Rock Lambros, Founder and CEO of RockCyber, joins Sean Martin at Black Hat USA 2024 to discuss the pervasive influence of AI in cybersecurity and its potential to accelerate threat response times. Dive into their enlightening conversation on balancing technological advancements with human oversight and the critical importance of AI governance.
Guest: Rock Lambros, CEO and founder of RockCyber [@RockCyberLLC]
On LinkedIn | https://www.linkedin.com/in/rocklambros/
On Twitter | https://twitter.com/rocklambros
____________________________
Hosts:
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
Episode Notes
In a recent On Location episode recorded at Black Hat USA 2024, Sean Martin and Rock Lambros explore the prevailing topics and critical insights from the event's AI Summit. Sitting in the media room, not on the bustling show floor, the pair dissect the impact of artificial intelligence (AI) on cybersecurity, shedding light on its multifaceted implications.
Rock Lambros, Founder and CEO of RockCyber, shares his observations about the predominance of AI in every corner of the conference. He notes how AI's presence is ubiquitous, even saturating advertisements at the airport. Lambros provides an overview of the AI Summit, highlighting the diversity of sessions ranging from high-level talks to vendor pitches. While some were mere product promotions, others provided substantial insights and valuable statistics, which Lambros is keen to share on platforms like LinkedIn.
The discussion progresses to the remark by Nvidia's CEO, Bartley Richardson, suggesting that cyber is fundamentally a data problem, and AI could be the solution. Lambros concurs with this in part but emphasizes the necessity of maintaining human oversight in the process. Martin and Lambros reflect on the potential of AI to augment cybersecurity tasks, particularly for tier one analysts. There is a focus on leveraging AI to expedite responses to threats, potentially reducing the reaction time, which currently lags significantly behind the speed of AI-driven attacks.
Lambros presents a balanced perspective, warning against the risk of AI advancements eliminating entry-level jobs in cybersecurity and advocating instead for upskilling these professionals to handle more complex roles. The conversation touches on governance and risk management, with Lambros stressing the importance of integrating AI governance into existing frameworks rather than treating AI oversight as an exclusive domain of data scientists. He highlights the EU AI Act and the Colorado AI Act as critical regulatory frameworks that emphasize this need.
Lambros also brings attention to DARPA's open-source resources aimed at securing AI, encouraging practitioners to utilize these tools. Towards the end, a poignant observation from Robert Flores, former CISO of the CIA, underscores the difficulty governments face in keeping up with AI's rapid evolution. Lambros reflects on the mixed audience at the summit, a blend of technical practitioners and policy leaders, all grasping the significant impact and challenges AI brings to the field.
The episode underscores the crucial balance between embracing technological advancements and maintaining human oversight and governance within cybersecurity. The insights shared by Rock Lambros and Sean Martin offer a nuanced perspective on the current state of AI in the field, emphasizing a collaborative approach to integrating these innovations responsibly.
Be sure to follow our Coverage Journey and subscribe to our podcasts!
____________________________
This Episode’s Sponsors
LevelBlue: https://itspm.ag/levelblue266f6c
Coro: https://itspm.ag/coronet-30de
SquareX: https://itspm.ag/sqrx-l91
Britive: https://itspm.ag/britive-3fa6
AppDome: https://itspm.ag/appdome-neuv
____________________________
Follow our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas
On YouTube: 📺 https://www.youtube.com/playlist?list=PLnYu0psdcllRo9DcHmre_45ha-ru7cZMQ
Be sure to share and subscribe!
____________________________
Resources
Rock's LinkedIn Post: https://www.linkedin.com/posts/rocklambros_ai-cybersecurity-ciso-activity-7226988285410074626-rX3-
AI Summit Keynote: Enhancing National Security with AI-Driven Cybersecurity | A Black Hat USA 2024 Conversation with Dr. Kathleen Fisher -- https://redefiningcybersecuritypodcast.com/episodes/ai-summit-keynote-enhancing-national-security-with-ai-driven-cybersecurity-a-black-hat-usa-2024-conversation-with-dr-kathleen-fisher-on-location-coverage-with-sean-martin-and-marco-ciappelli
Learn more about Black Hat USA 2024: https://www.blackhat.com/us-24/
____________________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-society-podcast
Are you interested in sponsoring our event coverage with an ad placement in the podcast?
