Navigating Forward

Cybersecurity: Discovery, automation, and AI with Bruce Hembree

Launch Consulting Season 4 Episode 8

On this episode of Navigating Forward, Mike Halstead and Creighton Adams from Launch Consulting host Bruce Hembree, Field CTO for the Cortex division of Palo Alto Networks, in a wide-ranging discussion about cyber hygiene. They highlight how thoughtful automation and quality machine learning can enhance scalability of security efforts and allow engineers to spend time on creative pursuits that can ultimately increase the maturity level of the organization. They also touch on how AI will change the development and testing of products — and how humans will still be absolutely necessary for those tasks. Finally, they reflect on whether or not anything has changed since the SolarWinds attack and if it shifted the perceptions of cybersecurity teams.

To learn more about how to develop your organization's Future State of Cybersecurity, go to launchconsulting.com/cyber.

To download the Unit 42 report referenced in the podcast, go to https://www.paloaltonetworks.com/resources/research/2023-unit42-ransomware-extortion-report

Follow Bruce Hembree at https://www.linkedin.com/in/bruce-hembree-4679a6a5/
Follow Mike Halstead at https://www.linkedin.com/in/mike-halstead-77bb6018/
Follow Creighton Adams at https://www.linkedin.com/in/creighton-adams/

00:00:01:17 - 00:00:49:21
Narrator
Cybersecurity is one of the most important and most complex aspects of modern business. Ransomware and other cyberattacks are skyrocketing. Millions of security jobs remain vacant, and in the age of AI, new opportunities and threats are growing quickly. In this special series from Navigating Forward, security and business experts from Launch Consulting explore the evolving landscape of cybersecurity across industries. Along with a slate of distinguished guests, we’ll discuss how organizations can build healthy habits and practices that promote cyber resilience for the long haul. Join us as we uncover what businesses need to do now to prepare for what's coming next. This is Navigating Forward, the Cybersecurity series.

00:00:49:23 - 00:01:30:13
Mike Halstead
Hello and welcome to Launch Consulting's Navigating Forward podcast. I'm your host, Mike Halstead. We feature guests from industry and our own internal experts to educate you on specific areas to better safeguard your organization. As you may be aware, 80% of cybersecurity is good hygiene and the rest is extra credit. However, you're never going to be able to address the more advanced risks if you haven’t basic cyber hygiene. Today, we'll deep dive into the extra credit, or the 20% that's required to help protect your organization from advanced adversaries and threats. We'll provide thought leadership, practical ideas, along with takeaways for your consideration. I'm pleased to be joined by our special guest, Bruce Hembree. Bruce is an Air Force veteran specializing in anti-terrorism.

00:01:30:15 - 00:01:56:22
Mike Halstead
He was part of Microsoft Digital Crimes unit, an elite unit fighting organized cybercrime, taking down some of the biggest botnets out there. Bruce now is Palo Alto’s Cortex Field CTO. I'm also joined by Creighton Adams, who is Cybersecurity lead for Launch and is a self-proclaimed gearhead. Little bit on myself, at Launch Consulting I'm the Managing Director of Cybersecurity. Prior to Launch, I had a long career at an international bank and most recently as a cybersecurity executive.

00:01:56:24 - 00:02:09:05
Mike Halstead
My passion is connecting with industry peers and organizations to better help businesses understand what is real and help them prioritize what is important. Creighton, can you give a quick intro on yourself and a little bit on your background and passion?

00:02:09:08 - 00:02:26:27
Creighton Adams
Yeah. Creighton Adams. I've been playing with computers ever since I was ten. There is a video game Diablo that I always wanted to play, but my AMD 75 processor on my 486 wasn't powerful enough, so that's when I learned overclocking. From there I did Active Directory as my first target, which is a little bit different than most gamers.

00:02:26:29 - 00:02:56:08
Creighton Adams
They usually don't look into Active Directory, but parents being part of the medical industry, controls of Windows 2000 is where I started. From there, helped found an ISP team over here in Seattle, became the principal engineer at that ISP before it sold and then moved on to consulting to go from place to place, including Microsoft in the lab space and did enterprise systems engineering, which is all aspects of compute and corporate IT, and then moved over to cybersecurity due to my curiosity. So that's where I'm at today.

00:02:56:10 - 00:03:02:03
Mike Halstead
Thanks, Creighton. And finally, Bruce, our special guest, a little bit on your background and your passions.

00:03:02:06 - 00:03:25:07
Bruce Hembree
Sure. I come from the Information Warfare groups of the United States Air Force and am currently Field CTO for the Cortex division of Palo Alto Networks. I did used to run the operations for the Digital Crimes Unit at Microsoft. The DCU is where we were looking at the way that organized crime groups and nation state threat actors were building their threat ecosystems, and then we would exploit the vulnerabilities in those architectures to seize them and take them down.

