1
00:00:00,050 --> 00:00:07,229
On Thursday, they issued an emergency
directive mandating that all federal

2
00:00:07,230 --> 00:00:14,559
agencies immediately hunt for signs
of a known Russian APT that broke

3
00:00:14,579 --> 00:00:17,060
into Microsoft's corporate network.

4
00:00:17,700 --> 00:00:24,139
And then they pivoted to steal
some sensitive correspondence from U.S.

5
00:00:24,595 --> 00:00:25,855
government agencies.

6
00:00:26,475 --> 00:00:32,855
And this directive comes, I think it's
a little less than three months after

7
00:00:32,855 --> 00:00:38,955
Microsoft confirmed that attackers
also stole source code from them.

8
00:00:39,644 --> 00:00:41,214
And here's the thing.

9
00:00:41,695 --> 00:00:48,294
They think that this group might still be
poking around in their internal system.

10
00:00:48,524 --> 00:00:48,814
Hey

11
00:01:06,294 --> 00:01:06,774
everybody.

12
00:01:06,775 --> 00:01:10,725
I'm Brad Bussie, chief information
security officer here at e360.

13
00:01:11,215 --> 00:01:16,055
Thank you for joining me for the State
of Enterprise IT Security Edition.

14
00:01:16,545 --> 00:01:20,095
This is the show that makes
IT security approachable and

15
00:01:20,115 --> 00:01:22,295
actionable for technology leaders.

16
00:01:22,915 --> 00:01:26,315
I'm happy to bring you
three topics this week.

17
00:01:26,455 --> 00:01:31,984
The first: as MFA, which is multi-factor
authentication, adoption

18
00:01:32,065 --> 00:01:35,415
grows, so do MFA bypasses.

19
00:01:36,065 --> 00:01:37,155
Second, U.

20
00:01:37,155 --> 00:01:37,315
S.

21
00:01:37,335 --> 00:01:41,535
government on high alert as
Russian hackers steal critical

22
00:01:41,535 --> 00:01:43,964
correspondence from Microsoft.

23
00:01:44,475 --> 00:01:48,864
And third, announcements
from Google Next Conference.

24
00:01:49,695 --> 00:01:51,675
So with that, let's get started.

25
00:01:52,495 --> 00:02:00,385
Now, first topic of today: as MFA
adoption grows, so do MFA bypasses.

26
00:02:01,014 --> 00:02:09,194
So multi-factor authentication,
MFA, is really now a mandate for

27
00:02:09,215 --> 00:02:11,424
most organizations and accounts.

28
00:02:12,074 --> 00:02:12,804
You need it

29
00:02:13,115 --> 00:02:17,655
to get things like cyber insurance
policies for an organization.

30
00:02:18,105 --> 00:02:22,075
And it's even part of a
presidential executive order.

31
00:02:22,865 --> 00:02:26,454
And it's interesting because just
as all of this is starting to

32
00:02:26,464 --> 00:02:28,805
get enforced in organizations,

33
00:02:29,345 --> 00:02:32,375
attackers are now finding
a way to bypass it.
a way to bypass it.

34
00:02:33,125 --> 00:02:37,825
So what I thought I'd do is talk a
little bit about how attackers are

35
00:02:37,825 --> 00:02:43,385
bypassing MFA and some of the things
that you can do, not just as a user,

36
00:02:43,734 --> 00:02:49,574
but as a cyber professional or an
IT person in your organization.

37
00:02:50,364 --> 00:02:56,540
So one of the first styles of attacks
when it comes to MFA is what's called M.

38
00:02:56,540 --> 00:02:56,799
F.

39
00:02:56,799 --> 00:02:56,989
A.

40
00:02:57,000 --> 00:02:57,820
Fatigue.

41
00:02:58,370 --> 00:03:04,649
And this is where a threat actor
essentially peppers a target user with

42
00:03:04,659 --> 00:03:08,079
alerts just to confirm authentication.

43
00:03:08,410 --> 00:03:13,599
And what they're hoping for is somebody is
just going to get tired of it and approve

44
00:03:13,990 --> 00:03:15,940
the authentication request.

45
00:03:16,220 --> 00:03:19,730
And this actually does happen
because the user starts to think,

46
00:03:20,150 --> 00:03:22,830
well, maybe the issue is on my side.

