Security in the Age of AI with Mike Hanley (Duo Security) and Marc Rogers (Okta) | Disrupt SF (Day 2)
2:45AM Sep 7, 2018
This session is going to be is provisionally titled, security cyber security in the age of AI. But we're going to sort of shoot the breeze about pretty much everything we can think of in terms of security and cyber. And it's absolutely my huge pleasure to have such a distinguished panel, please further furthest away from me. First of all is Mike Hanley from Duo Security big round of applause for Mike. And, and next to him is Marc Rogers from Okta.
Guys it's great to see you. Thank you so much for coming to Disrupt.
Mike I guess well you two are, start up with you and congratulate you, you guys and your team and your company on the acquisition by Cisco for $2.35 billion.
Thank you. Thank you. I appreciate that. Yeah.
That'll buy a nice breakfast, won't it?
I'll buy breakfast tomorrow.
Marvelous, I'm, I'm in.
What about, so naturally from what I gather, that was actually, there's a quite a big premium on the, it was supposed to be, you were valued at about a billion, weren't you? And then.
Yeah, last October when we raised the last round of funding about $1.2 billion post money. Yeah. No, we're very excited. I mean, it's a great, great opportunity. And Marc, Marc and I were just talking backstage really, and sort of a great transformational transitionary time in the security industry and to join forces with the world's largest networking security business presents a tremendous opportunity for us at Duo to be a part of that transformation with with Cisco.
And um it's like, obviously, often it's difficult when startups get acquired and you know, sometimes a bit of a culture clash with Cisco. I presume you're attempting to iron out any issues.
Yeah, I think what's great about Cisco is they, they have a wonderful set of examples of not just acquiring companies and keeping their identity. You look at Meraki, like there was an article on Business Insider just a few weeks ago talking about how they've grown and accelerated within Cisco and very much kept their own identity. And I think there's a great opportunity for us. Clearly we, I think we have a good brand in the security space with Duo coming into Cisco. So I think it's only a great opportunity for us to grow and accelerate that together with them.
Yeah, yeah. Um, Marc, and I was reading your CV. It's um, it's quite a CV. Marc here was, was a white hat hacker. Was that right?
Still am, I guess.
Still am? Oh, well, I'm glad you're, glad you're, you're comfortable with the phrase. You've been at Cloudflare, Vodafone. You were the head of security for DEFCON.
I still am.
You still are. Okay. So everybody switch off your phones right now.
And, and even consulted on Mr. Robot, the TV series about some of the hacks in there.
I help design some of the hacks in season two, including the femto cell attack at the end of the season.
Femto cells, now just remind us what that is again.
So femto cell is basically a micro sized cell tower, right, originally designed as a consumer product to help people get better signal but as a hacking tool it means I can deploy a cell tower in a building and take over all your phones.
Right, that's handy.
We actually designed that one to take over FBI phones.
Right, one of the strangest stories I ever had was, um, I got rang up by the Times and they wanted to know whether or not somebody had hacked David Beckham's phone to make it look like he was having an affair. So I wrote a story about how, you know, that someone could drive behind him with a femto cell, you know, and pick up his mobile phones and stuff and of course actually, yeah, he was just having an affair.
What is, what's going on in, let's shoot the breeze at the moment. I mean, one of the biggest problems of course, with security as we know is, is, us. We're the problem. We are, you know, the human fallibility. Duo, famously, actually came up with a very, very interesting sort of multi-factor authentication process. I was reading about it, you know, you send a message through the app to your, to your phone asking you trying to sign on, you have to approve it, deny it. We actually use this at TechCrunch.
And, and actually, I find it quite actually relatively easy, you know, it's not not onerous.
I mean, we all know about two-factor and, you know, text messages and things. Are we able to get beyond that, do you think?
Yeah, and, and I'll relay your feedback to the product team, Mike that.
I have lots of feedback.
So the, you know, what's interesting, you know, to touch on something you opened with there. I would actually say users are are not the problem. Actually, this speaks to the importance of good design and security and design for, I'm sure there are many of you in the audience who are focused on product design or good UX.
And ultimately, when you think about product management, the security space, you you want to build products where the right things happen when they're supposed to, as they have as they're supposed to happen, and that you prevent the wrong things from happening and the wrong people from getting access. But security products fundamentally are about driving your business and making sure that those things happen.
If you build a security team that ends up being the Department of NO, you're probably not going to be very popular and you're not going to be a great business partner to the rest of of your team. So we've really tried to build a product that actually helps your security team be that that business enabler and I think you're actually seeing a lot of sort of other traction happened in the space here where increasingly we are focused on what are the right tools that help people get their jobs done effectively, not how big of a wall can we build? And how big of a ladder can our users build to try to get past that.
If ultimately, if you build products that are not easy for people to use, they will find ways to get around them which will make the organization less secure.
