Welcome back everyone to theCUBE's live coverage here in Washington DC for mWISE. This is the cybersecurity Mandiant worldwide conference. All the thought leaders are here. We got the brain trust here for the final panel of day one. Great kickoff, great keynote speech, great experts kind of breaking down the cybersecurity world. The attacks, the defenders, the role of AI, shared security, all the scenes, all the malware, the MGM hack, all that will be discussed here. And of course, national security, how do we protect companies? How can they defend themselves better as a topic of this kind of panel, expert roundtable. Marshall Heilman's global CTO at Mandiant here. He's going to talk about that. Chris Krebs, former director of CISA, co-founder of Krebs Stamos Group and Rick Smith, the CTO at SentinelOne. Gentlemen, this is like the power panel. Thanks for coming on. Thank you, thank you for having us. I got to say, I really love the messaging and the narrative from Mandiant here. I'll send out part of Google that's happened. Just the visibility you guys have into the threats globally. And obviously on the heels of the recent MGM hack and in the casino this past week, we were there at theCUBE. If every company's not scared straight right now, they got their head in the sand because it's just more consumerization of this is happening at explosive rate, the threats, the defense, all this is playing out. You guys are seeing this clearly, the messages get cleaned up, take care of business, but be ready and defend. That's kind of been the key theme. And of course, national security, been a big part of the theme. Yeah, you know, it has. I mean, if you think about it, we buy security technology because we want it to prevent incidents from happening. And generally do a good job, but those things, those, you know, technology does fail from time to time. And that's why you have to be able to detect and respond. That was part of Kevin's keynote message, right?
That layer two defense, absolutely. Chris, your Krebs security well written and everyone reads your stuff. You're on top of it. You've been doing it for years. And I want to thank you for doing that. But we're living in a time where businesses need help. I mean, do they have to hire their own militia to defend against the adversaries from other countries? We're under a major attack. What's the role of the government? We hear regulation of AI. I mean, that's rolling my eyes on that just to begin with. But the government's role, private sector, big part of the theme here, is there hope for businesses to defend themselves? What's your view on this? I absolutely think there is hope. We talk a lot about the higher order threats, the Russians, the Chinese. But the fact is that every organization, any organization, frankly, that uses any internet connected service is on the playing field. And that's a lot of what we're seeing with ransomware these days, where it's all opportunistic. There's a lot of spray and pray scanning that ends up in those compromises. The good news is there's a lot of collective defense, a lot of collective work. And that's why Mandiant and SentinelOne sit next to each other, a great advantage for the defender, because you're bringing some of the best and brightest out there together into an integrated defensive strategy. And that's what it's going to take. It's going to take everybody working together, pooling resources and defenses. There is hope, but every organization has to take it seriously. Where do you see the progress bar industry-wise right now? Are we further along? Obviously, it feels like we are, at least in seeing the results. Where are we in the progress bar of being totally ready and to tip the scales back against the adversaries and the ex-competitors? It's a marathon, it's not a sprint for one, right?
A little cliche, a little cheesy there, but this takes significant time and attention to get it right, and you have to be constantly on top of your game. We are seeing improvement, and I think the Ukrainians' defense and resilience through the onslaught by the Russians shows that you might take a hit, but you can sustain it. You can keep moving through. You don't totally collapse. So I think, again, the Ukrainians' resilience through the attack by the Russians is a great example that, yeah, there's hope. The progress bar is moving ahead, but if I know anything, it's that as the defenders innovate and improve, the bad guys are going to innovate as well. So we have to constantly stay looking for, and that's what frankly gives me a lot of excitement about the integration of generative AI into defensive tools, because it's all about speed and reaction. We're going to come back and talk about the Ukrainian-Russian dynamic on stage. Your CEO said China's now number one, the varsity. They got pegged down, the split the JV now is Ukraine and Russia, Test Kitchen, some say, we'll get that in a second, but Rick, let's get you in here. SentinelOne, what's your vision, view, the technology, the pace of play? I love the quote, IT and technology is being adopted faster than you can secure it. That's interesting. There's not enough people, not enough budget to match the 10x, 100x game-changing speed. You see, there's a couple of things that we need to look at. So what we have in defense is really collaboration. That's something that's not happening with the bad actors.