47
00:03:22,840 --> 00:03:27,020
Maybe my email needs some
kind of authentication or one of

48
00:03:27,020 --> 00:03:28,680
my applications is freaking out.

49
00:03:28,689 --> 00:03:31,000
And if I approve it, it'll stop.

50
00:03:32,135 --> 00:03:35,025
And interestingly, if you
do approve it, it does stop.

51
00:03:35,675 --> 00:03:43,184
But the reason it stops is someone
now has that token or that six digits

52
00:03:43,415 --> 00:03:47,184
or just the push authentication,
which then gives them access.

53
00:03:47,775 --> 00:03:55,504
So what's interesting here
is that Apple has seen this style of

54
00:03:55,504 --> 00:03:58,334
attack, but it took it one step further.

55
00:03:58,734 --> 00:04:03,519
Not only was the user getting peppered
with all of these requests, the user then

56
00:04:03,519 --> 00:04:10,220
got a phone call from someone that was
pretending to be Apple support and said,

57
00:04:10,269 --> 00:04:12,940
Hey, there's a problem with your account.

58
00:04:13,380 --> 00:04:18,589
We need you to read us the six
digit code that just popped up.

59
00:04:18,690 --> 00:04:19,029
Yes.

60
00:04:19,029 --> 00:04:22,279
We understand there were like thousands
of them all of a sudden, but that

61
00:04:22,280 --> 00:04:25,390
last one, why don't you go ahead and
read it to us and then we can fix it.

62
00:04:25,909 --> 00:04:31,020
So not only are we talking about
MFA fatigue, but we're also

63
00:04:31,020 --> 00:04:33,280
talking about social engineering.

64
00:04:33,625 --> 00:04:39,995
To a certain extent, and Microsoft
has gone on record saying that

65
00:04:40,005 --> 00:04:47,494
they see somewhere in the realm
of 6,000 MFA fatigue requests

66
00:04:47,915 --> 00:04:50,645
every day in their organization.

67
00:04:50,694 --> 00:04:55,515
So people are targeting Microsoft and
just think of that: 6,000 of these

68
00:04:55,604 --> 00:04:57,304
a day for just one organization.

69
00:04:58,455 --> 00:05:04,935
A second way that MFA is
having some challenges is with

70
00:05:04,965 --> 00:05:06,725
what's called SIM swapping.

71
00:05:07,304 --> 00:05:13,944
So inside of a phone or device,
you have a SIM card and there are

72
00:05:13,944 --> 00:05:18,655
ways of cloning a SIM card without
it even leaving your device.

73
00:05:19,105 --> 00:05:21,915
So if you're interested in
that, there's a whole bunch of

74
00:05:21,915 --> 00:05:23,155
information on how to do that.

75
00:05:23,545 --> 00:05:24,165
Please don't.

76
00:05:24,485 --> 00:05:28,035
And if you're trying
to do it for nefarious purposes,

77
00:05:28,580 --> 00:05:36,200
really don't, because it's a bit of a
challenge for cyber professionals, because

78
00:05:36,690 --> 00:05:42,770
a lot of users don't
want to use an MFA app.
want to use an MFA app.

79
00:05:42,780 --> 00:05:44,170
They don't want to use a token app.

80
00:05:44,190 --> 00:05:45,620
They don't want to use
something like that.

81
00:05:45,880 --> 00:05:47,219
So what's the next best thing?

82
00:05:47,580 --> 00:05:48,880
Well, you get a text message.

83
00:05:49,610 --> 00:05:54,959
Now, if I've cloned your SIM
card, guess what's going to happen

84
00:05:54,960 --> 00:05:56,340
when a text message goes out?

85
00:05:56,949 --> 00:05:59,019
I'm going to get that as the attacker.

86
00:05:59,409 --> 00:06:03,209
So then I've got the code and
then I can go on and continue to

87
00:06:03,685 --> 00:06:08,315
attack you, take over your email,
move laterally, all that bad stuff.

88
00:06:09,875 --> 00:06:14,494
Third way that MFA is having
some challenges is around what's

89
00:06:14,494 --> 00:06:17,015
called session cookie theft.

90
00:06:17,575 --> 00:06:26,460
And that is where a threat actor will
swipe what I like to call

91
00:06:26,460 --> 00:06:32,450
the browser's hall pass, and that
is the session cookie and it's just

92
00:06:32,450 --> 00:06:38,990
a stored string of characters that
allows for, think of it as like re-entry

93
00:06:39,029 --> 00:06:44,229
into an application or system
without re-entering a password.

