CYBRARY PODCASTS

Ep.09 Vishal Gupta and Stephen Boughner | AI, Machine Learning and You

podcast default

In this episode of the Cybrary Podcast, we sit down with Vishal Gupta the Global CTO and Senior Vice President of Unisys and Stephen Boughner a Partner at NISP Law. Joined by Cybrarys VP of Content and Community Leif Jackson, they discuss how AI and Machine Learning are affecting the cybersecurity space.

Hosted by: Leif Jackson, Vishal Gupta, Stephen Boughner
Length: 51 minutes
Released on: February 5th, 2020
podcast default

Listen to the Audio

Enjoyed this podcast?
Share it with friends now!

Summary

In this episode of the Cybrary Podcast, we sit down with Vishal Gupta the Global CTO and Senior Vice President of Unisys and Stephen Boughner a Partner at NISP Law. Joined by Cybrarys VP of Content and Community Leif Jackson, they discuss how AI and Machine Learning are affecting the cybersecurity space.

With advancements in machine learning and availability of technology, we are witnessing a huge growth in various fields where use of machine learning has enhanced efficiency. Not only that it has also brought new options to the table. With the impact it has made on our lives, it will not be an exaggeration to say, it is the future of our technological evolution which to many is an excellent career opportunity.

The Interview explores various aspects related to career, development, management and application of Artificial intelligence. Vishal Gupta and Stephen Boughner, share their valuable experience and how the industry has evolved with the introduction of AI. Leaving no questions unanswered, our respected guests provide interesting insights to this ever evolving industry.

Citing the emergence of new trends in fortune 500 companies listed from 2000 onwards, Vishal Gupta and Stephen Boughner discuss the importance of data, data loss prevention, laws related to data protection and how companies, irrespective of size, now have a lot more options at their disposal with Artificial intelligence bringing together Cloud, Data collection and management. Elaborating on how Data is the new king, they also discuss data security operations along with possible development in future, from more efficient machine learning models to newer security measures.

For many of the listeners and Machine Learning enthusiasts, the episode is a wonderful learning resource as well, updating them with technology, Career development, challenges, helping them find better career choices. The interview adequately emphasises on the importance of continuous learning, getting acquainted with technology outside your area of expertise or work as more and more fields are brought together by incorporation of Machine learning. The interview also provides a general understanding of the shift of DevOps to DevSecOps as the threats continue to evolve, requiring quicker response times.

You can connect with Mr. Vishal Gupta on his linkedIn profile at linkedin.com/in/vishal-gupta-046149 and with Mr. Stephen Boughner on his linkedIn profile at linkedin.com/in/stephen-boughner-1b142b75

Transcript

Leif Jackson: Leif Jackson here, VP of content and community over at Cybrary. Very excited to have Stephen Boughner here, a partner at NSIP Law and Vishal Gupta as CTO and SVP of Unisys. Thank you guys for coming today. We'll talk a little bit about AI machine learning, big data, some of the trends, some of the skill sets you should be building in this space and then talk a little bit about, security, within that space and the enablement of your security teams.

Visha Gupta: Thanks. So I got into AI space actually, 25 years back, when I came to the U S dartmouth funded my thesis and it was funded by the US air force where I actually had created a search engine using neural networks and a singular value decomposition. At that time it was not really called AI. It was just called machine learning only. And, I didn't realize this was an important thing until Google started their search engine and realized, oops, what did I do? So, so my journey was in AI was more by an accident though I've really had fun since then

Stephen Boughner: For myself, I'm a patent attorney. And so typically it's all dependent upon, the company I work for and what technologies they're working on and what the inventors for the company are creating. And, and the last four years, the company that I Do a lot of work for a they've focused on AI and of course, neural networks, whether it's from consumer products or for particular functionalities or for the actual internal operation, your own networks. So actually from mine, I've actually only been working on them for a few years, but it's my responsibility at our law firm to make sure that all the other associates understand the technology. So I've really had to ramp up and understand this technology substantially more than maybe someone usually would have had to in the short period of time.

Leif Jackson: That's awesome, so can you talk to me about what you guys are doing today?

Visha Gupta: Sure. So, you know, I joined UNISYS as a, about a year back. And, I think one of the things that excited me to join UNISYS was there was a huge opportunity to transform our technology products, our service platforms, and I thought AI would be a great enabling technology to do that. And so, I've, you know, I'm lucky to have a significant team of several thousand engineers all across the globe in sort of six delivery centers all over the globe. And, I've, you know, had the opportunity. We were not doing any AI in our products before I joined, but since then we have built a very strong competence and we already now have two products that leverage AI. And in another six months we'll have three more. So we'll actually have five products using AI. so it's been an interesting journey. And prior to that, I was at Symantec and in Symantec and cybersecurity is a big user of AI, because cybersecurity, the difficult problem to solve otherwise. So I've had, you know, interesting blushes with AI or different, domains.