00:03:25:09 - 00:03:52:22
Mike Halstead
Awesome. Thanks, Bruce. So, we've already spoken about the importance of good cyber hygiene. Essentially, it's the basics knowing and classifying and protecting your critical assets, security testing, scanning and of course, patching vulnerabilities, multi-factor authentication, incident response monitoring are just a few that are out there. So, assuming that an organization has addressed the good hygiene side of it, Bruce, what are other areas companies or organizations should focus on to secure their environment?

00:03:52:29 - 00:04:53:14
Bruce Hembree
Assuming that cyber hygiene is in place and it's in good working order, then the next thing that I would be looking at is a combination of automation and discovery. Discovery of what you don't know. It's important to understand what you don't know about your enterprise and to make that an ongoing process. That's something that we do internally within our SOC here at Palo Alto Networks, we are continuously doing self-discovery both internally and externally, and then we have keyed automation against that so that if something new is discovered, it is placed in a place where it's not supposed to be or it's in an unpatched state, whatever the circumstances are, we want to make sure that we are responding as well as we can to those things that pop up, because you have to be graceful, you have to be efficient in the way that you defend an organization. And expecting the unexpected is critical.

00:04:53:16 - 00:05:08:03
Mike Halstead
So just touching on the topic, on kind of discovery and or dark corners in the organization, are there best practices that organizations should undertake to perform that discovery so they’re ensuring they haven't missed anything?

00:05:08:05 - 00:05:42:22
Bruce Hembree
Absolutely. You can certainly expect that there are going to be endpoints in your enterprise that are going to appear and disappear. Expect them to be added by engineers as needed and perhaps spun up, spun down. That let's call it evolution, of your network. It's an organic thing in the way that it grows, the way that it changes. Don't expect a static state and those, if I could say it, best process would probably be to look at your external surface, yes.

00:05:42:22 - 00:06:16:19
Bruce Hembree
Look at your internal surface and then make sure that the discoveries that happen there aren't wasted. Don't collect data unnecessarily. Do something with it. Humans are notoriously unreliable. We get bored, we get frustrated, we get angry, we get sick, we go on vacation, all the things associated with being human. If you have automation tied to the discovery process, then it can have that gating factor of a human waiting on them when they return.

00:06:16:22 - 00:06:44:04
Bruce Hembree
So have a sanity check there. Within our SOC when we discover something new, if we discover that one of our firewall engineers has changed something that left a server in its unpatched state or exposed something to the outside that wasn't visible before, it's going to generate one of the manual events that our SOC is going to have to field, and that sanity check is going to be, hey, I can see something new from the outside and this is the machine learning speaking.

00:06:44:07 - 00:07:03:07
Bruce Hembree
The machine learning says, I can see something from the outside now that wasn't visible before and I need to know what you want me to do about it. Do you want me to quarantine it? Do you want me to leave it alone? We're not trying to cause a production outage. We're trying to respect the pace of business. But we also have to respect the pace of threat.

00:07:03:09 - 00:07:43:19
Bruce Hembree
And it means that there has to be a compromise between those two, those two rough surfaces that rub against each other. They will become they will become welded together. But when you have automation in the mix, it can help you key a moment where that endpoint that was in a non-sanctioned state or a non-sanctioned place either gets patched or gets quarantined or moved. There's a host of responses there, but make sure something happens. Don't let data that you've collected just lay there.

00:07:43:22 - 00:08:00:07
Mike Halstead
That's a great point. I like the sanity check and the fact that there's a lot of data out there that's being generated and there's also a lot of false positives. And how would an organization, how does an organization deal with all the false positives?

00:08:00:09 - 00:08:29:22
Bruce Hembree
The most scalable mechanism that we have found is machine learning and machine learning that is trained well. Machine learning is only as good as the data that you give it. If you give it garbage data, it is going to give you garbage responses. And the way that you train machine learning is also fundamental. We have just over 100 patents within Cortex that are related to the way that we treat data, the way that we respond to data and the way that we build our machine learning.

00:08:29:24 - 00:08:57:29
Bruce Hembree
One of the things that we focus on the most is false positives, making sure that we aren't chasing our tail. It slows us down, it creates inefficiencies. All those things that cascade from the beginning of a process to the end of the process. And it is not, it's not it's not scalable, it's not efficient. Getting good data to the machine learning and making sure that machine learning models are well trained and that they are not resting on their laurels.

00:08:58:02 - 00:09:15:22
Bruce Hembree
You have to continue to evolve with your machine learning. We retrain our machine learning on just over an exabyte of data every two weeks because of the I'll call it the constant churn associated with the way that machine learning has to be trained and the data that evolves alongside of it.

00:09:15:24 - 00:09:20:08
Mike Halstead
So, it's almost like garbage in, garbage out type concept with machine learning?