94
00:06:44,530 --> 00:06:47,520
So essentially all the good stuff
like, hey, I know who this person is.

95
00:06:47,520 --> 00:06:48,710
They are who they say they are.

96
00:06:49,000 --> 00:06:52,030
They're coming from a device
that says that it is what it is.

97
00:06:52,030 --> 00:06:56,260
We verified that; we don't
need to necessarily check

98
00:06:56,380 --> 00:06:58,230
that again for 30 minutes.

99
00:06:58,490 --> 00:07:01,880
So then it creates one of
these session cookies.

100
00:07:02,485 --> 00:07:06,125
It's just kind of how applications
work. In a zero trust environment,

101
00:07:06,525 --> 00:07:12,245
it actually would check each
authentication and authorization request.

102
00:07:12,585 --> 00:07:15,195
So this kind of theft
doesn't really happen.

103
00:07:15,695 --> 00:07:18,894
Most organizations are still
implementing zero trust.

104
00:07:18,895 --> 00:07:19,964
It's not fully there.

105
00:07:20,364 --> 00:07:20,824
So,

106
00:07:21,490 --> 00:07:22,700
this one is a bad one.

107
00:07:22,850 --> 00:07:28,020
This actually impacted Okta
back in October of 2023.

108
00:07:28,480 --> 00:07:33,099
And that's how some of their
customers got compromised.

109
00:07:33,830 --> 00:07:38,779
Now, probably the more useful thing
when it comes to this is,

110
00:07:38,779 --> 00:07:40,089
what can you actually do about it?

111
00:07:40,729 --> 00:07:47,080
So when it comes to cookie theft,
one of the best things you can do is

112
00:07:47,080 --> 00:07:52,820
just shorten the amount of time that
a cookie is valid before it expires.

113
00:07:53,269 --> 00:07:59,840
Some applications, it's like 90 minutes,
some are days, others are minutes.

114
00:08:00,074 --> 00:08:04,615
And those are the types of applications
that I like, that just kind of

115
00:08:04,625 --> 00:08:06,525
limit how long that cookie's alive.

116
00:08:07,445 --> 00:08:12,994
I would say the gold
standard, and this is something that

117
00:08:12,994 --> 00:08:18,354
comes from CISA, and you hear me
talk about CISA pretty often, and

118
00:08:18,744 --> 00:08:26,435
that really is focusing on protecting
multi-factor overall, and that's

119
00:08:26,445 --> 00:08:30,945
creating a phishing-resistant MFA.

120
00:08:31,315 --> 00:08:36,834
And this is using, like, a smart
card, what we call a FIDO

121
00:08:36,865 --> 00:08:43,174
security key, where only the key
owner has access to their device.

122
00:08:43,645 --> 00:08:50,775
So think of it as something you have,
something you know, and then take it one

123
00:08:50,775 --> 00:08:55,615
step further with something you are, your
face, your fingerprint, things like that.

124
00:08:56,275 --> 00:08:59,094
And really, even a one-time code

125
00:08:59,395 --> 00:09:03,335
sent to a phone is not bad.

126
00:09:03,725 --> 00:09:05,745
It's not the worst way to authenticate.

127
00:09:06,345 --> 00:09:11,045
And I would say any MFA is
better than no MFA at all.

128
00:09:11,435 --> 00:09:15,035
But I would say, because of some
of the things that we talked about,

129
00:09:15,405 --> 00:09:18,734
just making sure that we have another
factor of authentication for the

130
00:09:18,734 --> 00:09:24,844
important things, that's where
I would be angling for. Second

131
00:09:24,854 --> 00:09:30,994
thing that I wanted to talk about
today is the U.S. cybersecurity agency,

132
00:09:31,415 --> 00:09:38,675
CISA. Again, on Thursday, they issued
an emergency directive mandating that

133
00:09:38,765 --> 00:09:45,044
all federal agencies immediately
hunt for signs of a known Russian APT

134
00:09:46,224 --> 00:09:53,295
that broke into Microsoft's corporate
network, and then they pivoted to steal

135
00:09:53,564 --> 00:09:56,805
some sensitive correspondence from U.

136
00:09:56,805 --> 00:09:57,074
S.

