Generative AI is transforming cyber security, creating new risks and opportunities. This episode explores its impact on attacks, platform shifts, and cyber insurance, highlighting how both attackers and defenders are adapting to the evolving landscape.
Tales From the CyberLab: Episode 6
Generative AI in Cyber Security Explained
Watch the latest episode of our podcast series to learn about…
✔️ What is generative AI?
✔️ The impact of AI on cyber security for the attackers & defenders
✔️ The challenges, opportunities and risks of gen AI in cyber security
✔️ The future of generative AI in businesses globally
Dave Mareels
Senior Director, Product Management
Episode Transcript
Adam Gleeson
Hello and welcome to CyberLab’s latest podcast. Today, we’re going to be talking about AI in cyber security explained. Not sure whether we’re going to explain all of it, but hopefully we’ll give you enough information so that ‘Gen AI’ and these sorts of terms are no longer things that you just think, I dunno what that is, you’ll have a bit more of an idea of it. I’m Adam Gleeson, Vendor Alliance Manager here at CyberLab. And joining me today, I’m really pleased to have Dave Mareels here. Dave is quite the catch to get because he’s really, really busy. Do you want to just give us a little bit about your history, where you’ve come from and what you’re doing now, Dave?
Dave Mareels
Yeah, sure. Thanks for having me, Adam. And hi everyone. I’m Dave Mareels. I’m Senior Director in Product Management in the Security Operations business unit of Sophos. So managed services are really my remit and managed detection and response and managed risk, which is a new service, sort of Tenable vulnerability management as a service.
Adam Gleeson
The next big thing, I think.
Dave Mareels
It’s the next big thing, the next big service expansion. So a bunch of PMs and engineers that we deliver against the roadmap, all things managed services and all the way down to sort of the data. I believe good MDR is rooted in good knowledge of that data of pulling in. And I’m sure we’ll talk about that soon in this podcast. But prior to that I was, and two and a half years only within Sophos. And prior to that I was having fun in cyber security startup world, mate. So I was the co-founder and CEO of a small company called Soc.OS, which was at the pub I would say I was trying to ‘build the poor man Splunk’. So very much sort of that data middleware, how do we process data, how do we normalise it, correlate it, and all that good stuff. And then Sophos acquired that technology to put it under the hood of MDR and XDR.
Adam Gleeson
And I think that entire MDR platform and solution just goes from strength to strength as new features are added and new integrations, it is really good. Okay, so let’s talk a little bit about what gen AI actually means. And I think in a shift, this is going to be me predominantly talking at you because I’ve recently been learning about this stuff, so I’ve still got a lot to learn. But one of the things that we talked about before is that I often say I don’t like people talking about AI because I think that when people talk about AI, there may be sci-fi fans and they’re thinking about these computers taking over the world and when they talk about AI, they’re actually talking about sentient and artificial intelligence isn’t sentient, it’s, it’s something that will give us answers back based upon the data that has already been put into it.
And this big thing that we’ve all heard about ChatGPT and Gen AI and this, that and the other, this is part of a paradigm shift. So AI is not something new. The traditional AI and machine learning was all based on large language models. And what does that mean? The simplest way that I’ve been able to wrap my head around it is that if you think of it as a series of different sentences that have been put into the language model, and then when you ask a question, so what colour is milk for example or something like that, it will then go through its language model and find and try and intuit, okay, I’ve heard this statement talk about milk and this talk about this. So I think that the answer is going to be white or creamy coloured. And gen AI takes that one step further by using foundational models, which I’m not going to try and describe, but what they’re better at doing than large language models is being able to intuit that response. So you put a question in there that if we use the same example again, what colour is something or other.
In the previous large language model, the most accurate way for it to write it is if it already has that sentence in there, the colour of this is this or whereas with generative AI, it doesn’t need that core sentence. It can intuit what the colour of what the answer to the question is from the data that it’s got. That is questions that may be around that. And that’s kind of the simplest way, that’s probably an oversimplification. All of the gen AI experts watching this are probably rolling their eyes and saying he doesn’t know what he’s talking about, but that is what makes sense to me.
Dave Mareels
Gen AI is generative. So it can generate correct what you’re saying, it can generate, it can create and I think that’s the definition. A lot of people say what’s gen AI? Well, clue’s in the name really, it can create things, it can craft an email, it can tell you what the colour of something is…
Adam Gleeson
And that’s why it’s becoming so useful in the enterprise because it’s gone from something that you put with the previous ones. Whenever in the previous incarnations of any AI engines I’ve worked with, it’s like you’ve got to be very specific about the information that you put in, otherwise you’re not getting anything out and very quickly it’s just you sort of come to the conclusion this isn’t the right way for me to be solving this particular issue or trying to find that knowledge.