And so when I look at the partnership that we have between Google Cloud and Mandiant and SentinelOne, what's really happening is we've got a killer technology on the endpoint that uses AI for protection, but we take all of the threat intelligence that Mandiant puts out there and basically allow net new detections as they're going ahead of us and looking out what's happening in the world, and then we can actually eventually convert that through AI so that we have behavioral understanding of protecting that endpoint. That's the critical part of how we ultimately outplay them, but on the generative AI standpoint, it's really about making it so that people are more efficient in shutting down alerts, triaging and resolving them more quickly. That's really the name of the game. Yeah, I also love the concept of the security mindset. The tabletop exercise. So Marshall, take me through, what is a tabletop exercise? You sit down, is it a war room? Is it have a coffee? What does he mean by tabletop exercise? You know, my background is as a consultant, so the answer is it depends. Depends on what you want. Now, in all seriousness, the right way to do a tabletop is to get your senior executives to sit down and think of it like a war room and actually walk them through what you do in an incident. You make it as realistic as possible, and what you find is oftentimes, the executives, they may understand what the incident response plan looks like, and they may think that they understand their role in dealing with an incident, but it's not until you actually go through one, you see what role do you actually take, who actually makes a decision, how does this actually happen? And so by having a tabletop exercise done by people who have experienced and have lived through these incidents beforehand, it gives them that realistic, you know, operational view of this is how it's going to go, and it's not going to go the way you think. Any thoughts on tabletop? Yeah.
I'm curious the answer or a point? I mean, Marshall's absolutely right. It depends on what you want to accomplish. Two great examples of tabletops right now. Just last week, up in New York City, the Select Committee on China of the U.S. House of Representatives held a tabletop exercise with financial sector representatives walking through what an escalation over Taiwan would look like. And I think every major organization in the United States needs to be doing that right now at the board and ESSA and the senior leadership level to understand what does it look like if things escalate with China? How is that going to affect the company's supply chain disruption, just like we saw on COVID? But the other one is bringing the MGM hack to life. Companies really need to be taking a hard look right now at their security plans, their incident response plans. Make sure they know the decision tree for a business disruption. Everyone in the gaming industry, I guarantee you, is going through that right now. What can everyone learn from the MGM hack? Let's get that real quick, because I think this is really a notable opportunity. A teachable moment. A teachable moment of social engineering. It's a teachable moment, as they say to the kids. Rick nailed it. Social engineering, insider trust. There are a lot of these vulnerabilities that we often overlook. But if identity is the new perimeter now, and that's what's getting attacked so successfully by these ransomware crews, we really need to do a deeper dive on identity management. I mean, it's not just identity management. You've got to teach the employee base how to protect themselves, because that's how it's actually being accomplished right now. So as soon as I get your credentials, I can MFA bomb you. I'm in, I've got access. Now I can start unhooking all of your tools. Come on, you're Google. You've got all kinds of technology in the closet. Do we have to teach everyone? Can we just use biometrics, voice activation? What's next?
Is there tech to solve this or is it a human problem? I mean, who are you going to teach everyone? Not to click on an email? It does highlight, right, the risk also of help desk. If help desk can reset the password on an administrative privileged account, that's the thing. And that's why it's called the human factor, right? You can have all the right technology in place. But at the end of the day, there's the human factor. The humans are going to mess things up. We're going to do something we're not supposed to. We're not going to follow policy. We're going to click on that email because it looks like we should. You know, like as we like to say, the attacker only has to be right once, defender has to be right every single time. So ultimately you're going to find the one employee who will inadvertently click on an email or click on a link he's not supposed to and give the attackers access. But I would say, in addition to social engineering, I think especially casinos right now are looking at what is their plan for dealing with ransomware? How are they going to effectively deal with it? From all perspectives, what technology they need to have in place? How are their networks segmented? What is their response plan? Do they shut down the casino? Do they segment it? How do they not have another one of these incidents happen to them? And going back to your question about generative AI, that social engineering exercise is becoming more and more pervasive because you can generate phishing emails. You can do deep fakes that can actually call on the help desk. I just said on my podcast on Friday, AI is just as good for the bad guys to be bad. Productivity gains on the bad guys are there. But the perspective here was that defenders, this is an opportunity to pivot the game and get momentum back on the defense side. What do people need to do to get that mojo going? Is there a North Star and three feet in a cloud of dust playbook?