Leif Jackson: I think that actually leads me into my next question. So how, how is AI machine learning affecting cybersecurity today? So a lot of our audience, obviously we have. Two and a half million users across the world, largely in the cybersecurity and it space, how would you say it's improving operations detection, you know, across the board,

Visha Gupta: you know, when you think about cyber security, you really have to think about the entire life cycle of cybersecurity, right?From how do you detect, how do you protect? How do you predict, how do you apply? So when you think about that entire life cycle of cybersecurity, and you think about that for your entire digital landscape, which means you're thinking about, you know, things like cloud, you're thinking about your servers, you're thinking about your mobile devices, your desktops that you're using. You can understand it's a very complex problem because a, the IT landscape is so complex. And so desegregated, right. You've called all kinds of network devices. Things are connected and, it's, it's complex also because, you know, you've got NIST tracks, number of vulnerabilities that are now up 210,000. In fact, NIST is based in Maryland itself. Right. And, every employee has become a vulnerability itself because people's credentials can get easily stolen. Because people use the same credentials in consumer sites as they end up using within the company. And so this problem has become very complex and this is the reason why companies have started to apply whether we think about the companies in the DC Metro area. And there's a number of cybersecurity companies based here or, or across the U S in general. they've started to apply AI in many different ways. Some of the three, three big ways that I have seen application of AI, both at Symantec and at Unisys has been one in the threat detection space, because when you think about detecting a threat, there are two things that you have to do. You have to map. You know, you have to sort of figure out, is there an indicator of compromise, which means is there a certain malware signature that I can map to? And AI is very good at pattern recognition, so you don't have to have an exact match. It can match a particular pattern. And that's what typically unstructured learning does. The second piece is that AI can be very good at where it is used as a detecting. If there is something different going on. So a lot, because the problem space is so complex. One of the things that AI provides is called anomaly detection. And so the idea is if people start to, let's say you've got an employee who has never accessed source code and suddenly starts accessing source scores.And, you know, it's an anomaly, and maybe it's okay. But 99%, you know, there's something perhaps fishy going on. And so AI is also very good at figuring out what's normal, what's abnormal and having that with a level of confidence. so these two areas are very common. The third area that AI is starting to get used a lot in cybersecurity is really around simplification. because hyper is, is very complex. people end up even having cyber products, but not deploying them in the right way, not integrating them in the right way. So for example, we recently added AI in our product called stealth because we want the cyber product to almost tell the customer, how they should be configuring them, how the policy should be in sort of the customer, having the expertise to put those policies in. And so a combination of detecting the threat, of being able to simplify the policies, of being able to detect an abnormal behavior and then finally also assisting the humans who are working in cybersecurity, who are the SOC analysts, with a variety of, you know, figuring out which things are important to go after versus which ones are not.So these three or four use cases are big for AI in cyber security.

Leif Jackson: Are they using AI much for just the straight automation? Cause it's like, if you detect a threat and then you wreck it, maybe it's interpreting that there might be a threat or that if something seems someone seems to be probing, is there any automation going on right now with AI for that?

Visha Gupta: Yeah. So I think that, actually, that's a great question. Thanks for asking that. So there is a big field in cyber called SOAR, security, operations, and orchestration and response. And this is one of the companies that Palo Alto had recently bought called the demisto for almost 450 million and what SOAR intends to really, integrate a lot of these pieces together.So that way you can orchestrate a response in the past, they have been silos. And so where AI comes to play is, you know, you could do automation even without AI, but where AI comes into play is intelligent automation. So you, instead of always saying if something happens, this is the thing to go, AI can help things be a little more unstructured, so it can almost recommend what to do and almost do it for you. So you can set up very interesting rules that can help, AI, you know, automatically say, if you detect this pattern, you know, maybe you should download this type of software and close these ports or perhaps isolate this user. So these are definitely some very upcoming examples of AI where it's getting used mixed by RPA, which is robotic process automation.Together with pattern recognition to do what I can do is which is intelligent automation.

Leif Jackson: Very interesting. What would you say the kind of critical skills are for people and in AI machine learning nowadays and how have those changed over the years? and how do you think they're going to change in the future?

