a16z Podcast - Cybersecurity's Past, Present, and AI-Driven Future
Episode Date: June 26, 2024
Is it time to hand over cybersecurity to machines amidst the exponential rise in cyber threats and breaches?
We trace the evolution of cybersecurity from minimal measures in 1995 to today's overwhelmed... DevSecOps. Travis McPeak, CEO and Co-founder of Resourcely, kicks off our discussion by discussing the historical shifts in the industry. Kevin Tian, CEO and Founder of Doppel, highlights the rise of AI-driven threats and deepfake campaigns. Feross Aboukhadijeh, CEO and Founder of Socket, provides insights into sophisticated attacks like the XZ Utils incident. Andrej Safundzic, CEO and Founder of Lumos, discusses the future of autonomous security systems and their impact on startups.
Recorded at a16z's Campfire Sessions, these top security experts share the real challenges they face and emphasize the need for a new approach.
Resources:
Find Travis McPeak on Twitter: https://x.com/travismcpeak
Find Kevin Tian on Twitter: https://twitter.com/kevintian00
Find Feross Aboukhadijeh on Twitter: https://x.com/feross
Find Andrej Safundzic on Twitter: https://x.com/andrejsafundzic
Stay Updated:
Find a16z on Twitter: https://twitter.com/a16z
Find a16z on LinkedIn: https://www.linkedin.com/company/a16z
Subscribe on your favorite podcast app: https://a16z.simplecast.com/
Follow our host: https://twitter.com/stephsmithio
Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.
Transcript
It's time to hand over cybersecurity to computers.
Entropy is increasing.
They have more apps, more entitlements, and more actors.
Every single year, it's exponential growth in the number of public breaches,
the size of the breaches, the damage in the breaches.
Vendors still exploding.
How can they watch out for a bank run that's orchestrated by a deepfake campaign?
If this is indeed state-backed, this is probably not the only thing they did in that two-year period.
In 2022, $8.8 billion was
lost by consumers alone in the US.
How can we build compound businesses from day one?
How can you actually build a platform from day one
even though you have startup?
Who does security?
Nobody does security.
The cost to launch a disinformation campaign
that's AI generated is quickly approaching zero.
Now that the cybersecurity industry commands
a market of hundreds of billions of dollars,
it's easy to forget how this industry
once ceased to exist.
And in its few decades of rapid growth, things have changed a whole lot.
So in today's episode, we'll take you on a tour through the history of security,
which can't be disentangled from the history of the internet and culture.
This episode was actually recorded at a16z's Campfire Sessions event this April,
where our infrastructure team brought in some of the top security minds in the industry.
And just like any good campfire session,
today you'll hear four people talk candidly about what's really keeping them up at night,
from what really happened with the XZ Utils attack,
to new AI threat vectors that are already impacting companies,
to empowering overworked developers, and a lot more.
For those both inside and outside the security community,
I hope this episode is a helpful reminder
of just how much has changed throughout the years,
for both offenders and defenders of trustworthy computing.
So with that, we'll start with Travis McPeak,
co-founder and CEO of Resourcely,
who'll walk us through how we really got here.
Let's kick things off in 1995.
Okay, phase zero, the dark ages.
The year is 1995.
Billboard number one song, Gangsta's Paradise.
The box office number one was Batman Forever.
Nostalgia for the old people here.
Who does security?
Nobody does security.
It was a totally different world.
You have to realize that we didn't have much internet connectivity.
Patching wasn't really much of a thing.
Vendors was basically like antivirus
and the start of firewalls.
Milestones of this Dark Ages time,
we had the first DEF CON,
we had the first CSO,
Steven Katz at Citicorp.
So that year, they actually had a breach
where somebody stole money,
and they said,
this can never happen again
without us having someone to go chop their head off
when it happens.
So this is the first CISO.
We had the first Word macro virus.
The first bug bounty came from Netscape.
As we'll get to,
Netscape did a lot of cool things
that moved forward security,
and of course the Hackers movie.
It was Web 1.0. It wasn't an app that you went and dealt with. It was a site that
you came to. So this is Apple's site from 97. Hackers are like these dingy people. It's not like
an actual job. One of the things that really moved from this to the next phase was web browsers
went from like that Apple thing that I just showed you to a place that you go do business.
Netscape made a lot of those things possible. So they brought forward SSL. They had the first
bug bounty. They were putting forward a standard of how we're going to build out apps on the
and that standard was JavaScript.
At the same time, we had Java,
which was one of the first ways of building apps on the internet
from an old company called Sun, today known as Facebook.
Check Point was founded in 1993 from somebody that came directly out of IDF
and used all of the stuff that they learned
to productize the web application firewall.
Okay, phase two.
Security is an actual thing, but it's a function of IT.
So the year is 2001.