137
00:09:57,074 --> 00:09:57,125
agencies,

138
00:09:57,410 --> 00:10:02,760
government agencies. And this
directive comes, I think it's a

139
00:10:02,760 --> 00:10:09,139
little less than three months after
Microsoft confirmed that attackers

140
00:10:09,180 --> 00:10:11,780
also stole source code from them.

141
00:10:12,460 --> 00:10:19,180
And here's the thing, they think
that this group might still be poking

142
00:10:19,180 --> 00:10:21,500
around in their internal systems.

143
00:10:23,040 --> 00:10:27,729
And you've heard me say this on a previous
podcast, I don't like to say the name of

144
00:10:27,740 --> 00:10:32,860
the attacker group because I feel that
it gives them notoriety and some power.

145
00:10:33,150 --> 00:10:33,900
So I'm not going to do it.

146
00:10:34,209 --> 00:10:39,269
So if you want to know who they are,
you can look up the

147
00:10:39,269 --> 00:10:41,974
actual breach from three months ago

148
00:10:42,305 --> 00:10:43,925
and read more about this hacker.

149
00:10:45,045 --> 00:10:53,045
So according to the directive from CISA,
federal agencies, they need to analyze

150
00:10:53,605 --> 00:11:00,905
the content of exfiltrated emails and
reset any compromised credentials,

151
00:11:01,495 --> 00:11:07,805
and take additional steps to ensure
that authentication tools for privileged

152
00:11:08,125 --> 00:11:10,625
Microsoft Azure accounts are secure.

153
00:11:11,075 --> 00:11:15,664
So what they're saying
here is, anytime that you think you've

154
00:11:15,665 --> 00:11:20,334
been part of a breach, or you've been
notified that you are part of a breach,

155
00:11:21,264 --> 00:11:27,155
one of the first things you should do
is go and reset compromised credentials.

156
00:11:27,469 --> 00:11:30,699
I say, take it a step
further, reset everything.

157
00:11:31,160 --> 00:11:35,050
So if you get one of those letters
in the mail that says, Oh, sorry.

158
00:11:35,509 --> 00:11:39,349
You know, someone went
through our systems and they now

159
00:11:39,349 --> 00:11:42,539
have your username, password,
blah, blah, all that kind of stuff.

160
00:11:42,780 --> 00:11:44,049
Here's your free credit monitor.

161
00:11:44,449 --> 00:11:44,919
Thank you.

162
00:11:45,429 --> 00:11:45,769
Great.

163
00:11:45,839 --> 00:11:49,400
Take your credit monitoring,
but then go and cycle all of

164
00:11:49,400 --> 00:11:50,959
your usernames and passwords.

165
00:11:51,470 --> 00:11:52,620
Especially.

166
00:11:52,990 --> 00:11:55,790
I know some of you are going
to kind of go, Oh, that's me.

167
00:11:56,300 --> 00:12:00,680
If you are using variations of the
same password on all of your different

168
00:12:01,530 --> 00:12:04,850
websites, accounts, anything like that.

169
00:12:05,430 --> 00:12:07,319
And for those of you that use the same

170
00:12:07,815 --> 00:12:08,865
password for everything.

171
00:12:09,734 --> 00:12:11,615
I don't even know what the
word I'm going to use is.

172
00:12:12,145 --> 00:12:18,775
How about: don't, and try a password
manager, because if you don't have

173
00:12:18,775 --> 00:12:23,355
the time to remember and change and do
variations, it does all that for you.

174
00:12:23,415 --> 00:12:24,984
And you can find free ones.

175
00:12:25,884 --> 00:12:27,944
It's definitely better
than what you're doing now.

176
00:12:28,804 --> 00:12:36,015
So when it comes to the compromise of
the Microsoft system, a lot of it was

177
00:12:36,015 --> 00:12:42,135
the corporate email accounts, and there
was that exfil of correspondence between

178
00:12:42,625 --> 00:12:48,564
government agencies and Microsoft, and
that's where the real concern happens is

179
00:12:48,564 --> 00:12:53,564
that since this is a Russian attacker,
they are looking at this from the

180
00:12:53,564 --> 00:12:57,185
government standpoint, the different
agencies that are communicating with

181
00:12:57,185 --> 00:13:01,635
Microsoft, and it's kind of
working its way out as a blast radius.

182
00:13:01,995 --> 00:13:03,045
So that's what we're really

183
00:13:03,200 --> 00:13:07,449
concerned about, that's what CISA is
concerned about, and that is what

184
00:13:07,460 --> 00:13:11,110
Microsoft is concerned about now.