Visha Gupta: I've actually seen a lot of change in terms of skill sets for AI, because in the past, everything was based on very, people, really knowing mathematics. To a very large extent. And I think if you want to be a data scientist, that's still an important thing because you need to know the algorithms, but what cloud has done. So if you think about, Google with TensorFlow, Azure with all of the AI capabilities they have brought on AWS with Sage maker, these companies have democratized the use of AI. They have made the use of AI much more simpler. Where people who do not have that PhD, who don't have that deep math background can still figure it out based upon identifying the business use case, which is the right problem to attack. And then the tools will recommend the type of algorithms to apply. And they will obviously leverage the data that the company will have, and sometimes they can even add some synthetic data to it. And so I think, if you look at the skills that you need today for AI, It's definitely, you do need some level of programming, like Python, you need some level of maths. So that way you don't need a deep math background, particularly to some level of Mac's background, but then you, what I find people to be most useful is when they can understand those business use cases. They can say, okay, does this problem fit in AI? Number one, number two, which algorithm type of problem it is. And so I think that is causing much widespread use of AI where now it's becoming almost like a defecto when every product was having to be something that's very, very specialized.

Leif Jackson: Do you find that helpful to have like a specialized, employee base for the determination of the data? Or what data to collect for the AI or?

Visha Gupta: Yeah. So I think maybe one of the things that companies can do and we try doing this at Eunice's is I wanted all my engineers to have what I would call us a level, one type of understanding of AI, because I want all in genus to know, do I have a use case where it might be useful?, so I want them to know the lingo. I want them to know. You know, Hey, when is, when should I be using classification types of things versus neural networks? When, you know, what type of problem statements would there be? What type of data sets do I need? And then I think you need a small set of data scientists who are very specialized, but they themselves are really needed just to build that machine learning model and not necessarily do the, all the programming, your developers can still do the programming.And so I think a combination approach where you have a people who have a broader set of knowledge, and then a narrow set of people who have very deep knowledge in actually saying, is this model valid, right? Is the, is the edit rate. Okay. Right. Is it worth using this model or am I just fooling myself?, that I think is a good approach of bringing two sets of talents together. And that way you have a much more scalable model. The other approach many would take is that not there's lots of specialized companies. The VCs have funded, literally thousands of companies who have either taken a narrow functional approach.They'll say I will solve the problem for recruiting with AI. And then so they can bring that expertise. If you don't have it yourself.

Stephen Boughner: I guess that's the question?

Leif Jackson: Yeah. I guess one thing we had talked to maybe a couple like a month ago, and we'd also talked maybe a little bit like small businesses or small companies to startups and kind of like, I guess there was a concern versus large companies that have the capability to collect their data as it already exists and just kind of correlated or to organize it and smaller companies that. Are just starting out and collecting data. And I guess the conversation we kind of had was if you're a small company, you just keep collecting as much data as possible. And I guess, I mean, it's not my specialty in that this part of the AI, but it's from my understanding, it's kind of also one of those things where it's be a little proactive and if you can essentially create the app or create the product that, that if the people give the information and improves the product, But she also gives you more data, which maybe you can expand your data. And then later on, you'll determine that you can do other products and so forth.

Visha Gupta: Yeah, I think that's a great question. So, you know, if I think about there's a lot of success we see with small technology companies now, how were they able to beat big companies like Symantec? For example, we recently saw CrowdStrike go public, right?And this started from scratch. They were a startup. And just in one area, they have, you know, really excelled, which is, obviously the endpoint detection and response and their market cap is now $14 billion. And so one of the very transformational things that cloud has done is if your platform is running on cloud, your ability to collect that data is much more easy, right? So instead of creating a very sophisticated elementary that we had to create in the past, That would kind of call it home and send the data from where the customer is deployed. If you are using an application that's being natively built on the cloud, it'll give you a built in capabilities as the customer is using it to collect the data. And so I think, What is needed is even if you're a small company, as long as you educate your people about, Hey, data's the new gold, this is the differentiation. We want to collect the data about every experience the customer has, but every employee experience about, you know, because how do you differentiate now? You differentiate based on experience. You need great people. You want to give them a great experience. So you collect it. You know, the, the data on the employees, you collect the data on the partners, on the customer. If these things are running on the cloud, then I think it gives you, irrespective of your scale, a much easier way to collect and massage and analyze that data than you ever had before. So I feel, the field has become much more level playing than before. Now. We have ourselves in many cases where we didn't have the data we had to recently. Create an AI project for border crossing. , we didn't have the data for that particular country. So we had to take the data from another country. In this case, we took the data from us because we had that data for many, many years to be able to predict for another country, you know, what patterns might happen. So sometimes you can leverage our data from a different problem or a different region to predict. Sometimes you can also create synthetic data. Meaning, if you have certain patterns, you can almost create a data which we do in case of biometrics to almost predict, you know, because it's hard to buy a hundred million biometric samples for Trane. So, there are, I think, many techniques, you still need data, but I think by leveraging public data sources, by leveraging cloud, by leveraging you know, the ability to, even use synthetic data, perhaps data from other use cases, I think, the problem. For smaller companies it can be a very solvable problem. And we're already seeing great success in AI by small technology companies.

