En direct du RSAC ! Testez, vérifiez, validez

00:02 Raghu Nandakumara: Welcome to The Segment. A Zero Trust Leadership Podcast. I'm your host Raghu Nandakumara, Head of Industry Solutions at Illumio the Zero Trust Segmentation Company. Today I'm joined by Rob Ragan, Principal Researcher at Bishop Fox, a leader in offensive security and penetration testing. At Bishop Fox, Rob focuses on pragmatic solutions for clients and technology and oversees the company's strategy for continuous security automation. With over a decade of cyber experience, Rob previously held various software engineering roles with Hewlett-Packard and SPI Dynamics. In this special edition episode, Rob joined me live at RSAC to explore different types of threats, offensive security trends and how to continuously find new opportunities to improve cyber resilience. What is the career path that you've had to get you where you are? So tell us a bit of your background.

00:57 Rob Ragan: It really for me started as a personal passion and hobby. I was fortunate at a young age to find some like-minded folks. It was actually through the 2600: Hacker Quarterly Magazine and I had a friend that maybe wasn't such a good influence at the time that was showing me about how to deface websites and I'll skip over the parts about getting in trouble with them but it really opened my eyes that there was even this community and this possibility of people that were looking at computers in this way. From there, I always thought I'd be a software engineer. I really went through the path of being an IT consultant and doing everything from tech support to network admin to sysadmin and... But I started actually getting the chance to do some coding when I was testing some software and doing debugging and maybe helping with some bug fixes and from there went on to become a web application developer. And so I was a web application developer professionally for about seven years. And then I got my first role in security actually in the security product space, for a company called SPI Dynamics that was making a product called WebInspect that was crawling and scanning web applications for vulnerabilities in an automated way.

02:05 Rob Ragan: And I was like, "Yes. This is really what I want to do." And I was working on that engine, I got to work on static analysis at that company as well. But actually my first job there was to write vulnerable web applications to make sure that our products could find it. So I got to really in-depth study all the wrong ways to build an application like, what are all the different ways you can implement SQL injection just to make sure that our products were at the code level and at the live application testing level finding those issues. But it was also there where I got my first taste of penetration testing. They actually put me with a group of people where we got to kind of, for two weeks, go after an organization. And really it was do your worst. And I was like, "Wait. You can do this professionally? People will pay you to just do this all day every day?" And that really opened my eyes and I was like, "Yes. Alright. This is... I want to make the shift. This is what I want to do. This is exciting."

02:52 Raghu Nandakumara: That's awesome. So in your role as Principal Researcher, I love the title by the way. If you look at sort of the nature of threats and to use a cliche term, “threat landscape,” how has that changed over the last sort of 10-15 years that you've been sort of an avid participant in this area?

03:17 Rob Ragan: Yeah. I think that our understanding of it has changed and evolved a lot. I still think fundamentally there's some consistent truths so... I like to think of the threats in the spaces as really like opportunistic threat hackers that don't even necessarily care which organization they're targeting. They are maybe scanning the entire internet for whatever the latest CVE is, whatever the latest issue is and seeing who's vulnerable and collecting resources, collecting assets, getting an initial access vector and maybe later figuring out where they're at. And I think there's also motivated threats that are... I have a goal to target a specific organization or... And then ultimately persistent threats that are, "I'm not going to give up until I get what I'm after." I think that we're seeing over the last 10-15 years this just evolved into... A lot more of those opportunistic threats are able to have such more of an impact of, "Okay. I got a shell on a system now I've realized what organization I'm in. This is a really ripe target for ransomware. And I think that I can sell that... Even sell that initial access vector to another group that's more motivated to actually run that ransomware tool and automate the process of extorting that company."