What are some of the interesting things you know, sort of methodologies that people are using these days to try and attack as a company?
Yeah, well, the funny thing about attackers, and you know, I'm sure Marc sees this all the time as well, is the easy stuff works. So phishing remains a largely unsolved challenge in the security space. We have multi-factor authentication. And clearly companies like Duo and Okta offer services to help defend against that. But adversaries or attackers are still rational actors. They are trying to make a buck, they are trying to achieve an objective and they will generally optimize for doing that in a way that's efficient for them.
And phishing is cheap. You can send it to a lot of people, you only need to be right once and you know, assuming the identity and access of an authorized user is generally much easier than like bespoke malware.
We definitely MMA moves. Definitely Marc from the world of you know, DDoS attacks to getting down to the user level.
Um I think part of that is because we've actually seen a lot of technology come out that makes these attacks easier to use. So now a 14-year-old kid can level an attack that can potentially take out an entire country. If you look at things like IoT botnets like Mirai, all someone has to do is write a piece of code. Very simple code, to be honest, that takes advantage of a default password on a device, takes it over, and suddenly they've got a weapon that's national scale in terms of threat. I think also.
You were talking about the kind of the stories we hear in the press, sometimes about sort of people taking over kind of IoT connected, you know, refrigerators and things like that.
Yeah, the number one vulnerability in IoT is still default passwords and admin/admin default back-end stuff, and it doesn't take a genius to find a password like that, right? A couple of lines of Python and send it out to find as many of these things as possible. If you've ever used the tool Shodan, it scans the internet looking for open IoT devices and finds them. So the barrier to entry has gotten lower and lower.
And so that means we're now seeing these attacks constantly, and I think we as the security industry are also guilty of focusing too much on things like 0-days and highly complicated attacks, when the reality is, as just mentioned, the old attacks, the simple ones, the phishing emails, the USB sticks, the password theft, or stealing someone's phone or laptop, actually are the number one cause for compromising companies.
You had a story, you were chatting to me earlier, about a story you heard about DEFCON with USB sticks.
It actually was at Black Hat. An unknown person showed up and threw a bunch of USB sticks down through the conference and you think, you know, conference like Black Hat? Who'd be stupid enough to pick up a USB stick? Well, guess what, a ton of people picked up these USB sticks and plugged them in.
The next day the guy comes back and he throws down more USB sticks, and these USB sticks contain the files that he'd exfiltrated from the laptops that people had put them in. So like the old stuff works, you know, put a USB stick, put "nude pictures" on it in a label and throw it in the car park, and someone will pick it up.
In the or in my case is usually press release.
Okay, here we go. Oops.
What, what? So there's the bad actors, there's the organized crime groups, obviously. What about the state actor level? There's been tons of stories in the last few months about, you know, the North Koreans, the Russians. I was reading the other day that there's a Russian intelligence agency called GRU, which is about five times bigger than the whole of all of the intelligence community in the UK: MI5, MI6, GCHQ.
And so there's enough you know, that we'll talk about big big actors going on here? What, what, what was going on at that level? I mean, do you treat it similarly to, you know, just, you know, the criminal gangs etc? Or or did you treat that sort of thing differently.
So in a lot of cases, these guys are actually using the same attacks as the low level guys, because a 0-day is actually really expensive. And you generally only get to use it once or twice. So they reserve those for the really high value targets they're going after, which tend to be other nation states.
The campaigns you're seeing from Russia and China are massive phishing campaigns or pieces of malware using really old exploits. Look at the WannaCry and NotPetya attacks. They didn't use any sophisticated zero-days, they used old vulnerabilities. One was relatively new, but it had already been patched, but these guys are confident in the knowledge that, you know, as long as they use a vulnerability within a few months, only about 70% of the population may have even heard of it. And even less than that will have patched against it. So often they're not that sophisticated.
And then and then, of course, you've got, you know, that the corporate and the big the big platform side of it, Marc, Marc, you guys, I think you work with Facebook. Correct.
All right. So you was I will we have folks on my team who previously came from there. Yes.
Yeah. I mean, how the, how the big platforms that you know, of, you know, responding to, you know, the threats out there.
Yeah, you know, I actually think this dovetails nicely off Marc's point, which is, you know, you look at just in the last few weeks, Instagram has done a big rollout pushing 2FA for their users. Yeah, Fortnite pushed a big campaign out to get 2FA to their users. Rainbow Six pushed a big campaign out via Ubisoft to get 2FA to their users. And it really is, it is interesting, right, because I think we generally still need to work on our understanding of like, what the payoff structure is in security.
It's very cool to know that you're being attacked by a foreign intelligence service, but if you haven't put locks on your front doors to at least deter them, you probably don't have a good investment strategy there and don't have a good understanding of the most effective ways to protect your infrastructure. And really, in security, we're very good at making new work. We're very efficient at making new work. So the importance of focusing on, like, what are actually the most effective security controls, because many of those actually eliminate work entirely. So yeah.
