John Richards:
Welcome to Cyber Sentries, from Paladin Cloud on TruStory fm. I'm your host, John Richards. Here, we explore the transformative potential of AI for cloud security. In this episode, we're honored to be joined by Shawn Anderson, a distinguished leader in the field of cybersecurity with a wealth of experience including multiple CISO positions, and currently serving as the CTO at Boston Meridian. We discuss the power of AI and processing vast volumes of data and telemetry, enabling capabilities previously deemed impossible. Additionally, we explore how identity has emerged as cybersecurity's new perimeter.
Shawn Anderson, thanks so much for joining us. Welcome to Cyber Sentries. Really excited to have you here. And looking at your resume, I was quite impressed by it. You've had a lot of different roles in the security space, and I'd love to hear a little bit about how you got to where you are. I know you were in a few different CISO roles. Can you share a little bit about what that journey's been like?
Shawn Anderson:
Sure. Thank you, John, for the invitation today and looking forward to the discussion and seeing what we can unpack here in the next time we have together. I've been in technology a fairly long time. We'll do the quick one-minute elevator speech or thereabouts. Like most people in this industry, I fell into it. I was working as law enforcement in the military and got the computer bug in me and started working there, and then got into computer investigations, which led me to spending a lot of time in and around the DC area here in Washington. And I got into a job where I was working as a security analyst and fell into the role of CISO for Raytheon for their intel business. I spent three years doing that role, learned a lot and worked a lot across all IT organizations, the operations side of it of course, and then working in and around DC with all the three-letter agencies.
Over my time, I progressed, held more senior positions as director of security at other larger organizations, and also spent time as a CISO down in the Carolinas for an energy company. I transitioned though, a hundred percent commercial, got rid of tickets, clearances, got a breath of fresh air, a little bit of recovery, and went out to Seattle where I was a partner manager for AWS. And that role was interesting and exciting at the same time because I was trying to tell the CEOs of these large security companies, "Build cloud capability, consume cloud, it'll be great. You grow, we grow." The challenging thing there though, and we still have this problem today, is how do I pay people on consumption? It's easy to sell a server, pay them a dollar, pay them $2, but consumption's a little bit tricky. And I think the cloud providers still have this problem with their sales organizations today, but I had a good successful two years there.
I was recruited then from there to Microsoft. Satya went out and hired a lead by the name of Ann Johnson to build a security practice. She wanted former CISO security execs to help be the liaison to the Fortune 500, so I had a tremendous experience, five years working with an amazing team, worked at the Fortune 500 level, did a lot of C briefing, C-suite, board review, board briefings, a lot of whiteboarding, architecture diagram on a surface hub. It just really opened my eyes to this world, what the executives were looking for, really understanding the business side of it. And then also, what startups were out there, which led to where I'm at today. As I continued to mature my relationships and understand what was going on, I came across Boston Meridian about a decade or so ago.
An investment bank was never a thought process that went through my head. However, they approached me about a couple of companies over that time and we talked about what they were like, what they would do, and then we had a discussion. And coming on board as a CTO, and I've been here two years now, December, and my role is to assess technology to build relationships with startups. And what I really like about it is I see a lot of companies that are under the radar for most C-suites. They're still too small. And so I'm also out talking to private equity and venture capital and seeing what they're looking for, what the strategics, the larger platforms are looking for as well. And I'm also hoping to give back to the community anything I can, and answer any questions about what I've seen or what I've heard to help those that are coming along behind us, so really appreciate the opportunity today. Thank you.
John Richards:
Well, thank you. Well, and today we're hoping to exercise a bit of both of those skills, so that cybersecurity aspect and then some of those assessment skills as we look at artificial intelligence. And part of why you popped up on our radar, why we wanted you as a guest, you've been writing about artificial intelligence and talking about artificial intelligence in this space, and it's been very thought-provoking. And so I would love to get the early thoughts that you have on why cybersecurity, which in my mind tends to be a little bit like, "We're going to take things slow, we're going to be careful," has gotten so excited about AI. So, what are folks looking at AI for and how do they think it might help them?
