The a16z Show - Cybersecurity's Past, Present, and AI-Driven Future
Episode Date: June 26, 2024

Is it time to hand over cybersecurity to machines amidst the exponential rise in cyber threats and breaches?

We trace the evolution of cybersecurity from minimal measures in 1995 to today's overwhelmed... DevSecOps. Travis McPeak, CEO and Co-founder of Resourcely, kicks off our discussion by discussing the historical shifts in the industry. Kevin Tian, CEO and Founder of Doppel, highlights the rise of AI-driven threats and deepfake campaigns. Feross Aboukhadijeh, CEO and Founder of Socket, provides insights into sophisticated attacks like the XZ Utils incident. Andrej Safundzic, CEO and Founder of Lumos, discusses the future of autonomous security systems and their impact on startups.

Recorded at a16z's Campfire Sessions, these top security experts share the real challenges they face and emphasize the need for a new approach.

Resources:
Find Travis McPeak on Twitter: https://x.com/travismcpeak
Find Kevin Tian on Twitter: https://twitter.com/kevintian00
Find Feross Aboukhadijeh on Twitter: https://x.com/feross
Find Andrej Safundzic on Twitter: https://x.com/andrejsafundzic

Stay Updated:
Find a16z on Twitter: https://twitter.com/a16z
Find a16z on LinkedIn: https://www.linkedin.com/company/a16z
Subscribe on your favorite podcast app: https://a16z.simplecast.com/
Follow our host: https://twitter.com/stephsmithio

Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.
Transcript
It's time to hand over cybersecurity to computers.
Entropy is increasing.
They have more apps, more entitlements, and more actors.
Every single year, it's exponential growth in the number of public breaches,
the size of the breaches, the damage in the breaches.
Vendors still exploding.
How can they watch out for a bank run that's orchestrated by a deepfake campaign?
If this is indeed state-backed, this is probably not the only thing they did in that two-year period.
In 2022, $8.8 billion was lost by,
consumers alone in the U.S.
How can we build compound businesses from day one?
How can you actually build a platform from day one even though you have startup?
Who does security?
Nobody does security.
The cost to launch a disinformation campaign that's AI generated is quickly approaching zero.
Now that the cybersecurity industry commands a market of hundreds of billions of dollars,
it's easy to forget how this industry once ceased to exist.
And in its few decades of rapid growth, things have changed a whole lot.
So in today's episode, we'll take you on a tour through the history of security,
which can't be disentangled from the history of the internet and culture.
This episode was actually recorded at A16Z's Campfire Sessions event this April,
where our infrastructure team brought in some of the top security minds in the industry.
And just like any good campfire session,
today you'll hear four people talk candidly about what's really keeping them up at night,
from what really happened with the XZ Utils attack,
to new AI threat vectors that are already impacting companies,
to empowering overworked developers, and a lot more.
For those both inside and outside the security community,
I hope this episode is a helpful reminder
of just how much has changed throughout the years,
for both offenders and defenders of trustworthy computing.
So with that, we'll start with Travis McPeak,
co-founder and CEO of Resourcely,
who will walk us through how we really got here.
Let's kick things off in 1995.
As a reminder, the content here is for informational purposes only.
Should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security,
and is not directed at any investors or potential investors in any A16Z fund.
Please note that A16Z and its affiliates may also maintain investments in the companies discussed in this podcast.
For more details, including a link to our investments, please see a16z.com/disclosures.
Okay, phase zero, the Dark Ages.
The year's 1995.
Billboard number one song, Gangsta's Paradise,
the box office number one was Batman Forever.
Nostalgia for the old people here.
Who does security?
Nobody does security.
It was a totally different world.
You have to realize that we didn't have much internet connectivity.
Patching wasn't really much of a thing.
Vendors was basically like antivirus and the start of firewalls.
Milestones of this Dark Ages time,
we had the first DefCon,
We had the first CSO, Stephen Katz at Citicorp.
So that year, they actually had a breach where somebody stole money,
and they said, this can never happen again without us having someone to go chop their head off when it happens.
So this is the first CISO.
We had the first Word macro virus.
The first bug bounty came from Netscape.
As we'll get to, Netscape did a lot of cool things that moved forward security.
And, of course, the Hackers movie.
It was Web 1.0.
It wasn't an app that you went and dealt with.
It was a site that you came to.
So this is Apple's site from 97.
Hackers are like these dingy people.
It's not like an actual job.
One of the things that really moved from this to the next phase
was web browsers went from like that Apple thing
that I just showed you to a place that you go do business.
Netscape made a lot of those things possible.
So they brought forward SSL.
They had the first bug bounty.
They were putting forward a standard
of how we're going to build apps on the internet.
And that standard was JavaScript.
At the same time, we had Java,
which was one of the first ways of building apps on the internet
from an old company called Sun, today known as Facebook.