I mean, from an AI perspective, you think about it, AI can help reduce the amount of toil a defender has to go through. So rather than having to sit through thousands of alerts and try and understand what happened, AI can help them understand immediately, well, this is what happened, therefore this is what your response should be. So now you've just reduced the amount of time it may take a defender from minutes to hours to seconds. Yeah, signal to noise ratio. The more you can distill that, make people more efficient, the quicker you can respond, bring down mean time to resolve, that's the name of the game. Chris, is there a startup in there that's going to come out of the woodwork that comes from this AI generation? You've got web, mobile, AI, kind of major inflection point platform opportunities to do something different than just another tool. There are a lot of different risks associated with generative AI, right? I mean, when you've got the models, you have to harden the models. There's some really interesting products. In fact, one of the RSA innovators of the year last year was a company called HiddenLayer. It's worth keeping an eye on companies like that. The area that I'm really focused on though is the risk to the enterprise of generative AI use cases. So we're all bringing it in and we don't have the equivalent with cloud of CASB for instance. So how do you monitor? How do you discover and how do you control these generative AI use cases? I think that's going to be a massive area of explosion in investment over the next four years. Rob Strechay, who's our other analyst here with usually when we have two guests or one is here with me and as well as Rebecca, we were like in the presentation keynote, SBOM was mentioned and we're like, oh, it's supply chain, all right. So software supply chain SBOMs, one of those in the software open source was the reference there.
Even last Thursday, the CEO of AWS, Adam Selipsky, was kind of poo-pooing the startups in the open source ecosystem, which I found fascinating because, like, who would bet against startups? One, two, but it was open source, threat around open source. So the question for you guys is, software supply chain notwithstanding that's going to be taken care of, is there a data supply chain problem coming? If AI will be an answer, the role of data becomes hugely important and where's that data come from? The LLM world right now is don't control the data, don't let your data go into proprietary models because it's out there, but then you don't know what's coming back. So is there in cybersecurity an opportunity and danger around data access and whose data you're sharing? So as I talk to firms that are integrating these AI use cases into the enterprise, one of the things that we constantly reinforce is the importance of explainability. So if you're going to use these tools, you better be ready for someone like a regulator or a tort lawyer coming down the road and saying, hey, I want to know how you made that decision, what model you used, what data went into it to ensure that there wasn't any sort of bias. There's a flip side of this though with Europe under some of the laws under the EU where you have a right to be forgotten. There's a case right now in Italy where someone's suing, saying, I want my name, my identifying information out of the foundational models. Technically, I don't even know how you do that. Yeah, where's the story? So it's 10 ways. So you just, again, you got to have that chain of custody for data and I think again that's going to be another area. Marshall, you guys have been publishing a lot about crypto, the panel discussion, talk about crypto, companies trying to beat back banks, banks trying to beat like crypto firms. How does the FBI get credibility up there to say, come work with us when a crypto firm could be turned around and sued by the SEC?
