AI in Cybersecurity: A Nuclear Threat or a Defensive Tool? with Rodrigo Loureiro

[00:00:00] .

[00:00:02] When I'm told AI might be a nuclear threat in cybersecurity, I do have to know a little bit more. What is the state of play in cybersecurity? How is AI transforming responses? And what more can we learn? Rodrigo Lallaro joins me on this bonus episode of the Business of Tech.

[00:00:22] Today's episode is supported by Huntress. You want to focus on your clients and are always looking for ways to get more time.

[00:00:31] Use Huntress' fully managed cybersecurity platform to fight off cyber threats.

[00:00:37] Huntress is more than cybersecurity software for endpoints and identities. It's a 24 by 7 security operations center.

[00:00:44] It's security awareness training, community engagement, and dedicated partner support with an average CSAT score of 99.3%.

[00:00:53] Technology can only get you so far. Human expertise is what's needed to truly elevate and protect small businesses. And you get that with Huntress.

[00:01:03] Secure your clients and help them thrive with the number one rated EDR for SMBs on G2. Visit huntress.com slash MSP radio to find out more.

[00:01:15] Well, Rodrigo, thanks for joining me today.

[00:01:18] Thank you. It's a pleasure to be talking to you and getting to know you, Dave.

[00:01:23] Well, you spent a ton of time looking at companies and helping them with their cybersecurity profile.

[00:01:28] Give me a first look in your take of the state of play for cybersecurity.

[00:01:34] So in terms of the state of play for cybersecurity, I have to unfortunately bring in my own personal opinion,

[00:01:43] which is the biggest failure for cyber for organizations in general around cybersecurity is that companies are still failing at the basic at the cybersecurity one-on-one.

[00:01:57] What I typically call the cybersecurity hygiene.

[00:02:00] There's obviously a lot of conversation about advanced security and and ideas is IPS is and all of those stuff.

[00:02:10] But, you know, if I had my take, if I had my if I was king for a day, I would wish all organizations were very good at cybersecurity hygiene.

[00:02:20] That would solve, in my opinion, 80 percent of the cybersecurity problems that most organizations face.

[00:02:27] OK, so let's go right there because one of the problems is the motivation.

[00:02:32] You said if you could wish. Well, clearly we haven't motivated business leaders enough to invest here.

[00:02:38] I want to give you a premise and I want you to kind of react to it.

[00:02:41] Tell me what your thoughts are. So my premise is that business leaders really don't want to spend money on cybersecurity because it doesn't drive revenue and it isn't driving the business case.

[00:02:51] And so it won't ever get attention as it should.

[00:02:54] What's your reaction to that premise?

[00:02:56] So that is unfortunately true.

[00:03:00] You know, I will I will give you an example.

[00:03:03] You know, back in 2015, I was hired by a large high education company with the with universities around the world, 67 universities around the world.

[00:03:16] And that premise was different. Why?

[00:03:19] Because that premise was that the company, a four billion dollar private company, was preparing for an IPO as part of that preparation for the IPO.

[00:03:29] They had to have a cybersecurity program.

[00:03:33] So there there was a business case for cybersecurity.

[00:03:37] So I had the very good fortune of joining the organization and I can't say that I that I had unlimited funds.

[00:03:46] We never do, especially in higher education.

[00:03:49] But I had a very motivated board and a very motivated executive team to really clean up cybersecurity, putting a good face, get the cybersecurity insurance in place and put on a good face for the investors.

[00:04:06] So you are absolutely correct.

[00:04:09] Unless there is a business driver for the company to invest in cybersecurity, companies tend not to invest in cybersecurity, which, you know, in my opinion is a big mistake because for me, cybersecurity is table stakes.

[00:04:26] It's essentially the infrastructure, the basics of any company these days because all companies these days are digital companies.

[00:04:35] I agree with that. But if we're trying to push cybersecurity to be a thing, we have to actually like we have to meet business people where they're at.

[00:04:43] I would offer don't we need regulation to make that a requirement?

[00:04:49] We've got a bunch of regulations around all kinds of other safety elements for operating business wouldn't talk about like how regulation now you view it and what you think the outcomes and necessary regulations are to make it to actual table stakes.

[00:05:03] I view it as mandatory.

[00:05:08] I view it as a failure of our government and overall our society, if you will, that we are still missing those regulations.