Check Point was founded in 1993
from somebody that came directly out of IDF
and used all of the stuff that they learned
to productize the web application firewall.
Okay, phase two.
Security is an actual thing, but it's a function of IT.
So the year's 2001.
Billboard number one is Hanging by a Moment.
Box office number one is Harry Potter and the Sorcerer's Stone.
Who does security?
IT does security.
So context here, this is the start of when we get big hacking.
So it's not just like a thing that happens once in a while.
Businesses have all either moved online or are rapidly moving online.
Vendors now is antivirus, firewalls, systems management.
Milestones here, Microsoft engineers coined the term SQL injection in 98.
The first big internet worm that made it like bad for business was Code Red.
The first patch Tuesday was in 2003.
And I don't know, for anybody that's old like me,
we had this Y2K thing, which was actually like complete nothing burger.
But what was interesting about it is we cared enough about computers and what they do that we thought it might be a thing.
So one of the changes here was Bugtraq and full disclosure.
So back in the day, we had a mailing list, Bugtraq.
People would send security vulnerability reports.
And vendors would basically do nothing with it.
They just sit on it forever.
And so there was this big moment at the time, full disclosure, where it's like, okay, well, we're just going to put like the full gory details of this thing and force action from vendors.
And then that led to regular patching cycles.
So Microsoft quickly copied that.
We also had the first web application security tools.
So this is Nikto, an old one from 2001.
It was kind of open source.
But this is the beginning of these tools being broadly available.
And then this is the beginning of what I call the tail wagging the dog
when it comes to vendors in security.
So from some of the folks I talked to, we basically have these new attack paths.
And the buyers, in this case, IT, were very uneducated about how this works.
So it's like, you need to have your work web port open. It needs to be legit open. And I can get in and compromise you through that.
IT didn't understand it very well. So vendors had to do their part to come and educate the
IT buyers that this was possible. What this looked like was basically, I just completely compromised
all your systems. And they said, how did you do that? And then you explain why this web application
security is an actual thing and why they need vendor solution for it. All right. Phase two is
the risk sign-off function. So the year is 2004. Billboard number one is Yeah! by Usher and Lil Jon.
Box office is Shrek 2. This is what phones look like. By the way, these phones will last
longer than you will. These things were like basically indestructible. Who does security? Now we have a
security team that does it. So this isn't just like a thing that like IT does with some of their time.
So this is when we start to get the beginning of traditional security activities. We have Microsoft
basically getting popped in the mouth and they need to do some stuff differently.
Tech companies start hiring people that are actually called security. Vendors now is exploding.
So we have antivirus, firewall still, email security, web application firewall,
DAST, and SAST.
Milestones here, we had the first use of the term cross-site scripting, again by Microsoft
engineers. OWASP was founded in 2001.
The first use of the term shift left.
I actually thought it was much more recent, but this is a very old term.
And then SOX regulation was, I think, the first compliance standard that actually mandated
some security activities.
There was a growing community of folks that were really interested in web security and all
of what's possible here.
And Mark Curphey started
this group called OWASP to basically make this knowledge more socialized so that people knew about it.
One of the first projects in OWASP was the OWASP Top 10. And that immediately became like,
how can I get my vendor shit to be one of the top 10 things that people are buying? So this is,
you know, yet more tail wagging the dog. It's like, oh, my thing should be, you know, in the top
five for sure because it's going to help us sell a lot more of it. Now we have the beginning of
the big internet worms. So at the time, Windows basically didn't come with any firewall.
You started up, it would get immediately compromised by stuff. The worms here
were costing a lot of money. So we had attacks like Mafiaboy's DDoS in 2000.
It took down like more than one million of the five million IIS servers and cost an estimated
$2.6 billion in damages. And so for part of this, basically Microsoft had these big
customers that were saying like, hey, we're just getting killed because we're using Windows.
And then this led, in part, to Trustworthy Computing. Basically, we need to see the light.
We can't just keep doing business as is. Bill Gates saw a very early version of a book that Microsoft
folks were writing on these security practices.
And basically, that led him to say, like, we need to completely change what we're doing.
We're losing trust with customers.
And then that was the beginning of what we consider traditional security activities today.
We have threat modeling, STRIDE, all of these things are being birthed around this time.
We also get more compliance.
So PCI DSS, version one, was written in 2004.
This mandated security activities.
Again, vendors are trying to get themselves into the standard so that they can sell more product, right?
Like, okay, well, if you're going to deal with payment card data, then you need to do web scanning, for example.
Proofpoint was an example of one of the companies here.
This was founded in 2002.
Still around today, very successful by email security, right?
So as soon as you have email being used as widely as it is today, and we also have email viruses,
it's, okay, we're going to need something to filter out spam and viruses.
So Proofpoint started that.
And then also Imperva, a big web application firewall.
