Welcome back everyone, day two here. theCUBE's live coverage, Washington, D.C., for mWISE, Mandiant's Worldwide Information Security Exchange conference, communities here. We're here with the man, Kevin Mandia, CEO of Mandiant, now with Google Cloud. Great to have you on theCUBE. Thanks for joining Rob Strechay and I here on theCUBE.

Thank you guys for having me.

First of all, I want to say we really appreciate what you guys do for the industry and for companies, protecting them in an era where we're being attacked and the adversaries are winning. Now we have AI coming on and your keynote illuminating that, so I want to say thank you for that. Appreciate it, and you and your team and your ecosystems developing. Let's get into it. So obviously, we're in an era now where cyber security, we all know what it is. Everyone's buying every tool on the planet. Anything that comes out, they buy it. CISOs are under pressure. We're in kind of a generational shift. We had web, mobile, AI now hitting another inflection point that might change the game on how things are built, platforms are built, apps consumed, tools built. So we're in kind of this AI journey. That's all the hype. But that could have a material change. That was part of your keynote. Where are we right now in the progress with AI now as a gift and an opportunity?

Well, I think the timing of it's well. And I'll go back to the threats first. I've been responding to security breaches since 1995 when I was in the United States Air Force, and things have changed in the last few years, meaning, and it's always evolving and everybody talks about the threat evolution, but specifically China's innovation on offense just blows me away over the last year. So when I was reading the forensic reports we were doing in our investigations last year, we saw the offense from China really graduate. It was the freshman squad, it was the JV squad, it's the varsity squad now and it's playing real ball. It's got zero-day capability.
It's surreptitious. They're operating at scale. And when you see the rules of engagement, here's the thing guys, there is no agreed-upon global rules of engagement in the cyber domain. So we learn it by observing other nations and we're observing China's innovation blowing away the other nations right now. And that's a problem. That means we have to change defense because you have a national capability behind these intrusions. And I'll leave you with this thought: nation state versus company, the nation's going to win in the cyber domain. They're going to put the puck in the net. So that means we have to change our defense, and the shift change to AI is coming at the right time because I think the threat landscape is getting a little bit, it's more targeted, but it's more effective. The offense is doing pretty well right now.

We are in DC, obviously, in Silicon Valley where I live, Rob's in the East Coast as well. The narrative hasn't really been aggressively talking about this, where we are essentially like a thousand paper cuts. And what is our doctrine as a country in the public sector? Because I mean, if people are landing on our digital shores, and they are, and impacting our lives, and we have victims happening everywhere from all kinds of attacks now, breaches, what's the public policy narrative? I know you guys are leading that. You brought it up in your keynote, but this is like a big deal for the average person in America and companies who have to defend themselves. They don't have a militia.

You know, there's policy and then there's guys like me there like, let's go do what works. I can tell you this, in the private sector we've got to build secure-by-design code. We got to work hard to do it. I think it's very hard to do. The biggest software companies still have vulnerable code, but we don't want to ship vulnerable code. We recognize it's hard. We got to help the smalls and the mediums.
So I think it's on the private sector to have secure-by-design principles and have software that updates itself to help people avoid misconfigurations. It's on us, because we don't want to see legislation say, here's how good your software needs to be in security. And that would be hard to legislate anyway, by the way. I wouldn't want to try to. We don't want to go there. We need to figure out in the private sector how to make the private sector more secure. And then we need to figure out how to share with the government all the different intel that we've got. And it's team ball in the cyber domain because only the government can bring risks and repercussions to the threat actors that are attacking us. So we're going to do the best job we can in the private sector. Companies like Microsoft and Google, we're all going to work hard to help people build secure code. We're going to work hard to make sure we have an ecosystem that is more secure, harder to penetrate. And then we're going to share information with the government. The government's going to share information with us. And then we're hoping the government can also, the only deterrence you'll ever have is if there's risks or repercussions to the threat actors. And that could be democracy. That could be, I should say this, it could be doctrine. It's going to be diplomacy. It's going to be arresting people. We have to do something there as well.