04:26 Raghu Nandakumara: So I kind of want to... You touched on essentially the whole sort of, I'd say, the malicious actor malware economy slightly, so we'll come back to that in just a second. But you talk about motivation and I see that evolution of motivation from, "Oh. I found this way to essentially disrupt something, slightly irritate some folks, maybe irritate an organization and leave it at that." And then of course ransomware being a prime example of, "How do I monetize, and demand ransom for being able to restore access to data to systems and so on?" And over the last sort of... Particularly the last... I think it's... The term has come in vogue over the last 12 months but it's definitely been the case because of political events, etc. of really about disruption on a massive scale. And as a result we've obviously seen and heard the term sort of “cyber resilience” now becoming really something that customers want and of course vendors talking about, "Okay. We help you achieve better cyber resilience." Have you also seen that change in the primary motivation of attacks shifting from nuisance to money to large scale disturbance?

05:32 Rob Ragan: Right. And I do think it becomes really organization specific of... Companies are getting more mature at being able to look at what they want to focus on from either that business continuity plan or the resiliency plan of, "Is availability something that I want to focus on? Is, how does that affect our bottom line if we do have outages is it property that I want to protect or is it some other thing that I want to focus on?" I am seeing these organizations even at the executive level want to sit down and maybe do a table top where they're actually talking through the incident response plan in these different scenarios that they feel are affecting their peers, and it's a matter of when not if they're going to have to deal with this - getting ahead of it by actually planning how they're going to try to recover. Even at all levels of the exec team it's like what's the legal team's role in this? What is HR's team in this, what is the PR team? Do they have a pre-written plan and response of how we're going to recover whenever this happens so that we're not scrambling to actually do it under pressure and making mistakes.

06:31 Raghu Nandakumara: Sure. And coming back to see, organizations and the threat landscape and so on and tying into the whole... Sort of we spoke about attacks that their primary motivation is large scale disruption. And connected to that, we see particularly of late the focus being on national critical infrastructure and as an extension of that OT... Large OT/IoT networks and that point at which IT and OT/IoT kind of meet. How is that really shaping your practice as a Threat Researcher and as an offensive security vendor?

07:10 Rob Ragan: We're fortunate to get to work with some of the largest companies in the world that are... One that's public that's a partner of ours is John Deere. And so whenever you're looking at that scale of an organization and how they see OT as really part of all of those tractors, become the tens of thousands or hundreds of thousands of devices that are interconnected that go through satellite networks to connect back to production, telematics and data centers and things along those lines so that they're actually getting visibility into the global food supply chain and if there were to be disruption of those OT devices, that could affect being able to feed entire countries and affect entire economies. What we're able to do is help them look holistically at what are the starting states of different threat actors that they want to be able to practice their incident response capabilities around and by that I mean it might be what does it look like to compromise the heads up display unit on a device? What does it look like if there's a workload in a cloud environment that's compromised? What if it's... The starting state is a laptop in a corporate environment or that of an employee? And then being able to actually have a plan in a scenario of, what are the controls that they're expecting to help them get visibility and even detect that this type of attack is occurring. What are the controls that they have from a prevention perspective?

08:43 Rob Ragan: And we're going in and helping them actually visualize what are all the components that are related? Even if this isn't developed, we're helping organizations map out the architecture and design of these components so they can look holistically from a red teaming perspective and answer the question, where are our intended trust boundaries? Where are the areas that we feel like we're going to want to trigger an incident response? And then helping them actually visualize on an attack graph what we see from an attacker's perspective. What are the MITRE ATT&CK framework TTPs that we are using to pivot whenever we're executing attacks in these environments, and where are their opportunities for improvement? We're helping them visualize on this graph like we made it to this system with this access. We pivoted to another system, we encountered a control here or we didn't encounter a control that we expected to, and this maybe becomes an opportunity for improvement. Or where we did encounter a control, this is where we had to take another path, and we're helping them actually understand where there's partial detections, where there is partial preventions, but there maybe was a lack of visibility here or there was a mis-config that they could improve.

09:35 Rob Ragan: And I think a lot of teams are craving seeing that from emulating an attacker perspective. And we're even going down into the detail of we made our own malware implant framework that has a journaling capability. And so we're actually recording whenever we're on a system this is the date and timestamp that we ran this exact command so that blue team can then go study if... are we able to correlate in our Splunk or in our other logs that we saw that activity, or is this something that there's no legitimate use for that, so we want to be able to trigger that as a new event that happens in our incident response.