Like the government role here is not that simple. I mean, I get his pitch of the FBI. By the way, I was skeptical of the FBI director coming in, his speech was awesome, on point, checked all the boxes, at least from my standpoint. So good for him, but the government's got other organizations. You are a former director of one of them. Can the government gather their own way to help? Is there hope there? What's the role of government? When can we expect them to be fully leaned in to? Or am I over blowing out of control? That's a pretty big question. I'll come up with a couple of different ways, right? Obviously there's multiple agencies with sometimes competing interests, but this is also a new space for us, right? The world of crypto is new for us. And so as with any new space, what you're going to see is there's gonna be some give and take, right? It'll take us time to figure out how the different agencies work together and how they ultimately incentivize the right behavior. No one wants to incentivize the wrong behavior. That's accidental. So it'll take us some time to figure out what is the right way to approach these type of situations, so that people do trust the FBI, for example. They do call them in as they should. Kevin was speaking on main stage today about the power of the private and public partnerships. We actually need to make those partnerships stronger and more as we move into the future. So what you don't want to do is have the private sector scared of the public. I'm sure you have a better answer here. Yeah, what's your perspective? Look, government has advantages and disadvantages and how they tackle the problem. So CISA is much different than other agencies and that their remit is much more in the voluntary public-private partnership space.
But what we've seen is if you tell the right story, if you listen to your target audience and you deliver on even just half of what the partners are asking for, you're going to be in a position of success and you're going to just generate more interest in activity. You know, one thing that wasn't glossed over in the keynote, they did mention it. You mentioned the table talk with Taiwan. Maybe think of this, you know, obviously Taiwan, big water battle going on in Asia Pacific, water rights, all that good stuff. Natural resources, critical infrastructure. It was a case you guys mentioned something on stage. That's a real threat. And those systems are usually all OT systems. So, you know, casinos are getting hacked. They're modern. Now, think about all the critical infrastructure. That came up. What is the current state of security with respect to some of the critical infrastructure and how is that going? Man, I want to hit on that because it's kind of a nuanced point, but important. I'm going to make a generalized statement here, but most OT systems, in order to interact with them, you either have to have physical access or you had to have broken in through an IT network. So we think of like traditional security of an enterprise. That's how you protect an IT environment. Attacker still has to break through all your defenses in your IT environment before they can start interacting with your IT environment. Then there is specialized security technology to protect those OT environments. So, from my perspective, you can protect your IT environment. That is 90% of the way there to protect your OT. Then we start talking about OT systems. You have specialized security technology that you need to leverage, as well as maintaining physical access controls through that technology.
And again, there's always ways around this technology, but in general, if you look at some of the, well over the last couple of years, some of the OT system issues that have hit the news, they haven't been actual issues with OT systems. They have been companies that have shut down OT systems to prevent a worst case scenario from occurring. It's almost like lockdown. Shut it down to save the system. Any thoughts on national security and critical infrastructure? State of the art, are we okay? So I, you know, we're better than we used to be. And we're probably better than most of the rest of the world. But any way you cut it, we're also more digitized than almost everybody else. And that creates opportunities for the bad guys. And I think the real challenge we have is as there are more opportunities, our adversaries see these and they're going after the things that we hold dear, the things that we, that really drive the U.S. economy. And it's getting baked into military doctrine. And so we know that if China does decide to tee off on Taiwan, and they know that we're going to come in support and defense, they're going to try to take us out of the fight before the fight even begins. And a lot of that is not necessarily, it is yes, hitting Guam and Okinawa, but it's hitting here too. It's hitting our ability to move troops into theater, move material, so logistics, air transport. So everybody I think is a part of that, that tabletop exercise process needs to go through a strategic intelligence review. How would I as an organization fit into the designs or plans of an adversary that wants to do harm to the United States? And I think there's an emerging corporate responsibility element where you have to think about this and you have to take care of your vulnerabilities and your risks. I love the private-public partnership angle. I think that's so important. Assume that goes well, continues to go well.