00:09:20:10 - 00:09:51:04
Bruce Hembree
Certainly. But the, what is the saying, to err is human, but to really screw things up requires a computer. Well, when you start dealing with data at that scale, when you start looking in the exabyte ranges and things at that scope of awareness for machine learning and the cost of moving that kind of data around, processing it, storing it, you're looking at very real dollar figures and the tolerance is not good for storing a bunch of garbage.

00:09:51:06 - 00:09:54:06
Mike Halstead
Excellent. Thanks for that, Bruce. That was helpful.

00:09:54:09 - 00:10:26:03
Creighton Adams
That's perfect. I'll pick up here. So, I'm going to pivot off some items that you're sharing, which is the organic process, and then the two rough pieces rubbing together to either weld and possibly polish. Right. So, engineers love to spend time building. What has been a good approach to bridge the gap between business needs and their deliverables, while allowing engineering such space and time to develop solutions that are not in existence yet? We'll start with that one.

00:10:26:05 - 00:10:47:29
Bruce Hembree
Engineers, they are creative people. They are, they need that time to create. And everybody has our daily workload. Everybody has something that you have to do. That quotidian thing, the tyranny of the urgent that's constantly weighing down on you, that is always going to be there. But there needs to be a time in your day where you are working on that creative outlet.

00:10:48:06 - 00:11:12:10
Bruce Hembree
The side projects that ultimately increase the maturity level of the entire enterprise. That was, in our SOC when I was looking at our SOC, the way that our SOC operates, those engineers that live in that space, they are living under the tyranny of the urgent. Before we had our automation in place, before the machine learning was trained as well as it is today, they spent their entire shift dealing with whack-a-mole.

00:11:12:12 - 00:11:53:04
Bruce Hembree
And that is counterproductive to an engineer, to a creative person, and to the enterprise maturing as an organism. Once we got our machine learning and automation in place, it allowed our engineers to break their day into thirds. One third of their day was spent sitting in the queue waiting for one of the manual events that human has to touch. It needs a human's wisdom. Machine learning is a brilliant idiot. It will absolutely do the most horrible things if you let it, but it has things that it can do that a human can't hope to do.

00:11:53:11 - 00:12:20:20
Bruce Hembree
We can never put these things together if we just don't have that kind of capacity within a single human that I've met. And once you give the machine learning the ability to affect change inside your network and you've learned to trust it, then it becomes the ability for those engineers, those humans to split their day into dealing with the things that they have to deal with, the tyranny of the urgent, back to it.

00:12:20:22 - 00:12:44:12
Bruce Hembree
But then they get to go on their creative pursuits. They get to have that time where they are working on the side project that they wanted to get to. Those side projects that ultimately increased our maturity level with things like the zero trust, things like port security and SSL decryption, URL filtering, all the little side projects that you want to get a chance to get to but never get a chance to touch suddenly can happen.

00:12:44:20 - 00:13:04:06
Bruce Hembree
But you've got to have the right solutions in place to help the human be human, help the human get that opportunity to do the work that they are so good at, and the machine learning and artificial intelligence just doesn't do well. I hope that makes sense.

00:13:04:10 - 00:13:27:07
Creighton Adams
No, it does. Well said, because the analogy I was giving to some executive leadership on Monday was what is the role of AI in our new world? And it's similar to I want to build a log cabin out in the woods. Well, you can do that with an ax, manually, sharpen it, start hacking away, but you get tired after a bit. If you have a chainsaw and many gallons of gas, you’re gonna get a lot more logs.

00:13:27:09 - 00:14:03:21
Creighton Adams
It's an amplifier for the intent that needs to be carried out, which is that log cabin. So having that space for the engineer to be in that organic creative place, to wander, to ponder, to then develop a solution that doesn't yet exist or achieve a goal that they have visually in mind will give them that space with proper tooling is where my brain was going on that. So definitely aligned there. The follow up question, how does the culture of the company fit into its cybersecurity positioning with what we just spoke about, giving that space to the engineers.

00:14:03:24 - 00:14:23:21
Bruce Hembree
Culture is fundamental and the I'll call it explosively dynamic nature of security means that a threat that didn't exist yesterday can absolutely exist today, and it can fall on you much like the Inquisition. Nobody expects the Inquisition, right?

00:14:23:23 - 00:14:24:25
Creighton Adams
That’s correct.

00:14:24:27 - 00:14:53:27
Bruce Hembree
The culture means that instead of focusing on production at the expense of everything else, understand the need for security alongside of production. If the executive staff project from the top down production is king, nothing else matters, security will take a back seat, and then something is going to get through that is going to bring production to a screeching halt.