10:09 Raghu Nandakumara: I kind of want to ask with a very basic question to pay off from what you just said. Often when we talk about IT the threat of IT, OT, IoT, it's often like well the focus is on that IT and OT boundary. Where that interconnection happens and I guess the simplistic representation of the risk is compromise of IT leads to compromise of the OT network, leads to, let's say, manufacturing stopping or a healthcare organization not being able to deliver patient services. But I'm sure that the real threat or risk is significantly more complex than that and it's even essentially a compromise of the OT network of itself without any interaction with IT. That is a real threat. So what are you seeing as a more better representation of what the real threats are?

11:00 Rob Ragan: Yeah. We're seeing organizations want to actually dig into... We're going down in some cases to testing the firmware on those devices and actually trying to understand what are the third party components that the organization maybe didn't have a role in building but now has the shared responsibility and the security of their usage of those components. We're seeing that's often where they previously weren't doing testing and analysis but it's come to light especially with the focus on supply chain risk and especially with the focus on like that might be our weakest point and previously we weren't testing it and to try to uncover vulnerabilities with it. But that might be the weakest link in compromising that device. And the threats are... So attackers are studying these commonly used components in these devices. Maybe it's a chip set that has inherent issues that's going to be out there in the wild for years and can’t actually be fixed. So they're looking at it from, if I have an exploit for it, this is going to affect all those devices that I can find and see on the internet. And organizations need to know the answer to that question of should they be putting other mitigations in place or plan for that if it's something that's going to live out there for dozens of years.

12:02 Raghu Nandakumara: And actually you touched on something that... I know we were offline. We were having a conversation about how as offensive security teams and vendors that you do have an opportunity to essentially pick up brand new or I'd say, very old technologies and just dive deep into them. And I think the OT space is a great example of where it's such a diverse range of technologies. Each manufacturer does their own thing to a large extent. So having to go in deep into those must be a real challenging but also fascinating part of the role.

12:31 Rob Ragan: It is. It becomes fun. We get the chance often to... I'll give an example where we worked with a power utility. And they had concern about the risk of their substations that were all over an entire region of the United States. And the devices that are in those substations are from the 90s. The protocols that they used were designed with no security in mind, the opposite of Zero Trust. They're full trust. They’re trust anything that talks to this, there's no authentication, authorization, there's no even concept of an identity. And we were able to come in and help in a lab environment study how these work, study that protocol that hasn't been updated in decades, and actually show how we could send commands to it to flip the switches of actually turning power on and off until the point where it's shorted out and completely broke and shut down - which being able to affect that on our network would be a complete catastrophic failure of the power grid.

13:31 Rob Ragan: And.. but we're coming in and helping our customers actually understand that, demonstrate that risk so that they can plan for their mitigations around it and then they can get the focus from their teams and their executive buy-in on, I actually know I need to do something about this. And having that proof and having that evidence that this is possible helps influence the budget and the resources for, “We need to put other mitigating controls around this, we need to make sure this device can't be talked to remotely from other things on our network”, and really I'd say segment it off and whitelist what's talking to it.

13:58 Raghu Nandakumara: So you mentioned that word Zero Trust, so we're going to come on to that in a second. This is a Zero Trust podcast after all. But I wanted to just before we leave the whole sort of the OT/IoT security space and move on to other things, there's obviously been a huge development in what security vendors are doing to better secure OT and IoT. And there are a plethora of vendors that sort of focus on some aspect of that. In your opinion, what is the key need above all else to better secure OT and IoT?

14:30 Rob Ragan: I think helping with the usability of making it easier to actually apply security onto some of these devices that have no security built in or weren't designed with security at all. If there's a problem to solve, it's making it easier to apply that. If it's not easy, then it's not going to get easy.

14:48 Raghu Nandakumara: Yeah. Absolutely. Okay. Alright. Let's shift gears a bit. You mentioned the term Zero Trust. I didn't. Okay. So what does Zero Trust mean to you as a security practitioner?

15:00 Rob Ragan: Yeah. From my perspective, it's that ability to authenticate and authorize this action. It's where every action that's happening in the environment and in the systems, it's can we, with confidence, understand who is doing this, how they're doing it and is it authorized.