The wild card in all this, and this came out of your keynote and the panel after, is the interesting angle is that the collaboration and aspect of security sharing could be the wild card in the new model of global data.

Yeah, and we do share, it's interesting though, the sharing, when the Ukraine invasion happened, the private sector and the government, we had Slack channels open, we're sharing information, everybody looking for it, is there anything new or anything novel, and how do we do shields up?
And I think we literally called the campaign out of CISA, it was called Shields Up. But then over time, determination wanes. It's hard to keep that constant vigilance. So every once in a while you have to lean in, CEOs have to lean in and get their people, lean in and push, always keep the channels open, because the threat doesn't actually alleviate ever. So we focused on Ukraine and we're good at the specifics, but now we've got an ongoing, almost like that tsunami wave, it just keeps coming at us. And the boiling frog analogy, we got to get out in front. And so it's well aware, government partners, private sector folks, we're aware of that thing common. And so we got to maintain the constant vigilance.

And to your point about China really ramping up and becoming a varsity team, we do a lot in the open source community. We see a lot of China being involved in the open source community. Does that worry you that they're really amping up, where they could be in the supply chain and where they're trying to evolve?

Everybody's aware of supply chain risks, right? Everybody's building software that depends on software that depends on software. And ultimately what I've observed and learned the hard way, as a computer science major by the way, and then later as forensic science, is geopolitics is reflected in software. Geopolitics is reflected in malware. Doctrine is reflected in how people behave in the cyber domain. You've got to buy software that is built in countries you trust. And companies have to earn the right to do business internationally by being trustworthy in how they develop software.

That's interesting, you bring your computer science background, I think that's interesting. We're in an era now where a lot of the lawmakers have law degrees, not CS degrees. I want to get your thoughts on the notion of systems thinking versus tactical execution.
Because we're starting to see now platforms emerge where cyber is now not just a department, it's actually embraced everywhere, designed in at the beginning of all applications. When you look at the industry, the idea of systems thinking where there's consequences, is it shields up, channels open? You're kind of going down this operating system model where there's an operating model of security. That is not obvious to the industry tenders who are building products. What is your view on this?

Yeah, see, I described that as the evolution: companies would get breached and respond as sole entities. Then you started seeing ISACs form and industries starting to respond to threats. You have to have national response or international response, and it does need to be collaborative and coordinated. Otherwise it's just not as potent, quite frankly. And so that's what I described that as, is we need a process that over time gets even more formal where we have a national response to the cyber threats we're aware of.

I love the data conversation. Security and data go hand in hand, AI's based on data architectures, observation space, lateral movement, all this is like you're watching things, right? This is what you have to do. Is there a data supply chain, data chain if you will, quality data with LLMs? You mentioned that's going to be a big opportunity. LLMs, everyone's seen the hallucinations, they see that data injection. What's the role of data? Will it change, what's your vision on data? Because you've got software supply chain, but now you've got data supply chain. You need data real time.

It's a great point. And you all have AI experts tell you these things, and I kind of think about it with the front row seat. The data that goes into the model matters, and that's why we have Sec-PaLM for security. It's a special large language model for our practitioners to derive better conclusions, period.
And you're going to see industries even probably pop up around AI where they have what they think is the most unique data to create the best models to have the best bias, quite frankly, but the best decisioning to their AI. So that's going to happen, I would think.

Yeah, I mean that totally makes sense that you would have a segmented or specific language model for what you're doing. How do customers take advantage of that? How do they engage with their AI?

It is very early on. So here's what I will tell you. We're still rolling AI into our products. I would say this is the first inning. It is coming faster than any technology I think we've seen in our lives. I always likened it to, and I hate using this analogy because it says something about me, but I own a Tesla. And I remember the day it said it could drive itself, and I remember thinking there's no freaking way this car can drive itself. So I gripped the wheel the whole way home. The very next day it drove me. It was amazing how fast we had the trust. I think you're going to see in AI an adoption that's very quick, but we got to watch it, because a lot of times it decides something's bad and you wonder, why did it decide that was bad? In my world of security. And so there's still a human element that needs to be involved for what we're doing right now. And those hallucinations you talk about, as fast as it can have the right conclusion, we don't know why. When we have a wrong conclusion, we have to figure out why.