Shawn Anderson:
It's interesting. I usually look at new technologies as a way to... You educate by doing. You got to get your hands dirty and you got to put your heart into it and really pick it apart. And one of the things that's always been a challenge for us in cyber and in security is having enough people, enough technology, sometimes too much technology, to be able to assess what the true risk or vulnerabilities are that are out there. And we have so many different categories to be able to say what's vulnerable, what's not vulnerable. The challenge is how do we find what is actually exploitable in our environment? And so I think AI, it's going to allow us to do a lot of this stuff that I consider motherhood and apple pie. Things like PET testing. If you talk to a startup five, 10 years ago, every single one of them got started PET testing.
"What do you guys do?" "We're PET testing." And then they matured into network analysis and code analysis and then started getting into building devices or building architecture around firewalls, intrusion detection. I think that we can use AI also to look at things faster than we can look at it. So if we have these known attack vectors, we talk about web security and the [inaudible 00:06:39] top 10, I can shoot AI to that and it can tell me all of my websites and what the potential is for cross-site scripting, what the potential misconfiguration is, because it knows what the standard looks like. And now I can use AI to show me, "Hey, this is what it should be, and you have some gaps you need to look at."
I think finally, the thing that's really exciting about this, the AI, is the human factor. And social engineering is something I think we need to really watch for because AI will become the social engineer if not controlled the right way. And so I think we really need to look to compliance and regulation first, because those organizations, while they're usually playing catch-up, they allow us to build programs that incentivize companies to actually do the right thing. Compliance doesn't mean you're secure, but you're moving in the right direction.
John Richards:
You mentioned a little bit about how folks have this information that they're looking at, but AI can do a little bit more of that at scale that might not be possible for the human person to do. And some of that, we've got tools out there that are looking at risk and vulnerability, and you mentioned the idea of exploitability. What are the things you're looking for to identify exploitability over that risk and vulnerability alone? What were the things when you were a CISO that you were like, "This is what's really critical to me as I'm trying to assess on where I'm going to put limited time and resources?" How do you prioritize that?
Shawn Anderson:
So one of the first things that I take a look at is are we focusing on-prem or in the cloud? And it's a little bit different. We all, most of us, grew up on-prem and we look at networks in the way of intrusion detection, firewalls, access control lists on a router, so it's very much a gates, guns, guards mentality. We're going to put logical physical infrastructure around our data. And the cloud really pushed our boundaries on that because it got rid of the boundary. And now, if you want to look and find out what's most at risk, you have to have a renewed focus on the data protection because your data can be sitting anywhere. I think that's a big challenge with a lot of these companies with their AI models, and it goes back to Google in the early days. When they had their search engine, they put a server on-prem, and yet they still sucked all your data to their environment and pushed it back indexed.
Who is responsible for the security of that data now? And it's now out in the wild even though there's, "Oh, we've secured it." Well, what does that mean? So I think we need to have the ability to look at where's the risk and vulnerability to the data regardless of the location. And this is where AI can help you because I could come in the morning as an analyst and ask, "Hey, did you stop any data from going to countries last night through any ports that we don't do business in?" And within seconds, the system could spit out these five countries and, "Oh, we stopped the data at X, Y, Z. Here's the times," and then you can go back and do the forensics on it. But that's just one small piece because now I'm taking a renewed focus on the data.
The other thing that we have now is the telemetry. It's not just about the network. I can now look at telemetry across the applications, across the network. I can look at who and what is handling the data. Because we look at it as, and we've said this for a number of years, it's always interesting to me that it's not really taken a hold, but identity is the new perimeter. It's the control plane. I know that at Microsoft, we used it probably ad nauseum. My customers were getting tired of hearing it, but in reality, it's true. I have to be able to trust the device, the identity of the device. I have to trust the user, the identity of the user. And you have to put all these components together because if you're a zero trust company, you're telling me you do 40 different things really well. What I'd like to understand is what part of the zero trust story you play, because that's how we find and really fix these exploits so that they're not a risk to our data and our organization.