15:16 Raghu Nandakumara: Okay. So now as in your role like offensive security and what Bishop Fox does, what type of conversations are you having that are straight up about Zero Trust? Does it come up in engagements, and talk to us a bit about how that happens? What are the discussion points you're having and what typically the outcomes are?

15:36 Rob Ragan: Yeah. It comes up in conversations when I'd say customers feel like they've made an investment in the area. And honestly we're almost always still seeing like a hybrid environment. If someone says, "Well we have implemented a Zero Trust environment,” there's still typically some hybrid things that aren't following those principles. And it comes up a lot when our customers want to push the limits of their team or they want to see and understand their blind spots in their environment based on the controls and the investment they've made in implementing that type of framework. We'll have maybe a CISO that says, "I've implemented application whitelisting. What would you do to bypass that in my environment?" And so we're building out scenarios where we're going to say, "Okay. If you were to put us onto an employee system or onto a laptop we're going to assume a breach of that with some malware that's been installed." Actually going through and emulating what real attackers would do such as DLL injection into an application that has permission to access another part of the environment.

16:32 Rob Ragan: And then we're assuming that role and that identity of that application and now we're on the whitelist but we've injected it with malware that can help us perform whatever our objective is or help us with further malicious actions. And then from there, it's what other controls are in place to either detect or mitigate the risk. But they really want us to take them through those scenarios so that they can practice and see do they have other triggers or other events that are going to help them in their incident response capability.

16:57 Raghu Nandakumara: So what then does the recommendation look like? Because it's like how does... 'Cause it feels as an attacker, you do have sort of the ability to test all kinds of things. And as a customer there's a finite set of things that they focus on and say, "The rest of it, I accept the risk." So how do you guide your customers to say this is important?

17:20 Rob Ragan: A lot of it becomes very specific to where they're at in their maturity level. And if a customer already has application whitelisting, they're more mature than most. It's helping them then understand what other controls do they have and where's the opportunity to catch the attacker, 'cause they've already increased the amount of time and effort and resources that the attacker had to spend to achieve that. If they had to find an application that's on the whitelist, find a way to inject into it and then assume the identity of that application and that user that's running it. It's what other things could they have done in the environment or what other steps and commands that attacker run that they could trigger an event and contain and eradicate the threat. So we're often running those scenarios on a continuous basis to just help them keep practicing, help them identify new opportunities. And it's not then just relying on that one control. It's looking holistically. It's like what else do we have available to us that's an indicator of compromise that we could trigger that event on.

18:19 Rob Ragan: And we're actually helping our customers in a lot cases push that further to having a better understanding of what their indicators of exposure are and what their indicators of vulnerability are so that we can... Maybe that's even starting with testing that OT device that they're relying on that's critical to their environment or maybe that's testing some of the applications that they're using to understand, does it even have that vulnerability or that weakness that you can address and fix so that an attacker can't take advantage of it as part of a greater attack chain.

18:46 Raghu Nandakumara: 'Cause I think in what you're saying really that education for customers of their entire security organization's such an important thing because it does feel like the skillset that is now required to be a professional in cyber is very different to what it was even five years ago where there's now a real emphasis on, "Do you understand the nature of threat? And do you understand how an attacker is going to progress?" I think there was sort of a talk just earlier today from one of my colleagues that is really about “think like a hacker to build better resilience.” So how are you seeing that uplift in skill set taking place in your customer base?

19:27 Rob Ragan: Yeah. I'm seeing a lot of folks that are willing to adopt more proactive testing and continuous testing and it's always reevaluating what was the scenario or what was the goal of the test and adapting and enhancing it to whatever outcome they're trying to achieve. I'm seeing a lot more folks that are... Security engineers are now on blue teams that are also then wanting to participate in those red team exercises and in those tests and be involved and actually understand how they can learn to apply those techniques while they're building and into their threat models. And I see that the folks that are doing that on a more regular basis are maturing more rapidly. And if they're not factoring in that testing to what they've implemented, then there may be are long periods and long gaps of where there's a susceptibility that remains unknown.