It's interesting, we were talking about on theCUBE a couple of conferences ago about how the AI conversation matches the chess conversation. Chess and AI have been around for a while, humans versus computers. But humans plus AI have been very effective, it has opened up the aperture for more grandmasters. So you're seeing AI augmentation, the human creativity. Is there a creative class emerging in cyber where AI is going to open up more talent? Or not? How do you see that?
From my standpoint, AI is going to reduce the asymmetry between offense and defense, too much asymmetry. Right now one person working for one hour on offense can create thousands of hours of work for millions of people. This is called asymmetry. So we got to reduce the toil, and AI is going to be great at that. Chess has a lot of patterns. AI is great at pattern recognition, great at doing those sorts of things. We're using AI to reduce the toil of experts and scale experts so that your tier one security operators can see what experts have learned over the last decade at the speed of compute. So you're going to see the ramp up of expertise faster with AI. You're going to see a massive reduction in toil. And I'll give you one last example on this. I used to write forensic reports when I did investigations. And I literally spent, anecdotally, 80% of my investigation actually just documenting it. That's not real work. If you can auto-generate the documents, I get to spend 80% of my time investigating every, you know, overturning every rock. That's where the action's going to be.

And you brought up before we came on camera, you're a Steelers fan, they won last night. The pace of play, the pro level of cyber is unlike anything you've seen in IT. I mean, the game, the speed game is so hard right now. How do you look at that with your customers and your team? Because you've got to be a tech athlete to compete at this level. And how do we get that bar lowered a little bit, to get more democratization in there?

Great questions. And actually football's not a bad analogy because it's a much faster game today than it was 30 years ago. And you know, people are bigger, faster and stronger. Same in cyber, offense is bigger, faster, stronger. Fine, don't be intimidated by that. We are building learning systems. One of the reasons Google bought Mandiant is we know about new and novel before most organizations. You know, 63 zero-days out this year, we found a lot of them, you know.
Actually, I should say the adversaries found them and then we found them. But that being said, we are closing the security gap by responding to breaches and getting our capabilities, not just intel, but everyday Mandiant folks are finding the needle in the haystack, and we can automate that and put it in the technology, then respond at compute speed and that scales. That goes down market to those who can't defend themselves.

I think that's a great example of how Mandiant scales with AI, because your workflows, your expertise can be prototyped and replicated into software.

Yeah, I always like it, and I'm probably totally wrong in this analogy, but if you've got Lasik surgery done on your eyes, you want it designed by the best eye doctor and you want it done by whoever did, like, Tiger Woods' eyes or Michael Jordan's eyes. That's the doctor I want. Well, Mandiant's responding to the most complex intrusions and we're going to build into our technology the means to stop those or prevent those. So that window, that security gap, I think it'll always exist. Our ability to secure everything before we roll it out is hard, but that gap between what we roll out and when it's secured, we're massively reducing that window of exposure.

Yeah, and I think building off of that, off the football analogy, I think it's muscle memory, a lot of it. You got to get in the game and have muscle memory, and I think you brought up, hey, if you haven't done a tabletop exercise in two years, you may. What are boards thinking about? You're talking about boards all the time.

So it depends on when you're talking. After a breach, there's one minor thought, but every board wants to do the right thing. Every board wants to stand third-party inspections as something negative happened to their company, and every board's wondering how good are we and how do we know? My recommendation for a board would be really two-fold. Red team your networks, get unvarnished truth.
Control the scale and scope of the red team, but say you have five days to get into this network and make some threat become a reality. If the red team can't do it in five to 10 days and they are an Apex-attacker-capable red team, you should actually feel pretty good about that. But what if they do get in? Then you have a prioritized list of what you need to safeguard against, and then the tabletops absolutely matter. You want to tabletop exercise the exact threat you're worried about in the cyber domain at your company and have the board involved, and it doesn't need to be 24 hours long or 12 hours, even just two hours of: we had a ransomware attack, we lost the Miami office, we can't do business operations, we can't ship food, we can't take patients into a certain part of the hospital, whatever it is, simulate it, because you learn who takes control, who needs to know what and when, can you operate through compromise, and you may even learn to do the tabletop. If we do two or three more things, oh, we can take patients here, or we can do off-internet business operations just as effectively.