00:14:54:00 - 00:15:20:03
Bruce Hembree
And you are not resilient. You are brittle, you're fragile, all geared towards production. And that comes from your culture. That culture of resiliency means understanding that security is production. If you keep that security baked into it, then it allows production to continue at a sustainable pace that is resilient.

00:15:20:06 - 00:15:45:08
Creighton Adams
That resonates really well Bruce. That actually reminds me of the time when I was at the Federal Open Market Committee for the Federal Reserve in Mike's neck of the woods in Chicago, where Alan Greenspan shared maximum sustainable growth is our goal and an echo of running a business maximum growth or maximum sustainable growth requires that due diligence to know what's within your four walls.

00:15:45:10 - 00:16:16:27
Bruce Hembree
If you're constantly sprinting, you're going to exhaust the animal. If you are running at a sustainable pace and it has, let's call it guts, if it has the internals that keep it functioning, then it is possible for that organism to continue going indefinitely. That's what production is for us. And within our SOC, we are making sure that the efficient protection of the data that we are producing daily is sustainable and always with security in mind.

00:16:17:00 - 00:16:19:09
Creighton Adams
Love it.

00:16:19:12 - 00:16:39:05
Mike Halstead
To just, back on this point, you had written an article around executive culture compromising security a couple of years ago. Have you seen a shift towards the positive where organizations are starting to get at they have more top-down views around security as being part of the production process? Or do you still believe that that's lacking?

00:16:39:08 - 00:17:12:19
Bruce Hembree
It's a cultural, there is a cultural difference. Certain nations are very strict in the way that junior employees interact with their executive staff, and it's endemic in their culture to believe that the executive staff are not questioned, they aren't approached, they aren't ever queried. And that intimidation factor creates a fear culture. That fear culture, it stymies the efficient development of an organization.

00:17:12:21 - 00:17:58:19
Bruce Hembree
I have seen a growth. Yes, it is changing, and that is because the awareness, even within the business side of the house, the CEO, the CFO, those execs that previously looked at security as a cost center, they now have come to recognize the value of their organization to threat actors. They come to see, holy moly, we are a juicy target. We want to make sure that they have an eye toward security, too. And I'd love to see that evolution of businesspeople becoming aware of how critical security is for the business to function, not just as a cost center. It is happening.

00:17:58:21 - 00:18:25:15
Mike Halstead
Good to hear. Just pivoting over, we touched a little bit on AI, but I'm going to touch on it a little more. It's of course all over the news. ChatGPT, Microsoft Copilot, others and while it's been around for some time now, it's getting a lot of the spotlight. So, from your perspective with AI, how does it help or hinder our defenses from cybersecurity perspective?

00:18:25:17 - 00:18:55:02
Bruce Hembree
Developers over the course of the next decade are going to become curators. They're going to become people that are skilled in building the query that the AI uses to build something for them. And you have to be aware of what that's going to do to the product that is outputted. So that output product is only going to be as good as the query that was built by the engineer that put it together.

00:18:55:05 - 00:19:24:10
Bruce Hembree
If you give it a query that doesn't take into account all of the criteria that are necessary for it to succeed in the real world, then you could potentially wind up with a product that is again, fragile. And so, you have to be aware that careful construction of the instruction set that you give to the AI to build something must be complete, it must be tested, it should be thoroughly looked at.

00:19:24:16 - 00:19:47:06
Bruce Hembree
And so, developers are still going to be necessary. Absolutely. We can't get rid of the humans, and we shouldn't get rid of the humans. The humans are the soul inside this thing. We are the ghost in the machine. At some point we become that enabling oversight, I guess, if you will. But you have to be good at building that query.

00:19:47:11 - 00:20:09:03
Bruce Hembree
And then the product that's produced must have security, secure coding practices built into the produced product. If you just tell it, go build me this, it's going to take the shortest possible series of steps to get that. If you tell it, go build me this, but use these secure coding practices, then you get an entirely different product.

00:20:09:06 - 00:20:32:13
Mike Halstead
Does that change the type of assessment that will be done in the future? You know, if you look at security testing today, you do threat modeling, you do vulnerability scans, you scan the code, pen testing. So how do you see that looking down the road with AI so that you look for those fragile and don't deploy those fragile products or applications?

00:20:32:15 - 00:21:09:04
Bruce Hembree
Code review is going to change dramatically over the course of the next decade. It's going to become as much about the code that was produced by the AI and as much about the prompt that was used to produce it. What was in it? What prompt did you use, did you feed into the AI to produce the code set that was the result. That code review, look at that. Now you've got two places you're doing code review, not just in code review of what the end product is and what it's doing, but what produced this and what was your output here. I think that that code review is going to become even more critical than it is today.

00:21:09:07 - 00:21:11:02
Mike Halstead
Agreed, thanks for that Bruce.