It's also still around today.
Okay.
Phase three is DevSecOps.
The year is 2013.
Billboard number one is Thrift Shop,
box office number one is Iron Man.
Who does security?
It's everybody's job.
We've collectively decided that basically security doesn't scale.
Like we've been this sign-off function
that you have to do with security
before you ship your product for the year.
And now we're moving to Cloud,
and we're doing continuous deployment.
And security's like, I don't know when I do these assessments anymore.
So what we do is we basically take every single developer
and tell them, guess what?
Good news, you're a security person now.
So we're also getting more and more mega breaches.
If you look at the numbers from this time,
every single year, it's exponential growth
in the number of public breaches,
the size of the breaches, the damage in the breaches.
Vendors still exploding.
So EDR, next-gen firewall detection,
all the posture management, dev training, bug bounty.
Milestones, the first use of the term DevSecOps
was actually in 2013,
and we had the first CSPM,
which gave birth to this massive posture management
industry that we have today.
We start to see KnowBe4, right?
It's like we're gonna train developers,
continuously. Developers are going to learn about all of the types of cross-site scripting and SQL
injection with one day, like once per year of training, where they learn it and then they
immediately forget it the next day. We also have big bug bounties, so crowdsourcing more and more
vulnerabilities in the hopes that the attackers aren't going to use these things to cause massive
breaches for us. So much posture management. So the first was cloud security posture management.
Evident was the first company here. At Netflix, they'd also created Security Monkey,
which is basically open source posture management.
And since then, it's just like posture management's just exploding all over the place.
We have AppSec Posture Management, Data Security Posture Management, Identity Posture Management,
SSPM, like whatever that bottom posture management is, just so much posture management everywhere.
What these things are really good at doing is like going and finding problems after they're already deployed, right?
And then you have to go do something about it because just knowing about risk, you can't just tell your boss like,
hey, okay, well, here's all the risk that we have.
They're going to want you to reduce it somehow.
And so what we moved to, since this is now developers owning security, is we rip a bunch of Jira tickets for them and we call it a day.
So we also are getting at this time job shortage.
The first time the job shortage news articles was in 2015, early 2016.
We're short a million jobs already in 2016.
This is just piling up more and more.
We don't have enough security people to actually do the work that we need them to do.
So where does this leave us?
I think that we're entering a new phase, phase four of security.
We're basically telling developers, it's your job, you fix security, all the things.
the time. Didn't particularly scale well. I think that that's becoming very evident today.
So, year's 2020. Blinding Lights is number one. Box office is Bad Boys for Life. Who does security?
I think systems do security. What we're doing doesn't scale. We have developer fatigue.
I hear people tell me all the time, like, oh, we take the posture management and then we just
filter out everything that's not high or critical. And then we ship those Jira tickets to developers.
Training relentlessly, obviously, it doesn't matter how many times we've trained developers on
like all the SQL injection types, they still don't remember it, and really they shouldn't have to.
So milestones, one of the projects that really informed how I see this is Lemur, that Netflix
released in 2015. Google launched the Identity-Aware Proxy in 2017. Chrome added a password manager
by default back in 2018, and Clint Gibler, one of my friends and somebody that has done a lot of
work in the space, did his talk in 2021, called How to Eradicate Vulnerability Classes.
So, Lemur, when I got to Netflix, it was in 2017, and
I remember just being blown away at how easy it was for our developers to just get things like certificates
without having to select a cipher suite and pick crypto parameters and rotate it and store your private keys securely.
It just made it like dead simple.
And the benefit of this is that developers never have to learn about crypto anything.
They just get it for free.
Google has done just probably more work than anybody here.
So we're going to upscale people to HTTPS automatically.
Chrome updates itself, which became standard for many other pieces of software.
We have these basically like impossible to mess up Golang libraries
to handle a lot of security things.
And actually, my mom sent me this article recently.
Mom's so funny.
She knows that I work in security and sends me like everything that has security in it
out of Wall Street Journal.
And usually it's like something that either happened three months ago
or it's got nothing to do with me.
But this one was written by Larry Ellison and it's not very old.
His point is it's time to hand over cybersecurity to computers.
Basically, just relentlessly hounding the users
and like trying to get the users
to be smarter, like it doesn't work anymore.
What we want to get is developers back to just writing app code,
like working on the business,
not having to be like security people all the time.
So today, if you think about it,
devs have to burn down this never-ending pile of Jira tickets.
This causes annoyance with the security team.
If you had a friend that only showed up
when they wanted you to do something,
you're probably going to start avoiding that friend,
and we're getting a ton of that.
What if instead, if they just use systems,
they made good security choices on their behalf,
and forget about all of this, like,
training relentlessly all the time.
So conclusions, I was part of this move from like waterfall to continuous and then saw this,
we just heap stuff onto our developer's plate and then saw developers learn to resent and avoid security more and
more.