Whereas with the generative AI, it absolutely, I mean even I’ve been taken aback when using Copilot and stuff like that, how accurate the results are that come up. Actually I went to an event yesterday, one of our distributors was holding and what they had done is they’d used ChatGPT and they’d asked it a question about CyberLab and then it printed out they did it for every one of the delegates that were there and it gave us a reasonably. CyberLab’s fairly new, and we’ve got a lot of different things have happened within the history of CyberLab and within the Chess cybersecurity organisation. So it wasn’t completely correct, but for something that someone’s just gone tell me about CyberLab, what they do and who they are and this, that and the other who are the most notable people, it was pretty impressive that the information that this thing had gone out, scraped off of the internet and come back with it. And obviously its core language model was not, it didn’t use the language model that it had to answer the question in that way it went out and it found the information itself or it asked, it used the language model that it had to formulate new questions to go and find out where the answers to the question that I had asked came from.
Now historically this was always done as unsupervised learning, or rather it was more supervised learning on structured data. Gen AI is also a sort of a paradigm shift in that it’s been designed so that it can do unstructured learning on unsupervised learning on unstructured data. And originally when they first started to try and do this with Gen AI, performance was a massive problem because you need huge amounts of compute resource in order for it to do all of these transactions that it’s trying to do. So consequently, the cost of AI, gen AI, tends to be quite hard. You need to have the Nvidia or typically Nvidia vGPU resource that you’re using to actually give it that parallel processing power. But some of the advantage, and I feel like I’m just talking at you here Dave, but it was like I said, I wanted to do this myself.
The advantages of gen AI are the performance and the productivity gains that we’ve just been talking about. Now there are, however, disadvantages. I touched upon the compute requirements, there are now data centres popping up all over the place. Lots and lots of people are invested in huge swathes of hardware to build these server farms that are designed purely for processing gen requests, so that they’re very, very beefy. I mean going back, put my old end user computing hat on, it’s the specification of these hosts kind of make me drool. I would’ve loved to have architected VDI environments that had that much compute resource available to it. The final disadvantage, and I think this is really important and this is something that I kind of touched upon it earlier, was that I didn’t really trust what was going in there. And that’s even more of a problem now because the AI is going out and a lot of the learning that it’s doing is it’s going on unsupervised and it’s trying to figure out things itself by asking different questions.
Now of course it’s using the internet as that resource and there’s lots and lots of good internet news on the internet, but as we all know, there’s also a lot of bad information, misinformation stuff that people are just getting wrong. So that is also one of the drawbacks because the AI isn’t smart enough to completely remove that. I think it can remove quite a bit of it now and it’s something that all of the technology giants are working on building that piece out so that the trustworthiness of the data is there, but it’s something that we always need to bear in mind.
Dave Mareels
I think everyone can sort of look back and well, if you’re using the ChatGPTs and the other LLMs that you’re using, you’ve probably got an example that comes to mind of how confidently wrong it can be at times as well. Based on that, and I heard a funny example, I think it was some tech founder talking about their sales team they’re using, it’s obviously really popular in the sales and craft me an email finding a prospect and in the out-bounding cadence and they were using it for the reconnaissance, find something about this person, try to relate to them and then relate to how our product could help. And he got it so confidently wrong that it was so embarrassing for the brand. Then the CEO had to reach out to this person. They basically went out to this prospect and the prospect’s father had just passed away and it said it linked that in and it said, oh, I just heard that your father’s died. I just wanted to say X, Y, and Z. Here’s how software can help. So when you go confidently wrong in that sort of magnitude, it can be brand damaging. So the curation and the management of it to ensure when you’re reaching out and you need to have that the QA almost department of are we sense checking this stuff before it goes out.
Adam Gleeson
Yeah, quite scary. Yeah, that’s making me cringe internally quite hard, hearing something like that.
So alright, I’m just conscious of time. So one of the things that we’ve talked about, and you and I are both on exactly the same page in this is something called Amara’s Law. So for those of you listening that don’t know what Amara’s law is, it was coined by a science fiction author whose name I neglected to write down, someone…
Dave Mareels
Someone ‘Amara’, I think!