00:21:11:04 - 00:21:39:11
Creighton Adams
My mind is going in so many different directions about code review and because the one idiom I always stick to with my team members is to get good answers, you have to ask good questions. That's it. So really focus on the questions. And I remember doing those MBRs back in the lab space. That precision-based questioning was very uncomfortable at first. So, get comfortable with discomfort is one of the next things I'd always tell the team members to be ready for.

00:21:39:14 - 00:22:18:09
Bruce Hembree
And then now you're going to be looking at the place where AI and AI are going to collide. You're going to be winding up with these machines building machines, and it's going to be a, it's an amazing time to be alive. But it's also the careful ethical construction of the things that are going to power the next decade will be so critical and the things that we have to think about that are ancillary to that. Think about the impact of the business world of the people that this could potentially displace for low level work that was previously done by humans.

00:22:18:11 - 00:22:31:18
Bruce Hembree
Now we're going to have to worry about how do we pay those humans, how do we feed them, how do we house them? This was their job before. They don't have that job now. There's so many things to think about and that the ethics of that are going to be fundamental.

00:22:31:18 - 00:22:53:21
Creighton Adams
That's just like, I believe, who was it, Mark Twain that says history doesn't repeat itself, but has a tendency to rhyme. That's that industrial revolution where manual labor was replaced with steam power and mechanical. And then that happened again later with, what did the USPS think that email was going to put them out of business. So then how do we adjust for that? Right?

00:22:53:24 - 00:22:55:25
Bruce Hembree
It's a sliding window.  

00:22:55:25 - 00:23:05:28
Creighton Adams
Hundred percent. So, going into that sliding window, if you could speak to Bruce five or ten years ago, what would you tell Bruce back then to be prepared for in cyber with what you know now?

00:23:06:01 - 00:23:32:08
Bruce Hembree
Ten years ago, automation was, and I harped on automation a lot, and that's the reason, that's because it plays such a fundamental role in the way that we defend ourselves at Palo. It allows us to have a very small SOC, a relatively tiny team. We only have ten analysts at Palo Alto Networks inside of our SOC for the entire company globally.

00:23:32:10 - 00:24:03:26
Bruce Hembree
Now we distributed them globally, so they only work during the time zone where they live, but we're trying to respect the quality of life. We want them to make sure that they spend time with their children, that they're home to pick up a package when it arrives on the doorstep, all the little things that contribute to quality of life. That small number of humans, those ten people that are doing our security at Palo, they are handling about 36 billion events per day, per day with ten people, and automation makes that possible.

00:24:03:28 - 00:24:31:20
Bruce Hembree
Ten years ago, I didn't know just how impactful it could be. I didn't know that it was going to give us that third of the day to be creative. I didn't know that. I hoped, but I didn't know it. And back then, especially for organizations that are small, an organization that might have one human doing security ops in their network, maybe two.

00:24:31:22 - 00:24:56:28
Bruce Hembree
They will say we are too small to use automation. And the first thing I'm going to say to them is the smaller you are, the more you need it, because you can't be there all the time. And on the offensive side, we knew the time of day for our targets. We knew local holidays, political events, all the things that made a campaign more likely to succeed.

00:24:57:05 - 00:25:28:17
Bruce Hembree
And if you have automation in place helping you do work, then it does good things for you. The thing that we hated the most on the offensive side was automation. It wasn't your antivirus, it wasn't your firewall, it wasn't your anything. It was automation because automation never blinked. It didn't get sick, go on vacation, get frustrated, bored, angry. It didn't do any of that. It never blinked. And ten years ago, I didn't know just how much it could change the way we did security.

00:25:28:19 - 00:25:45:15
Creighton Adams
That's good. In my brain, the only thing I would add is, because I agree, I always had a what about the automation, put that off to the side. You’ve got to have a good system, appropriate automation, to make sure that that critical thinking process takes place. Ask the right question, you get good answers.

00:25:45:17 - 00:25:46:29
Bruce Hembree
Yeah. Don't automate just to automate.

00:25:46:29 - 00:25:56:12
Creighton Adams
Exactly. Oh, because that's chaos right there. Automating to automate because then you have to chase it down and then you end up finding that production was running on test the entire time.

00:25:56:14 - 00:26:02:25
Bruce Hembree
And you wind up with an email box that’s got 10,000 messages in it that were put there over the course of the last 45 minutes by the automation.

00:26:03:00 - 00:26:06:27
Creighton Adams
That's decision fatigue right there. How are you going to get through all that?

00:26:06:27 - 00:26:10:18
Bruce Hembree
Lived it. Automation had to evolve to where it is today. 

00:26:10:18 - 00:26:31:08
Creighton Adams
And I like how you framed that too, because you didn't complain about compute power, wasn't about compute power, it’s that appropriate automation. But now compute power makes that more cost effective, but it's still automation. Rolling on to the next, besides AI Bruce, what are other trends that you're seeing is having an impact in the cyber landscape? What ones hold water and which ones seem not to?