Stephen Boughner: I think that's one thing interesting, like, from in my field is as AI becomes more prevalent or not prevalent, but more like, it's spread out there's more and more technologies, whether it's agriculture or whether it's robotics control systems are, you know, like face recognition or speech recognition or Who knows, cybersecurity, it's the underlying engineering and the technology understanding for the, for example of automobiles, you still need to have, sometimes it's in my field for a patent or to someone who has an engineering background to understand how that AI fits in. And so it's kind of, it's a little similar where you have. The AI, a person who you want him to know that basic level, it's kind of one of the things that we need to get my people to understand the basic level also for AI. So they understand when they get AI that it's unique in this situation and why it makes this application more special than just a plain old controller.

Visha Gupta: Yeah. I almost feel this AI discussion is a bit similar to you in 1990. We used to say, if you are not on the web. You will become irrelevant. Right? And so nobody really knew how to use HTML, how to create a website or a domain name, all the things we take for granted. Right. We feel like the world has moved, but that time that was a differentiator.So I feel like we're at that crossroads again, right. That, Hey, if you're not going to be using AI, you're going to become irrelevant because. To your point. It actually has so many applications in, in anything you do, right. It can be used to make it simpler, cheaper, and better.

Stephen Boughner: And it's also interesting cause it's like we have data in your concern.Initially a couple of years ago was a, too many big companies have all the data or maybe one country has, has so much data. So they're ahead of us. Um, it's now there's this big advertisement of a push of 5 G and IOT. And as we have more sensors and more data, and essentially everything it may be in five years might be connectable to some type of wireless network. And as long as security is there, they will be able to share data. And so I wonder if there's going to be just, there's going to be substantially more public data. And the future and the, now we have data, but now the concern, the future will be, how do you use all the extra data around you? And, you know, that's, there'll be like another,

Visha Gupta: I think that's a great point.I think almost governments just like in healthcare will have some role to play. So in the past, the government ended up creating a level playing field by saying I'm going to have a bank that can lend to all support people. So I almost expect governments and the US to do that but to some extent all countries don't actually make them available for free. Like you can go to NIH and get any data source you want provided, you can show them why you need it. Right. They'll obviously give you an w with, with limited ways. So I do think, the point that you're raising is a very valid point that, you know, The, this will be one of the areas where I think even the government can start to play a role to say, okay, I just like China is really try to invest in to say, how can they be out of AI?As we think about us, as we think about some countries in Europe, right? Where the government will create a set of data with a set of safeguards to make sure that their industry has a level playing field compared to other companies. , so they can continue to innovate to continue to operate at the same time, protecting the privacy of where the data came from.I think , I think will be important.

Stephen Boughner: I think we were going to talk a little bit about that.

Leif Jackson: I think you went through,

Stephen Boughner: yeah, it sounds like that

Leif Jackson: So the new world of ownership data is King It's gold, right? So we hear a lot about how to value data and information and how to utilize it in different ways, but really it's like how to secure it. And so what we hear from a lot of companies nowadays is they're trying to enable their entire enterprise to secure their data. Right. as well as utilize it. So could you, could you guys talk a little bit about that? How you're. How your companies are securing your data, and be enabling your companies to be able to utilize it.

Visha Gupta: So, you know, when you think about data, there's three things you have to think about one, you have to think about how you encrypt the data that a particular device or machine has. It starts, typically called the data addressed and it's around encrypting it. So that way, if somebody breaks into the device, the data does not get lost. Right. As we know companies like Equifax, perhaps didn't do that as much. So that way all the data got out. , the second thing you have to do is to encrypt data in motion. So that way, as the data is getting transmitted between the company and the cloud between different parts of the company, and a supplier, if somebody gets a man in the middle attack, you don't want the data to be compromised. And so if that data is encrypted with the right type of encryption that people can break. Typically like a 256 bit AEs, then that itself is a second factor. The third thing you have to think about as data classification. So if you think about requirements like GDPR, right? If the data is a sensitive data, which can identify a person it's called private data in the U S then you can actually get a final 4% of revenue or 20 million, whatever is more. And so you need to know. If you are not going to, some companies can say I'm going to encrypt everything, but that can slow things down. So instead you can say, okay, if I have a data classification, I'll know this data sensitive data sensitive, I'll encrypt both at rest and in motion, I'll make sure that this data is protected. The data has private health care information and credit card information can be used to personally identify somebody. We're going to provide special treatment with, through these types of means, not just in terms of encryption, but where it can be forwarded. That area is also called data loss prevention in industry DLP. So, I think given we all know data is the King. There is now a lot of focus around, encrypting it around, protecting it around, classifying it around, ensuring that it passes the different privacy hurdles so that we both from a reputational and, a regulatory perspective. You're not exposed.