185
00:13:11,850 --> 00:13:20,530
Microsoft has represented to CISA that
for the subset of affected agencies

186
00:13:20,670 --> 00:13:24,089
whose emails perhaps contained

187
00:13:24,605 --> 00:13:28,775
things like authentication secrets,
that would be like credentials or

188
00:13:28,775 --> 00:13:30,855
passwords. Why that was in there,

189
00:13:30,935 --> 00:13:32,815
I don't know, but it happened.

190
00:13:33,295 --> 00:13:40,525
Microsoft said that they'll
provide metadata for those agencies.

191
00:13:40,605 --> 00:13:43,485
And what that means is they
can take that metadata and see

192
00:13:43,780 --> 00:13:46,580
what the impact looks
like in their systems.

193
00:13:46,970 --> 00:13:52,640
So a lot of this is for the agencies
that are impacted, but I think this is

194
00:13:52,640 --> 00:13:57,959
just an interesting story because it
goes to show even large organizations

195
00:13:58,170 --> 00:13:59,720
continue to struggle with this.

196
00:14:00,140 --> 00:14:04,770
And the larger the org, it seems like
the more that they're being attacked,

197
00:14:04,870 --> 00:14:08,140
especially by well-funded nation states.

198
00:14:09,454 --> 00:14:20,615
So Microsoft, after providing this
metadata, they are basically saying

199
00:14:20,625 --> 00:14:27,064
that because this was a professional
hacking team that used, not like

200
00:14:27,064 --> 00:14:31,604
an old style of attack, but a
common style, which is a password

201
00:14:31,604 --> 00:14:34,309
spray to compromise compromise.

202
00:14:34,940 --> 00:14:40,660
A legacy non production test tenant,
and that's how they gain their foothold.

203
00:14:40,980 --> 00:14:44,309
So just keep this in mind when
you're thinking about, well, how do

204
00:14:44,309 --> 00:14:46,319
these attacks continue to happen?

205
00:14:46,319 --> 00:14:49,030
We've got, you know, multi
factor authentication,

206
00:14:49,040 --> 00:14:50,009
which we just talked about.

207
00:14:50,009 --> 00:14:52,509
We've got all of these hardened systems.

208
00:14:52,509 --> 00:14:53,520
We have all of these things.

209
00:14:54,260 --> 00:14:57,639
A lot of the time, the
challenge comes from tech debt.

210
00:14:57,700 --> 00:15:00,970
It's these old systems that someone
still needs for some reason.

211
00:15:01,240 --> 00:15:02,379
You can't turn them off.

212
00:15:02,650 --> 00:15:04,219
You can't change the password.

213
00:15:04,670 --> 00:15:08,260
You can't even look at the system
wrong or it crashes and next thing

214
00:15:08,260 --> 00:15:11,490
you know, you've got a bunch of
people that are unable to work.

215
00:15:11,889 --> 00:15:17,259
So when it comes to those types of
systems, we need to wrap some additional

216
00:15:17,259 --> 00:15:22,189
layers and controls around them, because
if they're still being used, even in

217
00:15:22,189 --> 00:15:25,700
development, this is a great example.

218
00:15:26,015 --> 00:15:32,345
Of you can still establish a foothold
in some systems because developers,

219
00:15:33,245 --> 00:15:39,865
system admins, engineers, sometimes
we create these backdoors into systems

220
00:15:39,865 --> 00:15:41,965
just for us, it's just meant for us.

221
00:15:42,355 --> 00:15:46,895
But next thing you know, somebody
else is using that type of a

222
00:15:47,065 --> 00:15:48,945
backdoor to get into other systems.

223
00:15:49,535 --> 00:15:55,355
So if you're creating something just
for you to use in your application,

224
00:15:55,435 --> 00:15:57,054
your systems, your network.

225
00:15:57,640 --> 00:16:02,640
I'm going to bet money that somebody
else is going to find and use that.

226
00:16:03,089 --> 00:16:09,410
So I would recommend: A, don't create it. B,
if you are creating it during development,

227
00:16:09,740 --> 00:16:15,430
document it and make 100 percent
sure that it is no longer accessible.

228
00:16:15,730 --> 00:16:22,290
Third topic for today is the Google
Next conference, which I recently

229
00:16:22,290 --> 00:16:28,114
attended, and I got to learn a
third of a lot about some of the new

230
00:16:28,935 --> 00:16:32,444
solutions, products and features.