Learn More 👉 https://itspm.ag/podadplc
Want to tell your Brand Story as part of our event coverage?
Learn More 👉 https://itspm.ag/evtcovbrf
Enhancing Cyber Defense: AI Innovations and Challenges | A Black Hat USA 2024 Conversation with Rock Lambros | On Location Coverage with Sean Martin and Marco Ciappelli
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Here we are. We're coming to you from the Hacker Summer Camp in Las Vegas. We're not on the show floor. We're actually in the media room at Black Hat USA 2024 and, uh, so many emotions right now. Sitting, sitting across from my good friend, Rock. How are you, Rock?
Rock Lambros: I'm doing great, Sean. Thank you.
Sean Martin: So, so good to see you.
Rock Lambros: Absolutely good to see you. It has been, uh, it has been way too long. It's been a journey.
Sean Martin: Way too long. Thankfully we keep connected, uh, online and, uh, but in person you can't, you can't replace that.
Rock Lambros: Exactly.
Sean Martin: So, so thrilled to see you and so excited to hear your experience, uh, the last couple days, uh, from Black Hat.
You get to go to some things that I, I didn't have time to get to. I wanted to go to the CISO Summit, I wanted to go to the AI Summit, um, so I wanted to get to, uh, kind of your perspective. No, I know some of that's Chatham House rules. So don't share anything that, uh, you shouldn't. Yeah. [00:01:00] But, but yep, you have great perspective on things and you, you get involved in all kinds of fun things.
And so I want some of your ideas or thoughts of what what's coming out of this week.
Rock Lambros: Awesome. Yeah. So, um, I texted actually a couple of mutual friends and said, the letters AI are literally in every damn ad at the airport. And I saw that, funny enough. And so that, that right there gives, gives you a hint or a preview of what this week is about.
And it's almost like you can't, it's almost like you can't go to market anymore without the words AI in your branding, whether you're actually using it or not. Um, but the AI summit was actually pretty awesome. Um, there are a lot of, You know, high level, um, speakers with a lot of in depth knowledge. Some of the sessions were, um, more high level.
Some of them had a little [00:02:00] bit more meat to them. Some of them were just vendor sponsored pitches. Um, effectively.
Sean Martin: Are they still good though?
Rock Lambros: No, they're still good. Okay. Um, you know, more than anything, they provided some awesome statistics. I screenshotted it and may put up on LinkedIn. Um,
Sean Martin: yeah. So we'll, we'll, uh, for a bit.
People listening to this, we'll include links to stuff that you referenced from your post, so yeah, they can, they can see what you're talking about there.
Rock Lambros: Yeah, awesome. So yeah, one of the, one of the quotes that really stood out to me was from Bartley Richardson. He's the CEO of Nvidia. You know, a small chip company, may or may not be driving some of the AI solutions out there.
Sean Martin: Hopefully they can hang on Yeah, I don't know.
It's gonna be sketchy.
Rock Lambros: Exactly. Um, and he said, cyber is a data problem, and AI is a data solution. And I mostly agree with that, [00:03:00] because yes, while AI, while cyber is a data problem, and AI is absolutely a data solution, you know, we still have people in processes. Right.
Sean Martin: Yeah.
Rock Lambros: Right.
Sean Martin: Yeah. Yeah. Yeah. That's very tech driven.
Rock Lambros: Yeah. Message. Um, but when you, when you think about it from a defensive perspective though, and, and helping the analyst, that absolutely makes sense. Right? Yeah. Helping the tier one analysts make their, their jobs easier, be able to do it faster, more effectively, um, and whatnot. Attackers are, I mean, leveraging AI now. I think a statistic I saw this week was like, launch and encrypt the server,
Or actually the entire ransomware execution be done in less than a minute. And the analyst takes an average of five minutes to respond to an alert. Right? So even if, even if they got the [00:04:00] alert on second one, right, right. Um, by the time they analyzed it internally and did something about it. That minute time span is gone.
So there's a lot of focus around leveraging AI to really help and augment the tier one analysts on the flip side, you know, we can't talk about augmenting and helping, uh, tier one analysts without kind of thinking, well, does this mean we will need less tier one analysts? Right. Right. And, you know, I really, um, Hope and endorse and support anything that we can do to upskill those analysts and make them tier twos.
