Welcome to Cybersecurity Insights, the podcast for the CyberEd.io learning community. Our goal is to bring Cybersecurity practitioners, the latest and most relevant education and training to upskill and dive deeper into topics that matter in today's modern Cybersecurity world. Good day, everyone. This is Steve King.
I'm the managing director at CyberEd.io. And today on our podcast episode, we have Alex Wentrop with us who runs the DFIR operation at Cygnus. And we're going to talk a little bit about the dangers of generative AI in the incident response world. Alex is a 10-year veteran of the IT and security ops and digital forensics and DFIR world.
And we're pleased to have him with us today. So thank you, Alex. I appreciate you being on the show. Thank you so much for having me here, Steve.
Sure. I guess we could open with kind of the obvious, most obvious question, is what is it that chat GPT can do for us in incident response? I mean, if I were running, if I were doing what you do for a living, what would I be looking forward to? That is a really good question.
And just from a brief stance, chat GPT and all these other artificial intelligence solutions that are coming out, really can only produce this rudimentary high-level response plan. It's not nearly detailed enough to be a sufficient incident response playbook that you can actually utilize during a cyber crisis. Yeah. That's been my experience as well as we've developed some course education coursework using it.
But from our point of view, if you're a smaller company and you strap for resources, it seems like it's better than nothing, is it not? Yeah. I mean, so I went through like a three-month process of testing this theory of using chat GPT to design or build a cyber incident response plan. Just to see if it would be a viable option for organizations that would be lacking those resources, you know, companies below the cyber poverty line, those companies that don't have enough budget to hire talent, incident response talent.
So within that three-month period, what I found was that chat GPT and a few other solutions would only be able to outline the definition of an IR plan or provide some sort of general overview of what the procedures that may be necessary during an incident should include, rather than presenting that detailed, fully build out step-by-step playbook on how to manage the crisis and which crisis to manage. Yeah, sure. I want to push back just a tiny bit on that, though, in that from my view, and we talked to a lot of companies that most companies don't have an IR plan period, right? So I'm like, give me a piece of napkin, you know, with something on it.
I'll take that, you know what I mean? But yeah, I understand your point for sure. You are just curious about your view from where you perch, I guess, on the SOC side. If you look at level one, level two of SOC analysts, chat GPT looks alike.
It could do a lot of the sort of tedious work of a level one analyst. Is that your view as well? Yeah, and to clarify that, you know, for a small business that is looking to build out a response plan within artificial intelligence solution like chat GPT, what they should be aware of is providing it private information secrets. Just like we wouldn't provide secrets into a GitHub or a public solution out there, a website, you wouldn't want to put it into a chat GPT or others because they ingest that information to populate other questions that may be asked from other organizations.
So that's really where my fear of using a tool like chat GPT would be valuable for these small businesses on designing that response plan due to, you know, your capability of using it to push out secrets, it could cause a big issue there. When it comes to SOC one, SOC two, those levels, we're already seeing solutions being put out there that are designed to take over those roles and replace those roles. There have been solutions out for the last few years and we're seeing some develop into more in-depth solutions. We see some endpoint detection response tools that are actually using AI to do threat hunting and finding malicious emails and finding malicious software vulnerabilities.
So, yes, it's going to be a very interesting next few years to see where artificial intelligence goes. Yeah, no kidding. Tell us. Tell us a little bit about what SIGNET does and what your business model is.
Sure. So, SIGNET is a guided crisis response platform. And what we are doing is we are solving for three main challenges. Challenge one is, you know, that time where the crisis happens usually happens on a Friday.
We saw that with WannaCry all the way to Log4J, incidents don't happen on a Monday. And now you've got to get all your team into one place to start communicating and collaborating securely. So, that's basically the first two. You need to be able to get those internal and external teams.
You're happening on a Friday right before you drink that glass of wine. So, it's sort of panic mode into the weekend. The third one is that you now have a response plan. Where's the response plan?