[00:05:18] And I will give you an example, right? Every single private company needs to comply with, for example, the SOX standard.

[00:05:26] So the integrity of the financial reporting and so on and so forth.

[00:05:30] You know, there's been discussions and conversations over the last few years that SOX is going to expand to include cybersecurity controls more than just audit and compliance controls over the financial reporting.

[00:05:46] And for me, it's a failure not to have done that already.

[00:05:50] I feel that if we need if we have to increase the security of our critical infrastructure, it's only about regulation because I'll give you another example.

[00:06:03] You know, credit card handling, you know, we have the PCI standard and therefore all companies that are in that business comply with a PCI standard.

[00:06:14] So when PCI came to the floor, obviously there was a wide increase of the cybersecurity part.

[00:06:21] So we do need at the very minimum for public companies and for example, SOX to be extended to the cybersecurity controls rather than just audit compliance requirements.

[00:06:38] I mean, I would agree with that. And I'd say at some level.

[00:06:41] So what's your take on what CIS is doing and their investments and how that relates to private companies leveraging?

[00:06:49] Yeah, they talk a good game. They don't put they don't enforce it right.

[00:07:00] I do think that there are good communications. They talk about the right things, as I always say, they're missing a little bit of teeth and it's only with that teeth is only with those regulatory standards and more than just the regulatory standards with enforcement and audit that we will be able to move forward.

[00:07:25] So the CISA has been trying to do them. The White House has been putting out some some good executive orders, but invariably in all of those executive orders, the audit and compliance mandate is still missing.

[00:07:41] So if I could give them, if I had if anybody is from CISA is hearing you, then why don't we put some some some enforcement of those of those good regulations, good guidelines that is coming out regularly from them?

[00:07:59] Well, you've made the case for Congress to pass laws because that's the teams required. I'm going to pivot a little bit here. You've termed AI as a nuclear threat to cybersecurity. Now I'm impressed. That's a big bold statement.

[00:08:13] Let's observe that nuclear weapons wipe out all life on Earth. So tell me more about why you think that this is that AI is a nuclear threat for cybersecurity.

[00:08:24] Nuclear threat is a is a is a nuclear threat for cybersecurity because of the massive capabilities of the adversaries, all attackers to be able to have an army of you know and whether we call those the AI today as conscious or not.

[00:08:47] That's really besides the point, but it's tireless bots that can execute and penetrate an organization. So imagine this. Imagine, for example, the threat that is represented by what we call the script kiddies, right?

[00:09:07] You know, it's the it's the curious young people around the world with armed nothing more than a few scripts that penetrating to your organizations and they have a good success rate at doing that.

[00:09:20] Now imagine multiply that by millions because to create an AI bot, you know, either you don't need anything else than a small computer and imagine that those bots are working 24 seven.

[00:09:35] Constantly attacking organizations and then you multiply that by the millions of scripted kids that are out there. So for me, I turned it that way because for me it arms those hundreds of thousands or millions of cyber attackers that don't have a lot of skills and arms them with the skills and the power and the knowledge to cause serious damage.

[00:10:04] And then you couple that with what I talked at the beginning that most organizations lack basic hygiene in terms of cyber security.

[00:10:14] And that's why I see it as a as a very serious threat to the stability of our digital infrastructure.

[00:10:23] Now I want to understand the difference between current and what you're thinking about because while I appreciate the threat of script kiddies, I would push back and say like, look, ransomware is run by mafia gangs.

[00:10:35] Like it's a it's these are well run corporate entities that just happen to implement illegal practices rather than legal.

[00:10:44] I mean, I don't think of script kiddies attacking businesses. I think of mafia style businesses that have multi-tier administration have automated their processes to the level of already implementing those bots have, you know, affiliate programs where they can they can sell it out and have armed those bots.

[00:11:04] Those non-technical people already. What's the difference you think AI is going to bring to the landscape that makes it that much more threat?

[00:11:12] Well, AI will be able to, you know, the big promise of AI when when when organizations look at it is increase in productivity, increase or efficiency.

[00:11:27] Now think about that and apply it to those nation states and to those mafias and to those gangs that are organized as cyber crime.

[00:11:39] It is going to impact and increase their effectiveness and increase their productivity, which in my book is a terrible thing because they're already very effective and very productive.

[00:11:53] So you've also offered that this that AI may be part of the defense.

[00:11:57] How do you think that that fits in as a countermeasure?

