May 17, 2026

#599 AI Agents Are the New Attack Surface. Security Teams Are Already Behind | Jason Remillard


In this episode of The CTO Show with Mehmet, Mehmet sits down with Jason Remillard, Founder of Data443. Jason brings more than 30 years of cybersecurity, data security, infrastructure, and enterprise risk experience. The conversation focuses on the gap between AI adoption speed and the security operating models still built for slower systems.

The episode reframes AI security as an execution and visibility problem, not only a model risk problem. Jason argues that security teams lose when they only block users, rely on slow approval workflows, or assume old SOC models can handle AI agents, MCPs, SaaS sprawl, and machine-speed data movement.

If you are leading cybersecurity, enterprise IT, AI adoption, or digital infrastructure strategy, this conversation gives you a practical lens for where the real exposure is forming.

About the Guest

Jason Remillard is the Founder of Data443, a data security company focused on securing data across systems, users, and enterprise workflows. His career spans more than 30 years, from early systems operations and ISP infrastructure to enterprise security and regulated environments.

Jason has worked across cybersecurity, data protection, ransomware recovery, threat intelligence, DLP, attack surface management, and AI-related security challenges. His perspective is grounded in the operational reality of how users, security teams, and business units behave when controls create friction.

LinkedIn: https://www.linkedin.com/in/jremillard/

Website: https://data443.com/

Key Takeaways

  • AI agents expand the attack surface faster than security teams can govern with manual workflows.
  • End users bypass controls when security becomes a blocker to legitimate business execution.
  • DLP cannot solve data loss when users can photograph, move, and re-enter information elsewhere.
  • Security teams need to enable safer decisions, not only enforce binary allow-or-deny rules.
  • Inference can reduce AI security costs when models are trained for specific enterprise use cases.
  • Threat intelligence must track agents, connectors, APIs, and machine actions as risk-bearing actors.
  • Post-quantum risk matters because encrypted data can be stored now and decrypted later.
  • Cyber resilience starts with assuming breach, not assuming the perimeter still holds.

What You Will Learn

  • The reason cultural failure still sits behind many enterprise security failures.
  • How AI agents change visibility across SaaS, APIs, Shadow IT, and enterprise data flows.
  • Why traditional exception management breaks when AI decisions happen in milliseconds.
  • How inference can help security teams operate faster without relying only on GPUs.
  • What MCP and agent-to-agent workflows mean for API governance and connector risk.
  • Why post-quantum security is already relevant for long-lived sensitive data.
  • The practical starting point for cyber resilience when attacks cannot be fully prevented.

Episode Highlights

00:00 — Jason Remillard frames three decades in cybersecurity

04:30 — Security failure starts with not-my-job thinking

08:30 — DLP breaks when users bypass friction

12:00 — AI agents change enterprise visibility

13:30 — Approval workflows cannot match AI speed

17:30 — Non-human actors create identity risk

20:30 — AI defense depends on trained inference

27:00 — Multimodal input changes user behavior

28:30 — MCP turns APIs into hidden risk

31:00 — Attackers gain the same AI velocity

35:00 — Quantum risk makes stored data vulnerable

39:00 — Resilience starts by assuming breach

Listen Now

Available on all major podcast platforms and YouTube.

Connect with the Show

Follow The CTO Show with Mehmet for more conversations at the intersection of technology, startups, and venture capital.

 

Mehmet: [00:00:00] Hello, and welcome back to a new episode of The CTO Show With Mehmet. Today, I'm very pleased, joining me, Jason Remillard. He's the founder of Data443. Jason, I'm really excited to have you today with me on the show, especially because you've been in the industry for a long time. You've seen it all. Um, you've done a lot of work around cybersecurity and, you know, I think we need to keep talking about this.

People ask me, "Why you keep discussing?" 'Cause I think we're not talking enough. So, thank you for being here with me on the show. Traditional question I ask to all my guests, tell us a bit more about you, your background, your journey, and then we're gonna start the discussion from there, so the floor is yours.

Jason: Uh, certainly appreciate. Thanks for having me on and appreciate the, uh, last minute reschedule last time as well. 

Mehmet: No worries.

Jason: Uh, you know, overall it's definitely been scarily enough over 30 years now that I've been in the field. Um, and I started off, uh, in the dark old days of the '80s essentially. Uh, and my first official professional job was [00:01:00] being a systems operator for a VAX 750.

Uh, big old machines, raised floors, line printers, air conditioning, all that sort of stuff. Uh, the use case there was, you know, again, it's my first gig, is, um, we ran a forest fire base basically. So, uh, the big water bombers, the big yellow jet, uh, planes that scoop up water and everything, that's the base that we were operating.

So I was involved in, in, even in those days, uh, data amalgamation, uh, collection from the field, packet radio even, uh, compression and all those sort of things, even, like I said, in, in the mid '80s. Uh, and I've continued to grow from there, that first gig, all the way up into, uh, running my own ISP in, uh, Manitoba, Canada.