Oh, it's in my car. Well, I'm on vacation. Can someone break into my car and get the response plan? Because we only had one copy?
Well, what SIGNETs would do is provide you that solution in a dynamic plan within SIGNETs in a secure out-band area to be able to bring in those plans. And then the last challenge that we're solving for is the first 48 where we want to get back up and recovered fully recovered, at least within the first 48 hours. We can assess the damages during that time, recover, remediate, and start getting to that notification steps, hopefully within those first 48. So, that's really where a SIGNETs comes in.
It was built in a secure out-of-band area where you can bring those internal parties in, really start collaborating from your phone, communicating over our video or audio bridge and start direct messaging all from that one secure location. That's pretty cool. Are you in from a categorization point of view? Are you a managed detection response company then?
We would partner with solutions like that, where a customer would be going through a crisis and they would click on some sort of button, or you have a sock or a sim. And within your sim, you're categorizing something as that SEV-3 incident. It would then ask you if you wanted to open up a Cygnus room, and you would say yes, and you would all move into the secure area, where it would have all your dynamic plans. Anyone who needed to be in the room would be there with granular access related to either the room access or the work streams, something which is really exciting for me, because it will also help with upholding privilege, because anyone who needs to know will know, anyone who doesn't need to know about certain things would not have access to it.
Yeah. I assume that's through an API, or do you natively integrate with certain sims? It would be through an API connection. And this is something we're building out to really help these small, medium, large businesses guide all the teams through a crisis, essentially that incident response management platform that we've all been looking for the last 20 years of incident response.
Right. You've described the topic before, I asked you to talk about the company, a huge problem that is very present right now that I don't hear a lot of people talking about, and that's that IP escape thing that you described, where we've got people willy-nilly right and left just throwing stuff out on this large language model that is the corpus of data that chat TPT and others use. And so if somebody wanted to dig into, I mean, folks are doing that in kind of a shadow IT context in my mind, right? I mean, Department A is working on whatever is appropriate for them, and so they fire up their instance of chat.
If you're all, none of this is policy driven by companies yet. I know no company that has an AI, ML, you know, access or use policy unless you can correct me. And what we have is this huge hole through which we're pouring all of this confidential and sensitive information. And I don't know how we're going to stop that.
I mean, I know that, you know, chat's got, you know, the option you can select, eliminate my session when I'm done, you know, not keep that data, but A, I don't know whether that's true or not. I mean, I don't know whether it works. And B, I don't think very many people know that. Anyway, no one has said, hey, be sure, you know, and plus it's a C, I guess, is a lousy way to implement policy.
What's your opinion about all that? Yeah, I mean, I agree with you, Steve. I have not seen anyone regulate AI, ML at this moment. We do see solutions using it to provide an additional layer of security and prevention detection.
But I haven't seen those regulations on removing it completely. We've seen countries that have blocked chat TPT from being used so that specific secrets aren't provided to it. But we haven't seen companies restricting the, or I haven't seen personally, restriction on AI yet. Actually, what I'm seeing is more use of AI, and that brings that fear of if we're going to use artificial intelligence.
What is the back end? Who is looking at that data? What could they see? What can't they see?
And how can we ensure that everyone is aware that secrets don't go into an external solution? That's my biggest fear, because we looked at, you know, the example is when you're coding, you look and you upload your code into a certain repository. And that repository may have connections from public access, people who are external to your company. So too, with artificial intelligence, I don't know the back end of it yet.
And it's constantly changing, so I can see something very big happening shortly where there is visibility and there is awareness of what we can and cannot do, and what is visible from the external sources soon, and it might be very alarming to a lot. Yeah, and I think it will be. And Congress is the last place that we should look to for any refuge there, just simply because it's their version of regulating the technology. The technology is completely off the mark, but when you have businesses that use get up to your point or other repositories, access to those repositories are not well controlled.