I think what we should do instead is help them out.
Like they're very, very busy people.
We should build a system that makes it fast and easy for them to go do something they want to do
and then has security victims a side effect.
So it's like when you want your dog to take vitamins, you don't just put vitamins in your
hand and offer them to the dog.
You put the vitamins in the peanut butter, and the dog wants the peanut butter, and the dog gets the vitamins too.
I think this is what we should be doing for our developer users.
Speaking of needing to make things easier for our developers, let's get a sense of what these hacks can really look like in 2024.
Now, usually in this talk, I like to talk about SolarWinds, but we actually have a better example that was gifted to us, the XZ Utils attack.
So everybody here has heard about this by now, but this was some group likely, I think, backed by a state that infiltrated an open source
data compression project called XZ Utils.
That was Feross Aboukhadijeh, founder and CEO of Socket.
So XZ Utils has taken the security industry by storm, since it introduced a backdoor via OpenSSH,
which is a critical piece of infrastructure used by millions of servers around the world.
Let's hear from Feross regarding what really happened there, to get a sense of the kind of security offenders we're now dealing with in 2024,
that can involve multiple years, multiple contributors, social engineering, the
potential for state actors, and more.
The way that they did this was just so interesting, and it's something that, I mean, look, I'm sad
that it happened, but I'm also like, I've been telling you guys about this for so long.
I'm sort of like kind of satisfied in a way that finally, there's an example that's really
caught the imaginations of folks. So what happened here was we had a group, like I said,
probably state backed, winning over the contributor of the project over several years of work.
So that's like a scale of time invested in this that we haven't seen in other
attempts like this, and then they introduced a sophisticated, though not flawless, backdoor
that was aimed at compromising SSH servers. So it's a pretty multi-layered vulnerability.
There were multiple personas involved from identities that hadn't been seen anywhere on the
internet before, so that kind of is another indication that probably this was someone
relatively sophisticated, this wasn't just someone doing it for the lulz, and so
probably suggesting kind of state-backed actors here. And then just the way, the timeline,
and the kind of some of the stuff that they did, also
seem to indicate that it might be like the same people behind SolarWinds, probably, but again this is all
just kind of speculation. I want to kind of go into a little bit of so you can kind of see just the
character of what what this attack kind of looks like so this is kind of individual who ended up committing
and releasing the malicious code and this is his first email patch to the mailing list where they
do the development for this project, XZ Utils. And it's interesting, this is just kind of a totally
pointless patch, right? This is like the kind of thing that as a maintainer you get all the time,
someone just drive by dropping in an editor config file, which is basically does nothing, right?
It's a no-op in terms of the functionality of the project.
And oftentimes you'll see these from people who just want to get to be able to say that they're a contributor to a project.
It doesn't require any understanding of the project.
It's just noise, but you can see their first attempt to kind of get involved in the project.
Then they sent another patch a month later fixing some kind of build problem.
And they also sent a couple more patches after this one, all totally ignored by the maintainer,
who at this point has been maintaining
this project for about 15, maybe 20 years. This is a long time project, and the guy running it
is just, at this point, it's in maintenance mode. It's basically, he's sort of burned out, he's sort of
kind of half maintaining it, checking the mailing list once in a while, but really not actively
working on this anymore. So it's something that a lot of maintainers go through. And so then,
finally, the maintainer, this is like, I think three more months after the last email, we see
that the maintainer just randomly comes by and merges a couple line change to the project.
that is the first code from this Jia Tan individual
that's actually included in the project.
And what I think is interesting about this
is all of his other patches were ignored.
The patch that was merged is this like trivial two-line patch
that you can just look at and kind of,
as an overloaded maintainer,
you can look at this and sort of figure out what it's doing
and oh, it fixes a bug, cool,
let me just merge it and move on.
The bigger multi-hundred line patches were ignored, right?
Typical, also typical behavior
for an overloaded maintainer, right?
Okay, then a couple months go by
and now we see a new character enter the page.
This guy, Jigar Kumar, sends kind of a few emails complaining that some of Jia Tan's patches
weren't landing.
This is often used to pressure maintainers to include code in projects.
Patches spend years on this mailing list.
There's no reason to think anything is coming soon.
So aggressive, right?
At this point, remember, he's already landed a few of the patches, but the pressure is building
here.
And then this, "Is [insert project name] still maintained?"
That is the bane of a maintainer's existence.
meanest kind of issue you can open up on a project, in my opinion. This has happened to me many
times. I have a couple screenshots here. Is this still being developed? And like on a perfectly
active project, because their PR wasn't looked at for a little while, right? Here's another one
on one of my projects. Is this project dead? It's not nice. Don't do this, people. And I think one of
the interesting things about this whole situation is that this is another one of the things I've seen
change in the way that open source is done is traditionally you think of a project like Linux or WordPress
or these big foundation-backed projects. They have the structure up here at the top where you have
one project, one entity with many, many maintainers that are participating in the project.