Stephen Boughner: I guess my perspective is also from a, that'd be a small business and you have large corporations and not have, Well thought out procedures and even a small company can have well thought out procedures, but a large company may have more capabilities to implement them and protect themselves. And whereas sometimes the smaller companies, they try to do their best. And it's, it's interesting that it's on a different scale. So it's like, whereas a small company, a small business might have just an IT specialist. That I T specialist might also, it might, he might have a backbone of help, but it's, you know, it's interesting cause it's the level of protection sometimes is different because we try to protect. And essentially for us, we have clients for data and we really have to be pedantic as it's IP rights and it's patent information and. Some things have not been filed in the United States, or they have not been filed somewhere else before. And so we have to keep it secret, but it is, there's a balance also where we need to make sure employees can do their work. And so just like, you know, I take, I have a little iPad here. I'm trying to convert over to the digital world and try to kill less trees. But then there's an issue where I'm taking this around and. While it requires face recognition. It does have data and it does have access to my work email, know it does have, you know, my goal would be to be able to VPN in, to work, but that would also mean with a couple of clicks someone can immediately get into our system, but hopefully there's protection upon protection. And so it's one of the skills. It's one of the issues where it's interesting for a small company.

Visha Gupta: I think that's a great point. I think there are two things I would say about it. One is, as you pointed out, I thought your example about how it has face recognition is very key. , because we know a normal name, password credentials can be compromised very easily. And so I think there is going to be a big move towards Biometrics because. We also can't keep on changing our password every six weeks. Right? We're all sick and tired of trying to change these passwords, and put all types of special characters. We forget everything. And then we try to make it the same on every site. And one of them gets compromised and now we're more unsafe than before. So we need to bridge this gap between, you know, security and convenience. We need both. And that's where I think biometrics can play a big role. I think the second thing is that, You know, the bar is actually lower for small businesses because the governments realize that they don't have all the resources. And that's why, if you look at the GDPR points, you know, Facebook is getting a fine of $5 billion, but a small guy is not getting that fine. , because they know that, you know, it's going to be on a best effort basis. Now, going back to my cloud team, the nice thing is now a lot of these technologies are available through cloud. And so when you're buying say, you know, you're working on office 365, Microsoft is enabling some version of DLP by default for you, just on the basic thing, that's your part. And so if you simply turn it on, you don't have to pay any money extra. At least you have some level of protection. A bigger company can obviously do much more and they do.But I think even the small person now has a much better level playing field that they ever had before in this cloud and 5g era.

Stephen Boughner: And I think it's, it's interesting like the, the board level field, because I think there was a, at some point in time, there was a concern of fairness or fairness and competition and where you have this huge company. That has so many resources and had so many years to create this data. That's so proprietary and they have so many sources for data. And it's, it's interesting that you know, that as I was reading, sometimes it seems like the policy makers are almost behind the times a little bit, where you hear about a new policy of trying to level the field, maybe in this area, when you start hearing about the fact that there's more data sources that are equally valuable or that are public. And so it's interesting that the fair competition issue, it may become more minimized and less of a burden on an upstart company to compete with a large company.

Visha Gupta: I think so. I think, you know, now you're seeing more small businesses are the ones that are coming up. And if you look at the number of fortune 500 companies, a lot of changes are happening, right. Since 2000, I was reading a statistic that said almost 40% of fortune 500 companies that were then 2000 versus now. Have, you know, almost 40% of them have gone through either M and a, or, you know, simply shut down like a Xerox or a Nortel. So, certainly I think there is a lot of pressure on both sides, but we do think, more small businesses are getting started than ever before. So I think, You know, certainly there are some benefits that come with size, but also there's some disadvantages that come with size as well.

Stephen Boughner: And then also one thing that's interesting about that, I didn't really think about it, but I was reading it before we came here today. And one of the concerns about the data is that you have my large companies merging with large companies. We used to just think about the, you know, the competitive benefit they'll have in the marketplace or the products or the logistics will be cheaper for them. No, but now it's kind of potentially what proprietary data this company has that when merged with that proprietary data, all of a sudden makes a behemoth.