In my mind, I mean, I can get to them from my desktop or I can get to them from my corporate desktop, which is sitting next to my personal desktop here. And in the same way that Sally who's a commodity trader for ABC commodities can pull that data, pull that commodity history data from her employer, and then work on her own machine to use strategy bt adding to that lm with that corporate data. So, you know, in my mind, unless the solution is somewhere in the data, you're not going to know how you control access in any kind of a foolproof way. I mean, it's just going to go back to awareness.
We're going to see within the security awareness training ways that we can use artificial intelligence in a productive way. And then ways we can use artificial intelligence in a very detrimental way. And then with that, we will make people aware that, you know, some things can be used in moderation and it could be really good. And then if we use it too much, then it can start becoming detrimental, just like, you know, with food and drinks and stuff like that.
It's going to be the same thing with artificial intelligence, where you want to just keep it to the high level stuff. I'm asking maybe rewriting an email without people's information, but not really designing a secure incident response plan that's going to help you prevent or help you plan practice and respond to a cyber crisis. Yeah, but, and, you know, I'm not worried about Bob in accounting as much as I am worried about Sally and trading, right? Because Bob, you know, Bob can be a good citizen and you can think, well, you know, yeah, I got this in my security awareness training.
I'm going to practice, you know, I'm going to, you know, manage best practices as best I can because I'm a good guy. Sally is only interested in making that million bucks that you can make next week with a great trade and to heck with the rest of it. You know, so I think there's, we always have those drivers behind that behavior and I'm just not sure how, you know, how the story is going to unfold, you know. Well, we're here to watch it unfold and I'm really excited to see what the future holds of artificial intelligence.
Yeah, yeah, me too. And I don't mean to be, you know, Debbie Downer here. But what? So, given that, why don't we talk about some of the more promising examples of AI in terms of how it can help us in cybersecurity defense?
Sure. So when we look at future of instant response with artificial intelligence, we're already seeing a bunch of tools that are coming out. We saw EDR tools, those endpoint detection and response tools that have been publicized and have launched either at RSA. And then after RSA, we are seeing vulnerability solutions, you know, just vulnerability scanners that are pushing out solutions to find vulnerabilities within the environment.
We're seeing artificial intelligence enhance IR capabilities, just like you were saying, Steve, on that tier one, tier two, SOCSIDE. We're seeing a security analytics where artificial intelligence can process, correlate those security event logs and the network traffic and security info. And what that's doing is correlating that all that information together and identifying some advanced persistent threats within the environment based off of some complex attack patterns. We're seeing phishing and fraud detection, something that I've been, you know, just publicizing over the last few weeks.
We're seeing Chachibiti being utilized to detect phishing campaigns and then putting out key markers from there into the Intel sharing community of new phishing and smishing and phishing campaigns that are going out. And then in addition to that, we're seeing source solutions, those security orchestration automation and response solutions automating with artificial intelligence to design out the playbooks and then also close the loop on certain incidents without a human being there. Yeah, I think we talked about the phishing and fraud detection issue. I think it was Kasarski, I think that somewhere near a 90% detection rate, but also a very high false positive rate, right?
I'm in like a quarter or 23% or something. You know what's causing? I mean, obviously the brackets are too wide, but do you know what's causing that in particular? Like the false positive rate?
Yeah, the positive rate. So there are always ways to manipulate your email to look legitimate. And so an email can look legitimate. There can be spoofing involved.
There can be legitimate email addresses being utilized by the threat actor because they gained access to your coworker or they gained access to a company that you've been working with for years. And now the email is coming from Steve at King.com and you have been speaking to Steve for a decade. And it's the same email and you've done everything in your book to check off all the boxes. And yet it's still in from you.
You're like, as a human, you're like, oh, this email looks very suspicious and anomalous because he's not going to share a weird attachment with me without letting me know that before. The artificial intelligence wouldn't have known that because they're not you. They're not the human. So they're not going to pick up on that.
They're going to say, hey, Steve at King.com is sending you an email. We have seen Steve at King.com send you emails before. There's nothing here that's connected that looks malicious or anomalous. So we're going to check this off and say that it's legitimate.
