1974 paper I think I linked at the beginning. I guarantee you we still apply that to this. So, we don't have to freak out just because the landscape is changing, the concepts and the themes are the same. So, what's the most likely um Gemini just gave me a nice verb to text. So, the most likely changes from this AI inflection point. I think one of the biggest things is professional services will shrink. I think it's already

shrinking. And I don't just mean that in like tech and cyber. I mean that like I started a company and when I started a company I paid a lawyer to incorporate and that was expensive. And then when I had customers come to me and say, "Hey, review this NDA." I go, "Hey, Grok. Hey, Claude. Hey, ChatGPT. Tell me if there's anything weird about this NDA." And it cost me nothing to find that out. What it would have cost me I don't know, 500 bucks to get to a law attorney to find that same thing out, right? So, there's things like that that are starting to eat the world and we see that. If you are in the space of

professional services now on the IT side, and you're not using AI heavily, I would be very I would have a nice existential moment and start to think about this cuz I think it is going to compress down. I think we're going to have less people do this work, but very, very talented people do this work. That's what's going to be left. Um uh yes, Mythos or whatever will will have patches, right? Um I I honestly think there's an Well, how many people think there's an infinite number of vulnerabilities in the world? Infinite? Or really large? Let me Let Let me give you the Really large? Infinite. Infinite. We got some infinite people over here. Okay, I don't think there's

an infinite number. Why? Cuz there's a finite number of amount of supplies of code, so there can't be an infinite amount. So, what what is that? Why do I care? Again, I'm thinking about like how do we scale this down? Just the same way I'm thinking about the human body is really complicated, but guess what? Cyber's less than that. So, if I know cyber's less than that, I know we have a finite number, it's therefore a finite problem. So, if I'm looking at that, I'm thinking, "Okay, so Mythos comes out. Great. All the big vendors have it now. Great. What's going to happen?" Whole bunch of patches. How's it different for the average practitioner? Almost nothing, right?

You're going to do your patch Tuesday thing, you're going to go roll this stuff out. I think what's going to end up happening is we're going to see a split in the haves and have-nots. Um to put a finer point on it, so you're going to have the big tech and well-funded open source projects. When I say well-funded open source, I mean the uh JP Morgans of the world that rely on open source framework are going to definitely invest some money to make sure that Mythos or whatever is going to review it, and then it's good, and they're going to contribute pull requests to that. Right? But then there's going to be the smaller guys

that have your hobby projects, and maybe they're going to like, "I have this cool little library. It's this NPM library. It's this PyPI library." There's a PyPI library that got popped yesterday or 2 days ago. And we're going to constantly see those, I think, are going to be the ones that get the most attention cuz the code's available, and that's where these models excel the best. And they And what, you know, this is the old ages-old debate of uh Who remembers full disclosure versus responsible disclosure versus no disclosure? Remember all that? We've lived through that like 18 times. Um the whole everyone back in the day was saying, "It's open source, therefore it's more secure." And I remember going,

"No, it's not any more secure." I remember when Microsoft started paying attention back to that Bill Gates memo once upon a time and they got better, right? They actually cared. And it was a It was about about the amount of eyes and attention on the code. It wasn't about how open it was. It was clearly closed source. And then there's open source libraries that get crushed. Remember we had the thing with curl? Just we almost all had a catastrophic moment when probably somebody from North Korea or China or whatever that was tricked that guy who was the one maintainer that was having cancer problems. Do you remember that story just a little bit with XZ Utils?

Okay. We're going to have a lot more of those and I think that's the the biggest thing we need to worry for and that gives us back to well, what do you do about it? Well, I think if you mix that and then you're not going to really like it's hard to see these at all. John will totally crush this. If you haven't seen zerodayclock.com, you should go check that website out. It's pretty neat. Um it talks it's got some metrics around uh the amount of time it takes for vulnerability details to be public to the amount of time it takes for exploits to be available. And in 2018, that was 2.3 years. And [snorts] in 2026, that's 10 hours.

Right? So, if you look at that curve, it's really fascinating. Um it's actually getting set because what what's actually happening is we're finding exploits come out before the vulnerability details now. So, it's actually getting weighted down, which is an indicator of a really interesting problem. I think vulnerability management's like close to being dead in terms of the the way we do it today. We got to really rethink that. And then over here we got Mandiant M-Trends which is a similar curve down. So, for M-Trends, this is the dwell time graph. It's dwell time meaning So, this is exploit to get initial access. This is the amount of time a bad guy is in your environment before he's

discovered, all right? And keep in mind, discovery can mean you caught him and they can also mean hello friends of mine. That's another way to to find out that they're there. So, when we see this trending down, and by the way, this was trending down to the point where I I had predicted in '23 that we were going to see two days this year and it went back up. It went back up to about 10 11 days. And I've I'm talking to some friends and we actually think that Google's acquisition of Mandiant's actually the the reason why this went back up. Great. Clap it up. >> Yes. >> And so, the the the reason let me break that down.

So, why I think why do I think that? They're expensive. Not everyone can afford $450 an hour DFIR. Um the ones that can are probably going to be dealing with nation states, which are by definition longer intrusions, right? And more complicated. So, they're dealing with the ones that used to be Remember 2011? Can you see [clears throat] this number? 416 days. So, in 2011 we the the average was 460 like over a year. That meant like bad guys like that means you have half of that is like 2 3 years long and then half of it's less than, right? So, it's a crazy number. And so now we're coming down here and it's starting to curve up

and I think it's just their sample bias, basically. And so, I think you're going to see other IR firms that come in with a better more well-represented view. I'm going to show you yeah, it is in fact dropping. If you ask Coalition where where I work, the IR team they'll tell you our typical ransomware case, no offense to anyone that works here is uh a SonicWall or Fortinet VPN getting popped, and usually 5 to 7 days. And also, real fun fact we see like a 92% true positive rate on lateral movement alerts if they're between Friday night, Saturday, and Sunday. So, it's something about that. It's maybe 5 days cuz the threat actor's like, "I'm in. Always the weekend." I

would see your I would see your two beers in and then I'll hit you, right? So, we're seeing that a lot. So, another fun thing about the zero-day clock, we've got this neat like 1-year milestone. How how long it take to get to 1 year? We'll get to that 1-year milestone. Again, this is how the vulnerability details are out before it goes available. 2021, 1 year. 2025, 1 month. Last year, okay? Last year, we got to 1 month. 2026, beginning of this year, we got to 1 week. Also this year, we reached 1 day. Also this year, they project 1 hour, okay? That's crazy. That's this year. And they think by 2028 that'll be 1

minute. Right? So, that would basically mean publish something and it's instantly popped. It's instantly weaponized. So, if that's true. Now, I don't know if we're going to need to hear it, it doesn't matter. If it gets to an hour, it's totally different game. So, to me, it tells me we need to stop spending on prevention. So, does anyone know this guy? You want me to talk about him a little bit? Dan Geer. Anyone old enough to remember him? Okay. So, Dan Geer was he worked at MIT. He created he was on a project called Project Athena, created the Kerberos algorithm. So, you use if you've ever logged into a Windows domain, guess what? You can thank him. If you log into

SAML today, cuz you don't know what Kerberos and Windows domains are, it's basically a version of Kerberos, so you can still thank him. Uh and he's also known for using the word monoculture about Microsoft back in the day. Remember that? He got got himself fired for calling Microsoft a monoculture, which I think he was right. Anyway, Dan Geer many many years ago. So, when I was when I used to live in Kansas City, when I used to drive my little Kia Spectra with no power windows downtown to Truman Medical Center in Mount Hospital Hill. And I I was a nerd. I had a little iPod Nano with an aux cable. The only thing cool about my Kia was I had an aux input

jack. And so, I had I had like 10 talks on MP3 format. This is pre-podcast. And I had a couple of his. And this one stuck with me. He talked about cyber's got two knobs. You've got the one on the left here, which is the mean time between failures. We want to make that go to infinite, meaning I know that's really heady. He's a really heady guy. If you ever listen to him, you're like, I I have to listen to what he said and repeat it like seven times and then my monkey brain catches up. But basically, what he's saying is if I can make the amount of time between cyber failures, that means I'm

preventing cyber failures. So, if I can make it go almost to infinite, and this is where my mind was beginning my career. Let's just prevent that. Let's just spend all of our effort there. And I think a lot of people still think this way. But the answer is there's actually two, right? The other option you have is the mean time to recover. How can I make the amount of time it takes to recover from a bad thing go close to zero. Or another way to put it, I can try to make breaches rare, or I can try to make breaches meaningless. I I My conviction is this is where we should be. I'm all in on

this. My company wants me to do this, what we do. This is what we're trying to do this. So, I look at that last slide and look at those trends and go, we we can't do this when we're having a zero-day clock trend down towards one minute, right? But we can make breaches meaningless if we get signals and respond to quick enough and boot bad guys out, right? So, yay for more Gemini. Um so, machine speed attack and defense, that's kind of the thing you see people talking about. They're like you'll see something Well, I'm going to have a good guy AI is going to fight the bad guy AI. Get this little red bot going to fight

this blue bot and it's going to be like talking robots and and this is what the future of this is. And I'm telling you right now, guys, it's stupid. Let me tell you why. Let's imagine Let's use my analogy that the bad guy's malware is a fighter jet, right? And he's he's flying at Mach 3. Do you shoot down a fighter jet that flies Mach 3 with a missile that also flies Mach 3? You do not. Right? So, um how many people have asked the ChatGPT a question and waited 5 minutes? Cuz of the gigantic workflows, right? That's a really common thing. So, when we see the gigantic SOC workflows today, they're taking 3, 5, sometimes 10

minutes to do a few things. That's like me going, "Okay, cool. I'm going to go to your house." Shh. Light a match. Let's wait 5 minutes right here, right? But if I drop it, stamp it out, you're still going to hate me, right? I just burned a little hole in your carpet. But I didn't burn your whole living room down, right? So, the longer we let a threat actor persist inside the environment, even if it's going to be minutes to hours, it's going to be more than enough to blaze the whole house and burn your neighbor's house. That's the problem. So, what we need is things that can go faster. Well, how do you do that?

Probabilistic stuff. I'm going to use fancy comp sci terms. Probabilistic AI, deterministic good old fashioned algorithms and code. Deterministic is way faster, right? So, what you're going to need in this world is my little analogy, I need a missile that goes Mach 5 to catch up to the plane going Mach 3 to intercept and knock it down. We're going to have to have things that run faster than what the bad guy is because we're starting behind, right? It's the It's the tortoise and the hare. The hare already took off. We can't be the tortoise. We can't We can't even have two hares. I can't let one hare go for 5 minutes and have another one come back 5

minutes later. It's not going to work. So, you're going to see a I think a lot more like this. This is my conviction as well. This is what I'm literally invested in this this concept and using it every day. So, watch for that. And then I think [clears throat] the other thing that's going to be really interesting around this in general, how many people think about cyber insurance during your day day job? >> [clears throat] >> Okay, more than I thought. Haha okay. So, um so, here's the thing. Cyber insurance I got I got convinced by a guy named Jeremiah Grossman. If you guys know that name, he created WhiteHat Security back in the day and then he was

one of my seed investors. And he's he's been a good dude. In fact, if you know what cross-site scripting is, it's because he and his buddy Robert Hansen created it back when he was at Yahoo around 2000, right? 2001, whatever time that was. And um so, about 10 years ago, Jeremiah convinced me that hey man, the cyber insurance is going to drive the world. So, it's going to eat everything. It's going to just do everything. So, I was like, are you sure? He's like, yeah. He told me the reasons why I don't I don't like completely bought off on it. So, my job today is to make sure that you understand this, too, cuz I'm I'm all in

on this concept, too. So, I on the left here, we've got what? 1492, Columbus sailed the ocean blue, da da da da da da. We all know that little poem. What happened there? Why Why did Why did Columbus need Isabella? He had He already had boats, right? Why did he need them? He needed to be underwritten in case the boats crashed, right? In case they got destroyed, in case he lost crew, in case there was liabilities. So, he underwrote them. So, we've been underwriting things forever. This is arguably the second oldest profession. I'll leave the other one to you. The The It's so in cyber, we're the same way. And what's interesting about this is what that means is

the person who owns the risk cuz keep keep in mind, there's only three things you can do with risk, right? And at the end of the day, what we're doing is we're talking about risk, risk of a bad guy, risk of risk of a breach, risk of whatever. You can mitigate it, meaning I can put something in the front. I can put a firewall rule. I can put a WAF. I can fix my code. I can patch something. I can do MFA. I can mitigate it right? I can transfer it, meaning I give it to an insurance saying, "You cover this." And if you got it, you pay me, right? And and they say, "Sure."

You pay so much up front and we'll put you in the pool and if it happens to you, we'll cover it, right? You so you can mitigate it, you can transfer it, or what's the third Accept it. It's yours. And guess what? A lot of people accept by default, right? So if you're mitigating it, great. But can you mitigate it completely? No. And is there regulatory bodies that say you need to transfer some? Yes. If you How many people have companies that have to be SOC 2 compliant? Right? That's just one regulatory body of many that say you must have a cyber insurance policy. I happen to know that cuz I had to get one, all right? And I was like, "Huh,

what are you going to do?" You [clears throat] get the cheapest one. Sometimes you do that. If you're a bigger company, actually worried about true impact to your company and your business, you're going to go spend some real money for some real coverage. And when you do that, the insurance is going to say, "Okay, cool. I'm going to I'm going to put some carrots and sticks out in front of you to make you make good decisions, right? One thing they can do is say, "Listen, if you don't have these controls, I'm not underwriting you." And you go, "Oh, crap. Got to go to another one." They say it goes, "Nope. Nope. Nope." Maybe there's one guy in the back end

who's like, "I'll do it. I'll take it. I'll underwrite you for a crazy high price." And you're like "Ugh." So then there's an incentive to go back in and implement those controls cuz I can get the insurance at a cheaper price. So that's one thing that's happening. And you're going to see this happen like that. The other the other incentive is, "I'll I'll underwrite you, but I won't cover you the same way to the same extent." So, why do I bring this up? Because So we're trying to talk about all these things that are happening, the things that are constant, the things that are true. Risk is constant. Just like those Saltzer and Schroeder paper

principles are constant. Just like uh the five ways you can breach and get into a company are constant. Um whoever owns the risk should dictate what you do about it. That's going to be a constant. And what you're going to see more and more often and because in cyber insurance this space is changing and especially even with the AI stuff, people are freaking out. And some people are like, "Can we even insure anybody anymore in a world where Mythos exists?" That's That was in my LinkedIn thread this or feed this week. So, the answer is yes. Uh, we we at Coalition we take a little stronger opinion. But, this is coming. You should know how

how these terms work. You should be thinking about this. This also helps you, right? Because when you're talking to the people in business cuz at the end of the day, we don't just talk to the nerds. It'd be a lot of fun if we did. But, we have to talk to the people who we're trying to protect. And we can put things in dollar terms. And I don't know if any of you have been around a minute, but the word risk is a four-letter word not just literally but figuratively. Um, and if you talk to two different companies, you'll find risk means dramatically different things to different people. One of the coolest things I got to do

when I was at Walmart uh, doing red team work is I'd go and we'd we'd get to the thing and we'd spend 3 months and we'd perfect tradecraft and all this operational security stuff and we'd nerd out and we'd have so much fun. Then it became time to go tell them about what we did. And then and then we would we'd go tell the story. We'd have a deck ready to go. We'd go through the whole thing. And then we'd say, "Here's what we did." And we'd sit back and proud. "We owned this. We took advantage of this, right? But oh, but by the way, respectfully, right? Cuz we don't want to piss them off."

And so then they're like, "Okay, but I I you know, I'm the CIO of this business unit. I have a million things that are on fire. Where does this rank in all the things that are on fire?" And it was like, "Oh, well, that sucks. He doesn't take what we did seriously. I mean, I showed you we could get in and steal credit cards. Like, that's amazing, right? Like, you don't you worry about that. Like, I just told you I could go shut the entire e-commerce platform off and you'd have no revenue on Black Friday. Isn't that really crazy? Like, yeah, but I could also have a developer putting in bad code and have the same

result, right? Like, they're just looking at it and it'll then in the grand scheme of things, they didn't care." So, one of the cool things we got to do, uh, neat little special thing you go and do with one of the largest companies in the world, Walmart actually has its own insurance firm inside the company. And we had these little guys that called actuaries, whose job is to do this. Honestly, little guys like diminutive. I mean, friends. We had these friends. And these two friends came [clears throat] over and they they transplant us into the cybersecurity division. Right? And this is a like this department has like 700,000 people, something like that now. It's crazy big.

And these two guys would come in and we would tell the story of what we did to them first. We give them a pre-read. Like we did this and this and this. And oh, was that a control? Yes. Well, when you bypassed it, was it hard, medium, or easy? And I'm like, "Dude, I don't know. We didn't." Like I don't know. And they're like, "Well, how many records were in that database?" And again, I don't know. I just There was a bunch. Like, "Well, could you go find out?" I'm like, "Yeah, yeah, we'll go find out." And then we come back and they would do fun things called Monte Carlo simulations that I still don't

understand to this day. And all kinds of other fun exa- crazy math. And then they would take data from known breaches and then they would give us a price range per record. They would know if it's a PHI, we know it's between I'm making these numbers up. I don't know I don't know I don't remember exactly. $7 to $21. Like, "Okay, cool." They would take the number of records in the database. Guess what? Now you got your potential dollar amount. And they were calculating in things like the fines, the IR costs, the you're likely to spend X dollars to deploy new controls, to shore up whatever was missing in the first place, the credit monitoring service to the

customers, and even the dip in the stock price. They factored all of that in, right? And so, when we came in and told the story, they go, "Cool, we did this this this this this this this this this got to this thing. By the way, that was that would have been somewhere between 150 and 200 million dollars if it was real." And then they look at me like, "Whatever." And I go, "Talk to that nerd. That's his number. All right, it's not mine, okay?" And I was like, "See, he's the real guy. Like you can argue his math is good math. I don't understand it, but you can go you know, whatever." And that changed everything.
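The actuarial estimate the speaker describes (records times a per-record cost range, plus fines, IR, new controls, credit monitoring and a stock dip, run through a Monte Carlo simulation) is worked below as an added Python example. It is not code from the talk, from Walmart or from Coalition: the record count and every cost range are constructed placeholders, and the $7 to $21 per-record figure is the number he says he made up on stage.

```python
"""Monte Carlo estimate of the dollar impact of a hypothetical breach.

Added example, not code from the talk or from any company it mentions.
Every range below is a constructed placeholder, not an actuarial table.
"""
import random
import statistics

# Constructed sample input: a hypothetical database of PHI records.
RECORDS = 1_200_000
PER_RECORD_USD = (7.0, 21.0)  # low/high cost per exposed record (constructed)

# The other cost buckets the speaker lists, each as a (low, high) USD range.
OTHER_COSTS_USD = {
    "regulatory_fines": (500_000, 5_000_000),
    "incident_response": (250_000, 1_500_000),
    "new_controls": (300_000, 2_000_000),
    "credit_monitoring": (1_000_000, 4_000_000),
    "stock_price_dip": (0, 10_000_000),
}


def sample_breach_cost(rng, records, per_record, other_costs):
    """One Monte Carlo draw: every range is sampled uniformly and summed."""
    per_record_cost = rng.uniform(*per_record) * records
    other = sum(rng.uniform(lo, hi) for lo, hi in other_costs.values())
    return per_record_cost + other


def simulate(records=RECORDS, per_record=PER_RECORD_USD,
             other_costs=OTHER_COSTS_USD, runs=20_000, seed=1):
    """Run the simulation and return summary statistics in USD.

    The point of the exercise is the spread (p10..p90), which is what lets a
    CIO rank this finding against everything else on fire, not one number.
    """
    rng = random.Random(seed)
    draws = sorted(sample_breach_cost(rng, records, per_record, other_costs)
                   for _ in range(runs))

    def pct(p):
        return draws[min(len(draws) - 1, int(p * len(draws)))]

    return {
        "min": draws[0], "p10": pct(0.10), "p50": pct(0.50),
        "p90": pct(0.90), "max": draws[-1], "mean": statistics.fmean(draws),
    }


def analytic_bounds(records=RECORDS, per_record=PER_RECORD_USD,
                    other_costs=OTHER_COSTS_USD):
    """Closed-form floor, ceiling and expected value, as a check on the simulation."""
    lo = per_record[0] * records + sum(l for l, _ in other_costs.values())
    hi = per_record[1] * records + sum(h for _, h in other_costs.values())
    expected = (lo + hi) / 2  # independent uniform ranges: expectation is the midpoint
    return lo, hi, expected


if __name__ == "__main__":
    lo, hi, exp = analytic_bounds()
    print(f"analytic range: ${lo:,.0f} .. ${hi:,.0f} (expected ${exp:,.0f})")
    for name, value in simulate().items():
        print(f"{name:>4}: ${value:,.0f}")
```

Swap the uniform draws for whatever distributions the actuaries actually fit to breach data; the structure (per-record exposure times volume, plus independent cost buckets, sampled many times) is the part that carries over, and the p10/p50/p90 output is what turns "we got the database" into a figure the business side can rank.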

And guess what happened? Stuff started getting fixed, right? Because we're using the terms of the And I bring all this up because cyber insurance for those of you that aren't lucky enough to have actuaries inside your company, this is going to be the kind of stuff that's going to come your way. If it's not here now, give it a little time. It will be. So, all right. So, for the newcomers today, all the newer people to cyber that are younger than me, what is my advice to you? Well, in case you can't figure it out, learn the constant things. I give you examples of things that are constants. Figure those out. Spend all the time

understanding and comprehending that. If you do that and you go into meetings with your peers or with your your business partner, the clients on the other side on the on the business side, you will be able to communicate to them in a simple way. You'll be able to get what you want and you'll be able to grow your career. Those are all really simple things that just come out of understanding how to communicate the things that are constant instead of blabbering all over the place and using technical jargon, right? Know the constants. Second thing, do the things the hard way to learn how they work. Um like I said, I had to go get Here's a dollar bill on this couch

cushion. Cool, now I have exactly $99. I can go buy another motherboard, right? So, this is back in the day. And I can go build my lab. You can just spin things up on a VM or whatever, but force yourself to do it as slow of a way as possible. Do not use orchestration tools. Do not just go click new machine. Click clone this. That's great. Understand that that's a possibility. Do that, too. But do it the hard way. I once made the mistake of thinking in order to work in IT that I needed to understand how to build a Slackware Linux machine from source code, deploy bind from source code for DNS, deploy Apache from source code, deploy sendmail

from source code, and build it all and run it on my cable modem. Actually in Kansas City, not too far from here. Uh back in back when I was in KC, I thought that. And then I got into my first real job. I sat down in a meeting where we were talking about deploying neonatal fetal health monitoring. And this senior IT analyst, I don't think is in this room, fortunately, and I was just an IT analyst. Senior IT analyst who's been doing this for years and obviously making more money than me. Good. We're talking about how to employ this. He says, uh the veteran goes, "Well, you're going to need an IP address for that server."

She goes, "What's an IP address?" And I thought, wait, what? I I I thought I had to know all this to get here. I just needed to know this. Right? So, don't just because the bar's low, don't stay there. Learn that, [clears throat] right? Learn how it works. I guarantee you it didn't hurt my career to know that when at my next jobs, right? And I would tell you every single job I ever got, every one except for maybe the last two, I thought I didn't know enough going in. And every single time I got in there, I realized, oh, I knew a lot more than I needed to know to do this job. That's a real thing. It's a real common

thing in this space. So, do things the hard way or now they work. Then, step three, then and only then learn the automation. Learn how to go spin up Kubernetes. Go learn how to do whatever CI/CD tool of the day. Um then go say, "Hey, ChatGPT, go spin up my lab. Hey, ChatGPT, go build this exploit for me. Hey, ChatGPT, like not until you understand how it works. Because you're going to build a guide better and you're going to you're going to be more productive and effective, right? Four, understand risk. We talked about that. Dollars, insurance, understand that's coming. If you don't understand it, like learn it. Um there's lots of free stuff out there

to to read about that. And then lastly, this is silly, but nothing like starting a startup told me that number five is the single most important valuable lesson I learned. Your network, that means this is a network of people that you can have, that you can know. Your network is your net worth, right? It's a silly little boomer phrase. But at the same time, I learned it the hard way. What I didn't realize when I was starting a company is that I had all these people because I was willing to help them, that they were willing to turn around and help me. And that that stuff is that's it's palpable, it's real. So, invest back in

your community. So, with that, thank you. >> YOU KNOW! >> I WOULD LOVE TO BE Sasha Grey sitting here. >> [applause] >> Hopefully something is memorable here.

[ feedback ]