Visha Gupta: I think that's a great point right now, instead of just thinking about product overlap and customer overlap and region overlap, regulators will need to think about, you know, data or law and, you know, there's, do you have too much of an unfair monopoly or advantage? , with one, the other thing I wanted to mention is. , the other move I'm seeing in the industry is, you know, people are realizing that if a malware comes in or say, they're infected by ransomware, that they need to keep some kind of a backup of the crown jewels, they kind of slip back up every single thing, but they need to back up what they believe are the crown jewels fish. They don't want to get impacted by this ransomware. And so, for example, these companies like EMC have something called a cyber recovery vault. And, you know, so people are starting to almost like we used to have a vault where you would put all your valuables. Now you have a cyber recovery world where you put all your really, really critical data that if you know you shut down and then you have to reboot every server and destroy everything. You have something to start with, but now the hackers are so smart. They go after the cyber recovery type of thing as well, which is where now we're trying to secure that using, you know, our technology, which is called stout. So it's a little bit of a cat and mouse game, right? , we're always trying to be ahead of the hackers, get ahead. And then we try to take two more steps. That's very interesting.

Stephen Boughner: Also funny. Cause it's like, if you go way, way back in the day with tape drives that's right. That's what that is. Essentially. They would take the tape drives out. And then ship them off or take it to an alley company who is underground or putting some cave or whatever, some dry storage.

Leif Jackson: Yeah. Yeah. As a part of that, like, I mean that protection of the data, making sure that you store it in the right places, making sure that you double it right. , and encrypted. Maybe we're working with a number of companies that build sophisticated products. , one of the big problems that we see in product design is security tends to come at the end of the process rather than during the process. And it's largely because there's this like security team out there that kind of looks at the product at the very end rather than if it is something that is infused in the, in the actual team itself. So can you talk a little bit about how. When you're thinking about products or, how security is infused throughout it.

Visha Gupta: Yeah. So I think that's a great question, Lief . So, you know, there's two movements that are happening. One is called secure by design and also privacy by design because the same problem on security is also happening with privacy, where people would design the website that would take all kinds of information. And then you say, Why do you really need that information? And how long are you gonna keep it for? And so these two things are what come with the try to do is as they build products, they're trying to fuse these principles right at the design stage, in terms of how do you build secure by design and privacy by design that's one movement that's happening, the challenges, even if you do these two principles, you know, if I look at a company like at Netflix, Or one of the Silicon Valley companies, right. They're going from once a year release to a once a quarter release to once a month release to now multiple releases within a single day. And so if you take a traditional mindset of saying, you know, I'm going to create a product, then I send the ball to the security team. The security spends a couple of weeks, and then they come back and say, you need to fix these six things. That model can't work If you have to do a release every day or even once a month. And so there is a new moment in industry and it's called DevSecOps. And the idea behind DevSecOps is your development. In the past, you had three teams, developers who would develop. Then you had the guys, they would say, okay, here is the code. You guys rather than operate. And then there was a team security team that you had to go before. They could operate it to say, Hey, do I have vulnerabilities? Now they're bringing all of these three teams together because they're trying to drive a lot of automation, a lot of tooling to say, you know, all things that I'm going to deploy microservices as containers.Are they really secure by design? Or can I check all the boxes? So instead of always going to the security team and saying, Hey, can I get your permission security? I said, these are my set of principles. You codify these principles as automated scripts. So that way, right when you're going to be deploying things, they get automatically checked.If they are a problem, you can go and build it. If they're cleared out, then you can go and, you know, get your releases deployed. So it's very interesting how this field has sort of evolved from not thinking about security, to thinking about security by design, to not thinking about true DevSecOps.

Stephen Boughner: Like for us, it's this, you know, it's, it's interesting. Because it's small, it's very small, we're a boutique and maybe like about 20 attorneys and a limited staff, but it's still kind of, we still have to have our IT people remind everyone, you don't click on things, you know, or worst case scenario. If you have to open something. Take your phone out, open on your phone. If you have to destroy your fourth to be infected before the machine gets infected. When, you know, if your phone is destroyed, we can replace it, you know, and it's that kind of thing. But it's, I dunno. It's interesting. Cause we still have to do it from that perspective. It's like old school, but we still have to.