No, we're going to have to wait for the next release, I guess. Or we're still going to need humans to look at malicious emails. Let's talk about that for a second. What do you, a lot of people think somewhere along that spectrum, either we need, we're always going to need humans to intervene in these processes because we're never going to be able to trust GAI.
Engines. And then the other end is, yeah, they'll be able to do it themselves and everybody will make stuff up. Where are you on that spectrum? I believe we're always going to need a human being to be able to validate malicious activity.
Unfortunately, even if you train artificial intelligence as much as we've seen with a lot of the tools out there that are primarily based off of artificial intelligence, they're not catching everything and it takes a lot of time to tune tuning by that human being. And so it is a great way to save for those smaller businesses, those ones that are, you know, the municipalities and the schools. And those small businesses, those small law firms that are looking to start and just be aware of what the cyber crisis could be. But I don't see it as a way of replacing cyber security analysts and professionals in the future because there's always going to need that human element.
Just like in physical security, we're seeing a lot of video footage, artificial intelligence, helping out in the physical security. But there's always a human being behind it, validating a lot of that activity. Right. It'll be interesting.
What does this do to the crowd strikes of the world, by the way? I mean, do they embed the capability and simply expand their technology and their market leadership in the core or are they susceptible then to competition from, you know, younger startups, or whatever you want to call it native AI, I guess. I don't see any correlation. I think CrowdStrike did host a artificial intelligence solution out a few weeks ago, if not a month ago at their quarterly earnings meeting, we saw a central one launch at RSA Purple CrowdStrike has launched their own solution.
We're seeing a lot of other EDR solutions following suit. And so I see that as just a new enhancement to the endpoint detection and response. So nothing particularly extraordinary in terms of product announcement. I mean, the extraordinary part is that artificial intelligence is becoming a part of all the different factors of cyber security.
You've looked at Pentas GPT or you know something about that. Can you describe how that works to our audience? Sure. I did some research on it.
I haven't done enough. I do see solutions out there that do autonomous pentesting already. I have been a big fan of a few of them out there. And so it's not artificial intelligence on the back end.
It's actual people designing a software that you can run autonomously within your environment and find vulnerabilities based off of that. Artificial intelligence may just be a solution that complements those tools, complements the hands on keyboard, pen testers and red teamers and purple teamers out there. But I don't see it as a solution that's going to take over all pen testing. Again, just like on the defensive side where you have artificial intelligence complementing those endpoint detection response tools, you're going to have artificial intelligence complementing those pen testing red team purple team solutions as well.
Yeah. So in that context, do you imagine use cases for AI that you haven't seen yet commercialized into vendor product? Oh, there's going to be so many. I don't want to speculate.
I think there are going to be so many new things coming out over the next few months. I know from Cygnus's perspective, we're putting out there. We're hopefully going to launch something. There are a lot of other solutions out there doing that.
I don't know. I'm really looking forward to it. I would love to see what comes next. From a marketing point of view to the extent to which you, you know, involved yourself or had experience in there.
There's already a tremendous amount of noise around this around the space. If you call the AIML cybersecurity space, for example, you know, we do we risk, you know, drowning people in hyperbole again, like we've done with every other thing we've ever created here for cyber security. I think it's just like all the other buzzwords that have come out in the last several years. When you say the buzzword, everyone has their own definition.
And so it's going to be the same thing within artificial intelligence. What is artificial intelligence? How are we using it? Are we using our own personal solution?
Are we using the public solution? I mean, it's just going to be based off the different companies that are out there and what they're building. Again, I don't want to speculate on what's out there and what's going to be of it. But I do see some really cool opportunities out there where artificial intelligence can complement other parts of the cyber industry and non-cyber related incidents as well.
Going into physical security or going into auditing and marketing and basically anywhere artificial intelligence is going to be a very big positive. And there are going to be negatives there too, unfortunately, because that's what happens with all the tools that come out. There's some really good use cases and then threat actors find a way to use it for bed. Yeah, of course.