Adam Gleeson
I’ve got a feeling it was in relation to something else. There was a bit of a story about it and I was so busy on getting the technology down that I missed the actual, the sort of anecdote piece of it. Amara’s law states that we tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run. And the implication of that really is that the true impact of technology is something that often emerges gradually over time. And I think that just off the top of my head, mobile phones for example, they started off as just, it was a phone, it was something that you could walk around with a phone, then came SMS, then came smartphones and now we’ve got this thing, we’ve got a computer that’s way more powerful than the computers we used to use in work 15 years ago. And server virtualization struck me as another one that they started off doing it and then once it started to hit its stride, there was lots of other key capabilities that they could leverage and use it for different applications. Actually heard that there was a trend towards virtualization, but that’s probably a conversation for another one. It’s one of the other potential ones. But it can also go the other way as well that the initial overestimation of a new technology becomes a bit of smoke and mirrors and it doesn’t actually transpire. And the examples I was kind of conflicted about this, Bitcoin was quoted as one of these things that it was overestimated. I think that the expectations of it could have been realistic and it might just take longer for that to come. I’m not sure.
Dave Mareels
Yeah, Bitcoin, I mean today I think it’s the all time record high now, right now I think it’s thousands of pounds or something. It’s insane.
Adam Gleeson
A member of my family works in the banking industry and one of the things that I found it interesting that the impact that the technology had had on the financial sector was that during the initial boom with Bitcoin and stuff like that, a lot of people were taking out financial loans and stuff like that to fund it and it was crashing and they were losing everything. So the banks I believe in general have then sort of said, we can’t finance this anymore because it’s in people’s own best interests. And it’s one of those things that I kind of like when you think back to what the banks were like 20 years ago and there are a lot more, I think there are a lot more human now. They try to, I’m sure people would disagree with that, but what I hear from how they operate internally, I dunno why I started talking about that. Jay will cut this because it’s just nonsense.
Dave Mareels
Back to Amara’s Law, you’re absolutely seeing that now with Gen AI. It’s everyone, every single event, all the VC money’s being pumped into gen AI and security. And as long as there’s a gen AI company, that’s where the valuations are high. And so we’ve got this huge Amara’s law right here and now, which is like, ‘oh my gosh, this is going to be amazing’. But no, I don’t think, and we haven’t done this for cloud and like you say mobile, all these big platform milestones and shifts haven’t really, we are not going to see that impact for a while and everyone’s scrambling. Whereas the gen AI use case and almost like you’ve got consultants saying, ‘we’ve got businesses coming saying we need gen AI’ and then figure out whatever the question is.
Adam Gleeson
The answer is it’s a typical knee jerk thing though. It’s like, oh, this is a really good thing for us to have, but you have to understand how you’re going to actually apply it. And I think that’s maybe what businesses need help with is understanding how to apply it best for them.
Dave Mareels
Correct.
Adam Gleeson
But just going back to the overinflated expectations, there’s a graphic that I’m hoping our marketing guys will throw up on the screen now for those viewing at home and it’s Gartner’s Hype Cycle. And I think this describes the trend that we see with new technologies, especially ones that do have longevity in them and they stick around and they continue to grow and we’re kind of either on the way up on the peak of inflated expectations and soon to follow will be the trough of disillusion. But it makes me laugh every time where people start to realise, oh right, it won’t do this for us and it won’t do that. And it then starts then they call it the slope of enlightenment where people actually start to really start to get it, squeeze it and get the most out of it when they’ve now learned what they can do with it, they’ve learned what they can’t do with it. They then learn to apply what they know they can do with it to make things better.
Dave Mareels
Well, I think it’s similar to mobile cloud, right? Cloud it first comes out, “what are we going to do?” And you have this huge, what do they call on the cycle right at the top when it first comes and everyone goes wild.
Adam Gleeson
The technology trigger the first one.
Dave Mareels
But you fast forward to today, I think most if not every single company in the planet is some sort of cloud company. They have some most vast majority. So you can basically say with a high degree of confidence, most companies today are a cloud company.
Adam Gleeson
They will have in some way, I would say exactly without shadow of a doubt, they have elements of their infrastructure, whether it’s their data, whether it’s their disaster recovery, whether it’s business continuity or something like that. There’s a critical part of the organisation is now
Dave Mareels
… is somewhere in the cloud! So that’s probably another good example of you probably couldn’t if you came out early and said every single company in the world will be a cloud company. I think people would be going, whoa, you’re delusioned…
Adam Gleeson
Well certainly in the early stages of adoption, maybe once we started to get past the peak of inflated expectations where people were going, right, let’s move everything to the cloud. And a lot of organisations did that, just blindly and then suddenly went, this is crippling us, it’s not working very well. And again, in my background with end user computing, when I was talking to customers about whether they wanted to deploy an on-premises like hardware-based solution or whether they wanted to leverage cloud technologies that would deliver that VDI or RDS end user computing environment, there were a lot of things sort of individual triggers that it’s like, well, where’s your data going to be? Yeah, indeed. If your data’s going to be on-prem, not going to work, putting your VDI workloads in the cloud and things like that started to come out as databases were physical databases got virtualized or we won’t virtualize it, we’ll just virtualize it and put it straight into the cloud.