00:26:31:10 - 00:27:05:18
Bruce Hembree
Well, automation is nice to talk about and all that fun stuff, but artificial intelligence is, this watershed moment, is making the average person aware of what computing does for them and how much AI is potentially impacting them towards a better life. We're at a point right now in history where more people have a better quality of life than at any time in the history of our planet ever.

00:27:05:20 - 00:27:50:17
Bruce Hembree
More people have a better quality of life right now today than has ever happened in the history of the planet Earth. They have better access to healthcare, food, water. Not everybody has that, but more people have it right now as a percentage of population than at any time in our history. And artificial intelligence, the practical application of that. Artificial general intelligence, the real-world application of that, where a machine built a process and then a machine does the physical work in the real world, think of that intersection right there where we have a series of machines that are trained by artificial intelligence to do their sorting of our recycling.

00:27:50:20 - 00:28:25:11
Bruce Hembree
Something as simple as that. But right now, is difficult to do. The handling of radioactive waste, the handling of medical waste, all the little things that a machine will be able to do that we can't do. This is a golden era for mankind. If we can control our base urges. Hope that's a, the potential for self-destruction is there and we absolutely have to respect that. The practical application of all these technologies coming together, I think what a great time to be alive.

00:28:25:14 - 00:28:52:25
Creighton Adams
That's a perfect wrap into what you were saying, the intention-built ghost in the machine. How are we going to carry this forward? And one of the things I was always learning back in the day was the energy economy. So having human time is that energy. How can we use it more efficiently? And then looping back to allowing engineers to develop, having that efficient use of energy to have them be creative again. And that just takes that shepherding, being very careful with each step.

00:28:52:27 - 00:29:11:10
Bruce Hembree
Again, back to the tyranny of the urgent. The tyranny of the urgent will always find a way to pull you away from progressing or making real progress. When you have that tyranny of the urgent under control. It's never really under control, but it is possible to keep it at bay.

00:29:11:10 - 00:29:14:07
Creighton Adams
At bay. I agree. Good stuff.

00:29:14:09 - 00:29:27:23
Mike Halstead
Yeah. It's just, as we talk about this and thinking and, you know, at some point, how do you tell what's real versus AI-generated or does it matter or just a blur you know down the road.

00:29:27:25 - 00:29:28:20
Bruce Hembree
I don't know.

00:29:28:23 - 00:29:37:04
Mike Halstead
How is this regulated right. And I'm sure that, you know, our regulator colleagues are trying to figure that out themselves, right. And how's it governed?

00:29:37:06 - 00:30:13:26
Bruce Hembree
I was just reading about some, I call them AI engineers, and that's what they really are becoming is an AI engineer, a curator of content. They are using AI to detect AI. So, they're saying, show me content that was generated by AI. So, they're going to Bard and they're going to ChatGPT. They're literally going out and looking at content and saying this was created by AI because I can tell by the language that he uses the traits within that language. And it is, well, we'll have to see where that goes. But using AI to detect AI is a thing going on right now.

00:30:13:29 - 00:30:17:18
Creighton Adams
We’ll have to get that for the school system when students upload their papers, eh?

00:30:17:20 - 00:30:29:00
Bruce Hembree
Oh, for sure. There's going to come a point where the papers are going to become too good. And at some point we're going to be detecting the ones that are written by a human because they suck.

00:30:29:03 - 00:30:32:01
Creighton Adams
Right.

00:30:32:03 - 00:31:09:06
Mike Halstead
Wild, wild. Thanks, Creighton. And just kind of moving on to a little bit different topic and this is really in the supply chain side of things. And SolarWinds was a pretty significant event back in late 2020. I think those of us who were in the cyber industry remember exactly where we were when we heard about this one and the potential impact this was going to have. So, what I’d like to hear from you, Bruce, is your perspective on the event, how it was handled, good or bad? And is the supply chain now safer as a result of changes because of SolarWinds?

00:31:09:08 - 00:31:36:29
Bruce Hembree
I would say it's not safer. It's in the same basic state that it was before. So, for us, SolarWinds and that whole compromise, that threat campaign, that threat actor tried to weaponize on us very, very early. We caught it based on its behavior. The machine learning automation that we deployed internally in our SOC is very much focused on supply chain and insider threat.

00:31:37:06 - 00:32:01:15
Bruce Hembree
For us, we caught it based on its behavior because this was the machine learning profiles that surround a specific application, even something as fundamental as SolarWinds in the way what it typically does within a network, means that you can understand when malignancy enters in a process because of behavior and this all started because we had to humble ourselves in front of the universe.