Uh, we were the second largest in the country. Uh, moved to Toronto from there. Uh, worked with a bunch of companies, Pricewaterhouse before it was Coopers and Lybrand, all those sort of things. Eventually moved to New [00:02:00] York. Uh, started up my se- well, it's my fifth or sixth operation now. Brief journey to Raleigh, North Carolina for almost 10 years, and back to New York City now.

So been around definitely a fair amount. 

Mehmet: Great, and that's very inspiring actually. You know, quick, quick question about the name of the company. I know what it stands for, but why it's Da- Data443? 

Jason: Uh, one of my favorite questions, and what's interesting is, uh, you know, I think everyone says, "I know what it stands for," but why, right?

Wh- wh- wh- what's the point? And when I was doing this operation and kind of building it up, incorporating it, doing trademarks, all those sort of things, it's really hard to do nowadays because either you're creating a completely new word or something, and even trademark ability and stuff is, is a challenge there.

So at the end of the day, you know, we were gonna be a data security company. No matter how it was secured, where it was, or what the tools were, whatever. So obviously [00:03:00] datasecurity.com is already taken. It's, there's a lot of stuff around it. I was like, you know what? I wonder if we just use the port number.

So 443 was available everywhere. Uh, everyone asked the question and I don't think anyone will forget where 443 comes from and the data 443, uh, moniker. 

Mehmet: Yeah. It's the se- Yeah ... HTTPS, the secure- That's right ... layer to, to, to connect to the internet. So for-

Jason: A- a- and even non-technical people know that, right?

They know if they type in the S, they get the lock, and they'll say, "That S means port 443." 

Mehmet: So- Yeah ... yeah. A- and I, it's a good reminder for, you know, I, I, you know, we're lucky enough now that browsers, they show this warning. Sure. But back in the days for people who might remember, you know, this was the number one risk- Yeah

because you, you go to the website and it's not secure and your data might just get stolen or, you know, lost- It is ... or whatever. 

Jason: Yeah. It's funny how that knowledge still percolates, and even people who are just, you know, entering professional worlds know that they want [00:04:00] the S everywhere, and they look for it.

Uh, you know, whether you're a doctor or anything else, and people are really looking for that S, so it's kind of cool. 

Mehmet: Right. Jason, when I was preparing for the episode, uh, today and, you know, going through the profile that you shared with me, something stopped me. Like, uh, when I saw you said that, uh, you know, "Not my job thinking is one of the biggest security risks inside enterprises," I know what you mean.

Yeah. I worked, you know, on both sides of the table as someone who was like you back in the days, you know, a system admin, uh, and system engineer, you know, and of course cybersecurity was part of my day-to-day task. And then work for vendors who, who, who, you know, work on the cybersecurity side. Why do most cybersecurity failures still start as a cultural failures rather than technology failures in your opinion?

Jason: I think, you know, at the end of the day you have a large resource [00:05:00] pool, uh, available, which is the whole employee base of the company. Uh, and this really came through for me, uh, recently when I was doing kind of a blog entry around our ransomware recovery manager, and I was covering the story about Striker, right?

The story about Striker was, of course, hackers got in. They didn't steal data. They just sent an Intune delete command, right? All the way out the door. 200,000 machines forced to reinstall. And there was no failings in that regard. None. Everything was secured. There was 2FA. There was all these things. And of course, Mike's locked into did what it said.

It said, "I just ran the 200,000, uh, recovery," right? Uh, endpoint reset. And the one thing that kind of came out there for me was that there's been this continuous thing in security industry where- End user education, the weakest link is human. You know, they're, they're stealing data, they're bypassing DLP controls.

All those sort of things fit into the overall risk posture of the business, and it continues to be the same old tale. It's [00:06:00] people- Mm-hmm ... by mistake or maliciously doing things. Now, what I realized with this review when I was talking about Striker was that, um, and I validated this with Gartner and some other folks a- along the years too, was that we don't engage that end user as much as we could.

Mm-hmm. So to A, yes, you know, if you're in email, you mark something as a spam, you're training back the machine in, in some f- way or fashion, right? Uh, and hey, if the users are smart enough to get around DLP controls, like printing a document and, uh, scanning as PDF and putting a password on it to bypass controls, right?

They should be, uh, capable enough to help recovery. So in the Striker example, you know, um, you can't get IT, no matter what their size is, to do 200,000 machines in hours, right? It's physically impossible. So you need to re-engage that community. So what I realized with that whole scenario was our technology with just a reboot resets it to last known good state, right?

And that is something [00:07:00] every single user in the company knows how to do. Uh, I call it the, uh, three finger salute, uh, fix, basically. And everyone knows that. You know, talking about the 443 side, everyone knows control alt delete, right? Which is, again, uh, unique with people, uh, still learning what that is, 'cause I'm sure a lot of Gen Z's recently have not had to do that before.

So it's interesting how they continue to do these sorts of things.

Mehmet: Right. I'm happy you brought, you know, this scenario of, um, you know, bypassing the security measures, and especially the DLP. One of the main things which I repeated here on the show with, uh, other guests as well, the number one thing that comes now when, when, you know, people ask me for solutions, like, they say, "Hey, Mehmet, like you talk to a lot of people.