[00:12:02] So more than just that, I think AI is the only defense that that we that we can have against these.

[00:12:11] I mean, it's essentially an arms race, right?

[00:12:15] You don't bring a knife to a gunfight and the attackers are going to use AI.

[00:12:21] There's nothing you can do about that.

[00:12:23] So if on our side, on the defense side, you are hesitant about about the use of AI, you don't want your people to use AI.

[00:12:35] You are essentially putting your your cyber defenses with knives, arming them with knives to fight off gun slingers.

[00:12:44] So that's why I think that we must use AI.

[00:12:49] One of the most obvious applications of AI is in terms of cybersecurity analysts.

[00:12:56] Our our industry is desperately lacking qualified cybersecurity analysts.

[00:13:04] So AI can contribute to increase the effectiveness and the productivity of those cybersecurity analysts,

[00:13:11] because right now the few that we have are already overwhelmed with responding to incidents in order to to increase and and protect against this heightened attackers.

[00:13:26] The only one the only way we can do that is through the use of AI.

[00:13:31] OK, now I want to want to ask a question.

[00:13:33] Somebody thinks a lot about this.

[00:13:35] We brought up the nation states.

[00:13:37] Why do we allow rogue nation states on the Internet?

[00:13:41] I'm going to say like, why do we why do we Western countries allow Russia to communicate to our Internet?

[00:13:47] They're allowing cyber criminals to run freely.

[00:13:50] Why do we allow that?

[00:13:51] What's your take on the idea of just sanctioning their Internet access?

[00:13:55] Well, we live in a.

[00:13:58] We can't do anything about the fact that we're living in a free market and that we're living in a global economy.

[00:14:06] So it's simply not feasible to say, hey, we eliminate Russia from from from the Internet.

[00:14:15] I mean, they will access the Internet regardless.

[00:14:17] I mean, the Internet is a distributed system.

[00:14:20] There's no central control of the Internet.

[00:14:23] So it's it's technically impossible to say, hey, we're not going to to allow Russia on to the on to the Internet because it's a distributed function.

[00:14:35] More than that, from a defensive side, you can't just say I'm going to block all my systems from Russia because they're already inside.

[00:14:43] So they are using AWS.

[00:14:45] They are using Azure.

[00:14:47] They're using the Google Google Cloud.

[00:14:49] So they are they're already inside.

[00:14:51] So, for example, you're just saying, oh, I am I'm good because I block off all traffic from from Russia.

[00:14:58] Well, you can't you're not going to block all traffic from from AWS.

[00:15:02] It's not it's not practical.

[00:15:03] And obviously, from from a free market and the capitalist society perspective, AWS is getting a lot of revenue from Russia or from India or from we sanction countries all the time.

[00:15:17] We we say you can make it illegal to do business with countries that peddle in cyber criminals.

[00:15:23] We want we talk about regulation.

[00:15:25] We want to have consequences.

[00:15:27] Free market isn't necessarily completely.

[00:15:29] And by the way, they are the free market.

[00:15:31] They don't allow us unfettered access to their.

[00:15:34] In fact, they've built let's pick on the Russians for a moment.

[00:15:37] They've put in a program to build themselves independent from the Internet.

[00:15:42] So it's not a two way street of freedom.

[00:15:45] I want to actually ask, like, why are we assuming it just has to be free market and then we have to allow this?

[00:15:53] Why is that the security answer?

[00:15:57] I'm not saying that it's the security answer.

[00:16:01] What I'm saying is that's my pragmatic view of things.

[00:16:07] I think it's very easy for us to say, hey, we don't do business with Iran or we don't do business with Cuba or we don't be the business with Libya.

[00:16:19] You know, those are kind of easy things to implement.

[00:16:24] But you know, just just look at the recent history, right?

[00:16:28] Russia invaded, invaded Ukraine and, you know, the world survives oil from them still does business with them.

[00:16:36] So when you look at markets like Russia and China, it's simply not practical.

[00:16:44] There are too many vested interests in continuing those commercial relationships with countries such as Russia and China.

[00:16:54] For us on the cybersecurity side to say, hey, that's the answer.

[00:16:59] Let's push and the government and the authorities to cut relationships with them.

[00:17:06] You know, from my perspective, that's something we're not going to win that battle.

[00:17:11] So that's why I say that the market and the markets and free capitalist society will not outlaw a country like China that, you know, I don't know the exact numbers.