You telling me and well, sorry, Marc, go ahead.
I was actually just going to say, one of the most interesting big platform responses to nation-state threat actors is actually Google's. After Google got hacked by the Chinese, they came up with the BeyondCorp architecture, which has now evolved into zero trust. And the whole concept behind zero trust is even if you do use strong authentication, there may be a scenario where a bad actor is able to steal the credentials or co-opt your employee and gain a foothold in your network.
So what do you do? And the concept behind zero trust is, don't trust anything inside your network, use things like micro-segmentation to stop lateral movement so that once the bad guys get in one place, they can't get any further. And this zero trust movement is really going to be the, I think the big next answer to how you stop the APTs, even the zero-days, from having massive impact on networks.
It's really a repositioning of the trust boundary, right? I mean, traditionally, the trust boundary was represented by your Point of Presence and a stack of gear that you had in your data center that connected you out to the broader public internet and you terminated inside the network via VPN, and then you had broad access to everything from there.
But to Marc's point, we've really we've kind of brought that in via zero trust networking. And in many cases, the even your internal corporate network effectively is is, you know, dumb transit in some cases, and it's, you know, make a decision based on the trustworthiness of the user their device that they're coming from, and then entitlements that they have as close as possible, actually, to the data that they're trying to access or the application.
The, we we provisionally titled this this panel in terms of, you know, security in the age of AI, how relevant is that as sort of a descriptor to describe the next phase using, you know, machine learning and AI to to know for security.
So AI and zero trust are a marriage made in heaven. Because the whole idea behind zero trust is you design policies that sit inside your network, you design access fabrics or intelligent nodes in your network that make policy decisions as to whether or not someone should be able to access a resource go on through the network. That's the kind of thing or the kind of problem that AI is great at solving.
AI is great at doing human decisions much faster than a human ever can, and I have great hope that as zero trust evolves, we're going to see AI be baked into the new zero trust platforms. And we're going to start seeing these policies being created on the fly. And we're going to start seeing intelligent responses where networks actually actively defend themselves against threats.
Does that have an effect on the size of company that you require cyber security company that are required to to work on these? I know, Mike, you were telling me when we were chatting before about how, you know, you were a company when it was about 300 people, uh sorry, about 100 people, and now it's several hundred people, obviously.
Is this, are we still going to need lots and lots of humans, you know, sub security specialists, humans to work on these problems, or is the or gradually the system's going to start doing all the heavy lifting and actually impact the size of the company?
Well, you know, I think interesting, right, machine learning or specific applications of that really become necessary, because kind of dovetailing off Marc's point there's also a substantial labor shortage of qualified, it's pretty rational that actually fill many of the jobs that need to be done. So the work still has to happen. How do you do that effectively with products, services and other tools?
So I think that creates a tremendous opportunity for security vendors to figure out what are those jobs that need to be done. And there are many sort of unsolved challenges yet in that space. Policy engines, I think, are one of the more interesting ones, but to, you know, really double down your investment there so that you can solve those jobs effectively with the product, because frankly, hiring in this space is very challenging because there's just a substantial labor shortage.
And that looks like.
Um I was just gonna say also the advantage of using machine learning to scale this is that one human solves one problem at a time generally, whereas machine learning can solve hundreds of thousands of problems at one time. It can look for commonality across attacks, and instead of the person finding a particular pattern and taking it down, the machine learning platform can find and correlate all related attacks and block them simultaneously. That's true scalability.
And often one of the things that we're talking about at Disrupt is, you know, the rise of robots, also the rise of autonomous systems, you know, and if we get to a point in a few years' time where there's a lot more driverless car systems, even not necessarily fully driverless but people relying on cars to drive them around, even on the highway, driverlessly as it were, to coin a phrase,
you know, you know, famously, Jeep was hacked the system there was hacked. Interestingly, what's your view about are the security systems being put in place now by the automakers Do we have to be a little worried about what might happen in the future?
So I guess I have a unique perspective on this, because at the same time as the Jeep hack, I hacked the Tesla Model S.
What I found from hacking the Model S was it has the starting of a really good security architecture. But there were a lot of flaws in it because they are using quite an old operating system. That's actually a common problem in vehicles. It takes four to five years for a vehicle to reach production. But the average life cycle of, say, a Linux operating system is two to four years. So almost always your operating system is deprecated by the time it comes out. So that's a big problem that the industry is going to have to solve.
But the other things that I'm seeing and the other signs I'm seeing are really positive. Right now we're starting to see software improvement. So cars are actually getting software firewalls, filtering signals, etc. By 2020, you're going to start to see replacement of traditional networks like the CAN network that controls the automotive parts of the car.