John Richards:
You mentioned earlier about the AI being a little bit of that social engineering piece, and now as you're able to call up and say, "Hey, here's all this data," it has access to a lot of data. Do you see identity then being a big player in how we lock down what capability we're giving that AI when it starts to get involved on such a level to provide that security and it's reading all your logs has all this information, now it also needs to be secured?
Shawn Anderson:
Yeah, and it is interesting. If I understand your question correctly, John, we talk to a lot of startups and they all talk about the telemetry and getting access to the data, and it's all done through APIs now. "Oh, we wrote an API. We have the connectors." And the challenge is who's protecting and securing the APIs? If I go through Okta, [inaudible 00:11:31] Login, Intra, doesn't matter, I get access through that authenticator and it gives me access to everything on the backside. I don't believe that we should be looking at that. I think we should take the model of just in time, just enough access, like we do with administrators. If you need access to this, why am I not granting it when you need access, not automatically when you log in the morning?
The other piece to that is how do we feed the beast? We've got to have strong identity controls in place because AI, I cannot even describe the amount of data that is going to take place because of AI. We talked about data oceans and it's exponentially worse than that. I worked investigations a lifetime ago. Most weren't even an industry when I started, but it's fascinating to me how scared we were of a one gig hard drive. A thousand bits of data, a thousand stacks of papers [inaudible 00:12:31] monument, and you can't even measure now a yottabyte. And we're feeding the exponential amount of data, and it's going to spit out answers from simple to complex questions within milliseconds. And we've got to have strong controls around that, and we've got to have strong boundaries around that AI. And we've got to really force industry to understand our concerns. We're all in the business of making money, and the more data they have, they'll claim the better telemetry they can provide. But do they need all the data is the question.
John Richards:
Well, for those groups that are trying to do this, maybe they're a startup, they're getting into this space, what should they be looking at to secure this? Or maybe a better way to say that is, if you're a person who is going to use one of these tools, what are the techniques you should be thinking about to say, "Hey, before I adopt something like this, here is the framework or the way I'm going to think about security around this new piece of technology?"
Shawn Anderson:
When you look at AI, you've got to be able to focus on the large language models that they're building. And the challenge is, and we used to use garbage in, garbage out, and it still pertains to AI today. If your large language model is in its pure form and it's new, it's great. Over time, and there's different terms for it. I call it drift, but if you don't have good wind in your sail and you're not really focused on where you're going, you're just going to drift wherever the wind takes you. You've got to have a rudder. And I think that's how we need to look at AI is the large language models need to stay clean in order for them to continue to develop good answers, but they also need to be able to mature in their data sets to be able to provide good answers.
So if you're working in AI, you need to be asking, "Okay, what is the security controls that I'm responsible for if I'm dealing with a shared security model? How are you going to protect my data? How are you securing your AI? How are you securing your language models?" Same thing I go back when I talk to these companies that are building APIs and building connectors. What kind of security do you use to secure the... And I'm not talking about Salt or Noname that do API security. I'm talking about that identity piece, John, that you and I were talking about a few minutes ago. How are you doing the identity at that level, at that layer? I think microsegmentation is a way to look at this, but that requires a lot of work in the architecture. There's got to be good architecture developed as well. So understanding the data, securing the language models in the context there, and then really focusing on your architecture and how you're going to build that out.
John Richards:
Well, you mentioned earlier that the move to cloud brought about that change where we had to throw away, I like that term, the guards and gates and guns defense idea as we left on-premise and started to move to the cloud. Do you see a similar thing where the move to AI is going to really... The adoption of that will cause some radically new approaches to be needed? Or do you think we can repurpose some of our existing techniques as we move into this new space?