Billboard number one is Hanging by a Moment.
Box office number one is Harry Potter
and the Sorcerer's Stone.
Who does security?
IT does security.
So context here, this is the start of when we get big hacking.
So it's not just like a thing that happens once in a while.
Businesses have all either moved online or are rapidly moving online.
Vendors now is antivirus, firewalls, systems management.
Milestones here.
Microsoft engineers coined the term SQL injection in 98.
The first big internet worm that made it like bad for business was Code Red.
The first Patch Tuesday was in 2000.
And I don't know, for anybody that's old like me, we had this Y2K thing, which was actually
like a complete nothing burger.
But what was interesting about it is we cared enough about computers and what they
do that we thought it might be a thing.
So one of the changes here was Bugtraq and Full Disclosure.
So back in the day, we had a mailing list, Bugtraq.
People would send security vulnerability reports, and vendors would basically do nothing with it.
They'd just sit on it forever.
And so there was this big moment at the time, full disclosure, where it's like, okay, well, we're
just going to put the full, gory details of this thing and force action from vendors.
And then that led to regular patching cycles.
So Microsoft quickly copied that.
We also had the first web application security tools.
So this is Nikto, an old one from 2001.
It was kind of open source.
But this is the beginning of these tools being broadly available.
And then this is the beginning of what I call the tail wagging the dog when it comes to vendors and security.
So from some of the folks I talked to, we basically have these new attack paths.
And the buyers, in this case, IT, were very uneducated about how this works.
So it's like, you need to have your web port open.
It needs to be legit open.
And I can get in and compromise you through that.
IT didn't understand it very well.
So vendors had to do their part to come and educate the IT buyers that this was possible.
What this looked like was basically, I just completely compromised all your systems.
And they said, how did you do that?
And then you explain why this web application security is an actual thing
and why they need a vendor solution for it.
All right.
Phase two is the risk sign-off function.
So the year is 2004.
Billboard number one is Yeah! by Usher and Lil Jon.
Box office is Shrek 2.
This is what phones look like.
By the way, these phones will last longer than you will.
These things were like basically indestructible.
Who does security?
Now we have a security team that does it.
So this isn't just like a thing that like IT does with some of their time.
So this is when we start to get the beginning of traditional security activities.
We have Microsoft basically getting popped in the mouth and they need to do some stuff differently.
Tech companies start hiring people that are actually called security.
Vendors now is exploding.
So we have antivirus, firewall still, email security, web application firewall,
DAST and SAST.
Milestones here, we had the first use of the term cross-site scripting,
again by Microsoft engineers.
OWASP was founded in 2001.
The first use of the term shift left.
I actually thought it was much more recent, but this is a very old term.
And then SOX regulation was, I think, the first compliance standard
that actually mandated some security activities.
There was a growing community of folks that were really interested in web security and all of what's possible here.
And Mark Curphey started this group called OWASP to basically make this knowledge more socialized so that people knew about it.
One of the first projects in OWASP was the OWASP Top 10.
And that immediately became like, how can I get my vendor shit to be one of the top 10 things that people are buying?
So this is, you know, yet more tail wagging the dog.
It's like, oh, my thing should be, you know, in the top five for sure because it's going to help us sell a lot more of it.
Now, we have the beginning of the big internet worms.
So at the time, Windows basically didn't come with any firewall.
You started up, it would get immediately compromised by stuff.
The worms here were costing a lot of money.
So we had attacks like Mafiaboy's DDoS in 2000.
It took down like more than one million of the five million IIS servers
and cost an estimated $2.6 billion in damages.
And so for part of this, basically Microsoft had these big customers
that were saying like, hey, we're just getting killed because we're using Windows.
And then this led in part to Trustworthy Computing.
Basically, we need to see the light.
We can't just keep doing business as is.
Bill Gates saw a very early version of a book
that Microsoft folks were writing on these security practices.
And basically, that led him to say,
like, we need to completely change what we're doing.
We're losing trust with customers.
And then that was the beginning of what we consider
traditional security activities today.
We have threat modeling, STRIDE,
all of these things are being birthed around this time.
We also get more compliance.
So PCI DSS version one was written in 2004.
This mandated security activities.
Again, vendors are trying to get themselves into the standard
so that they can sell more product, right?
It's like, okay, well, if you're going to deal with payment card data,
then you need to do web scanning, for example.
Proofpoint was an example of one of the companies here.
This was founded in 2002.
Still around today, very successful by email security, right?
So as soon as you have email being used as widely as it is today,
and we also have email viruses,
it's okay, we're going to need something to filter out,
spam and viruses. So Proofpoint started that. And then also Imperva, a big web application
firewall that's also still around today. Okay, phase three is DevSecOps. So the year is 2013,
Billboard number one is Thrift Shop, box office number one is Iron Man. Who does security? It's everybody's
job. We've collectively decided that basically security doesn't scale. Like we've been this
sign-off function that you have to do with security before you ship your product for the year.