A lot of times they're paid by their employer to even work on the project and to submit patches
as part of their day job, right? But what we see a lot more of as we've shifted into this
world of many, many, many dependencies, a lot of tiny dependencies is more of a structure like this,
where you have an individual with hundreds potentially, hundreds of projects that they take care of.
And that was the case here with Lasse Collin. He had multiple projects that he was managing as an
individual maintainer. Okay, so let's continue on to
So this is three months has gone by.
He replies, he apologizes for the slowness,
and he also adds in a bit about how Jia Tan has helped him off-list with XZ Utils.
So probably they have some kind of chat conversation going off-list now,
and they're collaborating more closely, building up the trust.
And he says he might have a bigger role in the future, at least with XZ Utils.
It's clear that my resources are too limited,
and something has to change in the long-term.
So the kind of idea has now been planted in his mind
that he probably should give access to somebody else to help maintain the project.
And again, this all sounds nefarious because I'm doing it in a talk and I have slides up here,
but this is also open source working correctly.
This is thinking about, oh, hey, maybe I'm not the best maintainer.
Maybe I should hand this off to somebody.
That's pretty normal as well.
At this point, nothing actually nefarious has happened, by the way.
There's no bad code that's been included.
This is just laying the foundation.
So a couple weeks go by.
So now we have this character, Jigar Kumar, who enters,
and this person's much more aggressive and really starts to apply more pressure.
So they go, over one month and no closer to being merged,
not a surprise.
So like dropping into threads to just sort of neg the maintainer and kind of make him feel like he's not doing a good job.
Progress will not happen until there is a new maintainer.
And then the maintainer finally replies and pushes back and says,
hey, I haven't completely lost my interest here, but I've been having some mental health issues
and I have a lot of things going on in my life.
But again, maybe Jia Tan will have a bigger role in the project.
And so a few months after that, Lasse Collin merges the first commit with Jia Tan as the author.
You can see here.
And they actually are listed as an author.
This is a pretty innocuous change.
And then, again, the pressure continues.
from Jigar and Dennis, who's this other persona that are both there, really just support the idea
that Jia should be made a maintainer. And you can see here, you ignore the patches that are rotting
away on this mailing list. Right now, you choke your repo. Why wait until 5.4.0 to change
maintainer? Why delay what your repo needs? Right. So applying the pressure. And then again,
the last one here is great. Like, why can't you commit this yourself, Jia? I see you have recent
commits. So just kind of pushing more and more. And then finally, Lasse says, again, Jia Tan has been
really helpful off list. He's
practically a co-maintainer already.
And then finally, this is the first email about two years after the very first interaction
with the mailing list where Jia Tan is actually now doing the release notes for the project.
He's been made a maintainer, and this is the first release going out.
So two-year kind of effort here, if this is indeed state-backed, this is probably not the only thing they did in that two-year period, right?
They probably have other things going at the same time, right?
So we shouldn't overreact and assume that Linux is like totally backdoored or anything like that, but also like probably this isn't the only
thing that these folks were working on, right?
So the truth is like somewhere in the middle here.
Sophisticated software supply chain attacks are not the only ones on our hands in 2024.
In fact, the XZ Utils attack was performed really without AI.
So let's hear from Kevin Tian, founder and CEO of Doppel,
around the ways that AI is introducing new threat vectors
and already impacting real-world businesses.
In 2022, $8.8 billion was lost by consumers alone in the U.S.
We've had 39 billion credentials stolen by bad actors that same year.
And the cost to launch a disinformation campaign that's AI generated is quickly approaching zero.
So if you've seen a lot of the startups that are currently pitching about how we can make it easy to generate AI videos
or how we can make it easy to generate AI voices, right?
That same sort of stuff is going to the bad guys as well.
And so how are we seeing this manifest today with real-world people and real-world businesses?
So one common scheme that has grown super quickly just in these past couple months has been the emergence of a lot of deepfake videos,
specifically deepfake videos of individual personas. It could be Taylor Swift, could be Travis Kelce,
could also be your CEO and could be your financial institution's chief technology officer.
And so what we've quickly been seeing here, right, in terms of the landscape,
is more and more deep fake videos being produced in the exact same way,
models being trained in a very similar way,
the voice being generated in a very similar way,
and the intention of the tech being operated in a very similar way,
all across different platforms, whether it's YouTube, TikTok,
any sort of video platform out there,
we're already seeing deepfakes emerge,
and this impacts a whole bunch of different sort of individuals,
whether it's business, whether it's celebrities,
or even political campaigns.
Of course, big federal election this year,
it's top of mind for everyone.
The good news, bad news is that it's already happening
and we're seeing it happen across a lot of different platforms.