231
00:16:32,924 --> 00:16:38,264
So one of the interesting things was
Gemini for cloud and cybersecurity.

232
00:16:38,644 --> 00:16:43,394
So many of you probably remember
the experiment by Google,

233
00:16:43,394 --> 00:16:44,904
which was known as Bard.

234
00:16:45,434 --> 00:16:46,294
Well, Bard

235
00:16:46,459 --> 00:16:53,069
was powered by a large language
model, gen AI, and the name that

236
00:16:53,069 --> 00:16:54,689
it's going by now is Gemini.

237
00:16:54,859 --> 00:16:55,859
So Bard is gone.

238
00:16:55,919 --> 00:16:57,099
You can still type bard.

239
00:16:57,250 --> 00:16:57,550
google.

240
00:16:57,719 --> 00:16:58,019
com.

241
00:16:58,020 --> 00:16:58,990
It'll take you to Gemini.

242
00:16:59,240 --> 00:17:00,139
Same good stuff.

243
00:17:00,659 --> 00:17:01,409
I'm not going to say same.

244
00:17:01,839 --> 00:17:02,540
Better stuff.

245
00:17:03,200 --> 00:17:04,629
A lot better.

246
00:17:04,699 --> 00:17:07,379
More to the large language model now.

247
00:17:08,069 --> 00:17:09,709
So I attended the conference.

248
00:17:10,800 --> 00:17:13,780
It was full of innovative solutions.

249
00:17:13,790 --> 00:17:17,639
I mean, I walked the show floor
and I, this is kind of funny.

250
00:17:17,639 --> 00:17:24,849
I had an AI scan my face and then tell
me what job I'm most likely to have.

251
00:17:25,699 --> 00:17:31,290
And apparently it thinks I should
have been a firefighter, an astronaut.

252
00:17:31,745 --> 00:17:32,915
Or a journalist.

253
00:17:33,855 --> 00:17:37,435
I think that was a bit of a
range, but, but I'll allow it.

254
00:17:38,175 --> 00:17:40,365
I think it's, it missed
the mark a little bit.

255
00:17:40,365 --> 00:17:44,484
I mean, it did skip cybersecurity
professional, but hey, I think, you

256
00:17:44,484 --> 00:17:46,135
know, they're still training the model.

257
00:17:46,185 --> 00:17:52,864
So it's not perfect yet, but Google
introduced a bunch of new features that

258
00:17:52,944 --> 00:17:57,425
provide AI assistance to help customers

259
00:17:57,885 --> 00:18:03,105
work, code, identify and
resolve security threats.

260
00:18:04,004 --> 00:18:10,175
And what I found also interesting is
they've expanded access to some of the

261
00:18:10,185 --> 00:18:15,859
general AI models, and they introduced
something called an AI hypercomputer.

262
00:18:16,399 --> 00:18:22,700
and AI-powered Workspace features as
part of their enterprise offering.

263
00:18:23,530 --> 00:18:31,590
So starting from this conference,
they, Google is upgrading some

264
00:18:31,590 --> 00:18:38,770
of the features, like, we'll call it
Gemini Code Assist, and that can

265
00:18:38,770 --> 00:18:44,700
generate and test code for developers,
which is pretty exciting.

266
00:18:45,320 --> 00:18:50,300
And then they're also providing
some more AI-driven tools

267
00:18:50,850 --> 00:18:54,240
to help security operations.

268
00:18:54,730 --> 00:19:00,739
So this really is helping an
organization spot threats and

269
00:19:00,810 --> 00:19:06,590
summarize the intelligence that's been
discovered and, or fed into the system.

270
00:19:07,049 --> 00:19:09,939
And then, I like, take action

271
00:19:10,370 --> 00:19:14,280
against the threat and/or attack.

272
00:19:14,979 --> 00:19:18,689
So Gemini has a threat intel component.

273
00:19:18,699 --> 00:19:22,739
Now, it's in preview, but it's
still functional, which

274
00:19:22,789 --> 00:19:28,719
I definitely like. It uses
natural language to deliver,

275
00:19:30,169 --> 00:19:36,340
think of it as like a deeper insight
about how threat actors actually behave.

276
00:19:36,800 --> 00:19:41,219
And I think what's useful about this is
that it does use that natural language.

