ITSPmagazine Podcast Network

The Evolving Landscape of Application Security | A Brand Story Conversation From Black Hat USA 2024 | An AppSOC Story with Willy Leichter | On Location Coverage with Sean Martin and Marco Ciappelli

Episode Summary

In this episode of "On Location With Sean Martin and Marco Ciappelli" at Black Hat USA 2024, host Sean Martin sits down with Willy Leichter to discuss the latest from AppSOC and explore the evolving landscape of application security.

Episode Notes

Black Hat Hacker Summer Camp: A Meeting Ground for Security Minds

As Sean Martin and Willy Leichter kick off the discussion, nostalgia sets in as they recount their years of attending the Black Hat Hacker Summer Camp. The perennial themes of security, new technology, and ever-evolving threats always seem to find their way back into the conversation, no matter how much the landscape changes.

Returning to Basics: The Unending Challenge of Security

Sean points to the recurring themes in security, to which Willy responds with a reflective acknowledgment of the cyclical nature of the industry. "It's back to figuring out how to manage all of this," he states, highlighting that while new technologies emerge, the essential task of managing them effectively remains unchanged.

Introducing AppSoc: The New Kid on the Block

Sean and Willy then dive into the heart of their discussion: AppSOC. Founded by serial entrepreneur Pravin Kothari (a co-founder of ArcSight and founder of CipherCloud), AppSOC is positioned in the Application Security Posture Management (ASPM) space. Willy elaborates on the company's mission: to consolidate, normalize and prioritize the findings produced by point solutions across the pipeline (SAST, DAST, IAST, IaC scanning and runtime tooling) so that noise goes down and actionable signal goes up.

The Importance of Prioritization and Orchestrated Remediation

Willy explains that AppSOC's "secret sauce" is prioritization. Ranking findings by CVSS score alone leaves an analyst with a thousand or more critical alerts a day, so the platform layers in exploitability, asset criticality and other business context to cut that list down to the twenty or so that need attention now. He stresses that detection without action is futile; hence AppSOC also orchestrates remediation, routing findings into the tools teams already use (ServiceNow, Jira, Slack) with bi-directional ticket updates, and supporting an exception process so that a formally accepted risk stops resurfacing as a new alert.
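To make the consolidate, normalize, de-duplicate and prioritize loop concrete, here is an added Python sketch. It is an illustration written for this page, not AppSOC's code or scoring model: the two scanner feeds, the field-name maps, the asset-criticality values, the accepted-risk exception and the multipliers are all constructed assumptions chosen to show how factors beyond CVSS reorder a finding list.

```python
"""Illustrative multi-factor prioritization of application-security findings.

Added example for this page, not AppSOC code. Feeds, field names, weights and
the business-context map are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    known_exploited: bool = False   # assumption: a scanner or enrichment feed sets this
    internet_facing: bool = False   # assumption: from DAST or the asset inventory
    sources: set = field(default_factory=set)


# Each scanner exports different field names; a per-source map turns its
# records into the common Finding shape. Both feeds are constructed sample data.
FIELD_MAPS = {
    "sast": {"asset": "repo", "vuln_id": "vuln_id", "cvss": "severity"},
    "dast": {"asset": "target", "vuln_id": "id", "cvss": "score",
             "known_exploited": "exploited_in_wild", "internet_facing": "exposed"},
}

SAST_FEED = [
    {"repo": "payments-api", "vuln_id": "V-1", "severity": 9.8},
    {"repo": "internal-wiki", "vuln_id": "V-2", "severity": 9.6},
    {"repo": "payments-api", "vuln_id": "V-3", "severity": 5.3},
]
DAST_FEED = [
    {"target": "payments-api", "id": "V-1", "score": 9.8, "exploited_in_wild": True, "exposed": True},
    {"target": "internal-wiki", "id": "V-2", "score": 9.6, "exploited_in_wild": False, "exposed": False},
    {"target": "marketing-site", "id": "V-4", "score": 7.5, "exploited_in_wild": True, "exposed": True},
]

# Business context (constructed): how much a compromise of each asset matters, 0..1.
ASSET_CRITICALITY = {"payments-api": 1.0, "marketing-site": 0.5, "internal-wiki": 0.2}

# Exception management: (asset, vuln_id) pairs the business has formally accepted.
ACCEPTED_RISK = {("internal-wiki", "V-2")}


def normalize(source: str, raw: dict) -> Finding:
    """Map one raw scanner record onto the common Finding shape."""
    m = FIELD_MAPS[source]
    return Finding(
        asset=raw[m["asset"]],
        vuln_id=raw[m["vuln_id"]],
        cvss=float(raw[m["cvss"]]),
        known_exploited=bool(raw.get(m.get("known_exploited", ""), False)),
        internet_facing=bool(raw.get(m.get("internet_facing", ""), False)),
        sources={source},
    )


def consolidate(feeds: dict) -> dict:
    """Normalize every feed and de-duplicate on (asset, vuln_id).

    When two tools report the same issue, keep the highest CVSS and OR the
    exploitability/exposure flags so no evidence is lost in the merge.
    """
    merged: dict = {}
    for source, records in feeds.items():
        for raw in records:
            f = normalize(source, raw)
            key = (f.asset, f.vuln_id)
            if key in merged:
                cur = merged[key]
                cur.cvss = max(cur.cvss, f.cvss)
                cur.known_exploited = cur.known_exploited or f.known_exploited
                cur.internet_facing = cur.internet_facing or f.internet_facing
                cur.sources |= f.sources
            else:
                merged[key] = f
    return merged


def risk_score(f: Finding) -> float:
    """CVSS is the baseline; exploitability, exposure and business context scale it.
    The multipliers are illustrative choices for this example, not a standard."""
    score = f.cvss
    score *= ASSET_CRITICALITY.get(f.asset, 0.5)  # unknown asset: middle-of-the-road weight
    score *= 3.0 if f.known_exploited else 1.0
    score *= 1.5 if f.internet_facing else 1.0
    return round(score, 2)


def prioritize(feeds: dict, top_n: int = 20) -> list:
    """Return the top_n findings worth a ticket, highest risk first,
    with accepted-risk exceptions removed before ranking."""
    findings = consolidate(feeds)
    ranked = [
        {"asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
         "score": risk_score(f), "sources": sorted(f.sources)}
        for key, f in findings.items() if key not in ACCEPTED_RISK
    ]
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked[:top_n]


if __name__ == "__main__":
    for row in prioritize({"sast": SAST_FEED, "dast": DAST_FEED}):
        print(row)
```

On this constructed data, CVSS alone would rank V-1, V-2, V-4, V-3. After merging the duplicate V-1 report from both scanners, dropping the accepted V-2, and weighting by exploitation, exposure and asset value, the list becomes V-1, V-4, V-3: the known-exploited, internet-facing V-4 on a mid-value asset outranks the unexploited V-3 on the crown-jewel payments service, and the 9.6-score V-2 never reaches the queue because the business already signed off on it.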

Leveraging AI for Better Prioritization and Security Posture

AppSOC's use of AI runs in two directions. The company applies AI to streamline prioritization, and it is extending the platform to protect AI systems, which Willy calls the next frontier. The explosion of enterprise AI applications and large language models (LLMs), often built by data scientists outside the traditional governance path, has opened new attack surfaces: many CISOs cannot say how many LLMs they have. AppSOC's first steps are a "Shadow AI" inventory of AI projects and the models they use, risk ratings for models pulled from Hugging Face and similar sources so teams connect only to known-good ones, governance documentation for each project, and visibility into the API calls these AI tools make into enterprise applications. Inline inspection of prompts with DLP-style analysis is the thornier problem they are starting to work on next.

Real-world Applications: A Day in the Life with AppSoc

Willy shares a success story about the CISO of a mid-sized insurance company who needed to answer the board's "are we secure?" across developers, security management and operations. Before, he paid consultants roughly half a million dollars every six months to comb through logs and produce a report that was out of date the moment it was delivered. AppSOC's continuous, real-time scoring, weighted by the business context that matters to an insurer rather than a generic profile, replaced those semi-annual snapshots with actionable insight on demand.

The Shift-Left Strategy and DevSecOps Collaboration

The conversation shifts to the importance of connecting DevOps, DevSecOps, SecOps and IT teams. Willy points out that specialization in silos is valuable, but you need "connective tissue" to get the bigger picture, because the same threat can show up as a code vulnerability, a runtime exploitation attempt and an operational weakness at once. Today that hand-off too often means important findings dumped into a spreadsheet and emailed, which is why fixes take days, weeks or months. The goal is for the shift-left crowd and the traditional runtime side to look at the same dashboard and still drill down into what each cares about.

Conclusion

Sean Martin wraps up the conversation with Willy Leichter, expressing his excitement for the future of AppSOC. The episode underscores the critical importance of effective application security and how platforms like AppSOC are paving the way for a more secure digital landscape.

Learn more about AppSOC: https://itspm.ag/appsoc-z45x

Note: This story contains promotional content.

Guest: Willy Leichter, Chief Marketing Officer, AppSOC [@appsoc_inc]

On LinkedIn | https://www.linkedin.com/in/willyleichter/

Resources

Learn more and catch more stories from AppSOC: https://www.itspmagazine.com/directory/appsoc

View all of our Black Hat USA 2024 coverage: https://www.itspmagazine.com/black-hat-usa-2024-hacker-summer-camp-2024-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

The Evolving Landscape of Application Security | A Brand Story Conversation From Black Hat USA 2024 | An AppSOC Story with Willy Leichter | On Location Coverage with Sean Martin and Marco Ciappelli 

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Here we are. We are at Black Hat Hacker Summer Camp. Once again. Once again. Been a while. It's been, uh, many years we've been chatting about all kinds of stuff. Security.  
 

[00:00:11] Willy Leichter: A lot of years we've been here and it seems like there are some common themes that keep recurring. Right. Even with all this new technology and new threats. 
 

[00:00:18] Sean Martin: It's back to basics. Is that one of them?  
 

[00:00:21] Willy Leichter: I think it's back to figuring out how to manage all of this. Or that's always been the perennial problem.  
 

[00:00:28] Sean Martin: There's always something new and, and, uh, you have to figure out how to fit it in. Uh, for those watching, uh, you've probably seen Willy on the show. Willy Leichter. 
 

It's good to see you.  
 

[00:00:38] Willy Leichter: Great to see you again, Sean.  
 

[00:00:39] Sean Martin: Thrilled to have you on, uh, our, uh, Brand Story episodes here. Uh, we're going to talk about AppSOC today. Yes. Which is cool. And you guys have some new announcements, which you're going to dig into. Um, I want to start with the folks who aren't familiar with AppSOC yet. 
 

Yeah. Maybe a little background on how it was founded, why it was founded, who it's for, what you do.  
 

[00:01:00] Willy Leichter: Great, yeah, and uh, most people probably haven't heard of AppSOC yet, so fair enough. We're a startup, although we've been around for a couple of years, uh, founded by Pravin Kothari, who's a serial entrepreneur. 
 

He's one of the founders of ArcSight back in the day. He started CipherCloud, where I worked for him before. Um, done several other startups and He's a legend. He is a legend, yeah. And, uh, walking down the hallways here a year ago, I ran into him and he recruited me back into his latest startup. So, and it's been a lot of fun. 
 

So, AppSOC is in the ASPM space, which is an awkward acronym, but Application Security. It's hard to pronounce anyway. It doesn't roll off the tongue, but Application Security, broadly. Um, but what that means is, we take all of this data from all these security point solutions, you know, SAST, DAST, IAST, IaC, all the way from development through operations. 
 

We bring it all together, we normalize it, we consolidate it, aggregate it, but then we try to prioritize it as intelligently as possible. And the perennial problem is all of the noise that the analysts get. You know, there's just too many vulnerabilities. If you just go by CVSS score. You'll have a thousand, you know, ten critical alerts every day. 
 

So that's not manageable. So you've got to bring in other factors, the exploitability, the business context itself, how critical is, you know, is this asset to this business, and a number of other things. We managed to reduce that Venn diagram from say a thousand alerts to 20 alerts that are most critical that you need to deal with. 
 

So that's kind of the, our, our secret sauce. Um, but also then we, um, orchestrate remediation because, you know, detection is great, but detection alone without doing something about it is, um, gets lost. And in fact, a lot of the problems now are, there's so much data that gets into silos that with different teams, you know, the development team has their DevSecOps silo. 
 

The vulnerability team has their own silo. You need to be able to put that together and get the bigger picture. Otherwise you can't tell what your posture is. So that's, that's our goal.  
 

[00:03:04] Sean Martin: I love it. And can I ask this, um, Pravin's background in security management, the whole SIEM space. How much of that plays a role in what you're doing? 
 

[00:03:15] Willy Leichter: I think quite a bit. I mean, he has a sixth sense for where markets are going. Which, that's why we follow him. Um, but he's got a combination, you know, security management with SIEM. He also started a risk management startup. Uh, he also, I was involved with CipherCloud, which was doing cloud security and, uh, the first CASB. 
 

So you put those together, you know, there's something new every, every time. But he's, he's got a very good sense of what enterprise practitioners need day to day. And I think at the end of the day, that's who you  
 

have to satisfy.  
 

[00:03:50] Sean Martin: Yeah, and I think, um, having worked in the SIEM space many, many years ago, You get a nice, good view of what's going on in an organization. 
 

So I'm certain he has a good perspective on what's running where, who's running what, how's it supposed to support the business.  
 

[00:04:07] Willy Leichter: What's funny, if you look at SIEM and then SOAR and now ASPM, we use the same words, you know, consolidate, aggregate, de duplicate, normalize. It's been the same terms, but we, you know, the threats go up exponentially. 
 

So it requires Better, not different approaches necessarily, but better technology to keep up with it and better prioritization. So, you know, we're using AI like a lot of other security practitioners to streamline it. Although what we'll get into in a minute is not just using AI, but protecting AI systems. 
 

That's our next, our next frontier. But like you said, SIEM is a, is a good background and it's sort of deja vu all over again with, you know, these same kinds of challenges haven't gone away. Maybe they're too fundamental. Yeah.  
 

[00:04:53] Sean Martin: And I think, um, you probably have the same experience, uh, at CipherCloud, but when you, because you mentioned silos, right? 
 

Yeah. You have the DevOps and CloudOps and SecOps and ITOps and there's all these teams and they all have some connection in some way to an exposure. Yeah. Or a weakness or some, some threat and being at the forefront of, of cloud security with CipherCloud. Connecting security and CloudOps and ITOps. 
 

Having that understanding of what's important to those different teams, how those teams function, what their priorities are, must play a huge role.  
 

[00:05:34] Willy Leichter: You know, the specialization in silos is good. We're not specialists, but you've got to find the connective tissue so you can get the bigger picture. Because the same threat can hit multiple places. 
 

You know, there's correlating threats across, if it's a vulnerability in your code, something that's being exploited in run time, some other new threats that are making this. You know, this vulnerability is particularly a problem. I think that's always the challenge is putting that bigger picture together. 
 

But it's, it's hard because people have their jobs, they have their focuses. You know, you're trying to ship code, you're trying to get all the vulnerabilities flushed out, and then hand it off to someone else. And then the biggest thing that we still see everyday is important information gets dumped into a spreadsheet, emailed to someone, and then a couple days later, you know, this is why it can take days to weeks to months. 
 

For companies to do the right thing. And it's not a lack of talent or a lack of, of ideas. It's just there are gaps and that make things incredibly inefficient.  
 

[00:06:35] Sean Martin: Stand up meetings to run through spreadsheets. It's not very fun.  
 

[00:06:38] Willy Leichter: Yes, exactly. Exactly. And also it gets back to different groups speaking different languages and looking for different things. 
 

You've got to find a way to. Satisfy both, give you the bigger picture, but let everybody drill down into what they're looking at. And that's, that's really what we try to do with our platform.  
 

[00:06:53] Sean Martin: So can you, can you paint a scenario for us? Sure. A customer, multiple customers, whatever. Kind of a day in the life of working with AppSOC. 
 

Sure. How things change, how things look.  
 

[00:07:04] Willy Leichter: Um, actually I'll give you a scenario from one of our customers, uh, is a CISO. Um, for an insurance company. And he's managing a mid sized company, you know, about a thousand people. There's a group of developers. There's a group of, um, you know, people who are doing security management. 
 

There's operations people, there's, and he's trying to manage risk across the whole company. And you know, the question for him from the board or from his, you know, the CEO is, are we secure? What's our security posture? And can you tell me, you know, how's it looking today? And he, his anecdote is he would hire consultants every six months, pay them about half a million dollars every six months. 
 

To comb through the logs, pull all this stuff together, and then give him a thumbs up, or, you know, you need to fix this. And that's, you know, not exactly real time. The minute it was done Better than not having it, that's usually Yes, but it's out of date. It's dead on arrival, in terms of the, you know, the validity of the data. 
 

So he's been trying to find a platform to get this in real time, get it as a continuous process, rather than a one off. And that's, that's the challenge, I think. You know, they have the usual assortment of tools in different silos. They have SAST and DAST. They have cloud infrastructure, they have operational tools, they have traditional infrastructure. 
 

So there's all these different feeds of data coming in, but what we try to focus on is risk scoring based on some business context on what's important to this particular organization. And that's also kind of been their vision is, you know, we know we don't, we We're not a healthcare company. We're an insurance company. 
 

So what are the particular risks? What are the particular assets we're worried about and really flagging those and then just making it making it manageable? So it's a good success story there. I think probably we are most valuable for Teams that are trying to connect or collaborate or get the bigger picture  
 

[00:08:58] Sean Martin: What types of teams are there? 
 

DevOps, SecOps, IT?  
 

[00:09:01] Willy Leichter: Yeah, you know, I mean there of different titles. So certainly the AppSec groups, DevOps, DevSecOps. Um, but also, I guess people come at it from two sides actually. There's the shift lefters, and there's the traditional right handed people, right? Really trying to do the same thing, and both trying to get visibility across the gap. 
 

But, you know, the infinite loop of the DevSecOps never quite was completed. Right. You know, it's a great idea, but I think that's it. Making that actually work. So both sides are looking at the same dashboard. So that's, that's really our goal.  
 

[00:09:36] Sean Martin: And so when you're, you get this information and we talked a little bit about remediation. 
 

What are, what are some of the outcomes? The last few weeks I've had a lot of conversations, driven a lot by some of the topics and sessions here at Black Hat around metrics. Yeah. And what, what is a metric that you're going to measure against? And what does success look like? So what.  
 

[00:09:59] Willy Leichter: Yeah, that's great. That's a great way to put it because success looks like, first of all, not having bottlenecks in getting the information to the right people, automating some of the communication workflows, you know, and there again, if you're doing a better job prioritizing when you send alerts to people, they're not bombarded. 
 

So, you know, being more selective there. But, automating that, automating ticket creation, things like ServiceNow and Jira, having that be bi-directional, so, you know, lots of people just working on the ITSM side, so if they're making updates, you want to feed that back. If there's a lot around exception management, you know, we know this bug's not a problem. 
 

It's not going to shut us down from the developers. Okay, we don't have to have it pop up 20 times every day. Let's, you know, have an approval process where this bug's okay. Put it on the back shelf, and it's not going to raise alarms. We have some other  
 

mitigation. Exactly, exactly. And then also, you know, with every vulnerability from every source, there's a lot of useful information about what to do about it. 
 

And making sure that doesn't get lost, that's part of the tickets, that's part of the remediation workflow, all of that stuff. Kind of unclogging the pipes with all this information, and making it readily available. And we don't try to reinvent the wheel on remediation, you know, people want to use ServiceNow or Jira or, or the tools they, you know, they want to use Slack, of course, all those things are just part of what we do. 
 

Exactly, exactly.  
 

[00:11:23] Sean Martin: So we talked a little bit about leveraging AI to help with some of this, right? Yeah. Understanding context and bringing a story together and maybe even helping with some of the remediation options I presume you're doing. I don't know if there's anything more you want to elaborate on the use of AI in a meaningful way. 
 

But then I also know you've done some stuff.  
 

[00:11:44] Willy Leichter: Yeah, I think we, you know, probably a good time to pivot towards what we're doing with AI. Um, to protect AI. Now, this is an incredibly hot topic. Um, it's also very early days. So, you know, there's more talk than there is understanding, frankly, in a lot of this. 
 

But that's okay, that's part of the process. But, there's, we've all seen this since ChatGPT, you know, went viral. Um, Almost, not everyone, but many, many organizations are feeling like they need to do something. They need the chatbot up and running. They need to use AI for competitive purposes. So there's this, you know, snowball going with enterprises, a lot of pressure. 
 

There's also new players, data scientists, business owners who aren't, you know, maybe not in the traditional security routes or traditional governance routes who are doing these skunkworks things, creating great stuff. Um, but it's happened so quickly. Like other trends in the past, security is racing to try to catch up. 
 

But from our standpoint, it's a very logical extension of application security. Absolutely. You know, these tools, while you have new attack surfaces, obviously you've got the LLMs, you have the data sets, you have, you know, all kinds of new issues there, but you've still got to cover the basics. Yeah. Um, so, I don't know if you've looked at Hugging Face at all. 
 

Uh, a little bit. A little bit. It's, you know, it's gone from like a few thousand LLMs to close to a million now. All free. All downloadable. You can add things to it. You know, great open source community thing, except there is no guardrails or governance. And, you know, it's incredibly attractive to bad actors as well. 
 

Um, and the data scientists love the easy availability of all these models. You know, they want to experiment. They want to test data sets. That's all great. But if you're an enterprise, well, let me also separate two things. There's the whole world of people like me using ChatGPT all the time. Some prompt, yeah. 
 

Yeah, which, you know, a lot of issues there, bias, other things. But park that for a minute. What's also happening is enterprises are building AI applications. They're bringing in, you know, tools like from Amazon and Microsoft and Databricks. OpenAI. You know, they're, they're starting to build these stacks of tools. 
 

There's a whole MLOps, you know, practice now. Um, all of it is really very parallel to what we already do in DevOps. But it seems to be a little bit in a, you know, in a different swim lane. Right. Um, but, um.  
 

[00:14:14] Sean Martin: Is that because of the data scientists versus the application engineers?  
 

[00:14:16] Willy Leichter: I think a part of it, I think maybe the speed. 
 

Yeah, I think it's been treated as a specialty and, you know, something new. It's code at the end of the day, right? But. Um, it, it somehow has happened quickly that there are new players there that seem to be in a, you know, parallel universe. And that's a problem for any CISO. You know, we've talked to many CISOs who aren't sure how many LLMs they have. 
 

They know there's a whole bunch of AI projects, but they're not sure how many. So, starting first, we're doing, um, what we're calling Shadow AI. You know, you remember Shadow IT? Not that long ago. Shadow AI, you know, do we know the projects? Do we know what LLMs are used? And we're not necessarily trying to, you know, figure out what someone's, you know, doing on the dark web. 
 

But if you're an enterprise, you're probably using, you know, a platform like Amazon. You're probably using SageMaker or OpenAI or Databricks. So, what are those projects? Do you have some governance around them? Have you documented, you know, typical compliance things. Have you documented why you're building this, who it's for, what the risks are, what the sensitivities are? 
 

There are all these things that, um, haven't been documented. Really organized, so getting that all into a compliance framework, and then we're also developing a knowledge base around Hugging Face and other sources so we can start to scan and detect at least where they came from, who's touched it, and also make sure  
 

[00:15:42] Sean Martin: Describe that a little bit more  
 

[00:15:43] Willy Leichter: Sure, so we're, we are scanning the Hugging Face world. 
 

Okay. And using various tools and with some partners trying to put some risk rating around these different LLMs. And then also trying to  
 

[00:15:57] Sean Martin: It's kind of like the old days of assessing the App Store.  
 

[00:16:01] Willy Leichter: Yeah, it kind of is, yes. Yeah. And, um, you know, we're starting with I would say as opposed to us trying to find everything bad in the world, we're trying to set up guardrails so organizations can use authorized, approved tools Use authorized LLMs and make sure that a data scientist didn't bring in 20 other LLMs or other data sets that might be suspect. 
 

Connect to known good. Exactly. Connecting to known good. Exactly. You know, everyone's intent is to do that, but without some guardrails or some governance, you know, we know there's going to be some big mishaps. I mean, you know, the CrowdStrike, you know, the potential with AI mishaps. I don't mean doom and gloom, but it's a large attack surface. 
 

There's all kinds of stuff we don't know. You know, we don't know how it's going to be exploited, but we know it will be. Um, but setting up these guardrails so we're prepared for that and we at least can have clean AI systems. We can have documentation. And then, you know, there's still vulnerabilities, there's still code underlying it. 
 

The other thing with, even if it's a different group building this AI stuff, it's connecting to enterprise applications. So, it all goes back to, you know, whatever it is. It's your, you know, application to support your business. Through an API, exactly. And that's one of the first areas we're looking at is all these API calls to applications. 
 

From these, uh, AI tools. So it's a big, you know, it's a big attack surface, but we're chipping away at it, and the other part of it then, as I mentioned before, is not creating a new data silo. You know, there's a lot of people here with, you know, brilliant minds trying to look at different pieces of what we can detect, and we're doing that as well, and also partnering. 
 

But, once you detect, you've got to put it in some framework to prioritize it to management and do something about it.  
 

[00:17:47] Sean Martin: Get it to the right team.  
 

[00:17:48] Willy Leichter: Get it to the right team, yeah. Not, not put it in a spreadsheet. Yep. And that's, that's the non sexy part, but if you don't do that, it's, you very easily create a new data silo. 
 

So it's exciting times. We're, um, you know, there's a huge amount of interest. Um, what's also interesting is we're finding, at least from our point of view, the AppSec world, the CISO world, they're in a way trying to bring this new stuff into the fold. And manage it properly. And we know this world well, what they need to do. 
 

Um, and you know, not have it be out in isolation. Um, then the next level is actually getting in line and looking at the prompts and doing some DLP analysis and things like that. So we're starting to work on that. That's a much thornier problem. You know, it reminds me of the days of, I was at Websense 15 years ago and people You know, a lot of parallels. 
 

You know, when we were convinced that you couldn't let people just surf the web at their desks because that's a risk. Or you couldn't let them put stuff in a cloud because that's a risk. You know, we figured out how to make it work. But, you know, and it's a cliche, but we also believe no one's going to succeed if you say AI is going to, you know, bring the, bring us down. 
 

It's an existential threat, whatever. It's happening. It should be enabled properly. And if you don't, it'll happen anyway. And then we'll be caught off guard.  
 

[00:19:13] Sean Martin: Exactly. Well, what I love about this conversation, and it's the reason I brought it up in the beginning, is both you and Pravin have tremendous experience in cutting edge problems that needed cutting edge solutions. 
 

And you're bringing those experiences, obviously different technologies underlying all this stuff. Yeah. But you, you've done this before, . Yes. You've done this before.  
 

[00:19:37] Willy Leichter: Yeah. There's some value to, you know, and not being your first goat rodeo. Yeah. It's . It's, you know, you have to, at the end of the day, it's gotta be delivered in a pragmatic way that's really solving. 
 

Yeah. The problems people have now and a lot of understanding their business. Exactly, exactly. And mapping it to what they're mapping, to how security works, to how their business works. Exactly. A lot of these things, it's early days. You know, there's going to be, we'll be talking about this for many years, I'm sure. 
 

Um, and the particular threats will evolve, of course, and what we're looking, what we're detecting will evolve, but it's still got to be brought into the fold. So you can manage it and deal with it. And that goes back to the SIEM days, you know, 25 years ago. Full circle, exactly.  
 

[00:20:22] Sean Martin: Well, cool stuff, Willy. I'm thrilled for you in this role and happy to see that AppSOC has taken off and continuing to innovate. 
 

[00:20:32] Willy Leichter: Yeah, we appreciate that and I've always enjoyed these conversations because we're kind of, you know, cutting through a lot of the noise. We appreciate that.  
 

[00:20:38] Sean Martin: I hope so. Alright, thanks a lot, Sean. Awesome, man. Everybody, thanks for listening and watching. Be sure to connect with Willy and the AppSOC team, and Pravin as well, and uh, stay tuned for more from Black Hat.