We're looking for something that can protect, protect us from people stealing our data through AI," right? Mm-hmm. And I tell them, "You know what? There's nothing." Because I can just, you [00:08:00] know, open an Excel sheet, I can take a photo of that- Mm-hmm ... I can go back home. I will... You know, if I'm using Mac, you know, I'm a Mac user, I will just, you know, AirDrop it from my phone to my- Yeah

you know, laptop. Very easily. And then I will give it to ChatGPT or all these measure, uh, all these tools, right? And then no one can stop me. Yeah. Now, t- to your point, and now, you know, I think this is a good topic to, to a little bit, you know, discuss with you. Because you work with large financial institutions, you work with regulated enterprises, so- Like maybe this is one example of some, some blind spots that, uh, are underestimated by executive teams.

The counter arg- uh, you know, argument here would be, Jason, is like, "Hey, we've spent billions of dollars on cybersecurity tooling. Why it's not working?" So let's try to uncover this little bit with you, Jason. Yeah. 

Jason: Uh, and certainly at [00:09:00] the end of the day it's the business that pays the bills, right? So you see this friction of, you know, uh, let's talk banking, right?

That the loans origination division needs to go faster, do things quicker, uh, distribute information to c- customers faster and easier. And the security's saying, "Whoa, whoa, no, no, no, you can't just send a PDF. No, you can't use DocuSign. No, you can't. No, you can't." It's always, "No, you can't." Right? Uh, and, and that's where that tension comes from.

And I think regardless of what the controls are in the business, generally you'll see people actively trying to bypass them. Uh, we had a story one time in the recent past where, uh, they were doing a phishing test of the organization, and there was one person who, he couldn't get, uh, the link open on the inside of the business, right, in the firewall.

He tried his laptop, he tried his phone, he tried somebody else's laptop. He did all these things. He forwarded it to his Hotmail, and then at home he tried opening it five more times too. You know, he [00:10:00] was legitimately needing to open this thing. It was complete phish, and he did everything he could to, to, uh, you know, enable that.

And that is the problem, right? Uh, it's a friction in the business. Data wants to be free. It's kind of its own thing. The second it's digital, it's, you know, you might as well count it as being gone. And really it comes down again to that enforcement angle. So all the DOPs in the world and everything else are never gonna be able to b- uh, you know, control someone who really, really wants to do something.

So that behavior is something we need to do better with. Um, and I, I really do think IT does a very poor job of managing exceptions or enabling the business to do their own decisions around content. Um, so a very good example is, you know, I need to send a application form to somebody in a PDF, and DLP control says you can't or you can't even receive it that way, right?

Mm-hmm. The business is saying, "No, I have a legitimate business need. I'm making sure it's only this time." All those sort [00:11:00] of things. And there's no way to track that basically within the organization. And even, you know, even the most mature organizations still struggle with this. Uh, the whole concept of risk, uh, mitigation, which is our name, but really capturing what the risk is- Who's accepting that risk, and is it, uh, managed long term?

And has it been closed, right? In a regulated business, there are times you can, uh, uh, you know, reasonably bypass our technical control or open it briefly for just this, uh, kind of special project, right? Um, but there is no real tracking mechanism. And I think, like you said, bill- businesses spend billions and billions and billions, and a significant amount of their overhead in, in operations is this security function.

And I don't think it does enough to enable the end user to make decisions, whether the end user's a bank teller or, uh, a line of business owner.

Mehmet: Right. Now, [00:12:00] speaking of, you know, like, how things also are changing currently, we know that the attack surface, especially the external one, are, you know, going out of control.

And I know, like, you've done recently an acquisition, um, for doubling down the efforts on that. So how things change, you know, with the SaaS, APIs, Shadow IT, and now AI agents. Mm-hmm. So how this have changed the l- the, the way we do what we call the visibility? So we always said, like, uh, we cannot protect what you d- we don't see, right?

Or, uh- Yeah ... we cannot understand what's going on until we dig more and we find out. So tell me more about that and how y- you know, this acquisition, um, you know, would help, um, you know, to uncover or, like, say, let's say solve this challenge. 

Jason: I think, you know, if you go back to when DLPs were being rolled out over the years, right? [00:13:00]

Uh, they went from rigid binary enforcement, no, you cannot ever hit a URL of this kind from within the business, until usually near the, you know, last few years they've been doing, um, monitor, don't block, basically, traffic. And then from that perspective, security was knowing what was happening out there, right?

What tools the users were using and all these sort of things. And generally not gonna get fired for using a portal of whatever by accident or even on purpose, right? So for the AI stuff, we, we did the acquisition of Acora, which, um, in some instances is just another DLP, right? It's in the flow of all the transactions.

It's got MCPs, ATA, uh, A2A, and ACP capability built into it, but it is happening really, really, really damn fast, right? Yes. So fast. And you cannot do a ServiceNow ticket to approve this access control, for example. You can't do these things that [00:14:00] we're not even keeping up with today with, you know, two, three time, two, three date lifetime between delivery of content, for example.

So now it's, you know, several milliseconds it has to be there. And the expectation from the business, again, is very heavy on- You know, this, this rapid and, uh, really un-unconstrained, uh, data, um, acquisition. Um, you know, it's... We're still playing catch-up. IT is still catching up to the business, the business is still catching up to industry trends.