Yeah, right, versus, you know, succumbing to the capital markets and saying, here we could cut costs here. It's already hard enough to break into our industry. If we start taking away entry level jobs, yeah, [00:05:00] we're gonna be in trouble in the long run.
Sean Martin: Well, it raises the question for me, as I had a chat with Michael Piacente about the field CISO role.
And I related it to kind of like a sales engineer or system engineer, but at a higher business level. And I think, I guess the point I'm trying to make is I think there's, there's an opportunity to maybe relook at how we do things in the business, and perhaps some of the entry level folks move from response more to protection.
So maybe they connect more with dev and more with IT Ops to actually set things in a way so we're not on our back heels with the tier two and tier three folks still. So I don't know. That's just an initial thought.
Rock Lambros: I mean, I think there's plenty of [00:06:00] opportunities to upskill, and AI, you know, has the potential to help across all those domains.
I ran into a company on, on the floor yesterday, I forget their name offhand, but you know, they're essentially, you know, uh, an AI based product engineer, right? Like, you know, replace your product engineer with AI type of thing, uh, product security engineer with AI type of thing. And uh, obviously I, you know, we're never going to get the human out.
I hope we never get the human out. I firmly believe that a human always needs to be in the loop, whatever that role looks like. Um, just from a governance perspective. Yep. Um, but, you know, it, it is going to, there are a ton of opportunities. Uh, the other thing that was really a focus at the AI summit is that the benefits of AI have been asymmetrical in the sense that it has helped the bad guys more than the good guys.
Right. The bad guys don't care about governance. They don't care [00:07:00] about, frankly, the budget. Uh, oftentimes the, you know, they can just go fail, do it again, fail, fail. They don't care about the harms. They don't care about, uh, ethical biases. They don't care about any of that. Right. And you know, while in the meantime, I'm having conversations, uh, with people reaching out to me saying, Hey, we need to like wrap our arms around AI governance.
I'm like, great. What are we governing? What's your strategy? And it's an absolute deer in the headlights type of look, right? It's like, all right, so we need to have a different conversation first. And then before we have that conversation, it's, you know, what's your, what's your data governance model? Because a lot of the tools out there today, you know, the, the AI Gateway space, which I internally call, uh, AI CASB, right? CASB for AI, you know, really depends on your, your data being classified and tagged really well. I mean, it'll do some basic, you know, dirty [00:08:00] word, DLP stuff, you know, identify PII, potentially some sensitive information, whatever. But, um, it really depends on your data being classified well to be able to block any proprietary data going into the AI.
Sean Martin: What are your thoughts? And I don't know, Marco and I've had this conversation. I think it started back in RSA where we talked about the Frankenstein of the industry. And, um, where it's kind of creating a monster in and of itself. I almost feel like this AI world, not just, not the bigger, broader, but certainly when we start talking about AI and security, that we're creating another similar scenario where it's mysterious, all these certain people have the knowledge, and it's a special thing, we have to treat it in a special way. And, [00:09:00] and then I've heard some folks say it's just another application that's driven by data. So it's an app with data, right? So I'm wondering, what, what kind of sense did you get from the conversations, presentations, and whatnot from the summit?
Are we? Are we creating a new thing that we're excluding folks from this world when we should really be bringing them in?
Rock Lambros: I don't think so. I mean, there are some special considerations for AI around like biases and potential harms and, you know, responsible use, accountability, transparency, all that kind of stuff.
But from a, you know, I live in cyber risk management, and you could absolutely use your same frameworks to manage risks around AI. Um, yeah, I, uh, you've heard me rant about this before. You know, I think CISOs got away in the early days with just saying, hey, we're doing some dark magic over here. You don't need to wave, wave your hand.
You don't need to know what's going on. [00:10:00] Um, you know, kind of pat on the head, Mr. CEO, you're not going to understand it anyways. And, um, but we can't do that with AI. AI needs to be a shared responsibility across the entire organization because of all those reputational effects, potential economic effects, you know, biases. You know, you, you deny somebody a, a mortgage because your AI model went rogue.