So I think the biggest thing here, though, is like,
this is not necessarily entirely novel,
attack surface, right, or entirely new threat, right?
Like, we've always had social media,
we've always had video platforms,
and we've had bad guys try to create fake content
to achieve certain means.
I think the main lesson here in terms of what we're seeing is that it's just become a lot easier to do.
And so just as there's entire markets around phishing kits and there's entire markets around cybercrime in general,
we're going to start seeing and we're already seeing that same sort of stuff come around with,
deepfake technology, impersonation technology, and just how do you personalize attacks more and more for your target victim?
I think the biggest thing too is that we're seeing this not only to run scams, but ultimately,
this stuff is impacting businesses at large. I was actually just on a talk this morning, chatting with
some big banks out there. And one of the biggest concerns for them is how can they watch out for
a bank run that's orchestrated by a deepfake campaign, right? Or we've even seen this affect
companies outside the financial sector where a pharmaceutical company had an impersonator talk about
how Viagra is going to be free now and saw that impact the stock price very, very quickly.
It's, again, stuff that has happened before, but what we're seeing in 2024 and what we're
expecting in 2025 and beyond is that this just gets easier and easier to do and it gets to
the point where it makes it really hard to tell what's real or not online.
And it's not just deepfakes.
Here's a completely different approach.
This one is an SEO poisoning case, so specifically something that we've seen out there a lot for
airline industry, finance industry, any industry that has customer support, phone numbers,
things like that, right? We've got the traditional SEO poisoning attack where people find a way
to get content upranked for any given company. And what's interesting is basically how well can
people do this in 2024? What we're seeing a lot of things happening today is that they're putting
it on these third-party sites that do have great domain ranks, things like Microsoft.
It could be LinkedIn.
We've seen a lot with Hub as well, of course, and Webflow, other platforms like that.
And so they're taking advantage of the fact that these are legitimate third-party sites with great domain health,
stuff that Google will quickly uprank or any other search engine will quickly uprank.
And they're generating content and conversations on forums.
For example, how do I speak to a live agent at United?
How do I speak to a live agent at Uber?
Right.
And what we see happen here is they're able to generate a bunch of the spam content across these different third-party forums,
get them all upranked, get them all to dominate that first page of search results.
And again, it's just a classic case of, well, they would have to script this, right, and generate the content. Now
they can make it more dynamic with AI and generative AI specifically.
Of course, it's not all doom and gloom.
With every opening on offense, there's equal opportunity for defense.
Here is Andrej Safundzic, founder and CEO of Lumos,
taking us back to where we started in this episode
through a historical arc that brings us to a digital era of autonomy.
So what do we do now that we're in this new era?
And if you happen to be a company hiring security professionals,
should you be thinking about things any differently?
I just want to take you a little bit on a historical journey, all right?
So the funny thing is, if you look 60 years back,
we are all ideas.
So there's two types of factories.
There's a product factory and there's an idea factory.
So what the product factory is is usually where the cars are born, right, or where windows are made.
And where the idea factory is, is where we create and design those cars, right?
And especially the idea factory changed in the recent years and changed like two years ago again.
So the idea factory looks something like the office or more like, you know, in the recent,
the 60s. In the 60s, 50s, there were no computers. It was really interesting. And we mostly
used typewriters and pen and paper. So then the computers came about and we digitized the office.
That was kind of the first step. IBM, SAP, Oracle, Microsoft, all those big companies
came about and digitized it. So that was step one. Step two is we cloudified, I guess, the office.
I was like with Salesforce. They kicked it off in Workday and Atlassian. Those were the first cloud
companies. So suddenly we're in the cloud. It's also where AWS was born. I think 2004, 2005. That's when
we cloudified it. Then something interesting happened is we made it collaborative, right? Workday
is not really collaborative, neither is Salesforce. But then suddenly Zoom, Slack, Figma, Airtable,
all those kind of great companies came about in the 2010s. And suddenly it became very
collaborative. So that was like, kind of, I would say, the third change that happened in software,
which is pretty cool. Now, what changed in the last two years is we moved from just like digitizing
it to cloud, to collaboration, to autonomy. So we're creating more and more autonomous software.
And it started honestly for the first time with something like a Grammarly, where they are like more
like kind of co-pilots that help you kind of do a job better. Even like GitHub, this is GitHub
Copilot there in the middle. They're not fully autonomous, but they help you do your job better.
The big trend that we're seeing right now is especially OpenAI is bringing out at the end of the year
reasoning models that can reason and they can literally talk with themselves and do certain things.
So really spooky. And we've seen this as well like Devin. That's like a kind of a new kind of
type of software engineer, an AI software engineer that just like basically codes themselves.
So we're moving from GitHub Copilot or Grammarly to actually systems and services
that build things themselves.