Shawn Anderson:
I liken it to there's nothing new under the sun. What we're essentially building, and I've said this for 30 years, when I first found computers and understood at their basic level, and I think we all go back to War Games and the movie with Matthew Broderick. We are creating essentially a neural network, and the neural network of AI and what we're going to on a major global scale is this big brain. The data never is sitting anywhere in your brain. It's always in transit. And I think that's a focus. You can still use routers and switches and you have those. That's the groundwork of the architecture. You need it. It's absolute. But you also have to understand, we have Kubernetes and we have Lambda, and we have clusters out there that are instantaneous. There's not a server there. And that's where compute, I think in the cloud, is continuing to shift how we really look at things. Because it's used, it's fast, and we need to look at it as being able to protect the data regardless of where it's moving or tracking to.
Some of the things that I wish cloud providers did by default, and I think some of them have this attitude of we don't want to break things, is encryption at rest, encryption by default, where we talk about Linux and the operating system and you've installed it before. If you go to install Linux and you don't, it installs everything. Every single package within the OS installs on your computer. You actually have to go in and say, "I don't want this. I don't want this," and unclick the boxes. I think as a cloud solution, when you go out there to the console, every security tool on there should be lit up and you should be looking at this is the total, and if you want that total amount to go down, you start unclicking.
And then you look at your architecture diagram and see the balance of, okay, you just unclicked a lot of stuff. Did you break your architecture? And if you did, you got to go find balance now. And that's where I think that this technology and AI will help with that because it can sift through all that data faster than your brain will ever be able to. I think AI is going to exponentially be smarter than us within a short amount of time. It's just a matter of figuring out how to use it for good.
John Richards:
But hearing that gives me a little bit of, oh, well, if I'm the one clicking those buttons, at least then, or a human being is, there's somebody responsible for that. When something broke, I come back and say, "Hey, you were the reason this happened." Who's accountable then if we're going to say we're going to hand this over to AI? Maybe it's the people put it in place. I don't know. What are your thoughts on that kind of fear that maybe comes along with saying, "I'm going to hand this over to something that's a little bit unknown?"
Shawn Anderson:
It's interesting, because I don't know the solid answer to that. I have ideas on how I'd look at it. AI is a tool. It's a good tool. It's in the toolbox now. It's considerably more compute and able to process it speeds we can't even comprehend. It's going to help us get answers a whole lot faster. It's also going to help us from a safety perspective. If you look at cyber physical, and I had a ride in an Uber and a Tesla a couple nights ago coming back to the house and it's got all the sensors going on around the car, it's telling the driver what lane to be in. You just hit a button and it keeps you in the lane. It won't let you hit anything. That's good use of AI and machine learning. The context now is if we go to the iRobot model of is it going to crash the car because the AI wants to protect something, we can talk about those scenarios all day.
This comes back to the human condition. I think there needs to be controls in place that if you create it, you're responsible for it. We use this model in the government all the time. If you create a document, it's your job to say whether it's secret or top secret or what classification level, and you have rules you follow. And if you read those rules, it'll tell you, "Oh, I need to classify this as X, Y, Z."
Our data needs to be the same way. If an organization is in the business of building oil platforms, they've got huge list of manufacturing and supply chain they've got to be responsible for. They have to be able to use that AI to track those parts all the way back to origination. Because if something gets hacked, something's not built to standard, you risk having a platform issue, an explosion, something catastrophic. And that's where I think AI is going to really hit home is in the different verticals across healthcare, across the banking industry, and just really being able to map the data faster and tell us what to protect. And then it's our job to look at, okay, what's the source of reference that created it? And we need to go all the way back to that, if that answers or helps answer the question. It's a complex topic. You know that.
John Richards:
I think it does. Let me make sure I'm tracking there, but what I'm hearing is we already are starting to almost subsidize tasks over to AI. And you talked about being in the car. I remember when it was like, oh, any kind of autonomous driving features at all were scary. But as we've used them more, we've come to, oh, hey, this saves lives. But you also brought in this idea you mentioned from the government of, maybe gets back to identity, but the person who created it owns this. And then you're putting it out, you're responsible maybe is the right word for it, to oversee how that happens. And then with that model then you can say, "Hey, how can we use this to better secure things?" And then you're watching that over time, seeing if the rates are better.