And now we're moving to cloud and we're doing continuous deployment.
And security is like, I don't know when I do these assessments anymore.
So what we do is we basically take every single developer and tell them,
guess what?
Good news, you're a security person now.
So we're also getting more and more mega breaches.
If you look at the numbers from this time, every single year, it's exponential growth in the number of public breaches,
the size of the breaches, the damage in the breaches.
Vendors still exploding.
So EDR, next-gen firewall, detection, all the posture management, dev training, bug bounty.
Milestones, the first use of the term DevSecOps was actually in 2013.
and we had the first CSPM,
which gave birth to this massive posture management industry
that we have today.
We start to see KnowBe4, right?
It's like we're going to train developers continuously.
Developers are going to learn about all of the types
of cross-site scripting and SQL injection
with one day, like once per year of training,
where they learn it and then they immediately forget it the next day.
We also have big bug bounties,
so crowdsourcing more and more vulnerabilities
in the hopes that the attackers aren't going to use these things
to cause massive breaches for us.
So much posture management.
So the first was cloud security posture management.
Evident was the first company here.
At Netflix, they had also created Security Monkey,
which is basically open source posture management.
And since then, it's just like posture management
just exploding all over the place.
We have AppSec posture management,
data security posture management, identity posture management,
SSPM, like whatever that bottom posture management is,
just so much posture management everywhere.
And what these things are really good at doing
is like going and finding problems
after they're already deployed, right?
And then you have to go do something about it
Because just knowing about risk, you can't just tell your boss like, hey, okay, well, here's all the risk that we have.
They're going to want you to reduce it somehow. And so what we moved to, since this is now
developers owning security, is we rip a bunch of Jira tickets for them and we call it a day.
So we also are getting at this time job shortage. The first time the job shortage news articles was in 2015, early 2016.
We're short a million jobs already in 2016. This is just piling up more and more. We don't have
enough security people to actually do the work that we need them to do. So where does this leave us?
I think that we're entering a new phase, phase four of security,
we're basically telling developers,
it's your job you fix security all the time.
Didn't particularly scale well,
and I think that that's becoming very evident today.
So year's 2020, Blinding Lights is number one.
Box office is Bad Boys for Life.
Who does security?
I think systems do security.
What we're doing doesn't scale.
We have developer fatigue.
I hear people tell me all the time, like,
oh, we take the posture management,
and then we just filter out everything that's not high or critical,
and then we ship those Jira tickets to developers.
Training relentlessly, obviously,
it doesn't matter how many times we've trained developers
on all the SQL injection types.
They still don't remember it, and really they shouldn't have to.
So milestones, one of the projects that really informed
how I see this is Lemur, that Netflix released in 2015.
Google launched the Identity-Aware Proxy in 2017.
Chrome added a password manager by default back in 2018,
and Clint Gibler, one of my friends
and somebody that has done a lot of work in the space,
did his talk in 2021
called How to Eradicate Vulnerability Classes.
So, Lemur, when I got to Netflix, it was in 2017,
and I remember just being blown away at how easy it was
for our developers to just get things like certificates
without having to select a cipher suite
and pick crypto parameters and rotate it
and store your private key securely.
It just made it like dead simple,
and the benefit of this is that developers never have to learn about crypto anything.
They just get it for free.
Google has done just probably more work than anybody here.
So we're going to upscale people to HTTP
automatically, Chrome updates itself, which became standard for many other pieces of software.
We have these basically like impossible to mess up Golang libraries to handle a lot of security
things. And actually, my mom sent me this article recently. Mom's so funny. She knows that I work
in security and sends me like everything that has security in it out of Wall Street Journal.
And usually it's like something that either happened three months ago or it's got nothing to do
with me. But this one was written by Larry Ellison and it's not very old. His point is it's time to
hand over cybersecurity to computers, basically just relentlessly hounding the users and trying to get
the users to be smarter, like it doesn't work anymore. What we want to get is developers back to
just writing app code, like working on the business, not having to be like security people all the
time. So today, if you think about it, devs have to burn down this never-ending pile of Jira tickets.
This causes annoyance with the security team. If you had a friend that only showed up when they
wanted you to do something, you're probably going to start avoiding that friend, and we're getting a ton
of that. What if instead, if they just used systems, they made good security choices on their
behalf and forget about all of this like training relentlessly all the time. So conclusions,
I was part of this move from like waterfall to continuous and then saw this, we just heap stuff
onto our developer's plate and then saw developers learn to resent and avoid security more and
more. I think what we should do instead is help them out. Like they're very, very busy people.
We should build a system that makes it fast and easy for them to go do something they want to do
and then has security victim as a side effect.
