The AI boom is destined to pop, just like the 1990s’ dot-com bubble. Get used to the term “IT heterogeneity” as this will be the infosec budget-buster you never wanted but soon will need. And how can memory safety bugs still represent 70% of Microsoft and Google flaws despite a 2005 cybersecurity pledge to eradicate them by 2010?
Alex Stamos, CISO at SentinelOne and lauded Silicon Valley insider, tackled these topics and others at last week’s Black Hat USA security conference.
In a SC Media briefing with the ex-Meta security boss and former Yahoo CISO, Stamos also said the window of time is short for IT security teams to deliver next-level cyber resilience to their systems before geopolitical conflicts spark the next CrowdStrike-Microsoft level outage executed by an adversary — not a flubbed update.
Like others here at Black Hat, Stamos believed that the CrowdStrike-Microsoft outage was a mixed blessing, serving as a warning shot. “This was our warning in peacetime that we need stronger cyber resilience against a future event of this magnitude.”
Fragility of US critical infrastructure
He warned U.S. critical infrastructure and Fortune 100 companies are in the crosshairs of adversaries. A World War III-scale event is going to play out a lot worse than the CrowdStrike outage aftermath, he said.
“If you had told me the morning of the CrowdStrike outage that China's PLA (People's Liberation Army) were in the Taiwan Strait, I would have believed you. So much went offline that morning. Three U.S. airlines — half the civil air reserve fleet — were grounded,” Stamos said.
What is IT heterogeneity?
For Stamos, the lasting impact of the CrowdStrike-Microsoft outage will be a drive for IT heterogeneity. This concept is based on the premise that organizations need duplicate critical infrastructure systems that are separate and not vulnerable to the same single point of failure or attack.
“If you're an airline, railroad, power system or any company that absolutely can't go down, you are going to end up with IT heterogeneity. … Companies have backup generators if the grid goes down, and similarly businesses are going to build parallel systems because they can’t afford another CrowdStrike catastrophe,” Stamos said.
An organizational shift to IT heterogeneity is still in its infancy, but businesses will be able to justify the investment. He pointed to the lesson learned by Delta Air Lines and its own estimated $500 million price tag for the CrowdStrike-related systems meltdown.
“One thing you could end up with is companies running on separate cloud systems, where you end up with less operating leverage across cloud systems, different authentication and operating domains. Any disaster recovery system is going to be running in a completely different cloud,” he said.
These divergent systems — built to support a unified business goal — will assure operational continuity against disaster. “It’s going to cost more money, and it's going to be a pain from an IT perspective,” Stamos said.
Interestingly, Stamos predicted the IT heterogeneity trend will swing the door wide open for managed service providers and managed security service providers to build and manage these backup infrastructure systems.
Back to the future with AI
Remember the '90s and Tamagotchis, Al Gore’s information superhighway and the dot-com boom and bust? Stamos believes that when it comes to the AI boom, we may have that same fuzzy nostalgia looking back at the 2020s.
The move-fast-and-break-stuff spirit behind the AI gold rush coupled with over $1 trillion in AI investments (PDF) is spurring an AI bubble and an eventual AI hangover, Stamos predicted.
“There's good reason for so much investment in AI,” he said. “AI delivers huge efficiencies in the economy.” But the products flooding the market — ranging from genius to foolhardy — are inadvertently introducing a brand-new class of risk.
“Large language models are not yet secure by design,” Stamos said. The fundamental research necessary to put large language models on any kind of security gradient just doesn’t exist, he said.
“All this AI feels reminiscent of the '90s,” Stamos said. “I remember when an internet vulnerability would debut at Black Hat and DEF CON, and the next day every web app in the world would be vulnerable to it. That's close to where we are with AI,” Stamos said.
The AI wet blanket, he predicted, comes when companies attribute financial losses to expensive AI investments that fell far short of a vendor’s ROI promise. Then there is security. Internal AI systems linked to breaches and massive hacks tied to a company’s over-reliance on AI bots versus human intelligence could inevitably put the hyperactive AI market on ice.
“When a critical mass of companies use AI to replace human beings — who are making intelligent decisions — things are going to get messy fast,” he said.
Fight the dark side: Join the ‘cyber resilience’
The oft-repeated mantra heard at nearly every Black Hat keynote last week when it came to mitigating risk was “cyber resilience.” Stamos agreed but said the concept needs to be more than a security conference bumper-sticker. “Secure by design can’t just be a CISO checkbox item,” he said.
“In 2005, keynotes talked about eradicating memory management bugs in five years,” Stamos recalled. “It’s an indictment of the software industry overall that in 2024, with all the memory safe languages to choose from, we're still dealing with C++ bugs and use-after-free flaws.”
“Security by design back then assumed we were on a path to eliminating this entire class of vulnerabilities. And we did not,” he said. Fast forward and a CrowdStrike regex failure took out millions of computers and grounded fleets of airplanes.
The Stamos top 10
Stamos’ sage advice: “assume nothing when it comes to security” and, yes, practice security by design, don’t just preach it. He offered these cyber resilience tips:
- You're going to have vulnerabilities, so limit the danger downstream through smart system architecture and design.
- Move things into user mode and figure out what needs to be jailed.
- Build code to have verification on the front end and not crash the important systems.
- Design cloud services so that input validation is on the front end.
- Carefully choose what languages you choose to run services in.
- Build data validation layers and data access layers that ask for access control checks as close as possible to the data itself.
- Build a system so that you flow identity all the way through the system.
- Avoid impersonation attacks and make sure you don’t have a confused deputy issue, where you lose the plot of who is actually making a request for data.
- Design your cloud architectures so that all the different components are authenticating properly with one another.
- Build your systems for least-privilege on the operations side.
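The identity-flow, confused-deputy and front-end-validation tips above, as an added Python sketch that is not Stamos' code or anything from the article: a middle tier that swaps in its own service identity leaks a cross-tenant record, while one that forwards the original principal to a check sitting beside the data does not. The invoice store, tenant names and the `billing-svc` service account are constructed for the example.

```python
import re
from dataclasses import dataclass
@dataclass(frozen=True)
class Principal:
    """The original requester's identity, carried through every hop."""
    name: str
    tenant: str

# Constructed sample data standing in for a real invoice store.
RECORDS = {"inv-1": {"tenant": "acme", "amount": 120},
           "inv-2": {"tenant": "globex", "amount": 900}}
INVOICE_ID = re.compile(r"^inv-\d{1,9}$")  # shape check belongs at the edge
SERVICE = Principal("billing-svc", tenant="internal")  # constructed service account

def leaky_read(caller, invoice_id):
    """Anti-pattern: a 'trusted' service name bypasses the tenant check."""
    rec = RECORDS[invoice_id]
    if caller.name == SERVICE.name or rec["tenant"] == caller.tenant:
        return rec
    raise PermissionError(f"{caller.name} may not read {invoice_id}")

def guarded_read(caller, invoice_id):
    """Access check beside the data, always against the end user's tenant."""
    rec = RECORDS[invoice_id]
    if rec["tenant"] != caller.tenant:
        raise PermissionError(f"{caller.name} may not read {invoice_id}")
    return rec

def confused_deputy(user, invoice_id):
    """Middle tier that drops the user's identity and calls as itself."""
    return leaky_read(SERVICE, invoice_id)  # 'user' never reaches the data layer

def identity_flowing(user, invoice_id):
    """Validate at the front end, then propagate the user's own identity."""
    if not INVOICE_ID.match(invoice_id):
        raise ValueError("malformed invoice id rejected at the edge")
    return guarded_read(user, invoice_id)

def _raises(exc, fn, *args):
    try:
        fn(*args); return False
    except exc:
        return True

def demo():
    """(deputy leaks a cross-tenant record, guarded path denies it, bad id rejected)."""
    outsider = Principal("mallory", tenant="globex")
    leaked = confused_deputy(outsider, "inv-1")["tenant"] == "acme"
    return (leaked,
            _raises(PermissionError, identity_flowing, outsider, "inv-1"),
            _raises(ValueError, identity_flowing, outsider, "not-an-id"))
```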
Those are the kinds of security-by-design decisions you have to make up front.