We think about driving. Well, often it's like, oh, one accident we're worried about. But if you look at the statistics, there are so many car crashes all the time, being able to lessen those would be a huge improvement. Similarly, just because maybe one breach gets through wouldn't invalidate it if you were like, "Look, we've cut down and detected five times as many things as we would have if we were trying to do this manually."
Shawn Anderson:
Right. And a lot of it takes time for people to... I belong to an HOA in my community and they're trying to pass a rule right now that all future meetings could be via Zoom. Well, we have about a third of our neighborhood that are over the age of 60, and a lot of those people don't even have Zoom or any capability like that on their computer. They might never, but it's one of those things where technology has to have balance. We have to have balance. It's like when they went to the credit cards or debit cards at the grocery store. When we first got rid of checks and we had to sign that pad, I think I waited three years, and that speaks volumes at my risk level. But I was like, "I'm putting my signature down there. Somebody's going to now have my signature and they're going to take my identity." And it took just time in my head to wrap my head around that that's a secure device, that it's not capturing.
So I think we need to do the same thing with AI is be able to really educate people as it comes, because it's embedded in everything and it will be. Your smart home. I get notified by my Nest constantly. Do you want to take part in this two-week exercise? We're going to limit or watch your heating and your cooling, and then we will configure it better for you. And I'm okay with that. It's when in the head of summer they want to hit my air conditioning up to 78 and I want it down at 72. I don't believe in that kind of control. So it's balance, and I think that's the key to everything. We've got to have good balance.
And corporations, their primary focus with this is, I cannot lose proprietary corporate data that's going to impact my business. And if I do, do I have the backup and recovery and controls in place to recover quickly? I get hit with ransomware. A lot of companies have backup, but they're finding it's cheaper to pay the ransom because they didn't test their backup. In theory, it's 14 weeks to recovery, so that's a huge issue. And so that's the same thing with AI. If we use these AI tools, what are all the things we have to be considerate about and where our data sits and how it's protected. But we're coming into some exciting times, so I look forward to seeing the advancements as they continue to mature.
John Richards:
Well, is there anything that stands out? As you say, we're coming into exciting times. If you think about what we might see in a few years, is there any areas that you're most excited about or you're keeping an eye on to say, "Hey, this could be a big..." Actually, you mentioned healthcare earlier, but anything that stands out that has you like, "Oh, I'm keeping an eye on this space?"
Shawn Anderson:
I think from an AI perspective, it's the industrial revolution and where we're heading. If you look at Apple and their earbuds or whatnot, they've got patents out there. They're going to do the biometrics and biosignals and being able to measure electrical technology. But these tools are going to be able to figure out if you have a brain tumor, if you have seizures, if there's damage going on just from putting an earpiece in your ear. But that takes a tremendous amount of technology coming together because I've got to have information from the medical community that's not HIPAA-regulated, and if it is, it has to be cleansed so that it's okay to share. I have a lot of disease. Cancer runs with the family. I think AI in the medical community is something that's going to be exponentially huge because it should help us fine-tune solutions to these diseases a lot faster.
Also, from a surgical perspective, if you're looking at medical and what's going on there, we have surgical systems that are in place where a doctor can be sitting here in one country and be doing surgery all the way around the world. That kind of technology to me is just absolutely fascinating. So if I were to say what AI and what piece of that fascinates me the most, it's the combination of AI and robotics across industry, because I need to not only have that brain we were talking about, I've got to put it in something. I've got to put it into a device or build something, and that's where I think the jobs are going to go to as well. You're going to need a lot of mathematicians and science on the brain side, but you're going to need a lot of the builders on the right side. And that's a different mindset. There's very few that can cross that chasm. It's a very unique skillset to build versus think things through from a mathematical perspective, and I'm excited to see where the industry is going across those industries.