AI in general is a huge thing obviously, but really what's having a lot of power there is leveraging actual data sets and making those decisions, right? So in context for that, you know, there are ways to enable the business to onboard to the IT security controlled and approved AI agents, right? Uh, you can be, you know, hardware on-prem and all that sort of stuff, but I think even better you can enable the end user, whoever they are, to [00:15:00] do better, uh, in their function.

So a good example is to say, uh, we're a very large bank, we've got, um, some, uh, GPUs in, in premise, um, it's attached to SharePoint and OneDrive, for example, and we're gonna give the end users some tools to use that repository and that technical capability inside and enable them. I think the business always goes around IT when they're too slow, too late, too far behind, too expensive, too everything, right?

And really the IT function, especially IT security function, really has to be focused on enablement as opposed to control and blocking, and that's a mind shift I think that we have not, as IT people, done a really good job with at all. 

Mehmet: I agree with you, Jason, but you know, to be... Also have like a fair point, I would say- Yeah

um, the hype, I-I'm... It's not a hype. I don't like to call it hype, but I mean, the rush to, to implement [00:16:00] AI in business is real, right? Yeah. Um, and every day we see new things- Yeah ... and, you know, companies, you know... B-because I still remember I was, you know, uh, when the, the, you know, let's say the first wave of adopting, you know, uh, shifting applications towards like the web from paper to, to, to online forms and so on.

You know, like it was an urgency, but not as urgent as now. Like, hey, if we don't adopt AI, we're gonna die, we, we're gonna be out of business. So this is, I think, part why businesses are pushing, why the board is pushing. Like, hey, we need to- Mm-hmm ... to get these co-pilots and we need to get, you know, these workflows and all that.

Um, and they're- Try to rush AI into production- Yeah ... which we know that it can cause. Now, saying this, even we, you know, like, and I want to take your, your thoughts on that. Even with seeing technology companies falling in this trap- Yeah ... especially with the [00:17:00] vibe coding and, you know, giving access to these agents, you know, to, to do things.

I think, I'm not sure, like, um, you know, if, if what was verified or not, but a company, you know, the whole repository was wiped out- Mm-hmm. Right ... you know, because, because, because the agent did something wrong- Yeah ... and, you know, they didn't have... E- even it, I think even they said they deleted backups. So that, it was funny for me- Yeah

because I work in this, in that domain also for a long time in, in data protection, so it was funny for me. But now, I mean, how we need to think about two things. There's, there's balance between, yeah, moving fast, but at the same time keeping your, you know, the guardrails and making sure that we're not doing something wrong when it comes to security.

And the second thing, do you think, like, people are thinking enough about, you know, the identity problem created with these AI agents and non-human actors?

Jason: Uh, yes, and I think the, uh, uh, the [00:18:00] question with the AI wiping out the data, I think the AI decided that fixing the old code was not worth it, so it deleted it to start fresh, basically.

Probably. The right decision as well, right? There's probably nothing wrong with that. Technically, it's the right answer probably. Um, you know, I think, uh, I look back to how we've kind of embraced it and, you know, we've been a little bit laggard on that ourselves in site for a bunch of reasons, and of course the data, uh, challenge is a bigger one.

And I think there is this balance where the service providers eventually mature, they have more technical control, so they have so- those sort of things in place. Um, but also there's, again, there's this concept of giving the end user some power. So one thing we did on the inside is I said, "Listen, 100 bucks a month, you guys just expense whatever your AI use case is."

Some were using it for transcription in meetings, right? Others were using it for code reviews. Probably the biggest thing we've seen value in has been the log analysis, actually. [00:19:00] Uh, some of our products have massive amounts of logging, you know, hundreds of, uh, gigs of flat file content that is really difficult for a human to go through, right?

So w- with that in mind now, I, we have the QA and support teams using AI very, in this fixed function and, you know, they built a layer on top of it, all these sort of things, and the model just switches out to whatever is more effective. But they've been enabled to do stuff, right? Uh, and day zero they weren't controlled as to which AI they used, right?

Uh, they were allowed to experiment a bit. And I think at the end of the day, the business is still just trying to function. Um, and, you know, they got pressure from the board for sure, and so does security, and there's that middle ground. I think there's... I don't think I've ever seen a security team properly staffed for managing the inside people of the business.

Um, some larger organizations will have a, a BSO or a CSO or a CIO in the line of business embedded. I've seen those being, uh, pretty [00:20:00] successful because those people are technical first, right? Mm-hmm. Uh, delivering and reporting to the business and then, you know, IT security or, or infrastructure is a, uh, you know, a interested party now.

So that's another way to structure. 

Mehmet: Right. Now, regarding the point you mentioned about, you know, the, the visibility and, and all this. So we know also, um, and this is not something new, it's been even... I, I remember, I think we, we implemented the first SIEM solution in, I mean, at least for me, 2010, 2011. Um, and you know, the amount of alerts that we were getting was frightening.