20:14 Raghu Nandakumara: Understood. So, moving a bit, what are you seeing as a key areas that need significant sort of investment, that are now cropping up over the last, let's say, 12 months.

20:26 Rob Ragan: Yeah. I still see a lot of folks that are coming to us for help with understanding their attack surface. Understand... And where we're going to see this go is it's going to be not just external attack surface, it's going to be, authenticated application attack surface. It's going to be internal and private networks attack surface. The cloud environments, VPC attack surface and all interrelated systems including up through their supply chain and vendors that they have in their environment. There's still a... This is what I'm seeing folks trying to focus on because especially at the enterprise where as soon as they have an acquisition, it feels like a setback.

21:04 Raghu Nandakumara: Yeah.

21:04 Rob Ragan: A security team that's, trying to get a handle on what they've had for in their core environment but they've now acquired this company and it's trying to make sense out of what they have that they're responsible for protecting. I think that we're going to continue to see investment in getting a better definition of, as those changes are happening and they're happening on a daily basis, what they... Getting visibility into them, and then being able to proactively test them for indicators of vulnerability and being able to then decide which of those matter first. And I'm seeing a lot of folks ask for help with remediation priority. "I have so many things I could fix, help me decide what to fix first." And I still think the best way to do that is to thoroughly test it and to actually demonstrate the impact of exploiting it. And if you can't do that, if you can't show that... I think there's an issue here, this might be vulnerable, but actually what does it look like? Is it possible to exploit it or either mitigating factors and if it is exploited, what's the actual impact? What data you think gets you from there? Having that question answered helps decide what that priority becomes then in fixing it.

22:11 Raghu Nandakumara: The question is, how do you then also inject into that, what is the probability that it is going to be exploited? Because as an offensive security.. you clearly have... essentially, you've been asked to go and do something. So how do you assign the likelihood, because that's almost the key factor in do I pick X or do I pick Y when I only have to pick one of the two?

22 h 33 Rob Ragan : Ouais. Nous avons fait évoluer les notes de gravité de nos rapports afin, je dirais, d'être un peu plus sélectifs quant aux critères que nous attribuons à des critères critiques, ce qui va probablement à l'encontre de ce que font peut-être de nombreux autres fournisseurs. Ils conduisent en disant : « Non. Tout est critique. Tout est rouge. » Nous constatons que nos clients veulent vraiment que nous examinions cette question de plus près et que nous l'examinions de plus près si elle mérite ce niveau d'attention. Et nous le faisons en grande partie en nous basant sur les questions suivantes : « Est-ce quelque chose qu'un attaquant opportuniste pourrait exploiter sans authentification et qui n'a aucun besoin, aucun facteur d'accès initial ou aucun moyen d'assumer le rôle d'un employé ? Ou s'agit-il plutôt d'une menace interne involontaire ou intentionnelle qui est plus motivée, possède déjà des informations d'identification et a pu détecter cette vulnérabilité plutôt que d'une chaîne complexe en plusieurs étapes que nous avons découverte, mais il est peut-être possible de l'éviter en résolvant simplement ce problème. » Nous nous concentrons donc sur ce que nous pensons être la solution ou la solution la plus efficace ou s'il existe des contrôles d'atténuation qui peuvent être mis en place. Nous en tenons compte dans la façon dont nous formulons une recommandation sur la priorité à donner pour y remédier.

23h42 Raghu Nandakumara : J'ai compris. Et c'est vraiment un bon point à aborder. Et au cours des 12 derniers mois, s'il y a eu des thèmes récurrents dans ce qui a été rapporté dans la presse de sécurité. L'un des thèmes a été le retour sur investissement. Comment les organisations font-elles leurs paris lorsqu'elles sont confrontées à des contraintes budgétaires ? Et on leur demande aujourd'hui plus que jamais de justifier le retour sur investissement de leurs investissements en matière de sécurité. Et je parlais à un invité il y a quelques semaines dont la position à ce sujet était que les équipes de sécurité ne devraient pas... Le retour sur investissement ne devrait pas être quelque chose que vous devriez exiger de vos investissements en sécurité. La valeur est exprimée en termes de risque qu'ils réduisent. À quoi pensez-vous, en matière de valeur, s'agit-il uniquement des avantages en matière de sécurité ou du coût total de possession global de la solution ?