John Richards:
Man, I wish I could think of who the quote was from, but I just heard the quote recently where the person was talking about is artificial intelligence going to replace everything? And their point was, intelligence has never been more important than with the rise of artificial intelligence. And I think that aligns right with what you're saying with how we're going to need folks to direct where this goes and make those kind of choices.
Shawn Anderson:
I think we're going to have more thinkers.
John Richards:
Yeah. And that's the jobs you want to be doing, right? Hopefully it's the menial tasks that we start to see being automated where we don't have to waste time on that.
Shawn Anderson:
You should not want to be a server at McDonald's for 30 years. That should not be your career goal.
John Richards:
Well, thank you so much, Shawn, for being on here. Before we wrap things up, I'd love to hear a little bit about what you're doing right now. I know you've got a blog. I'd love to let folks know about what you're doing over there, and then a little bit of what you're doing, any events maybe that are coming up.
Shawn Anderson:
Sure, sure. So blog, [inaudible 00:27:18] securitycafe.com. I dive into the different areas of security and technology, and it's fairly new. I just was getting bombarded by so many different thoughts and questions that I've decided. If I can write it down and maybe articulate it to myself, somebody else might want to know about it. So, there's anywhere from generic basic security stuff out there. I'll continue to write on topics as people shoot notes to me. And what I do at Boston Meridian as a CTO, we're constantly evaluating companies, and we are talking to startups and mature companies all the time. The things that I find interesting is there's money out there in industry for investment. So if you have a good idea, come forward with it. Help us understand what problem you're solving.
A lot of companies build great capability, but they haven't really figured out, fine-tune their message. What does the capability do? Is it on-prem or cloud or both? In AI, the big question with AI and cloud is how scalable is it? If you build a security or a technology solution, does it scale to cloud level or is it something for small business just in a smaller business on-prem environment? And then having unrealistic expectations about distribution channels. I think one thing that cloud is going to allow an AI is going to allow is the managed service providers, and we're seeing this in industry right now. There's consolidation of MSPs because the CIO's shop doesn't have enough bodies, so they're outsourcing to the MSPs. We're seeing obviously a lot of growth in AI. Every startup is trying to figure out how to integrate that.
I'd also say that identity is still huge, along with, we saw with Palo Alto with their acquisition of Dig a month or two ago, that the data security, posture management space is huge. So those are areas that we're seeing that are going to continue to mature and grow, and it goes back to some that we've been talking about for 30 years. Identity, data, security, and how that helps the business grow. And that's the key thing too, is if you're going to come to me with your solution and you're going to tell me you're protecting something, great, but is it going to slow me down or is it going to help me build my business? Because that's at the end of the day what I want to do is I want to make money. So ,that's a lot of the stuff I'm seeing right now. You can go to bostonmeridian.com or you can reach out to me on LinkedIn or shoot me a note, shawn@bostonmeridian.com, and happy to reply.
John Richards:
Thank you again so much, Shawn. Thanks for what you're doing here. And yeah, if you're out there and you're at maybe a startup, you're doing something in AI security, definitely check them out. A great spot to begin. Thank you all for listening, and we appreciate you checking out the podcast. Have a good one.
Shawn Anderson:
Thank you, John.
John Richards:
This podcast is made possible by Paladin Cloud, an AI-powered prioritization engine for cloud security. DevOps and security teams often struggle under the massive amount of notifications they receive. Reduce alert fatigue with Paladin Cloud. Using generative AI, our model risk scores and correlates findings across your existing tools, empowering teams to identify, prioritize, and remediate the most important security risks. If you'd like to know more, visit paladincloud.io.
Thank you for tuning in to Cyber Sentries. I'm your host, John Richards. This has been a production of TruStory FM. Audio Engineering by Andy Nelson, music by Amit [inaudible 00:30:57]. You can find all the links in the show notes. We appreciate you downloading and listening to this show. We're starting out, so please leave a like and review. It helps us get the word out. We'll be back February 14th, right here on Cyber Sentries.