Imagine this, like, how many years ago. I, I, I can't even think how many emails and alerts that come today. Yeah. So does AI genuinely help, you know, people, let's call on the defense side, operate faster, or is it [00:21:00] adding more complexity and noise to the picture? 

Jason: I think, uh, model practitioners, right, are not doing enough to enable the business or the owners to train the models.

Uh, a good example is our email phishing capability, and if we just ran it native saying, "Detect phishing," eh, it's not gonna do too much, right? Mm-hmm. Um, and when you say just detect phishing, and you send the content to the LLM, you're asking it and directing it to do bottom-up analysis, including loading libraries to opening up an EML file, kind of all those things that are involved in doing that parsing.

What we did in our case, we did that, you know, kind of gross up, uh, dumb model thing, just very, uh, generic and nonspecific and told it to do whatever it could and needed to do to re- read that email. As we started to develop a model and training it as to what it looked [00:22:00] like, the inference capability of the base came along really, really quickly.

And I think this is the biggest thing that no one's talking about today is that inference is your friend. Inference does not generally need GPUs. It's another big one. And runs very well actually on plain Jane server CPUs, um, if the model's trained right, right? And I think- I think most of us are saying, "Okay, I prompt, I- I'm training, I'm telling to save things."

Yes, that's true, but where is that onboarding process for, uh, training of an LLM, right? You're not gonna ask a financial advisor in a retail banking network to do that training. Somebody has to, and it's been a problem with machine learning since day one, right? ML is not new at all. We've had it in our systems since early 2000s, right?

And at the end of the day, every single time, every single customer said, "I don't wanna train this thing." Yeah. Even if it was just a week, right? Saying, "Hey, it [00:23:00] gives us, you know, uh, 5,000 Word documents that are sensitive, we'll classify it." So again, it's this onboarding thing. Uh, and it has to be dumb simple, and it has to be really effective.

And I think if you look at other models in the retail world, um, as to how to engage with the end user. If you remember, I don't know, many, many moons ago, uh, WordPerfect and MS Word and these sort of things, right? They had, you know, function keys. It was actually a very tactical product, right, before mouses- Yep

and stuff like that. In reality, when you're thinking back to those days, you'll say, "Wow, okay, well, the end user of that WordPerfect installation on a, you know, 386 or 486 is using Facebook." And if they could create a Facebook group, add and delete users, and monitor it for spam, they're doing a whole bunch of security controls, and they are not info tech people, right?

Right. Why were they able to do that? Because it was simple, because it was guided towards them. The user experience had value [00:24:00] for them, and it brought them along the journey. So I think businesses can do a heck of a lot better on training models, understanding models, and enabling end users. And the real big side benefit of that is, is that your inference models are super efficient, damn, damn fast.

Like, I am still shocked every day. Right now I've got a bunch of consoles running, and we're doing 20 million mails a day in this one tenant and, I don't know, every five or six are hitting GPU per minute. That's it. Everything else is inference on CPUs. And nowadays, you know, uh, that's a hell of a lot cheaper, right?

Um, and, you know, uh, for our perspective, because we have a fairly large data center footprint and we're drowning in cores basically, you know, 8- 10,000 of them, I wanna use CPUs. And, you know, as we matured that model along the way... And it took, you know, really a few weeks of engineering, architecture, really smart application people, um, and infrastructure folks to come along to this [00:25:00] model.

So, um, I think there's a bunch of benefits for that kind of approach and at the end of the day, a lot of cost savings as well, right? Uh, an H100 from NVIDIA is not cheap, right? Um, and you wanna minimize your exposure to that massive cost center as well. 

Mehmet: Right. To your point, I think what, you know, I'm optimistic about, especially with the AI, it's getting better also because you mentioned the example of how, you know, people who were using, you know, Word back in the days when it's still on the, uh, 386 and 486, and they can manage Facebook, Facebook groups.

I think what's going, you know, very well in my opinion is also, you know, the ability to speak to these models in, you know, like, um- Natural language ... yeah, natural language. Yeah. And then, you know, the model is actually understanding what you want to do exactly. So because I, I remember also myself, you know, like if I wanted to do something, especially if it was like a non, non, [00:26:00] um, y- you know, the, the terminal kind of solutions- Mm-hmm

and I need to go through the documentation, all this. So sometimes, you know, I need to remember like how to do things. So now I can just go to any of these LLM tools and say, "Hey, like I want to implement this and that," and just, you know, do it for me. Done. 

Jason: Yeah. 

Mehmet: The, the UI becoming more like it's, it's your vo- actually your voice is the UI.

Like this is what I- Yeah ... call them, yeah.

Jason: Yeah. And this is back in the old days where, uh, the browser was becoming your main user experience, uh, tool. Right. And, you know, and you had applications in C++ written with a fat client on the desktop, all that event, it took years to get to a browser, right? But in essence, now you look at a, as, at the common knowledge worker, almost all of it is browser, even email and Word documents, for example.

We have some younger people in our group, and I don't think they've ever installed the Outlook fat client once. Yeah. They don't even know what it is.

Mehmet: I know a lot of people.

Jason: They don't even know what it is, right? Which is crazy. Yeah. I think, [00:27:00] um, uh, you said something there that was really interesting. Ah.