So that is actually a whole new paradigm that's changing.
And we're like, okay, shoot, how do we equip ourselves for that?
So to summarize, actually there are kind of three waves.
I just call them two.
The first wave is the digitization.
The second one is a collaboration.
The third one is the autonomy.
And now we're the third one.
So the interesting thing is that I'm thinking about on a daily basis is apps and access.
Because if you think about everything that you're using, those are apps.
We're on Zoom, then on Slack, then we go and SSH into a server, which is also an app, more or less.
Then we use GitHub.
So everything is apps.
Apps are literally our lifeblood. Without apps,
we can't do things.
The question is like, you know, I think that we as security professionals need to ask ourselves more and more is how are we going to manage all those apps with more and more service accounts coming up, right,
and with like software doing the job themselves.
So how do we deal with that?
So I love the Metro framework.
I really love it.
If you think about identities, there are certain identities on different tracks.
So marketing has their identities, right?
Marketing ops, demand gen, content, customer success has their tracks.
And each station is more or less an application or like an entitlement, right?
And some of those overlap, right?
So, for example, customer success and sales
overlap maybe in Salesforce.
Then design and marketing overlap in Figma.
And then especially engineering,
there are probably like multiple engineering departments,
if we zoom in, and they overlap when it comes to,
especially on an entitlement level,
different permissions that they have access to.
So the only interesting thing is people,
which are more of those wagons,
they jump from one station to another.
And each station, again, is an app
entitlement. And why I think that this is interesting is right now how we think about the world
is a world of RBAC.
Quick interruption here. For the uninitiated, RBAC means role-based access
control. So instead of assigning permissions individually, you're granting them based on a role.
RBAC is not moving stations. RBAC basically means you are a marketing person and you have
access to everything on this marketing tier, even though probably a lot of that stuff you never use.
And sales or engineering is especially spooky. Engineering, you in DevOps, you have access to all
customer data because an incident might happen and you need access to it. Now, on top of that,
we have all those service accounts coming up and soon autonomous actors, agents coming up,
that will also, if we still use RBAC, get access to all of those things, even though they don't need it.
So the concept is, I'm a metro station, and I need each permission and entitlement just for a short amount of time.
And I think, especially as complexity rises, so we are going from like 100 actors to 1,000 to 10,000,
and also the apps become more complicated.
So instead of having just one or two or three metro stations, I will have thousands of metro stations.
Because I can have access to, you know, 10 EC2 instances, and just like the granularity and the cloud and with Snowflake is going to become more and more and more granular.
So the question is like how we're going to manage that? What's the new paradigm to manage that?
So what I believe how we need to rethink things is security was often seen as analysts, right?
Actually, security started as hackers. Security people were those people that hacked the networks and they were the people that were deep in Linux with the sysadmins.
And actually, most security people were sysadmins before because there was no security 30 years ago.
And they were true hackers.
And then suddenly all those kind of great solutions came about.
And they said, here's an alert, there's an alert, here's an alert.
And we're going to alert you about all those things and you can remediate it very easily.
And so I feel like more and more security became an operating department.
Similar thing happened to IT.
IT used to be the hackers and slowly but suddenly they became ticket resolvers.
Security became a little bit of alert resolvers,
IT became ticket resolvers.
And I think the new paradigm that we need to think about
as we're thinking about entitlements and access
as a metro station,
security and IT needs to see themselves
as the architects of that metro station, more or less.
And, you know, what DevOps and infrastructure
is to full-stack teams,
so I think the same thing we need to think about IT and security.
IT and security need to become, so to say, infrastructure teams
to each department.
And this kind of moves us back to security
actually hiring for engineering
rather than analysts,
especially also, you know,
as AI will probably automate most of the analysts' work.
So that's, I think, a very important insight
is when it comes to career development,
as it comes to what type of profile you need to hire,
especially engineers and analysts,
and building on top of solutions that you're buying,
is very important.
So basically the premise in this first act
is software is becoming autonomous.
It enables us to create more and more.
Because of that, entropy is increasing.
They have more apps, more entitlements, and more actors.
And so what needs to change is security needs to handle this infrastructure
with some type of technology operations
or without some kind of technology infrastructure.
So I think that is kind of one important change
that we need to see as this whole market is changing.
Now, here's the second thing.
It's about startups, by the way.
This is like an appeal to all my entrepreneurs.
I believe that we need to build compound businesses from day one.
So what does that mean?
So security CISOs probably have this problem that they need to use 50 different tools.
And actually in the last two years, especially as the economy has gone a little bit down,
CISOs ask themselves a lot of in terms of like, how can I consolidate?
And that kind of sucks for startups at the beginning, I would say.
They're saying like, okay, we're starting solving this unique pain point.
But then CISOs are like, yeah, but you know, I have 80 vendors to manage.
And so the question is that I ask myself a ton is how can we build compound businesses from day one?