And that replacement is going to open the door to things like encrypted CAN communications, or Ethernet in the case of some vehicles, encrypted ECUs, which reduces the kind of the attack surface and also means that vehicles start to truly adopt defense in depth. Right now if you take a car that was released pre-2018 and plug something into the OBD-II port, it's pretty much game over, you have full administrative access to a network that controls and really
and that's that's right now, when the most cars don't have these autonomous systems. What's your view like?
Yeah, you know, I mean, for most vehicles today security was a bolt-on, not a built-in activity, and you know, many of the properties that Marc's talking about are things that are really most effective or most likely to actually come to fruition if you make those decisions very, very early in the software development lifecycle.
And, you know, the reality is, I think like the, you know, if you read like books on sort of software, software security methodology, I mean, a lot of that stuff is necessarily 20 years old. But many companies don't necessarily have programs to actually effect that in their products, and you know, Marc talked about IoT earlier, I mean, there's, there's not necessarily a strong incentive structure to make sure you're even implementing those things in the first place. Because where are the penalties for not doing it, and accountability for not delivering that in your product?
So it's good to see actually, the automotive industry is actually kind of leaning in on some of that stuff. And to Marc's point, by 2020, hopefully when we're all being chauffeured around, many of these systems will be much more secure.
I think one of the challenges just touched on there is too many industries sit in silos, and they see the threats that say, the internet based economies face and they see the threats the automotive face, and they don't think they're affected. And that's kind of a general fallacy in terms of understanding what the threat landscape is.
And instead of moving from industry to industry, only fixing things when bad stuff happens. We need to start realizing that actually, security is something that's horizontal, it goes across all of the industries and we've had 30 years to learn about how to implement cybersecurity well.
So if you're building a medical device that's going to connect to the internet, you should accept that you're going to face the same kind of threats that any IoT device that connects to the internet faces. And likewise, if you're building a car that now has connectivity, you're going to be facing the same kind of threats. And I think until we get to the point where that understanding happens, we're still going to see industry after industry have its own big issue and then evolve, the next industry has a big issue and then evolves.
Just just quickly, one of the issues that have happened in the last couple of years is obviously the rise of blockchain and cryptocurrencies and so called you know, very, very supposedly very, very deep encryption in order for these blockchains to run.
Well, do you think that will ever start to affect or impact, positively or negatively, the cyber security industry?
Yeah, I think blockchain, not unlike artificial intelligence or other flavors of machine learning, are great tools to solve concrete problems that businesses have. So I can imagine there's, you know, certainly plenty of interesting potential applications where you can solve a discrete problem that an IT admin or that a software company has.
So I, but I think the challenge is a, sometimes it's a cart before the horse thing, it's a, I would, I would like to use this, you know, methodology and then I'll go find a problem to solve with it, versus having a clear understanding of the job to be done. And then working backwards from that to to figure out the right technology so excited to see kind of the rise of some of those things that will come through in our space. But the alignment with like a core problem or a sort of a fundamental thing that needs to be addressed in our space is going to be the critical piece.
What do you what do you make of that?
I agree. I think blockchain is a very exciting technology that's sort of looking for problems to solve, and I've seen a couple of concrete solutions where it's adding a lot of advantage. One of those is in contracts.
Another one is actually Okta has worked with some NGOs overseas where they use blockchain as a way to permanently record the ownership of land and property. So that's quite a good use for it, but I think a lot of the other uses are very early and they're kind of looking for problems to solve. I do have high hopes that it's going to solve some stuff. It's a fantastic piece of technology. I think it's just very early.
Marc, famously at DEFCON this year, it was brilliant because you brought some voting machines, US voting machines, and some teenagers basically hacked into them.
Give us a give us a preview of how you're going to best that next year.
Every year I wonder how we're going to best it and every year someone brings something along for us to that to have the the voting machine issue is actually can laptop the show actually this year was more they were looking at the websites that are used for soliciting votes and making comments.
And kids found a ton of vulnerabilities in the actual voting kiosks last year. And famously, I think one of the kiosks literally lasted about 10 minutes before someone was able to find a compromise. And these things are built on sophisticated technology. And we're talking Windows platforms with open USB ports.
And so if you have a Windows platform and an open USB port, no really strong policy, and someone can go behind the curtain and fiddle with it while they're voting, you're fighting an uphill battle. Yeah.
I think voting is probably going to continue to be a focus because it is such an important thing for our democracy. And there's a lot of opportunities to do stuff, but we've had people like, we've had the FTC come in and ask us to solve problems, so, and I know I'd like to think it's going to be transformative. But that's because that's my own personal favorite area. But we'll see.
Well, hopefully we can stick to pen and paper for a bit longer or pen. Definitely not pencil.
Brilliant. Gentlemen, thank you so much for coming to TechCrunch Disrupt round of applause, everybody. Thank you.