277
00:19:41,899 --> 00:19:47,569
There's a pretty large
context window that enables

278
00:19:47,850 --> 00:19:56,000
anybody to analyze bigger and bigger
samples of potentially malicious content.

279
00:19:56,340 --> 00:19:59,749
And that can be code that can be
a bunch of different things, and

280
00:19:59,749 --> 00:20:01,820
it just gives you better results.

281
00:20:03,010 --> 00:20:08,939
One of the things that I liked,
that I saw as some good value, is the

282
00:20:09,330 --> 00:20:19,230
AI security add-on, and that's really
looking at data privacy and security.

283
00:20:19,639 --> 00:20:24,559
Because those continue to be top of
mind for me, top of mind for you.

284
00:20:24,930 --> 00:20:33,039
And with Gen AI really taking
center stage, what's interesting is

285
00:20:33,510 --> 00:20:36,879
data breaches, they increased 20%

286
00:20:37,240 --> 00:20:42,179
last year, and I think the bigger that
GenAI gets, we're going to start seeing

287
00:20:42,179 --> 00:20:48,220
more and more breaches because as you've
heard me talk about previously, if you

288
00:20:48,230 --> 00:20:54,919
haven't done data governance correctly,
the biggest insider threat you can

289
00:20:54,919 --> 00:20:58,339
introduce into your organization is

290
00:20:58,920 --> 00:21:00,760
generative AI.

291
00:21:00,760 --> 00:21:06,370
It is this large language model because
the model is just going to do what it's

292
00:21:06,370 --> 00:21:10,940
been primed to do what it's learned to do.

293
00:21:11,450 --> 00:21:14,490
And in some cases, you're
going to ask it a question.

294
00:21:14,620 --> 00:21:15,459
What's its job?

295
00:21:15,470 --> 00:21:17,770
It's going to go get you
the answer to that question.

296
00:21:18,310 --> 00:21:22,169
It doesn't know if it's necessarily
supposed to have access to that

297
00:21:22,169 --> 00:21:24,740
information. If it does have access to it,

298
00:21:25,330 --> 00:21:27,659
it's going to pull it back and
it's going to give it to you.

299
00:21:28,140 --> 00:21:35,750
And if you have users that are giving
PII or information to these gen AIs and

300
00:21:36,199 --> 00:21:38,524
it's not supposed to go out.

301
00:21:39,184 --> 00:21:40,814
Well, it doesn't know that
it's not supposed to go out.

302
00:21:41,205 --> 00:21:45,094
So we're needing to wrap more and
more security controls around this.

303
00:21:45,094 --> 00:21:47,054
And this is what Google has identified.

304
00:21:47,534 --> 00:21:53,445
So they're starting to add more
components to their security suite

305
00:21:54,014 --> 00:21:57,339
to help with all of the things

306
00:21:57,740 --> 00:22:01,400
that I just talked about, and
they are starting to weave Gemini

307
00:22:01,660 --> 00:22:10,649
into Gmail, into Workspace, and they're
bringing the whole zero trust principles

308
00:22:11,049 --> 00:22:19,699
into augmenting Gemini and helping
to deliver AI powered threat defense.

309
00:22:20,680 --> 00:22:26,010
And I look at this as, you know, our
job in security, it's never done.

310
00:22:26,835 --> 00:22:34,885
And with the way that the market is
innovating, really, I love organizations

311
00:22:35,014 --> 00:22:41,864
that are focused on helping to
keep our data safe.

312
00:22:42,435 --> 00:22:46,405
And I think when you look at some of
the neat things that Google's doing,

313
00:22:47,235 --> 00:22:52,034
things like, you know, extending DLP
controls, allowing classification

314
00:22:52,044 --> 00:22:56,905
labels into Gmail, they're, you know,
they're not the only ones doing this,
they're not the only ones doing this,

315
00:22:56,965 --> 00:23:02,885
but I just was drinking a whole lot
of Google Kool-Aid over the past week.

316
00:23:03,215 --> 00:23:05,304
And I walked away from the experience

317
00:23:05,905 --> 00:23:10,315
really happy with a lot of the
security things that I'm starting to see

318
00:23:11,405 --> 00:23:15,255
get woven into that, that whole suite.

319
00:23:16,005 --> 00:23:21,434
So thank you for joining me and I
look forward to next time on the State

320
00:23:21,435 --> 00:23:23,675
of Enterprise IT Security Edition.