24 h 32 Rob Ragan : Je suis content que vous ayez parlé du coût total de possession. Je pense que les investissements en matière de sécurité sont souvent réalisés à partir de l'achat d'un produit ou d'une solution en particulier et que le coût total de possession n'est pas clair. Et ce n'est que lorsque vous êtes au cœur des phases de mise en œuvre et de son utilisation que vous êtes au cœur des phases de mise en œuvre, vous ne savez pas exactement quelle quantité de travail cela génère pour l'équipe et quelle quantité de travail cela lui impose. Et cela pourrait finalement faire oublier des choses. J'ai vu des cas où... Nous sommes intervenus après qu'un incident se soit produit pour aider à tester une application et ils essayaient de comprendre la cause première du téléchargement d'un shell Web via cette application PHP. Et il y avait en fait... Pendant 13 mois, avant cela, l'outil d'analyse statique utilisé avait révélé une vulnérabilité, mais il avait été fermé et trié par un développeur qui avait déclaré : « Je ne pense pas que ce soit exploitable ». Mais c'était... Peut-être que ce développeur n'avait pas l'expertise nécessaire pour comprendre comment exploiter ce problème. Et ce n'est peut-être pas eux qui auraient dû prendre cette décision.

25h28 Rob Ragan : Mais l'équipe n'avait peut-être pas la sécurité, l'expertise ou le temps nécessaires pour répondre à cette question. Ils ont donc investi dans un produit, ont obtenu le rapport indiquant que quelque chose était vulnérable, l'ont accidentellement ignoré et ont tout de même été victimes d'une faille. Mais je pense que c'était ne pas comprendre quel serait le coût total de possession pour disposer de l'expertise nécessaire pour répondre à ces questions. C'est là que vous cherchez peut-être une solution au problème, et il peut parfois s'agir d'une combinaison de services et de produits, ou de services gérés qui aident à obtenir le résultat complet du problème sur lequel vous travaillez, plutôt que de devoir confier la tâche à des membres de votre équipe.

26h05 Raghu Nandakumara : Et c'est une perspective vraiment intéressante parce que c'est... Et en fait, c'est en quelque sorte la première fois que j'entends ce point de vue parce qu'il s'agit, si vous ne comprenez pas vraiment le problème que vous essayez de résoudre, de votre capacité à attribuer ou à dire : « C'est mon TCO idéal ». Vous êtes en train de deviner ce que cela devrait être, non ? Parce que c'est fait avec des informations incomplètes. Ensuite, vous avez dit, et cela tient en partie à la compréhension du fait que vous devez probablement compléter les ensembles d'outils par des services et peut-être des offres tierces qui les complètent. Dans ce contexte et pour améliorer le coût total de possession de vos investissements, quel rôle jouent-elles selon vous en matière d'offres de sécurité offensives, qu'il s'agisse de personnes comme vous ou de ces suites de tests automatisées qui sont désormais omniprésentes ?

26:58 Rob Ragan : Je pense que nous sommes encore dans une phase où l'automatisation n'est pas là pour faire le travail entièrement, et cela vaut pour la plupart des choses. Pas seulement en matière de sécurité, mais nous y travaillons. C'est quelque chose que nous allons continuer à repousser les limites pendant de nombreuses années à venir. Je pense que le fait de faire appel à votre expertise et d'avoir un plan pour utiliser cette automatisation, que vous achetiez un produit qui facilite les tests automatisés, il y aura toujours des résultats, sur lesquels quelqu'un devra prendre une décision. Et je pense qu'il est possible de décider s'il s'agit d'une personne qui fait partie de votre équipe ou d'une tierce partie avec laquelle vous allez établir un partenariat et en qui vous avez confiance.

