Generative AI (as used by defenders AND attackers) will Drive SOC Evolution – Greg Notch, Edward Wu – ESW #369

The question everyone is pondering: why did they walk away? Did they never take the deal seriously? Was this a strategic move to boost their credibility pre-IPO? Or was there a real chance they might accept a deal from one of the top 5 cloud service providers? On that last point, it always struck me as odd that the largest, fastest growing vendor-agnostic cloud security provider would ever seriously consider throwing away that cloud-agnostic label by selling to Amazon, Microsoft, or Google.

Cole Gromus has an interesting take over on LinkedIn, likening it to Wiz's "Zuckerberg moment".

BlackHat Spotlight is similar to RSA's Innovation Sandbox, in that many startups apply by submitting videos, and a handful are chosen to compete. Each finalist gets a free booth at BlackHat, where they compete on stage, and a winner is selected. A key difference is that Startup Spotlight chooses 4 finalists instead of RSA's 10.

It has been tradition to interview a few of the finalists on Enterprise Security Weekly, and we're already working on scheduling some of them for August shows.

This year's finalists are:

• DryRun Security: "delivers near-instant security code reviews"
• Knostic: "provides need-to-know based access controls for large language models (LLMs)" <- Sounil Yu and Gadi Evron
• LeakSignal: "empowers organizations with protection against sensitive data leakage"
• RAD Security: "a behavioral cloud detection and response solution"

While some of these details have been available before now (7/24 at the time I'm writing this), some of these details are new and worth discussing. I particularly want to discuss this because there are a lot of myths, conjecture, and wrong information out there about this incident.

TL;DR - Crowdstrike's process for releasing software updates, and sensor content was and is careful, resilient, and contains many levels of sanity checks. Crowdstrike's process for releasing Rapid Response Content didn't include many of these safety measures, but it will in the very near future.

Interesting insights and mythbusting points:

• the release that broke the world was only out for 78 minutes before Crowdstrike realized their mistake and reverted
• this Rapid Response Content update didn't contain software code, it contained methods for detecting potential malicious tactics (specifically, template types for the abuse of named pipes)
• software code and sensor content is subjected to automated unit testing, integration testing, performance testing, and stress testing. It is then rolled out in a staged manner within CrowdStrike, and then staged out to customers. Additionally, customers have the option of separating their fleets into three tiers of staged updates.
• Sensor updates contain AI prevention and detection capabilities; Rapid Response Content contains behavioral heuristics
• Rapid Response Content and Template Types are also tested automatically, but do not go out in a staged manner, which is why it seemed like the whole world got hit all at once (it basically did)
• a bug in the automated content validator missed the problematic content

Crowdstrike is still in hot water with a lot of folks, and it will take a long time for them to live this down, but I've got to give them kudos for handling the issue so quickly and so transparently. The way they handled this will go a LONG way to placating customers and starting to make up for the damage done.

That said, insurance companies and their lawyers will come knocking soon.

Like a little bit of that pandemic effect on the environment, but thanks to an anti-virus instead of a virus this time.

THIS is what real, effective security looks like. Simple policies and automations to block unnecessary privileges and access, like I don't know, "outbound access to any/any on the public Internet" have saved savvy organizations untold numbers of headaches.

I just talked to a healthcare CISO earlier today about how her role was poised to expand yet again, with regards to who would be responsible for AI/LLM evaluations, which will probably be seen as "AI vulnerability scans", even though the tests tend to be focused more on preventing human harm than the digital equivalents. I've also heard from more and more CISOs that they're becoming where the buck stops for risk and fraud as well.

How much is too much? We're probably already past it. We've all seen the massive CISO responsibilities mindmaps, right?

We're talking here about new GenAI technology, particularly the text generation bit that is aiming to replace existing search engines and virtual assistants as the de facto way to get questions answered and perform research.

"In the last year, the number of websites specifically restricting OpenAI and other AI scraper bots has gone through the roof."

The article focuses on a new study released by MIT called Consent in Crisis, The Rapid Decline of the AI Data Commons. It was apparent, even in the first few months of ChatGPT going public that we'd go down this road. As soon as OpenAI started monetizing ChatGPT and hit 100 million users in two months, the websites that were scraped to make all this possible were collectively angered.

They did what? With our data? And didn't give us a cut?

Clearly, this would not stand, and we now find ourselves treated to other ridiculous headlines, like:

• Google is the only search engine that works on Reddit now thanks to AI deal
• Anthropic AI Scraper Hits iFixit’s Website a Million Times in a Day <- yes, these are all 404media.co stories, I'm a fan

This sucks for organizations like iFixit, trying to run a business and a massive community effort, as AI companies effectively DDoS their systems. It also sucks for consumers who want to see Reddit content in their search results, but don't want to use Google's search engine.

It's ruining the Internet for everyone. We now have silly results due to both unintentional (put glue on pizza to help the cheese stick) and intentional (What's the best way to remove a data connector from an orange?) data poisoning. As well as websites that are walling off their content to prevent theft, but also making it harder for authorized and paying customers to access content (including 404media's own site!)

"The claims dismissed by Judge Engelmayer were noteworthy and novel in that they sought to:

• Hold a CISO personally liable for a lack of detail in a company’s SEC filings.
• Base liability on a company’s internal scoring against a nonbinding cybersecurity framework (the NIST Cybersecurity Framework).
• Treat an issuer’s cybersecurity practices as internal accounting controls"

I absolutely HATE vapes, but maybe not for the reason you think: most of them are disposable. Most vapes have rechargeable lithium-ion batteries, but the "vape juice" is not refillable, meaning that as soon as the juice runs dry, li-ion batteries go straight in the trash (or in the parking lot, as my kids keep finding).

This one takes this trend to the max, as it has a touchscreen and a full computer built in, not just the rechargeable battery. Are we, as a society, really okay with selling computers that will be used for one month before going in the trash?

Is my outrage just a product of my age? Or the fact that I have a passion for rescuing gadgets from the dump and trying to give them a second life?

$27M Series A, co-led by Index Ventures and Cyberstarts. Prior, $6M Seed led by Cyberstarts.

We talked Identity Security with Will Lin (AKA Identity) last month, on episode 364, and again a few weeks ago with Henrique Texiera (Saviynt) on Episode 367. Identity security definitely looks like it's becoming a thing.