So it's like when you want your dog to take vitamins,
you don't just put vitamins in your hand and offer them to the dog.
You put the vitamins in the peanut butter,
and the dog wants the peanut butter,
and the dog gets the vitamins too.
I think this is what we should be doing for our developer users.
Speaking of needing to make things easier for our developers,
let's get a sense of what these hacks can really look like in 2024.
Now, usually in this talk I like to talk about SolarWinds,
but we actually have a better example that was gifted to us,
the XZ Utils attack. So everybody here has heard about this by now, but this was some group,
likely, I think, backed by a state that infiltrated an open source data compression project
called XZ Utils. That was Feross Aboukhadijeh, founder and CEO of Socket. So XZ Utils has taken the
security industry by storm, since it introduced a backdoor via OpenSSH, which is a critical
piece of infrastructure used by millions of servers around the world. Let's hear from Feross regarding
what really happened there, to get a sense of the kind of security offenders we're now dealing
with in 2024. That can involve multiple years, multiple contributors, social engineering, the potential
for state actors, and more. The way that they did this was just so interesting. And it's something
that, I mean, look, I'm sad that it happened, but I'm also like, I've been telling you guys
about this for so long. I'm sort of like kind of satisfied in a way that, finally, there's
an example that's really caught the imaginations of folks. So what happened here was we had a group
Like I said, probably state-backed, winning over the contributor of the project over several years of work.
So that's like a scale of time invested in this that we haven't seen in other attempts like this.
And then they introduced a sophisticated, though not flawless, backdoor that was aimed at compromising SSH servers.
So it's a pretty multi-layered vulnerability.
There were multiple personas involved from identities that hadn't been seen anywhere on the internet before.
So that kind of is another indication that probably this was someone relatively sophisticated.
This wasn't just someone doing it for the lulz.
And so probably suggesting kind of state-backed actors here.
And then just the way, the timeline and the kind of some of the stuff that they did
also seems to indicate that it might be like the same people behind SolarWinds, probably.
But again, this is all just kind of speculation.
I want to kind of go into a little bit of so you can kind of see just the character of what this attack kind of looks like.
So this is kind of individual who ended up committing and releasing the malicious code.
And this is his first email patch to the mailing list where,
they do the development for this project XZ Utils.
And it's interesting, this is just kind of a totally pointless patch, right?
This is like the kind of thing that as a maintainer you get all the time.
Someone just drive by dropping in an editor config file, which basically does nothing, right?
It's a no-op in terms of the functionality of the project.
And oftentimes you'll see these from people who just want to get to be able to say that they're a contributor to a project.
It doesn't require any understanding of the project.
It's just noise, but you can see their first attempt to kind of get involved in the project.
Then they sent another patch a month later, fixing some kind of build problem, and they also sent a couple more patches after this one, all totally ignored by the maintainer, who at this point has been maintaining this project for about 15, maybe 20 years.
This is a long time project, and the guy running it is just, at this point, it's in maintenance mode.
It's basically, he's sort of burned out, he's sort of kind of half maintaining it, checking the mailing list once in a while, but really not actively working on this anymore.
So it's something that a lot of the maintainers go through.
And so then, finally, the maintainer, this is like, I think, three more months after the last email,
we see that the maintainer just randomly comes by and merges a couple line change to the project
that is the first code from this Jia Tan individual that's actually included in the project.
And what I think is interesting about this is all of his other patches were ignored.
The patch that was merged is this, like, trivial two-line patch that you can just look at
and kind of, as an overloaded maintainer, you can look at this and sort of figure out what it's doing,
and, oh, it fixes a bug, cool.
Let me just merge it and move on.
The bigger multi-hundred line patches were ignored, right?
Typical, also typical behavior
for an overloaded maintainer, right?
Then a couple months go by,
and now we see a new character enter the picture.
This guy, Jigar Kumar, sends kind of a few emails
complaining that some of Jia Tan's patches weren't landing.
This is often used to pressure maintainers
to include code in projects.
Patches spend years on this mailing list.
There's no reason to think anything is coming soon.
So aggressive, right?
At this point, remember, he's already landed a few of the patches,
but the pressure is building here.
And then this is insert project name still maintained.
That is the bane of a maintainer's existence.
It's the meanest kind of issue you can open up on a project, in my opinion.
This has happened to me many times.
I have a couple screenshots here.
Is this still being developed?
And like on a perfectly active project,
because their PR wasn't looked at for a little while, right?
Here's another one on one of my projects.
Is this project dead?
It's not nice.
Don't do this, people.
And I think one of the interesting things about this whole situation is that this is another one of the things I've seen change in the way that open source is done is
Traditionally you think of a project like Linux or WordPress or these big foundation-backed projects they have the structure up here at the top where you have one project, one entity with many many maintainers that are participating in the project.