Visha Gupta: Yeah, no, that's true. Right? I think studies show that people love to click despite educating them as much as you want. , there is some innate human curiosity that is there that makes them think that either they won something or somebody has said something really important for them. And, you know, the series is obviously called fishing and people love to click and so one of the interesting technologies that I've seen is called an isolation browser. And the idea is that instead of that click, that you do, which runs on your machine, either on your phone or on your machine and ends up infecting the machine, what if it ran outside your machine in an isolated cloud? And that way it could only if in fact that we are so almost, you know, outsource that whole concept of where the thing runs, because if it runs and ends up infecting, now it's something that in fact that we don't care about. And so this has become one of the other interesting technologies that people are adopting in a number of areas to say, okay, can I just, you know, You know, since people, no matter how much education campaigns around, they just keep on clicking.

Leif Jackson: Can I find a different way to address this problem?

Stephen Boughner: And the interesting thing about fishing as kind of, maybe it's like for a small company sometimes, and they're dealing with other small companies. And sometimes it's whether it's someone who spends a lot of time figuring out how to do it, or they have some, maybe an AI that's now better at it.They collect enough information to impersonate, the other party. It's one of those things where all of a sudden it's like man in the middle, but it's like all of a sudden someone nowadays electronically can mimic that they are someone and then potentially mimic a forwarded email list from so and so

Visha Gupta: right.Only if you actually look at the email and see the. Actually mail address. Can you tell otherwise it'll say it's from Apple or it's from Microsoft and it looks very Offishall right. So people have become very, very good or the hackers have become very good in person.

Stephen Boughner: I've actually seen some work or heard of somewhere.Like they also send like a fax or they'll send an, a letter or they'll send something to inform the law firms that they've changed their email or that they've, that they're having some technical difficulties. And so from this point on, they're gonna use the exact same name. With.net or this name with dot something that does, that seems perfectly legit, that you would have gotten another time. And it's one of those things that you're kind of more like, it depends on it's you have to also educate your workforce because all of a sudden, if someone just sees that and started sending letters or emails to that account, you know, and next thing you know, you're getting it's more than just emails.

Visha Gupta: Other people have become very sophisticated at, at, you know, this is called spear fishing and all kinds of things.

Leif Jackson: Go on. You may have a great course on it. If you guys want to check it out..

Stephen Boughner: I love. Yes, absolutely.

Lief Jackso-n So I mean, given all these, these threats out there, like how do you maintain privacy in this new world? Like, like what can we do to protect ourselves?

Visha Gupta: I think, There are some common sense things you can do. And there are some things that the company, you know, whether it's big or small, is willing to do. So I think as an individual, what you can do is, you know, people care about, you know, we recently released as units is something called a security index. Yeah. It showed that people have a lot of fear for their identity. They care about their identity being stolen even more than they think the fear of the terrorist attack might be just because I think that has been counted much better. Over the last, maybe 20 years or so. And so I think what people can do is one, obviously, you know, have hygiene in terms of making sure that, you know, they're checking somebody who's using their credit or something like that. Right. They have some level, like not a lot of sites, let you monitor your credit or your credit score. Certainly they see somebody applying credit for them. They know that there's something going on. That's what they could do for their identity. , for the machines, you know, they have to make sure that they keep on with the latest updates.Like if you have a Mac, it'll tell you if a latest update is there and in the past, people would ignore it. But now these updates end up fixing what's called patches, right in the fixing a lot of security vulnerabilities. And so whether it's your phone or your machine, you want to make sure whether you're using Android or Apple that you really are taking advantage of the new releases. And that way, you know, you're doing things that at least you can control. The third thing you can do is to even as an individual backup your data, right? This would seem like very nontrivial, but even the cloud ends up backing some level of data. It's always possible that a machine may get infected. They may have to remake it. And you might lose a significant part of the data and, you know, these days storage is cheap. And so as an individual, these are very simple things you could do. And the fourth thing obviously is your credential, right? In terms of whether, if your machine allows user biometrics, which now windows allows Mac allows, can you, you know, can you leverage it?Can you leverage, you know, not have the same name, password, every place, that's what the individuals can do now at a company level, what the company can do is. , you know, there is a trend in the industry that's called zero trust. And then part is that, you know, in the past we built a perimeter.Whoever was within the perimeter, we trusted that. We gave them access to everything and clearly it's so easy to get four people to hackers, to cart men that that model doesn't make sense. And so zero trust says, even if you're in or you're out, we don't have any trust in you. You have to validate yourself every time you want to do anything.Interesting. And so, that's where. You know, when you see, if you go to a backing site, you will see that if you're, you know, you may be able to see a balance, but if you're trying to do any transaction, it'll say I sent you an SMS code type that in. Right? So whether you use it through a second factor authentication like that, or you ultimately use biometrics, which will be more convenient, you know, companies have to adopt sort of a zero trust approach. The other thing companies can do is zero Trust says, if you already get breached, somebody will come in. How do you minimize the impact of the breach? And so I think there's a lot of companies who want to invest, not just in the protection technology, which is what people did in the past, but in what we would call as isolation technologies that says that very quickly as quickly, if you detect something is wrong, can you isolate that thing in 30 seconds or less? Because if you can isolate it, it will not become the source of infection for everything, because what happens is as soon as somebody clicks on a. Link and a malware comes, first, their machine gets infected. Then the machine becomes a source for infection to spread to the whole enterprise.So if you can stop it right in that one place, you can detect it fast and isolated, then it will not spread. Right. So it will become a non event. I think these things which the individual can do and then the company can do with a zero trust approach and things like dynamic isolation, multi factor authentication.I think it can go a long way in solving what is a very complex problem.