00:32:01:18 - 00:32:21:09
Bruce Hembree
And I say we had to humble ourselves. There is always going to be another zero-day. There is always going to be another human in your environment that gets successfully phished. There's always going to be a human that does something that they shouldn't have done. You can't stop that. Prevention's nice, prevention first, always. You don't want to have to clean something up.

00:32:21:11 - 00:32:45:04
Bruce Hembree
But accepting that you can't stop the next zero-day is part of the graceful handling of threat. And so, when you humble yourself and understand that that zero-day is going to happen, the supply chain compromise is going to happen, then you have an opportunity to look at behavior. Behavior. If someone uses their zero-day, they say they go on the dark side.

00:32:45:04 - 00:33:02:22
Bruce Hembree
They spend 150 grand, get their zero-day and they use it for something inside your network. What do they then use the endpoint that they have secured for? What do they do with it? Do they try to exfiltrate data, or do they try to encrypt it? Do they do reconnaissance within their subnet? Do they try exploring other networks around it?

00:33:02:25 - 00:33:30:23
Bruce Hembree
Behavior wins out and behavior is telling. So, for us, we caught it, we quarantined it. For us, SolarWinds and SolarStorm was a very short-term thing. We just didn't know that there were 18,000 other targets coming down the road from us. We did notify the manufacturer, hey guys, SolarWinds. Hey, we found our executable, which was digitally signed, by the way.

00:33:30:25 - 00:34:10:24
Bruce Hembree
We found a digitally signed executable that just tried to do what is strongly looking like a Cobalt Strike Beacon. Okay, that's a big deal. Digitally signed, think about that. We did notify them. I'm not sure they believed us, to be honest. We started looking at it forensically. That particular threat actor had even taken the time to match the capitalization syntax and the naming convention syntax as they were using their function calls, a beautifully written piece of malware. However, there's a lot of people that were very seriously hurt by it. That was the event for us. To my knowledge, we're the only ones at our scale that caught it in its true adversarial state and stopped it.

00:34:10:24 - 00:34:25:24
Mike Halstead
As a result of the SolarWinds event, and for organizations who are out there, what are the learnings that they should be taking into consideration around supply chain and based on that event?

00:34:25:26 - 00:35:07:21
Bruce Hembree
You can't trust something just because it's digitally signed. It's a nice, warm, fuzzy, but the practical application of behavioral analysis inside your network is going to find and help you detect the next time that that happens. I don't think there's a way that we're going to be able to predict the next one reliably. Instead, we're going to have to rely on zero trust as a mechanism to help us look at the behavior of a user, the applications on an endpoint, and then the causality chain that flows from the user or from the application to ultimately a bit being put on the wire.

00:35:07:23 - 00:35:33:21
Bruce Hembree
That series of actions, it's something you can see, and it's more concrete. It helps us be prescriptive with the applications that we allow inside of our network, but you still can't trust them. You have to look at behavioral analysis and you have to be vigilant, especially inside your own network. These applications are leveraging the permissions that they have been implicitly given by either the user that installed them or the nature of the application itself.

00:35:33:23 - 00:36:10:07
Bruce Hembree
There's no exploit here. There's nothing, there's no exploit to stop. They're using their native permissions. They're using the traits that they have as an application. They're exploring the network because they're supposed to explore the network. It's SolarWinds or whatever it is, it's supposed to be doing that. Look at what it's doing. Let machine learning have an opportunity to become what we in the military called a force augmentee. A force augmentee outsizes one human, lets you become more than what you were before.

00:36:10:09 - 00:36:34:13
Creighton Adams
To add to that, my experience directly when I was in the space when SolarWinds occurred is asking those prescriptive and critical questions so I’m going to be a fan for a second. The Palo Alto system with the user ID, I blocked all domain admins going across the internet border. Rule number two and then unknown TCP, unknown UDP, block.

00:36:34:14 - 00:36:49:09
Creighton Adams
I don’t want you around. And then risk five from the database, so people were noticing services were being odd, intermittent when it started happening, but the exploit was walled off because it couldn't cross the threshold because it wasn't supposed to.

00:36:49:12 - 00:37:13:09
Bruce Hembree
Love that. Not every network has the luxury of practicing not logic. If you're not this, you don't get to function. You don't get to do anything because you're not what I'm allowing through. Not everybody gets that opportunity. But if you can, wherever possible, use that not logic. If you're not what I specifically allow to transit, then you're not allowed to exist at all.

00:37:13:11 - 00:37:23:17
Bruce Hembree
And those things that operate in the shadows, that tends to operate on ignorance. They're not in that list. So, they can yammer all they want, but they don't get across the board.

00:37:23:17 - 00:37:23:23
Creighton Adams
Right.

00:37:23:29 - 00:37:36:07
Mike Halstead
Great discussion on that. But just moving on here, are there certain industries, organization types, that are at more risk, from a cyber perspective, than others? And if so, what steps should they take to be more secure?