A lot of times they're paid by their employer to even work on the project and to submit patches as part of their day job, right?
But what we see a lot more of as we've shifted into this world of many, many, many dependencies, a lot of tiny dependencies is,
more of a structure like this, where you have an individual with hundreds, potentially,
hundreds of projects that they take care of. And that was the case here with Lasse Collin. He had
multiple projects that he was managing as an individual maintainer. Okay, so let's continue on.
So this is three months has gone by. He replies, he apologizes for the slowness, and he also
adds in a bit about how Jia Tan has helped him off list with XZ Utils. So probably they have
some kind of chat conversation going off list now, and they're collaborating more closely,
building up the trust. And he says he might have a bigger role in the future, at least with
XZ Utils. It's clear that my resources are too limited and something has to change in the long term.
So the kind of idea has now been planted in his mind that he probably should give access to
somebody else to help maintain the project. And again, this all sounds nefarious because I'm doing it
in a talk and I have slides up here, but this is also open source working correctly. This is
thinking about, oh, hey, maybe I'm not the best maintainer. Maybe I should hand this off to somebody.
That's pretty normal as well. At this point, nothing actually nefarious has happened, by the way.
There's no bad code that's been included.
This is just laying the foundation.
Okay, so a couple weeks go by.
So now we have this character, Jigar Kumar, who enters,
and this person's much more aggressive and really starts to apply more pressure.
So they go, over one month and no closer to being merged, not a surprise.
So, like, dropping into threads to just sort of neg the maintainer and kind of make him feel like he's not doing a good job.
Progress will not happen until there is a new maintainer.
And then the maintainer finally replies and pushes back and says,
hey, I haven't completely lost my interest here, but I've been having some mental health issues,
and I have a lot of things going on in my life.
But again, maybe Jia Tan will have a bigger role in the project.
And so a few months after that,
Lasse Collin merges the first commit with Jia Tan as the author.
You can see here, and they actually are listed as an author.
This is a pretty innocuous change.
And then, again, the pressure continues from Jigar and Dennis,
who's this other persona that are both there
really just support the idea that Jia should be made a maintainer.
And you can see here, you ignore the patches
that are rotting away on this mailing list.
Right now, you choke your repo.
Why wait until 5.4.0 to change maintainer?
Why delay what your repo needs?
So applying the pressure.
And then again, the last one here is great.
Like, why can't you commit this yourself, Jia?
I see you have recent commits.
So just kind of pushing more and more.
And then finally, Lasse says, again, Jia Tan has been really helpful off list.
He's practically a co-maintainer already.
And then finally, this is the first email about two years after the very first interaction
with the mailing list, where Jia Tan is actually now doing the release notes for the
project, he's been made a maintainer, and this is the first release going out.
So two-year kind of effort here, if this is indeed state-backed, this is probably not the only
thing they did in that two-year period, right?
They probably have other things going at the same time, right?
So we shouldn't overreact and assume that Linux is like totally backdoored or anything
like that, but also like probably this isn't the only thing that these folks were working on,
right?
So the truth is like somewhere in the middle here.
Sophisticated software supply chain attacks are not the only ones on our hands in
2024. In fact, the XZ Utils attack was performed really without AI. So let's hear from Kevin Tian,
founder and CEO of Doppel, around the ways that AI is introducing new threat vectors and already
impacting real-world businesses. In 2022, $8.8 billion was lost by consumers alone in the U.S.
We've had 39 billion credentials stolen by bad actors that same year. And the cost to launch
a disinformation campaign that's AI generated is quickly approaching zero. So if you've seen a lot of
the startups that are currently pitching about how we can make it easy to generate AI videos or
how we can make it easy to generate AI voices, right? That same sort of stuff is going to the bad
guys as well. And so how are we seeing this manifest today with real world people and real world
businesses? So one common scheme that has grown super quickly just in these past couple months has
been the emergence of a lot of deepfake videos,
specifically deepfake videos of individual personas.
It could be Taylor Swift, could be Travis Kelce,
could also be your CEO and could be
your financial institution's chief technology officer.
And so what we've quickly been seeing here, right,
in terms of the landscape is more and more deepfake videos
being produced in the exact same way,
models being trained in a very similar way,
the voice being generated in very similar way,
and the intention of the tech being operated in a very similar way all across different platforms,
whether it's YouTube, TikTok, any sort of video platform out there, we're already seeing
deepfakes emerge and this impacts a whole bunch of different sort of individuals, whether it's
business, whether it's celebrities or even political campaigns. Of course, big federal election
this year, it's top of mind for everyone. The good news, bad news is that it's already happening
and we're seeing it happen across a lot of different platforms.
So I think the biggest thing here, though, is like this is not necessarily an entirely novel attack surface, right, or entirely new threat, right?