27 h 31 Rob Ragan : J'ai constaté que de nombreuses personnes avaient besoin de cette aide pour évoluer, en particulier si les membres de leur équipe portent tellement de casquettes qu'ils n'ont peut-être pas le temps de se concentrer sur le résultat d'un outil en particulier ou s'ils ont l'impression que certains membres de leur équipe ne sont plus là. Et c'est comme un plan... Je suppose qu'il s'agit de planifier cette résilience et le modèle d'organisation de la sécurité. Si une personne dirigeait les trois outils que nous avons achetés et qu'elle partait, que se passerait-il ? Est-ce que cela deviendra une étagère ou avons-nous un plan pour savoir qui sera leur remplaçant pour continuer à les utiliser ? Je constate que c'est souvent là que nos clients viennent nous voir pour nous dire : « Nous avons besoin d'aide. Écoutez, nous avons besoin d'un testeur ou d'une personne experte pour nous aider à obtenir le résultat escompté, et pas seulement un outil. »

28:11 Raghu Nandakumara : Bien. Encore une fois, je veux simplement résumer que pour les spectateurs et les auditeurs, pour être en mesure de vraiment comprendre comment vous allez obtenir un retour sur investissement ou comment vous calculez le TCO, vous devez d'abord déterminer si vous possédez les compétences nécessaires pour tirer pleinement parti des investissements existants ou des nouveaux investissements. Sinon, vous ne pourrez jamais vous rendre compte de ses avantages. Vous êtes confronté à ces défis qui consistent à être en mesure de justifier pourquoi vous n'avez pas tiré parti de quelque chose. Je sais qu'il ne nous reste que quelques minutes. C'est l'heure de la boule de cristal, non ? Vous regardez dans votre boule de cristal du futur, n'est-ce pas ? Qu'est-ce qui t'enthousiasme ? Qu'est-ce qui te fait peur ? Du paysage cybernétique ?

28 h 50 Rob Ragan : Personnellement, je suis vraiment très enthousiaste et j'ai plongé profondément dans le vaste espace des modèles linguistiques. Je pense qu'il y a beaucoup de battage médiatique à ce sujet, mais il y a beaucoup d'optimisme et une certaine inquiétude quant au risque. Personnellement, dans certains des prototypes que j'ai construits avec ce système, je suis en fait très optimiste quant à la facilité avec laquelle il sera possible de réaliser certaines choses qui étaient très difficiles auparavant. Je pense que nous allons être dans cette phase où... Il n'y a pas si longtemps, j'ai lu un livre à ce sujet que je recommanderais si quelqu'un s'intéresse à ce sujet, intitulé « The Missing Middle ». Et il s'agit de savoir où l'homme et la machine se rencontrent, en quoi la machine est bonne et en quoi l'homme est doué. Et il décrit essentiellement un cadre sur la manière de travailler ensemble et d'être en mesure d'en faire plus. Et je pense que nous allons être dans cette phase, dans un avenir encore prévisible, où nous sommes en train de trouver une solution et nous sommes... Et qu'est-ce qui ne va pas dans la mise en œuvre de cela, mais je suis en fait... Je dirais que je suis plutôt optimiste quant au fait que cela va ouvrir de nombreuses portes.

29 h 48 Rob Ragan : Nous l'avons utilisé de manière à identifier la propriété des actifs dans le cadre de cette question relative à la surface d'attaque. Et c'est quelque chose où l'entrée dans le... Souvent, pour ces questions, c'est complètement inconnu ou cela pourrait être complètement différent. Tout ce qui se trouve sur Internet pour écrire, comme une application traditionnelle pour aider ou une API pour répondre à cette question est vraiment difficile car vous ne savez pas quelle sera l'entrée. Mais avoir quelque chose qui vous aide à analyser et à lire les données, puis à recueillir des preuves à leur sujet, puis à répondre à des questions à ce sujet en vue de la prochaine étape de vos flux de travail et de vos processus est pour moi vraiment passionnant. J'y ai constaté une énorme avancée.