Dave Mareels
More and more goes out.
Adam Gleeson
And it worked for some people and then a lot of people were then having to go, no, right now we’ve got to spend a load more money and bring this stuff back because we can’t work as efficiently as we did. But inevitably I think most organisations will start off with stuff in the cloud with some stuff, but as that grows longer in the tooth and they come to a point where it’s like, right, we either need to replace this or migrate away from it and soon enough replacing it becomes impractical and then they have to bite the bullet and migrate away from it.
Dave Mareels
But I think the same trend is going to happen with Gen AI. I think it’s the same sort of thing where I think this is a massive levelling up. It’s almost the same sort of platform shift. The internet, the mobile, the cloud, Gen AI I think has the same, it’s the same sort of milestone platform shift and a trend. And I think in the future, every company in the world will be in some way, shape or form a Gen AI company, using it somewhere in some shape or form.
Adam Gleeson
And that kind of neatly brings us back onto the subject of what we’re here to talk about that is how gen AI is being used in cyber security. Now we’ve touched upon how it’s used in business, but how do we apply this to cybersecurity? Now we internally have our own penetration testing branch within the organisation and those guys have been testing this, but there’s also a lot of vendor products out there that leverage this kind of stuff so that you can automate a lot of the, certainly when you’re doing ethical hacking or you’re doing what we call red teaming where you are aggressively attacking someone else. And that’s where we are using AI to automate standardised processes that we would use. So enumeration is a great, when we’re doing that initial reconnaissance of a target environment to try and understand what does the lay of the land look like? How are we going to launch the attacks? What if that attack doesn’t work, what’s going to be our next, all of that kind of stuff to gather information using generative AI, you can do that really quickly and save a lot of time from a manpower perspective. Of course, the flip side to that is that it’s not only the good guys that can do this.
And what is probably more concerning to my mind is that anything that we are going to invest to develop this stuff, and the same with vendors and stuff like that, they’re going to have to invest R&D, the amount of money that they’ve got available or the capability that they’re going to have to invest in this probably pales into insignificance against the money that organised crime has behind it and especially given that they now see the value in continuing and propagating all of the types of modern malware, ransomware and data exfiltration and extortion rackets that we see that I think is quite terrifying.
Dave Mareels
Yeah, absolutely. And you always hear this, that the defenders are always one foot behind because the attackers are always using the latest and greatest. They have no rule book, there’s no guidelines, they’re criminals. So there’s no process, there’s no governance, there are no ethics involved here.
So they can absolutely run free and I think there’s some things that they will, this technology in their hands absolutely makes them more effective in some things. And I think you mentioned reconnaissance and I said for a BDR, they get better at knowing your customer. Well guess what? An attacker can use that to use for the reconnaissance use case to get me a better view of Adam and everything about Adam and everything about CyberLab to then potentially stage a much more targeted and more effective attack. It also back to gen AI being generative, phishing is a big thing. This basically removes the language barrier. I can be a broken English hacker and now can write some pretty fluent emails in whatever language I want.
Adam Gleeson
And that’s another thing that’s really sort of concerning and it comes, there’s something that I often say, and it’s that our users can be our weakest link in our cyber security defences or they can be one of our strongest assets.
Dave Mareels
Yeah, exactly.
Adam Gleeson
Because they can thwart these phishing email scams and other types of email threats.
Dave Mareels
Deepfakes – the deepfake videos. You saw those.
Adam Gleeson
That wrong. That’s the other thing that, this is another thing that gen AI can be made to make, which if you are adding that kind of stuff in one of the, it was many years ago in a previous life, one of the talks that we had, we had someone come in and talk about social engineering and the story that they told about the extent that an attacker, if it’s a targeted attack and you’re talking about whaling or spear phishing here, targeting specific individuals and these individuals, because of the exercise that was going on, they knew that they were going to be in the sights of this company test from them. And the extent that this company went to catch these guys out, especially when these guys had gone and removed all online presence of themselves because they knew that this was coming and they knew that that would be leveraged to build a picture of them.