Like, we've always had social media, we've always had video platforms, and we've had bad guys try to create fake content to achieve certain means.
I think the main lesson here in terms of what we're seeing is that it's just become a lot easier to do.
And so just there's entire markets around phishing kits, and there's entire markets around,
Cybercrime in general, we're going to start seeing, and we're already seeing, that same sort of stuff come around with deepfake technology, impersonation technology, and just how do you personalize attacks more and more for your target victim?
I think the biggest thing, too, is that we're seeing this not only to run scams, but ultimately this stuff is impacting businesses at large.
I was actually just on a talk this morning chatting with some big banks out there, and one of the biggest concerns for them is how can they watch out for a bank run
that's orchestrated by a deepfake campaign, right?
Or we've even seen this affect companies outside the financial sector,
where a pharmaceutical company had an impersonator talk about how Viagra's going to be free now
and saw that impact the stock price very, very quickly.
It's, again, stuff that has happened before,
but what we're seeing in 2024 and what we're expecting in 2025 and beyond is that this just gets
easier and easier to do, and it gets to the point where it makes it really hard to tell what's real
or not online.
And it's not just deepfakes.
Here's a completely different approach.
This one is a SEO poisoning case.
So specifically something that we've seen out there a lot for airline industry,
finance industry, any industry that has customer support, phone numbers, things like that, right?
We've got the traditional SEO poisoning attack where people find a way to get content upranked
for any given company.
And what's interesting is basically how well can people do this in 2024?
What we're seeing a lot of things happening today is that they're putting it on these third-party sites that do have great domain ranks.
Things like Microsoft could be LinkedIn.
We've seen a lot with Hub as well, of course, and Webflow, other platforms like that.
And so they're taking advantage of the fact that these are legitimate third-party sites with great domain health,
stuff that Google will quickly uprank or any other search engine will quickly uprank,
and they're generating content and conversations on forums.
For example, how do I speak to a live agent at United?
How do I speak to a live agent at Uber, right?
And what we see happen here is they're able to generate a bunch of the spam content
across these different third-party forums,
get them all upranked, get them all to dominate that first page of search results.
And again, it's just a classic case of, well, they would have to script this, right,
and generate the content. Now
they can make it more dynamic with AI and generative AI specifically.
Of course, it's not all doom and gloom.
With every opening on offense, there's equal opportunity for defense.
Here is Andrej Safundzic, founder and CEO of Lumos,
taking us back to where we started in this episode,
through a historical arc that brings us to a digital era of autonomy.
So what do we do now that we're in this new era?
And if you happen to be a company hiring security professionals,
should you be thinking about things any differently?
I just want to take you a little bit on a historical journey, all right?
So the funny thing is, if you look 60 years back, we are all ideas.
So there's two types of factories.
There's a product factory, and there's an idea factory.
So what the product factory is is usually where the cars are born, right?
Or where windows are made.
And where the idea factory is, is where we create and design
those cars, right? And especially the Idea Factory changed in the recent years and changed like
two years ago again. So the Idea Factory looks something like the office or more like, you know,
in the 60s. In the 60s, 50s, there were no computers. It was really interesting. And we mostly used
typewriters and pen and paper. So then the computers came about and we digitized the office. That was
kind of the first step. IBM, SAP, Oracle, Microsoft, all those big companies came about
and digitized it. So that was step one. Step two is we cloudified, I guess, the office. I was like
with Salesforce. They kicked it off and Workday and Atlassian. Those were the first cloud
companies. So suddenly we're in the cloud. It's also where AWS was born. I think 2004, 2005. That's
when we cloudified it. Then something interesting happened is we made it
collaborative, right? Workday is not really collaborative, neither is Salesforce, but then suddenly
Zoom, Slack, Figma, Airtable, all those kind of great companies came about in the 2010s, and
suddenly it became very collaborative. So that was kind of, I would say, the third change that
happened in software, which is pretty cool. Now, what changed in the last two years is we moved
from just like digitizing in it to cloud, to collaboration, to autonomy.
Right?
So we're creating more and more autonomous software.
And it started honestly for the first time with something like a Grammarly,
where they are more like kind of co-pilots that help you kind of do a job better.
Even like GitHub, this is GitHub Copilot there in the middle.
They're not fully autonomous, but they help you do your job better.
The big trend that we're seeing right now is especially OpenAI is bringing out at the end of the year
reason models that can reason and they can literally talk with themselves and do certain things,
are really spooky, and we've seen this as well, like Devin, that's like a new kind of type of
software engineer, an AI software engineer, that just like basically codes themselves. So we're
moving from GitHub Copilot or Grammarly to actually systems and services that build things themselves.
So that is actually a whole new paradigm that's changing, and we're like, okay, shoot, how do we
equip ourselves for that?