Yeah. The biggest thing I, the biggest win with this whole AI, uh, revolution, I think, and I, I don't hear anybody talking about it, is the modal input capability. 

Mehmet: Hmm. 

Jason: Right? If you go to your AI today, like, and you have a, a, a, a printout, right? You're like, "Oh, I gotta scan it. I have to transcribe it. I have to type it into the, you know, the chat," blah, blah, blah, right?

And even today, I still forget that. I don't know, a picture is good enough, right? Yeah. And I'm putting a probably an eight megabyte high-end PDF scan image from my phone into chat, and really it doesn't need any of that, right? But the whole modal interface is the winner. N- NLP is huge, yes. But getting that data in there i- is the true differentiator.

And again, wh- why? It's because the end user is, [00:28:00] uh, experience is simplified, less work for them, and uh, you know, just generic velocity for their function is the biggest thing. So I think the, the, the modal stuff is, is huge and, you know, even today I still forget about it, um, that I've seen it. Yeah. The... Oh, go ahead.

Mehmet: No, no, please, if you want to talk.

Jason: The only other thing I think that, you know, recently came out is the MCP architecture. Um- Yeah ... I think that whole control mechanism is key. And about two years ago, uh, you know, on LinkedIn, I think I said that, you know, this LLM groundswell will make APIs redundant and non-existent.

And I think MCP and AKA for sure do that already, right? I don't need to know how Salesforce outputs its records to SAP. I just tell the AI, "I want this here and I want it there. Figure it out." Um, and you know, the good and problem with that is the previous investments in, uh, file formatting, you know, decryption, all that [00:29:00] sort of stuff is gone, right?

There's just nothing there anymore. Don't need it. Uh, and but then all the engineering controls, knowledge, workflow, all the stuff that goes into even just moving something from doing one end to another place are generally, uh, ignored or forgotten about, right? Um, so there is, you know, benefits, uh, both ways there.

It's interesting for sure. 

Mehmet: It will be interesting to see how this will, you know, develop also are we going to API less, uh, b- because if you think about it, yeah, like you can't, again, tell the AI, "I want this application to talk to this application." It will figure it out in the back end. You know, we... I don't need to learn, you know, how JSON is structured and so on.

Jason: Yeah, schema management or any of that stuff at all.

And, and that's, I think that's the biggest and scariest thing. Um, and when people say, "I need a new connector for Salesforce 4.2," they Google, right? Or they go to Cloud or whatever, they pull it down, they install it, they click run, and they're done, right? IT's not [00:30:00] involved there at all anymore, and that's where some of the problems come in.

I think from a work function, uh, you have to consider, uh, the context or the persona of that person, right? They're not always in the office, so they're not gonna use a GPU that's based in the production segment somewhere, right? If they're gonna be remote at Starbucks, how do you enable that? How do you get them, induce them to use an approved product and stay with it and deliver their job?

And that's, I think that's still a u- a user experience issue we need to do still. 

Mehmet: Right. Now, let's talk about the other part of the equation, you know, the attackers, right? So, um, we know it's a fact that, you know, I, I have a friend, you know, um, he used whenever we used to go to clients and he used to do a, a, a joke about he said, "Guys, you know, like these bad actors actually are people like us.

They have families, they have kids to send to schools-" Yeah. "... and wife they need to do shopping." Yeah. "So they need to keep up of new [00:31:00] ideas," right? So now AI is making their life easy also as well, I believe. Yeah. And, you know, they're, they're acting fast. And you've been, um, chasing yourself in- into the threat intelligence and, you know, machine learning-based analytics for a long time.

I'm, I'm sure you're seeing, you know, things happening in that domain. So for us, you know, the, the good guys, like, uh, w- what kind of, um, fundamental changes we need to, to, to apply, whether it's, you know, um, become more adaptive and AI assisted, like what potentially we could do to make sure that we are always ahead of the bad, bad guys?

Jason: And I think this goes back to your SIEM comment. You know, in, in early 2010s we installed a SIEM and configured it, right? And then all we've done really since is just thrown more threat intel information into it. Um, and, you know, paid for storage and, you know, did these massive data lakes that were, uh, disjointed and [00:32:00] really at the end of the day, in most cases, the, the retention of that data has little value.

Now, if you look at the banking side, they had to retain for years, right? It's just terabytes and terabytes of flat files they have to retain for years. You'll probably never, ever open those again. Um, the threat intel side is coming up with a whole bunch of different things now, right? Uh, we've seen that, uh, with our solution, we've kept it pretty raw, like six, 10 days roughly of live real-time data is kind of all we retain.

And really w- day one and two stuff is the most value. Um, we've also integrated, uh, that same idea concept around, you know, bad actors, bad SMTP gateways, proxies, those sort of things to also the AI side as well too. So now we've added, uh, agents, uh, location, type, format into the threat layer to say, we've seen the Salesforce API, uh, MCP talking to 15 different parties and trying [00:33:00] to do, uh, schema scanning or something like that, right?