However, they were still, they didn’t remove their children’s or their partner’s accounts and the social engineering organisation was able to find out information about, and in particular the thing that really caught ’em out was a particular charity that was very, very important to the person that they were targeting and they eventually posed as that charity. They found out when the next event was and they crafted such a convincing email that when it was sent to this guy, he clicked it straight away even though he was being really, really clever and not being caught out by any of the tricks they were trying to catch him with. When this email came through, it was so convincing. It was formatted like the charity formatted it had all of the right information in it. It had the dates and it was like, we want to talk to you about what your contribution is going to be to this coming event. Please click here to add detail. And he did it straight away.
Dave Mareels
I mean that’s the whole perfect sales tactic, no intent and get the right timing. We want to do that as salespeople. Same thing with these guys. They want to hit you right where it makes sense, the phishing attempts that you fall for or all those ones, I’ve just been playing around in Google and now I’ve got a Google MFA that doesn’t, and the timing is crucial and reconnaissance and the target. So I think the social engineering impacts absolutely they will become more effective crafting these emails.
Adam Gleeson
And they’re already effective enough and the number of customers that I talk to and that they’re either using old and outdated security awareness training platforms, they don’t really have all, they’re still conducting phishing simulations once a year. The number of times when I’ve been talking to customers and they very confidently say, and I kind of feel sorry for them a little bit, they think they’re doing the right thing. It’s like, oh yeah, we do phishing simulations at least once a year. And it’s like, but you’re sending the same email out to everyone and very quickly you’ll see that well, hardly anyone clicked on it. Well guess why, because the ones that did told the people, the other people don’t click on that – that won’t happen in a real world scenario. They will all look differently. So no one’s going to know that they’re being phished. And so the modern approach to it is to have it, the users know this could happen anytime. It puts them so that their shields up all the time around emails, and that unfortunately is the sad reality. Now, Gen AI also works for the defenders.
Dave Mareels
I was going to say. Yeah, that’s right.
Adam Gleeson
The likes of Mimecast. Sophos as well. These organisations invest heavily in this to increase the effectiveness of the email filtering, and that’s one of the really cool things that I like. Email filtering is not particularly glamorous, but there’s been a couple of super important events that I’ve been to and hearing your guys talk about it and the chaps from Mimecast talking about it, it’s the passion that they talk about it, but also the really cool stuff that’s going into it behind the scenes. Yeah, it is cool stuff is very, very interesting.
So we’re going to sort of wrap it up there. If you are looking at Gen AI, come and talk to CyberLab, we need to understand what it is that you want to achieve. So I think going out there and having a look at what you can achieve, again, it’s understanding and getting ourselves to this slope of enlightenment so that we are not wasting time trying to do stuff that we can’t actually make AI do for us or it’s not going to do very well. And we also need to be keeping an eye on our side defences and making sure that the vendors and the solutions that we’re using in our environment to protect us are actually taking advantage of these things. With vendor land, it’s always a battle for them to be keeping one step ahead of the attackers and the way that organised cyber crime is progressing. Then it doesn’t always just progress in one area, so the vendors are then having to put their money on, well, we’re going to invest in this or we’re going to invest in that, and it’s always a cat and mouse game.
Dave Mareels
Yeah. I guess part of comments for me is the way we think about it in managed services, Gen AI, AI technology should be driven into that managed service to drive operational efficiencies to get better, to get quicker, to get faster, right? Better triage automation to therefore give the customer a better outcome from the managed services project.
Adam Gleeson
Absolutely.
Dave Mareels
Technology and products, slightly different. It’s implement AI, gen AI for the use case of lowering the adoption barrier for our users to make it easier for them to interface to probe data. So think about the investigation layer, how do I interpret these 20 events? AI can help command analysis, AI can help little chat bot, right? That comes up and you say, Hey, natural
Adam Gleeson
Language. Absolutely. It’s really good for that kind of stuff.
Dave Mareels
That’s sort of how we think about it and I think ultimately, sure, the attackers have the technology. I think the marginal gains though are like who stands to benefit most? I think I’m going to be an optimist here. Of course, someone on the defender side, I think it’s the defenders who have more of a gain. They started here, the attackers were here now this is a leveller up and I’m really excited for the applications on both the product side and the services side.
Adam Gleeson
Absolutely. Absolutely. Excellent. Well, thank you very much for your time today, Dave. It’s been always a pleasure as usual, and for those of you out there, stay secure.