[00:17:28] But I think they're well on their way to be to be a bigger economy than than than than US.

[00:17:36] And for all large companies in this country and around the world, you know, the Chinese market represents anywhere from 25 percent to 40 percent of their of their revenue, depending on who they are.

[00:17:49] You know, Tesla wouldn't survive without selling their cars in China.

[00:17:54] So I think that there are too many vested interests for us to say that it's practical for us to say, hey, let's deal with with Russia or China the same way we did.

[00:18:04] We do with Libya or Iran.

[00:18:07] So I appreciate the perspective.

[00:18:09] So why are you looking at in terms of like those those critical A.I.

[00:18:13] defensive capabilities?

[00:18:14] Where do you think the best investments are happening right now?

[00:18:19] So the the the best investments right now is in the analysis of the mountains of data that that we have available.

[00:18:30] Oh, we're not lacking in organizations and corporations and authorities, governments, critical infrastructure.

[00:18:37] They're not lacking in terms of the data, you know, invariably whenever we have a cybersecurity incident and a big breach, invariably what the.

[00:18:47] What the root cause analysis says that, hey, yeah, we actually had this indicator of of of compromise and we saw it three months ago.

[00:18:58] But we didn't have the bandwidth to follow up.

[00:19:01] We didn't have the bandwidth to really investigate the added.

[00:19:04] There was this orange light blinking on some someone's dashboard and we didn't pay enough attention to it invariably.

[00:19:13] Invariably and obviously I'm I'm generalizing and simplifying, but we have the data.

[00:19:21] So where I think that I can grow exponentially the productivity of our cybersecurity analysts and defenses is in terms of analyzing identifying patterns and identifying threads in the mountains of data that we already have.

[00:19:40] And that's exactly what what what I'm doing and focused on is really creating a capability where companies can investigate and collect all the cybersecurity data that they have in their organizations.

[00:19:57] We can essentially bring all of that data, centralize it and then let loose an AI on all of that data because the AI will work 24 seven and we'll be able to identify much, much, much more quickly.

[00:20:12] And with a much high degree of effectiveness than than even a small army of cybersecurity analysts.

[00:20:20] Well, the bots will be helping us out.

[00:20:23] Rodrigo Lunar is a leader in the AI driven cybersecurity and the founder and CEO of C3, the cyber connective cooperation with a three decade career spanning titles as such as CIO CTO and CISO for some global entities and recognition from the prestigious Microsoft for Startups founder hub.

[00:20:41] He brings insights into leveraging AI to fortify cybersecurity postures against sophisticated threats and joins from his home near me in the Northern Virginia area.

[00:20:49] Rodrigo, thanks for joining me. If people are interested in learning more, how can they connect?

[00:20:54] Well, the best way to connect these days is always on LinkedIn.

[00:20:57] So you can you can check me out Rodrigo Lohrero at LinkedIn or check out our website cyber connective dot AI and check out our offerings and the way that we are using AI to essentially manage and increase the cybersecurity posture and the controls for all organizations around the world.

[00:21:17] This has been a great conversation. Thanks for joining me. Thank you.

[00:21:23] Looking to reach an audience of thousands of MSPs and IT service providers?

[00:21:27] Put your ad right here on the business of tech and be on the show that 64% of MSPs report having listened to a recurring top 50 tech news podcast.

[00:21:39] There are affordable options for you to reach our audience, and we can support any budget.

[00:21:44] Podcast listeners are more engaged, have a higher level of brand retention and are more willing to listen to ads here than any other avenues.

[00:21:54] Want to know more? There's information at MSP radio dot com slash engage, including a button to book a time to talk.

[00:22:03] I'm looking forward to that discussion.

[00:22:05] The business of tech is written and produced by me, Dave Sobel under ethics guidelines posted at business of dot tech.

[00:22:12] If you like the content, please make sure to hit that like button and follow or subscribe.

[00:22:17] It's free and easy and the best way to support the show and help us grow.

[00:22:22] You can also check out our Patreon where you can join the business of tech community at Patreon dot com slash MSP radio or buy our website.

[00:22:32] Finally, if you're interested in advertising on the show, visit MSP radio dot com slash engage.

[00:22:38] Once again, thanks for listening to me.

[00:22:41] I will talk to you again on our next episode of the business of tech.

[00:22:48] Part of the MSP radio network.