Right? I mean, opens you up to a significant liability, especially now in light of the EU AI Act, um, and the Colorado AI Act. Yeah. Um, that have come into, into fruition. So, um, no, I, I, I don't think, I, for AI to succeed in the cyber world in general, we can't be exclusionary. We can't be like, this is a special secret sauce, and right.
Sean Martin: Yeah. Cause I, I just, as soon as I hear the word data scientist, that to me says [00:11:00] it's not hacker, but it has the same for me, the same feeling that only, only data scientists will really understand this.
Rock Lambros: Well, I mean, we absolutely need data scientists to understand how to model the data, train the models.
That kind of stuff. I mean, that, that is a legitimate skill, but to manage the government, develop your strategy around it, develop your, your business case around it. You know, quantify the value over the opportunity of the business case, right? All that kind of stuff. That's, that's all the stuff that we should be doing today.
Yes. Uh, as cybersecurity leaders.
Sean Martin: Yep. Yep. Completely agree. What else struck you, uh, from this summit?
Rock Lambros: Yeah. Uh, another one was, um, DARPA. Oh yeah. I didn't realize that. Yeah. She's amazing. She is amazing. And I didn't realize that they had a bunch of just open source stuff out there with regards to securing AI and various, you know, essentially threat models against AI. [00:12:00]
Um, so I would encourage everybody to go check out, uh, that resource. Um, the URL is too long to read on here, so.
Sean Martin: Now we'll include a, again we'll include a link to your post that includes that link.
Rock Lambros: Awesome.
Sean Martin: And, uh, I think, cause we had a chat with her pre event.
Rock Lambros: Oh, cool.
Sean Martin: And she shared some resources with us, so I encourage everybody to listen to that as well. It's probably the same slides.
I think it was different from what you shared. Oh, really? Funny enough. Yeah, because it wasn't specific to, um, yeah, and I think she, she talked about some other programs and things. Yeah. That she's done. But anyway, a good collection of resources for sure.
Rock Lambros: Yeah. Um, and then, you know, I, I would say like the, the final mic drop moment for me was, uh, Robert Flores, I think he was the former, former CISO of the CIA.
I could be wrong. Um, said governments just can't keep up with the evolving base of AI, right? They are not built to be able to deal with fast [00:13:00] moving technologies like that.
Sean Martin: Was that his mic drop as well or did he?
Rock Lambros: No, no, no.
Sean Martin: Did he give any advice for how to deal with that statement?
Rock Lambros: Uh, no, actually he did not.
That was a little bit of a mic drop. Yeah, it was in the context of a panel discussion.
Sean Martin: Yeah. Yeah. It's hard, hard to catch a lot of that, uh, yeah. In that type of environment. Interesting. Um, I dunno if you had a sense of what kind of folks were in the room with you? Were they other vendors?
Rock Lambros: No, it was mostly practitioners for sure.
Okay. Uh, and I would say folks, I would say everyone from individual contributor to CSOs. Okay. Um, you know, I. Just walking around, I definitely saw some code on laptops, right? So there are definitely some technical people in there, right? And then all the way up to policy and leadership.
Sean Martin: Nice.
Rock Lambros: It was definitely not a technical summit.
Sean Martin: Yeah, more, well, obviously looking at policy and, yeah, and [00:14:00] things like that, uh, very high. And NVIDIA folks, I doubt he was getting into auto code stuff.
Rock Lambros: No, he was not.
Sean Martin: He may be able to, I'm not saying he's not. Um, Anyway, Rock, it's fantastic to, uh, to catch up with you and I appreciate your insights there.
And as I've said a few times, I'll include a link to your post so people can, there's a few more things in there that, uh, that you, that you mentioned. We're not going to cover them now, but, uh, take a look at that post. Do connect with Rock. Um, super sharp dude. I'm thrilled to call you my friend, man.
Rock Lambros: Absolutely as well.
Sean Martin: So enjoy, uh, enjoy the rest of it here and we'll be, uh, we'll be chatting soon again, I'm sure.
Rock Lambros: Great. Thank you. Thank you so much. Enjoy the rest of the show.
Sean Martin: Yep. For everybody listening, please stay tuned. There's a lot still coming from Black Hat here on location. I might drag Marco into another conversation at some point.
Who knows? Stay tuned.