Kevin, one of the things that's happening right now, it's on the news, is the MGM casino breach. We were actually at a show last week at the ARIA and they were impacted. This comes out of the social engineering, as a big message in this show this year is that everyone will be compromised at some point. You have to assume that. You talk a lot about the social engineering, preventative, we're going to another stage of cyber. Share your thoughts on how to manage through the security mindset around social engineering and prevention.

Yeah, I can tell you this, help desks were started to help people, and they are going to help people, which makes them uniquely vulnerable to exactly the attacks that happen at an MGM or happen at Caesars or other places.
It is breaking human trust, and so we have to have defenses that allow us to, and I'll speak nerd for a second, we can't have one-time authentication or one-time passwords with SMS text anymore. We just can't do it because of SIM swapping. We have to have help desks that, if you bought a new phone and you want to register it so you can log in to the company, we're on a Teams meeting, a Zoom meeting, a Google Meet meeting, or a FaceTime, and we're verifying you via your license or your face, and you're verifying IT if they call you, because the social engineering is actually happening bidirectionally. They may be the IT department calling you saying we need you to do something, or it may be them calling a help desk saying I need you to reset my passphrase. But again, you want your help desk to help people, but you're going to have to change how they do that.

Yeah, I mean, one of the things that's always concerning, you mentioned Apex attacker in your keynote, China obviously, those techniques. What is the A game right now in the Apex category? How would you, what does it look like for the folks that want to understand this further?

The A game on offense is you hack a platform that doesn't have a lot of defenses to it, such as a firewall, such as a VPN edge device, such as a home router, and you get into there, there's no EDR, there's no CrowdStrike running, there's no Windows Defender. And then from there, they somehow can get a credential or two and laterally move to the crown jewels very quickly. You respond to that and you say, hey look, there's no evidence that anything happened. Because you can't investigate the appliance at the border, because it's an appliance black box, you have to ship that to the vendor. And then there's just valid log-ons between boxes. And you don't know if it's Jay Smith, the employee at the victim company, or Jay Smith from China logging in. The Apex attacker, Microsoft, us, CrowdStrike, we call this living off the land.
Where the attacker gets in, there is no malware. They're using valid credentials and they're accessing the network components the same way your employees do. So we have to somehow have that magic wand that says, oh, that's Jay Smith's account being used by a Chinese operator, versus that's Jay Smith, the employee. And there are differences, and it comes down to you have to have anomaly detection for identity. And this was what I talked about at the keynote. Assume prevention fails, the zero-day works, you need to right away have custom detection on your accounts and your identities and how they're used.

The rise of zero-day also came out of the keynote, the numbers are up, but also it tells a different story. People are ready for it, trying to be ready. What is the situation with zero-days right now? Is AI helping that along for the attackers and defenders?

So AI is going to help us secure code. Everybody wants to secure the code before they ship it. And we're all using environments so that our coders are in an environment where they get suggestions in real time, this is more secure. We're actually scanning our repositories, we're checking things at run time. And yet we still have vulnerabilities. But AI, absolutely, because code is structured, you can train AI and you can train models and you can get more structured, secure code. So we'll do that. And so I'm confident that the advantage the defender has over the offense, we should have access to our code before they do. And we should know our environments, our business and our people better than they do. So I think AI is going to advantage defense far more than offense.

Yeah, and it seemed like that a couple weeks ago at Google Cloud Next, there were some announcements with Duet being integrated with Chronicle and a number of other things. Do you see more of that happening between what you're doing as Mandiant now that you're part of Google Cloud? Meaning more integration between all that.