It seems to me, though, that if you build your messaging around a very specific solution, like, I don't know, assessing logs, for example, which nobody does, but let's say that everybody should. So you now have a tool that will quickly read through your logs so you don't have to retain 90, 180 days with a log data. You can offload it to an off-site storage and your tool will show you what you should pay attention to that's been going on in the last 24 hours or something. If you have very specific messaging around that, it doesn't emphasize the fact that the tool is an AI tool.
Do you think that's more effective if you're a buyer of a technology? I wouldn't have a 100% answer on this. I think it's a really good question. But again, from a sim perspective, a SOC perspective, retention of logs is not just for correlating events of the past.
It's for correlating the events of the present. And we see with a lot of these ransomware incidents, and again, with business email compromised, where you can correlate BEC going back 60, 90, 180 days where the event actually initiated back in October. Let's say, and we're now in March. And so I wouldn't stop retaining logs just because we have artificial intelligence doing correlations.
Again, it's a technology. It could make mistakes. And having that human being in front of it is again still going to help us out in complementing artificial intelligence and ensuring that we are staying secure from a preventative and a detection perspective. Yeah.
Okay. So I'm conscious of the clock here where we're over our 30 minute allotment. I have one final question for you, though. I assume business is good.
And you guys are doing well. What in your mind is the kind of a main differentiator for you and your company and when you talk to prospects. So I think from a differentiator perspective, a solution like Cygnus is not just a place where you can store your plan or a place where you can practice your plan or a place where you can recover from the plan or secure an out of band area where you can communicate and collaborate. It's all those together in one place where you have your video and your audio and your direct messaging and you have the ability to run through the plan in secure access area where only those who need to have access have access.
And in addition to that, it's not just for the enterprise business. We're seeing a lot of solutions out there that are really targeted towards either the middle market or the enterprise market. And what we're ignoring is this market that's really getting affected by the incidents right now. We're seeing a lot of rents and we're up to throughout different countries.
And my biggest concern back when I was at previous organizations was the small business doesn't really have a lot of tools that they can afford. And Cygnus really stands out there because they can provide a service to the managed security service providers. We are providing services over to the cyber insurance that can provide Cygnus over to their customers, over to their policy holders who can then pre-build their incident response play books into a Cygnus room, plan against it, prepare against it, practice. And then ultimately when the cyber crisis happens, respond to it through through the Cygnus platform.
And it's a wide range of organizations that we're really helping out here. We've been seeing public organizations that have been underfunded, like local municipalities, those K through 12, which I've spoken about in many instances where they are a huge target by a bunch of threat actors. We see large enterprises, small businesses, and all these companies don't, as you were saying, don't have that incident response plan, or a lot of them don't. Some of them, the bigger organizations might, but that small business, they don't even know what incident response is, let alone how to turn off and on the computer or to update their software.
So that's really where Cygnus is going to be helping out a lot. Well, that's great. And I wish you all the best small business needs all the help you can get, dragging, kicking, and screaming, or any other way to get to a place where they're not the ultimate target. There's so many of these threat actors.
Well, look, it's been great talking with you, Alex. I appreciate you taking the time to spend with us and our audience here. And hopefully we can talk again, maybe six months from now, and kind of see how generative AI has taken over the world or not, and see what we do next. Yeah, looking forward to that.
And thank you so much for having me here, Steve. I really appreciate it. Sure, terrific. It was our pleasure.
Again, Alex Winthrop, the DFIR expert evangelist for Cygnus, and we hope you enjoyed the 30 minutes or so that we spent today, and look forward to seeing you again next time. Until then, I'm your host, Steve King, signing off. Thank you for joining us for another episode of Cybersecurity Insights. You can connect with us on LinkedIn or Facebook, or send us an email at social at cyberf.io.
For more information about the podcast, visit cyberf.io forward slash podcast. Until next week, stay safe and secure, and we'll see you on the next episode of Cybersecurity Insights. Thank you for joining us for Cybersecurity Insights.