That AI host agent or model has a risk factor growing up as well. So in a lot of regards, it's exactly like it used to be. You're assigning risk, calculating these sort of things against actors. It's just a heck of a lot faster, right? Uh, but then on the other side is you're starting to say, "I am more in control over how they in- interact with the data," but the second they give out that data, you can consider it gone.

Um, because those players behind those agents, whatever they are, are, you know, generally not exposed to you. So the threat intel space has always been, you know, bad things happening, here's the protocols you're using, block 'em. Uh, some customers want the attribution side in there too. They wanna know if it's North Korea, they wanna know, uh, a competitor, whoever it is, and that attribution's important to them.

Vast majority don't care about attribution because it doesn't really matter anyways, right? It is, uh, being in line of those, uh, [00:34:00] responses. And what we've done on our side, and I think, uh, we have some experience with CrowdStrike, SentinelOne, and Microsoft Sentinel/Defender, uh, which we've onboarded to, is we- our playbooks have been centered around, uh, high velocity near term threats that are happening now.

Uh, and happening now where, you know, bad SMTP gateways were stuff for years, and it was kind of the, the leading edge of the badness, uh, but now it's agents basically. So in some cases, the volume's gonna get higher, it's gonna be much more, uh, velocity involved with it. Um, and then from there you're gonna have to make your decisioning.

Playbooks are the key thing, I think. 

Mehmet: R- right. Now, of course, you know, a- and I'm not saying this to scare the audience or anything, so if you thought that, yeah, the AI and the agents and all this, so we still have some emerging technologies coming up and, um, maybe I covered only one time, uh, which is, you know, what we call the post [00:35:00] quantum, um- Yeah

cryptography issue, PQC. Um, w- I follow very, you know, actively anything related to AI, cyber and- Yeah ... digital infrastructure, so this is my theme because I, I've been- Sure ... into it for a long time and as a technologist, you know, by, by trade I call myself, although, like, I shifted to business side later, but still, I, I need to see what's happening in the world and a lot of news coming out about, you know, quantum computing moving from theory to practical, right?

And still, when I talk to some people about this, they say, "Yeah, it's a problem for another day." You know, we may be far away. Until I think two weeks ago, if I'm not mistaken, and we are recording on the 6th of May, just for people to know, I think I saw something from Google saying that the day is approaching, you know.

That- Yeah ... that day is not far as you- Yeah ... thought. 

Jason: Now- And I think they, I think Google actually brought the [00:36:00] date in last time as well. 

Mehmet: Yes. Yeah. So at what po- at what point does it become, you know, really urgent? And we w- Are we really prepared and how we should start to be prepared, Jason? 

Jason: Uh, yeah, it's a tough one actually 'cause I don't think the answers are very good there.

I think if you look at, you know, the adversarial threat government organization type stuff, even if they couldn't crack the, you know, uh, the SSL tokens using those network communications with the bank- They're saving them anyways. So even the stuff that you've used that was secure today or three years ago is stored somewhere.

It's not visible yet, but once they crack, you know, some of these key, uh, algos, all of that information will be unlocked. So I, I know there's several, uh, state agencies that are just essentially storing everything- Yeah ... uh, and then go backwards on the content, right? [00:37:00] So that's one thing. You know, trust that even the stuff you've done before will not be secure forever.

Um, the quantum side is, is, you know, I don't, I don't think anyone really understands half the magic of that stuff, right? Other than, yes, the, the threat reportedly is this capability that will be, you know, one mouse click could be finished and decrypt everything on the planet. The quantum safe stuff is interesting as well, but it's still just another instantiation of complexity on top of the data set, and that's all we've done through history with encryption, right?

We started off with abacuses and paper, uh, keys, right? Now we got these massive things, and it's, at the end of the day, it's still just a bigger key. You know, whether it's OAuth or whether it's, uh, any other ca- crypto capability, it's just a bigger key. Um, and again, that has legs, uh, that continue to come in closer based on the technology side.

So the answer is, I don't know at this point. Um, it's gonna be hard. I think the only way to make sure that no one ever sees your data is never to [00:38:00] give anybody your data, right? Right. Um, and, and that requires you to be really circumspect with it, um, and very aware of where it's going. Um, I think even some of the tokenization technology that's coming out for, you know, databases and Snowflake and all these guys are not quantum safe either still, right?

You give an AI even today, you know, uh, a compressed, uh, BACPAC file from SQL Server, for example, with, uh, you know, a tokenization enabled on it, and I think the AI will still crack it eventually. It won't be long. 

Mehmet: I, I agree with you. And I think, you know, you, you said awareness, and I think this is the, at least not the cure, but the way to find the cure, right?

Um, to stay awa- to stay aware, to make sure that, you know, you, you, you're trying to, to, to get, uh, the latest of, of what's happening in that and, you know, try as much as possible to, uh, harden your, your measures. Yeah. Now, you [00:39:00] know, as we are coming close to an end, and I want to close with the theme, I know...

And by the way, I, um, when I was preparing, I saw this note from you when talking about, like, you know, we cannot really avoid attacks. We, we know this. Like, this is, this is a myth, right? Like, no one can say, "I'm, I'm attack proof." Mm-hmm. And, uh, you know, I agree with you on this, but we talk in the industry about cyber resilience, right?