So to summarize, actually there are kind of three waves.
I just call them two.
The first wave is the digitization.
The second one is a collaboration.
The third one is the autonomy.
And now we're at the third one.
So the interesting thing is that I'm thinking about on a daily basis is apps and access.
Because if you think about everything that you're using, those are apps.
We're on Zoom, then on Slack.
Then we go and SSH into a server, which is also an app more or less,
and we use GitHub, so everything is apps.
Apps are literally our lifeblood. Without apps,
we can't do things.
The question is like, you know, I think that we as security professionals
need to ask ourselves more and more is how are we going to manage all those apps
with more and more service accounts coming up, right?
And with like software doing the job themselves.
So how do we deal with that?
So I love the Metro framework.
I really love it.
If you think about identities,
there are certain identities on different tracks.
So marketing has their identities, right?
Marketing ops, demand gen, content, customer success has their tracks.
And each station is more or less an application or like an entitlement, right?
And some of those overlap, right?
So, for example, customer success and sales overlap maybe in Salesforce.
Then design and marketing overlap in Figma.
And then especially engineering, there are probably like multiple engineering departments if we zoom in.
And they overlap when it comes to especially on an entitlement level, different permissions that they have access to.
So the only interesting thing is people, which are more of those wagons, they jump from one station to another.
And each station, again, is an app or entitlement.
And why I think that this is interesting is right now how we think about the world is a world of RBAC.
Quick interruption here for the uninitiated: RBAC means role-based access control. So instead of assigning permissions individually, you're granting them based on a role.
RBAC is not moving stations. RBAC basically means you are a marketing person and you have access to everything on this marketing tier, even though probably a lot of that stuff you never use. And sales or engineering is especially spooky.
Engineering, you in DevOps, you have access to all customer data because an incident might happen and you need access to it.
Now, on top of that, we have all those service accounts coming up and soon autonomous actors, agents coming up,
that will also, if we still use RBAC, get access to all of those things, even though they don't need it.
So the concept is I'm a metro station and I need each permission and entitlement just for a short amount of time.
And I think, especially as complexity rises, so we are going from like 100 actors to 1,000 to 10,000.
And also the apps become more complicated.
So instead of having just one or two or three metro stations, I will have thousands of metro stations.
Because I can have access to, you know, 10 EC2 instances.
And just like the granularity and the cloud and with Snowflake is going to become more and more and more granular.
The question is like, how are we going to manage that?
What's the new paradigm to manage that?
So what I believe, how we need to rethink things is security was often seen as analysts, right?
Actually, security started as hackers.
Security people were those people that hacked the networks, and they were the people that were deep in Linux with the sysadmins.
And actually, most security people were sysadmins before because there was no security 30 years ago.
And there were true hackers.
And then suddenly all those kind of great solutions came about, and they said, here's an alert.
There's an alert. Here's an alert. And we're going to alert you about all those things,
and you can remediate it very easily. And so I feel like more and more security became an
operating department. Similar thing happened to IT. IT used to be the hackers, and slowly but suddenly
they became ticket resolvers. Security became a little bit of alert resolvers. IT became ticket resolvers.
And I think the new paradigm that we need to think about as we're thinking about
entitlements and access as a metro station, security and IT needs to see themselves
as the architects of that metro station, more or less.
And, you know, what DevOps and infrastructure is to full-stack teams.
So I think the same thing we need to think about IT and security.
IT and security need to become, so to say, infrastructure teams to each department.
Right?
And this kind of moves us back to security actually hiring for engineering
rather than analysts, especially also, you know,
as AI will probably automate most of the analyst work.
So that's, I think, a very important insight, is when it comes to career development, as it comes to what type of profile you need to hire, especially engineers and analysts, and building on top of solutions that you're buying is very important.
So basically, the premise in this first act is software is becoming autonomous.
It enables us to create more and more.
Because of that, entropy is increasing.
There are more apps, more entitlements, and more actors.
And so what needs to change is security needs to handle this infrastructure with some type of technology operations or without some kind of technology infrastructure.
So I think that is kind of one important change that we need to see as this whole market is changing.
Now, here's the second thing.
It's about startups, by the way.
This is like an appeal to all my entrepreneurs.
I believe that we need to build compound businesses from day one.
So what does that mean?
So security CISOs probably have this problem that they need to use 50 different tools.
And actually in the last two years, especially as the economy has gone a little bit down,
CISOs ask themselves a lot of in terms of like, how can I consolidate?
And it kind of sucks for startups at the beginning, I would say.
They're saying like, okay, we're starting solving this unique pain point.
But then CISOs are like, yeah, but you know, I have 80 vendors to manage.
And so the question is that I ask myself a ton
is how can we build compound businesses from day one?
So how can you actually build a platform from day one
even though you're a startup?