30 h 20 Raghu Nandakumara : Je pense que pour en revenir à ce que tu as dit à propos du livre, non ? Je pense que c'est sur cette réunion intermédiaire que nous devrions vraiment nous concentrer, car je pense que la discussion sur l'IA est trop tôt, et maintenant, avec le LLM, encore une fois, on y revient, n'est-ce pas ? À quel moment l'IA sera-t-elle supérieure à l'intelligence humaine et alors ce genre de machines prendra-t-elle le dessus ? Oui, comme dans le scénario habituel de Terminator 2. Mais je pense absolument qu'en fin de compte, il s'agit de converger, n'est-ce pas ? Il s'agit de savoir ce que font les humains de manière optimale, et c'est sur cela que nous devrions concentrer nos efforts talentueux. Qu'est-ce que les machines et l'IA automatique sont les meilleures pour faire, n'est-ce pas ? Parce qu'en fin de compte, le but de la révolution industrielle n'était pas de remplacer les humains, mais...

31 h 06 Rob Ragan : Pour l'optimiser.

31:07 Raghu Nandakumara : Pour optimiser. Et c'est vraiment de cela qu'il s'agit.

31 h 09 Rob Ragan : C'est vrai. Et je pense que nous devons toujours le considérer comme un outil et comme une technique à appliquer. Et je pense que tous ceux qui s'empressent de mettre cela en œuvre en production sans qu'un humain soit impliqué ou sans avoir à toucher à zéro pour parler à un opérateur posent beaucoup de problèmes. Mais je pense que c'est comme si... Il sera intéressant de voir comment nous utilisons cette technologie spécifiquement pour les applications.

31:31 Raghu Nandakumara : Alors, soyez sur les LLM, dans quelle mesure êtes-vous préoccupée par l'empoisonnement des intrants ?

31 h 36 Rob Ragan : Oh. Je pense que c'est un vrai problème. C'est pourquoi je dis que tous ceux qui se lancent dans cette application de production ou dans des cas d'utilisation en direct sans le tester pour déterminer comment les cas d'abus posent beaucoup de problèmes et vont avoir des incidents et des problèmes et l'injection rapide reste très facile à faire. Je veux dire, je discutais avec le CISO hier qui a déjà indiqué dans son profil LinkedIn que s'il y a des robots marketing qui analysent sa page, il reçoit une injection rapide pour qu'elle fasse autre chose. Et je pense que nous allons peut-être voir ces lumières... Cela n'a pas vraiment beaucoup d'impact si la campagne marketing de quelqu'un ne fonctionnait pas bien. Mais je pense qu'il sera intéressant de voir comment il sera utilisé autrement.

32:13 Raghu Nandakumara : J'ai eu une conversation avec ChatGPT il y a quelques mois à propos de Zero Trust et j'étais simplement reconnaissante d'en savoir encore un peu plus, mais je suis sûre que ce n'est pas trop loin. Alors, une dernière idée, Rob ?

32:24 Rob Ragan : Merci beaucoup de m'avoir invitée. Je pense que cela a toujours été une bonne conversation avec toi, Raghu et, oui, j'ai hâte de voir comment cet espace évolue.

32 h 30 Raghu Nandakumara : Fantastique Rob, merci beaucoup de vous joindre à nous aujourd'hui. C'est toujours un plaisir de discuter avec vous et d'approfondir vos connaissances dans cet espace. Pour tous ceux qui regardent, écoutent, si vous êtes intéressé par la sécurité offensive et si vous êtes intéressé par la mise en relation avec les experts de cet espace, allez voir www.bishopfox.com. Rob, merci beaucoup encore. Merci à tous de vous joindre à nous aujourd'hui. Profitez du RSA.

32:53 Raghu Nandakumara : Merci d'avoir écouté l'épisode de cette semaine du Segment. Pour encore plus d'informations et des ressources Zero Trust, consultez notre site web à l'adresse illumio.com. Vous pouvez également communiquer avec nous sur LinkedIn et Twitter à l'adresse @illumio. Et si vous avez aimé la conversation d'aujourd'hui, vous pouvez retrouver nos autres épisodes partout où vous pouvez accéder à vos podcasts. Je suis votre hôte, Raghu Nandakumara et nous reviendrons bientôt.

‍