00:37:36:10 - 00:37:57:28
Bruce Hembree
Our Unit 42 is where we do our incident response within Palo Alto Networks. So, your cyber insurance company, they underwrite you and they say, hey, we're going to insure you for this specific compromise. And whenever a cyber insurance company has a breach that they need to help field, they will frequently call us, and we will come help.

00:37:58:01 - 00:38:25:01
Bruce Hembree
So, Unit 42 steps in and helps an organization recover. Before COVID started, the engagement rate would be usually we would see a new breach somewhere in the world that we would try to help with every once, every 1 to 3 days we would find one. Just since COVID and the conflict in Russia and Ukraine has started, the pace of that intrusion has increased to about every 3 hours.

00:38:25:04 - 00:38:47:04
Bruce Hembree
We see something new that we are being asked to help with somewhere around the planet, every 3 hours. So, we started and did a deep dive into what was the vertical that that organization operated in. Manufacturing was a very big one because they’re trying to build something and they're trying to build it as fast as they possibly can.

00:38:47:06 - 00:39:11:02
Bruce Hembree
That means that they can't be down for any extended period of time. They're more likely to pay, so they will pay quickly. We found in our research manufacturing, government and healthcare, because they are the ones that are so sensitive to the public perception of what's going on with their data. Manufacturing is going to pay quickly because they want to get back up and working.

00:39:11:04 - 00:39:36:19
Bruce Hembree
Healthcare is going to pay quickly because lives are at stake, and government pays quickly because loss of data means loss of trust in that government entity. The average ransom demand that was paid by public entities was twice as high for a public entity as it was for other similar entities. Cities, state governments, places where public data is held in trust.

00:39:36:22 - 00:39:52:09
Bruce Hembree
Their ransom demands were literally twice as high. Go look up the report that we published from Unit 42 on ransomware. Go look at the verticals that are most commonly hit, and you'll see the evidence of where the money is at.

00:39:52:11 - 00:40:17:20
Mike Halstead
Yeah, we'll make sure that we provide a link to that report. In the health area where the government has just recently come out to help because they recognize, obviously, the impact the ransomware attacks and other cyberattacks are having on their industry. So, just kind of wrapping up here, Bruce, Field CTO for Palo Alto Cortex, can you just give us an overview of the product and how organizations can use it?

00:40:17:23 - 00:40:37:18
Bruce Hembree
Cortex is where we build almost everything that our SOC uses for the defense of Palo Alto Networks. We build the machine learning that underpins it all. We build the automation, we build the endpoint defense, the attack surface management, the threat intelligence management. Within the scope of our SOC, the thing that we don't build is the firewall itself and the cloud components.

00:40:37:21 - 00:41:08:06
Bruce Hembree
So, all those components within Cortex, they are the guts, the connective tissue that make a SOC able to operate efficiently. Those ten analysts that we have within our SOC as of this morning, the metric for detection that we have across about 417,000 bits per second is between eight and 12 seconds. Our metric for response is between 50 and 70 seconds globally for the entire company with ten analysts.

00:41:08:09 - 00:41:40:22
Bruce Hembree
So those, the XDR agent, the Cortex XDR agent lives on the endpoint. The XSOAR components are our automation. XSIAM is our SIEM, our version of a SIEM, because for us the traditional SIEM wasn't working. It was the place where data went to die. It laid there quietly, aggregating, costing us more and more money every single month. And the SIEM wasn't the place where security really lived for us because it was only as good as the query that was built by the engineer that was sitting at the console at the time that something happened.

00:41:40:22 - 00:42:05:04
Bruce Hembree
It was too reactive, and it wasn't efficient enough. Since changing away from a traditional SIEM, we're spending now roughly 1/10 of what we were spending on our traditional SIEM infrastructure. But that is what Cortex is, is the connective tissue that makes a SOC, a small team, be able to be strongly effective in a high-volume environment.

00:42:05:08 - 00:42:23:20
Mike Halstead
And leveraging, you know, to do that, we spoke about machine learning and automation has been kind of the key pillars for you to get to that point to make it a tenth of the cost. So, awesome. Well, hey, I learned a lot today. Thank you, Bruce. Thank you, Creighton, for spending this time with us.

00:42:23:22 - 00:42:26:21
Bruce Hembree
It was my privilege to be here. Thank you for inviting me. 

00:42:26:24 - 00:42:47:13
Mike Halstead
Thanks, everyone, for joining us for today's episode of Navigating Forward, the Cybersecurity Series. Come back next week to get pointers for next steps on your cyber roadmap. And just a reminder that cybersecurity is 80% good habits and hygiene, but to start improving your health, you need a baseline. To learn more about how to develop your organization's future state of cybersecurity, go to launchconsulting.com/cyber.