So how can you actually build a platform from day one even though you're a startup?
And actually counter if people say, I need to consolidate, that your startup actually can consolidate.
So it's 2023.
The top three priorities for CXOs was the vendor consolidation optimizing SaaS licensing,
because of course you don't want to let people go.
You rather want to kind of first decrease your software spend.
So what does it mean for entrepreneurs?
The question for entrepreneurs is like how can I build a compound business from day one.
We've seen this actually done well across many companies.
I think Datadog is an awesome company that did this super well more on the DevOps side.
For the longest time, right, they had one product.
And then actually they switched and became this kind of layered product for anything observability.
Whether it's security observability, infrastructure observability, application observability,
they were able to build a compound product.
And Figma rethought this whole kind of process of before there was Sketch, there was Zeplin.
And what basically Figma said is like what is the underlying concept that's the same across all of those?
And how can I build a solution that covers that all?
And I think, by the way, the whole kind of thing that we've seen in here is like we had first the bundling era.
By the way, with Microsoft, Oracle and SAP, people didn't have a lot of applications.
They said like, Oracle is doing it all.
That was that at the beginning.
And then slowly with like cloud, especially AWS and Azure made that happen,
cloud became so approachable by everyone that suddenly, you know, we had all those collaboration tools come up.
I do think we're changing back to an industry of re-bundling.
Especially as we have this autonomous wave coming up.
I do believe, I mean, like, Wiz is actually a great example of that.
They started with that kind of a point solution, but spread out very aggressively
and built a compound product very quickly.
So how are you going to manage that complexity?
And then the question is like, how much did I protect my insider threat in some way?
Why?
Because go back to the metro station.
If the developer has access to everything, suddenly this intruder can just like hop from one station to another
and do harm.
So how can we make sure that it's kind of just in time,
only when you are at the station,
you actually can have access to it.
Now, that gets kind of hard with like millions of permissions.
So what I believe is going to happen,
and this is something that we are really working on right now,
with models that come out that reason.
Basically, I think models will be able to reason better
than our security analysts
in terms of what a certain role should have access to.
Right? So basically an agent on your identity and access management system will look into,
okay, we had 20 new tickets where these engineers needed access to this type of database
that live in North America. They will automatically update your roles and downgrade your
roles, or at least at the beginning be a co-pilot for you and suggest, hey, this role should
be updated in this way or those two roles should be merged in that way. So this is just like a
case study where agents will have a huge impact. The biggest story I think about security
is that there's enormous complexity and risk, you can never reduce risks to zero. The cool thing
is if you move more to an engineering mindset, when you actually fine-tune your agents and models
on top of your infrastructure, you will be able to solve certain problems that you were never
able to solve before. The RAG will look into, okay, is this privileged access?
So basically the AI will be able,
think about you have a million permissions.
How are you going to tag whether this permission
is actually sensitive or not?
It doesn't always say read only.
It doesn't always say admin access.
So the AI will be able to understand or can understand
if that permission is sensitive or not.
So you can reason, OK, this person has privileged access or not.
And then this person can also reason on role anomalies.
Oh man, you know, you are in sales and you have access
to this write access in AWS,
and no one else on your team has that access.
So basically, you know, a RAG will ask themselves is,
how privileged is this permission, right?
What is your usage in that permission?
And is anyone else that has similar HRIS characteristics?
Do they have that access?
And you can already do this now pretty easily, right?
This is like kind of more, it's not reasoning themselves,
but you kind of guide them to go through those steps.
That's what chain of thought means.
And the last thing I want to say is like the cool
thing about access is it can be preventative. So here's one thing that we're already doing.
If you create a ticket in Jira or if you create a Slack message and say, like, hey, can I get
this access please in a public channel, our AI can detect that you ask for access. And usually the
worst thing that can happen is like back channel access. What that means is someone gives you access
without following processes. Now, you can alert yourself that this happened. Oh, this person got
access without approval, but the better way is to prevent that from happening in the first place.
I think the main takeaway is there will be less and less analysts because agents will take over
and you need to upskill them to become more engineers or even prompt engineers.
That's kind of one big thing.
The second big thing is think about now.
The world is changing so quickly what you can do and what you can demand from vendors
or what you as an entrepreneur can implement when a system can reason by itself.
That's the second thing.
And the third thing is I believe because I'm passionate about the industry is that the scope of identity will increase over the next couple of years more and more.
All right, that is all for now.
Obviously security is always a moving target.
A cat and mouse chase through progressively more complex terrain with more complex tools on both sides.
Now, if you do have any suggestions for future topics to cover, feel free to reach out to us at podpitches@a16z.com.
And if you did like these exclusive excerpts from our a16z Campfire Sessions event,
make sure to leave us a review at ratethispodcast.com/a16z.
We'll see you next time.