And so if you want to put the best, I would say, version of a cyber resilience practice, where- Me as a leader today, should I start with today? Should I start with my SOC, which is the security operation center? Should I start with my identity? Should I start with my encryption standard? Like, uh, or should I start maybe on, of the concept of the network perimeter itself?

Where do I start? 

Jason: And that's why these people get paid the big bucks. Those are hard questions, right? I think, uh, what's key is that, [00:40:00] um, if you look at technologies that have done very well for a long time, PGP public key encryption, right? SSL, for example, is a good one where enough was given out to have a secure interchange of information, whatever that happens to be.

Uh, it expired, it was reauthenticated, it was authorized with a root, root certificate. Kind of all those things were there, and they're seamless to the users. Seamless, right? And that's the lowest friction stuff that we should always aspire to. So if you're a bank and you're doing business with another bank, don't just put, you know, 10,000 spreadsheets in a, a data room.

Maybe correlate what they're asking for with what you have, and that interchange itself is all that's done, and it's only for as long as you need it, and it goes away. And I think this is where, uh, any sort of blockchain comes into play here because that information is usually single use, right? Um, it, it needs to [00:41:00] be re- uh, pulled back in some way, shape, or fashion.

And if everyone only trusts that bl- uh, blockchain ledger analysis, for example, for that bit of, bit of information, you can say, "Here's the new one, and that one is defunct," and make sure it is. Um, so I think it's a combination of these things, but it has to be machine oriented. It has to be super, super fast and effective and very low friction, otherwise your user base won't engage on it, right?

And that's where the true flaw comes in. So however we can do that by organization and department, I think at the end of the day, you've got a resilience capability to come to, recoverability, disaster, that sort of stuff, and then these data controls. And we do it inside quite a bit now. When we're struggling with a component or some Kafka job or something, I usually ask the question, "Can we just burn it down and do new?"

Mm-hmm. Because now with live coding, all that stuff, it is a lot faster. Generally, the quality is pretty darn good. And most of our risks and problems come in when [00:42:00] we're back hauling 20 years of source code that really no one knows what it does over time. And, you know, by the time we've diagnosed the whole darn thing, we could have written it twice, basically.

So I think in some cases, uh, much like the DLP world where it was blocking only, then they said, "Okay, forget it. It's not working. Let's just do monitor only and then do the softer side of end user management," that can, uh, play here too as well.

Mehmet: Right. Traditional final question, Jason. Anything, you know, you wanted to share, maybe something I, I didn't trigger you to say it, so this is the space for you.

And of course, um, where people can get in touch and learn more. 

Jason: Sure. I'm on LinkedIn, Data443. Look us up there. We put out a fair amount of content as well. Um, we're starting to do, do a lot more with, uh, technical content as well too. Uh, thankfully, AI is great, so it makes even the nerds look very, uh, studious and English lit majors and all that sort of stuff.

I, I keep telling our [00:43:00] teams, like, "You don't have an excuse not to blog now," because you say three sentences into an AI, you've got a, a good piece of content. Um, but I think it really is about that velocity and matching what the business needs. And I think IT needs to absolutely keep in touch with things.

If you're in a banking role, and you're in a senior, uh, IT security or IT function, if you don't have a daily scrum with your business, whatever kind of business it is, you're already behind in the use cases that they need, and you're probably already breached. You just don't know it yet. 

Mehmet: It's, it's, it's true.

I know this for a matter of fact, Jason. Yeah. So, uh- Yeah ... you know, yeah. So, so they, they need to change fundamentally so they don't stay behind. 

Jason: Exactly, right? It's, it's something that you have to consider. And any good IT security person has used Breach already, right? So, uh, that's where you need to operate from and what that response looks like.

Whether it's a Striker type attack where your two hundred thousand machines [00:44:00] get nuked or some sort of, uh, breach or data egress, right? You need to assume that at all times and what your response is. 

Mehmet: Absolutely. Absolutely. And, um, you know, again, Jason, thank you very much for being here with me today.

Thank you. I will make sure that your LinkedIn profile link and, um, of course, the company website, they are in the show notes. So for people who are listening, uh, on any of their favorite podcasting apps, they can find, you know, the links in the show notes. If you are watching this on YouTube, you will find them in the description.

And this is how I end my episodes. This is for the audience. If you just discovered this podcast by luck, thank you for passing by and thank you for listening or watching. Uh, I need a small favor from you. Share it with more people so we try to, you know, have a more reach, you know, educate more people. So I appreciate if you can do that.

And if you are one of the people who are already subscribers, people who are already coming again and again to listen or to watch and share with more people, I really appreciate that. Thank you very much for... [00:45:00] I'm repeating this sentence, I know, since last year, but I have to thank people for that. The show, since 2025, beginning of 2025 and continuing for now, I would say, consecutive 14 months, we are always every week in one country Apple Top 200 podcast chart.

I did a test, I changed the category, which was on purpose, and still we were able to do this. So we are now in the technology category, and we are getting every week new countries. So I really appreciate people who are sharing and getting new people to listen to the podcast. And as I say always, we will have a new episode very soon.

Thank you. Bye-bye.