So we just did an internal hackathon.
We added over 40 teams, all security based. Like, how can we use Duet to augment our teams? Get better intel faster. Have, like, the incident bot tell you what your next step should be. And all these things over time, you know, we're going to use them, you know. And you can talk to our PMs about when we'll ship them, you know, if we ship them. But you can't stop progress, and that's what we're starting to see. Our teams sunk their teeth into Duet and they're going to start using it.

You've been a great leader in the industry. I want to say that it's been amazing to see what you guys have done at the highest level at Mandiant, now part of Google with Duet, and it brings up the question that we were discussing even last night with some of the product people at Google. There's another generation coming into the business. Some are saying that the demographics of the hackathon was 18 to 21, these kids were using Google Docs in middle school. So they know Google. They know technology, and so this native new generation coming in, what's it like for them? What do the skills look like? How do you hire? What's your advice to the next AI generation?

They're all more optimistic, you know. But they are. It's great, you know, when I got into security it's like you had to come from the military. You had to be law enforcement. You had this mission mindset. A lot of us took oaths to defend the Constitution. It was just a smaller cadre of people. We need way more people coming into it. And I think they're going to learn a lot faster than we did. I can tell you my generation, it's like we learned everything the hard way. How do you do this? There's no one to teach us, we got to figure it out. Now at least it's a professional career. We didn't call it cybersecurity when I started. And in fact, when we started doing threat intelligence we had intel analysts, and I wasn't sure there was a career path for that.
I didn't think there was a career path for those who hunt down artificial amplification for disinformation. But now it's a professionalized career path. So folks getting into cybersecurity today are going to learn faster, have real mentors, have broader experiences, and quite frankly probably be more effective than what we were.

The director of the FBI was out there also making a pitch so that people in the crowd help join his team or join, collaborate. What's your, I won't say pitch, because it's not a pitch. It's really more of a call to arms. For the young kids out there who are 15, maybe in college, who are natively getting computer science skills or coding Python in their sleep, naturally breathing computer science. What's the opportunity in cyber? What would you say to them out there? What is the aperture? What's the buffet of options that someone might want to kind of lean into and kind of have fun?

Well, you're talking, so it's funny. You led that with the FBI, so I'll do a pitch for them. One of the most altruistic entities and missions you can have in the world is help the good folks and protect them from the bad folks. Get into the FBI. Pursue a career in cybersecurity so that you can help pierce anonymity behind threat actors or bad actors. And the number one deterrent for all the cybersecurity threats we're responding to is you arrest people. You get people to stop. I think it's too lucrative to get them to stop any other way, by the way. So there's those career paths. The military is a great path. The mission to defend the cyber domain as a soldier is a great thing. The mission to go to Microsoft or Google or CrowdStrike or Palo Alto Networks or SentinelOne or Kato Security or all the companies that are here. We are all protecting a domain in ways the private sector doesn't defend land, air, and sea. I mean, we do, but not quite like cyber, you know? We can do it.
What's a skill that someone might have, an innate skill, that someone that's unconsciously knowledgeable about their domain? Got a lot of gamers out there. I see young people very strong at multi-player kind of thinking. What's a skill that would tell someone that they have an aptitude for being an Apex player?

First, you always hear curiosity. In reality, a high level of exactitude, like chasing something down, pulling a thread till you've pulled it, till there's no more left to pull. If you're doing forensics on a machine, in incident response, you need to know Cisco routers, you need to know Windows, you need to know Unix, you need to be able to learn how any application, whether malware or regular applications, valid applications, read, write, store, and delete data, but the number one attribute is the pursuit of what the hell happened. I mean, it really is.

Kevin, I really appreciate your time. We went long, we got extra innings here, so to speak. Overtime, sudden death, whatever you want to call it. Whatever sport we're using. Really appreciate what you've done, helping the biggest companies and the most important players, now with Google, helping others who can't defend themselves get armed and forearmed for the offense. Thank you for your time.

Appreciate you having us, theCUBE.

Okay, we're live, day two, kicking off. I'm John Furrier, Rob Strechay here. Getting the data and sharing it with you. Masterclass here at Mandiant, always fun. We'll be right back after this short break.