Is there awareness in our doctrine on the cyber war, the red line of old military doctrine, not really related to all these paper cuts? It feels like we're getting a lot of paper cuts under the line here. Is there doctrine going on awareness to change the rules of engagement on counter-striking and on digital American soil, people playing on our soil? Well, so the Department of Defense just released an updated cyber security strategy last week. And a big portion of that is what's known as defend forward or hunt forward. So US Cyber Command takes their teams of experts and sends them over to our partners and helps scan those networks and harden those networks. And the benefit of that is not just our partners are better off, is that as you go through that process and you see the adversary in action, you get a better sense of what their targeting is. And that targeting can come back here and inform companies like Mandiant and SentinelOne. So they're reimagining it. They're reimagining the cyber. So we did this in 2020, where Cybercom went to Ukraine and helped defend their election systems and then brought that intelligence back and said, hey, this is what we're seeing the Russians target, election night reporting and voter registration. That is informed defense. That helps resource constrained organizations smartly in a risk-informed manner defend themselves. That's collaborative too, back to the sharing. You said modernizing. I said modernizing as well. But as Chris has pointed out, this is why it works. Yeah. Guys, let's talk product. Rick, real quick, Marshall, if there's going to be a product magic dust out there that could come out of the woodwork with AI and kind of the next-gen cloud and all the assuming supply chains working. Well, what has to happen? I mean, you got the foxholes. You guys are, you guys do a great job. You have the Mandiants in the front lines. There's platform discussions. Is it a tool? Is it a platform? Is it best of breed?
We're kind of seeing an operating system mindset emerge around cyber, global, holistic thinking versus tactical attack. Is there a preferred architecture emerging that you guys might see that looks a little bit different than what we're used to seeing that may be needed from a product standpoint? I think that what we're seeing is that we've always looked at data in silos and that the new opportunity that we see with applying generative AI, whether it's our Purple AI solution or the emerging solution by Google, is that for the first time we can actually synthesize and see patterns across massive amounts of data. We've never been able to do that before. Usually it's been very isolated that you're looking at telemetry on one lane, like from your laptop, from cloud infrastructure. You're not looking across them to actually see these behaviors, particularly when you see something like what happened with MGM and Caesars, you've got something that went from social engineering, credential theft, then they're in Okta using Okta PUS framework to deal with that. And then they're finding their way into the infrastructure and ultimately deploying a kit malware which then touches the endpoint. You want to be able to see that entire corpus and the only way that you're going to be able to see that is have all the telemetry in one place and being able to have an engine that can actually stitch that story together for you. Thoughts? No, I mean, for one, I agree with his answer. And if you think about it, all the telemetry you have access to, again as a human analyst, you can't possibly synthesize that information and make a decision fast enough to stop a hacker in this particular case, but a machine can. So if you have an LLM that's able to synthesize that information and make a very quick decision, you can actually prevent the attack at any one of those stages where it first occurred and those attacks we just talked about would never happen. Awesome.
Gentlemen, it's been great to have you on this CUBE session. It's been like an expert round table. Love the format. Let's end it with kind of a quick keynote ending statement from each of you. We'll start with Chris over here, go around. The Marshall prompt is prompt engineering, spirit of prompt engineering. What is the most important story that's going to come out of this show that people should think about and ponder? Not just social engineering, but like in the security industry, how they can affect change, participate. What's the most important story they should pay attention to or be involved in? Well, I think it's the threat intelligence capabilities of Mandiant pulling through to the SentinelOne platform. I think you're integrating two of the top platforms out there and it really is to the benefit of the defender. Well, that's a good tee-up for you, but you can't say the same answer. I'm just starting out there, oh my gosh. Yeah, so the tee-off fact, based on what I said earlier is that we actually have an instance of two great powerhouses in cybersecurity actually doing a deep partnership. We do it in the IR space, we do it in the IR. Now we're doing it from a deep technology space and what's the impact? The customer's better protected. That's the name of the game for us. I'm just going to tee off what you both said. You get two mission-focused organizations when they're very synergistic the way we are and they partner together. What you get is the best possible outcome for customers that are now leveraging the best technology and being protected near real-time from everything we're seeing in the front lines and across all of Google. That's an amazing combination. Operating the networks at high speed, the pace of play, it's the pro game for sure. Guys did a great job, good job on the keynote today.
To me, the most important story is national security, victims out there that are getting attacked as part of these ransomwares and the adversaries are attacking us. Cyber war is happening, it's been happening and of course now the world's aware of it and we'll see what happens. This is theCUBE bringing all the action from day one here at mWISE, Mandiant's conference on cybersecurity.