And actually counter if people say,
I need to consolidate, that your startup actually can consolidate.
So it's 2023.
The top three priorities for CXOs
was vendor consolidation, optimizing SaaS licensing,
because, of course, you don't want to let people go.
You rather want to kind of first decrease your software spend.
So what does it mean for entrepreneurs?
The question for entrepreneurs is like, how can I build a compound business from day one?
We've seen this actually done well across many companies.
I think Datadog is an awesome company that did this super well more on the DevOps side.
For the longest time, right, they had one product and then actually they switched and became
this kind of layered product for anything observability.
Whether it's security observability, infrastructure observability, application observability,
they were able to build a compound product.
And Figma rethought this whole kind of process of before there was Sketch, there was Zeplin.
And what basically Figma said is like, what is the underlying concept that's the same across all of those?
And how can I build a solution that covers that all?
And I think, by the way, the whole kind of thing that we've seen in here is like we had first the bundling era.
By the way, with Microsoft, Oracle and SAP, people didn't have a lot of applications.
They said like Oracle is doing it all.
That was that at the beginning.
And then slowly with like cloud, especially AWS and Azure made that happen,
cloud became so approachable by everyone that suddenly, you know,
we had all those collaboration tools come up.
I do think we're changing back to an industry of re-bundling,
especially as we have this autonomous wave coming up.
I do believe, I mean, like Wiz is actually a great example of that,
is they started with that kind of a point solution,
but spread out very aggressively and built a compound product very quickly.
So how are you going to manage that complexity?
And then the question is like, how much did I protect my insider threat in some way?
Why?
Because go back to the metro station.
If the developer has access to everything, suddenly this intruder can just like hop from one station to another and do harm.
So how can we make sure that it's kind of just in time?
Only when you are at the station, you actually can have access to it.
Now, that gets kind of hard with like millions of permissions.
So what I believe is going to happen, and this is something that we are really working on right now, with models that come out at reason.
Basically, I think models will be able to reason better than our security analysts in terms of what a certain role should have access to.
So basically, an agent on your identity and access management system will look into, okay, we had 20 new tickets where these engineers needed access to this type of database that live in North America.
They will automatically update your roles
and downgrade your roles.
Or at least at the beginning be a co-pilot for you
and suggest, hey, this role should be updated in this way.
Or those two roles should be merged in that way.
So this is just like a case study where agents will have
a huge impact.
The biggest story I think about security
is that there's enormous complexity and risk.
You can never reduce risks to zero.
The cool thing is if you move more to an engineer
mindset, where you actually fine-tune your agents and models on top of your infrastructure,
you will be able to solve certain problems that you were never able to solve before.
The RAG will look into, okay, is this privileged access?
So basically the AI will be able, think about you have a million permissions.
How are you going to tag whether this permission is actually sensitive or not?
It doesn't always say read only.
It doesn't always say admin access.
So the AI will be able to understand or can understand if that permission is sensitive or not.
Right?
So you can reason, okay, this person has privileged access or not.
And then this person can also reason on role anomalies.
Oh man, you know, you are in sales and you have access to this write access in AWS
and no one else on your team has that access.
So basically, you know, a RAG will ask themselves is how privileged is this permission, right?
What is your usage in that permission?
And is anyone else that has similar HRIS characteristics?
Do they have that access?
And you can already do this now pretty easily, right?
This is like kind of more, it's not reasoning themselves,
but you kind of guide them to go through those steps.
That's what chain of thought means.
And the last thing I want to say is, like,
the cool thing about access is it can be preventative.
So here's one thing that we're already doing.
If you create a ticket in Jira,
or if you create a Slack message and say,
like, hey, can I get this access, please, in a public channel?
Our AI can detect that you ask for access.
And usually the worst thing that can happen is back channel access.
What that means is someone gives you access without following processes.
Now, you can alert yourself that this happened.
Oh, this person got access without approval,
but the better way is to prevent that from happening in the first place.
I think the main takeaway is there will be less and less analysts
because agents will take over and you need to upskill them to become more engineers
or even prompt engineers.
That's kind of one big thing.
The second big thing is, think about now,
like the world is changing so quickly what you can do
and what you can demand from vendors
or what you as an entrepreneur can implement
when a system can reason by itself.
That's the second thing.
And the third thing is, I believe,
because I'm passionate about the industry,
is that the scope of identity will increase
over the next couple of years, more and more.
All right, that is all for now.
Obviously, security is always a moving target, a cat and mouse chase through progressively
more complex terrain with more complex tools on both sides. Now, if you do have any suggestions
for future topics to cover, feel free to reach out to us at podpitches@a16z.com. And if you did like
these exclusive excerpts from our a16z Campfire Sessions event, make sure to leave us a review
at ratethispodcast.com/a16z. We'll see you next time.
Thank you.