Stephen Boughner: What kind of difference in products? I mean, for an enterprise, it's their capability to implement some enterprise level product versus maybe a company of five, say 500 employees or a company of maybe 75. Are there different types of products out there that would have. Provide potentially like the, something that isolation type.

Visha Gupta: Yeah. So, I mean, just to maybe plug in our own product, so we make something called stealth, you know, and the idea is that, you know, can you through micro-segmentation first make sure that you can only access what makes the most sense, right?And then through dynamic isolation, we can isolate you to make sure that if you somehow still get infected, for whatever reason, you don't become the source of infection for everybody else. And so I think what you want to do, whether you're a smaller, large company is to buy these things, you know, as a software, not as a Hartford, because that's much more flexible and then buy it as a subscription.So that way, if it's effective, you can use it, pay for it, but you won't have to incur a lot of costs one time and then realize it's not useful. And I think the third thing that they can look at as integration. that, you know, you want things that integrate and work well together, right. Even though they may be coming from many different companies, because then you want. Ultimately a security outcome, right? Not just these things doing just their work.

Leif Jackson: so if you were gonna say like what skill sets people need to build, especially in IT, eh, what security skill sets and specific to, to protect, what would you say those would be

Stephen Boughner: as AI moves along and AI becomes across many different technologies. Cyber security will have to follow. It's you'll have to have some type of level for your handycam. You're going to have some type of protection for EV for our controller, you know, an electric power plant. You're going to have anything that has an AI will have to some type of a level of protection. And so it may be at some point in time, a little similar where in my field that it. We've done a lot of education internally just to make sure everyone understands the AI we're working on are the neural networks and how they work, how they could be used. It's going to be something similar to, you know, they need to understand what the, if they're working in automotive, whether working in, you know, controls or. Wherever that, that they made you understand a little bit more so about the, how cybersecurity is going to interact with that controller or that processor. And also with the AI and also with the 5G and also, you know, so it's kind of all these disciplines. They still have to learn at a certain level, like a minimum level of your engineers. So that while they understand how the nuts and bolts work and they understand how, you know, the switching goes on, they also understand how it interacts with the rest of the world. That's what I see my future goal is. So it's like right now, I'm, I'm kind of making sure everyone understands as a new AI comes out.We get a new technology in a case that I teach everyone, or I make sure everyone gets up to speed and. That we can handle the work that we're working on and we can do more but it's also something that I have to think about like that where as I see cybersecurity, or if I started see if we start focusing more on IOT that's I think that's a bigger issue for us, maybe in the U S sometimes is can, can a company overseas, use that device without our control. And so it's, that's. It's an interesting perspective or it's an engineering almost the vendor level, but it's more of an engineer level that I deal with.

Visha Gupta: Yeah, no, I think that's a great set of recommendations, you know, so as I was reflecting on this question, you know, I thought, what is, you know, there's two things going on, right? One now we are in a mode where, in the past you graduated from college, you learn what you did and you apply that right now, these days. You have sort of migrated to this continuous learning concept, but the idea is that you want to really make half an hour available for yourself almost every day, to be able to pick up something new, because things are coming at you at such a fast speed, like you're describing, right. Whether it's by the way, about a half hour per user. So I'll walk in and say that learning. So that's kind of what we encourage also, because, you know, I mean, you could certainly say, spend a couple hours on a Friday, but. Sometimes it's hard to learn all in one go. So instead of taking one week of complete learning and then nothing for 51 weeks, you're better off doing a little bit every day. So you kind of keep up to your work. Your passion is, what we did with our engineers, as we thought, I thought about this problem really deeply. And because there's so many things they could learn. And I said, there were five disciplines that we picked that we took everybody through about three hr. In each of them, we took them through a three hour learning track. And those were because the world is a cloud first data first world. So we took, we wanted everybody, no matter whether they were working in security are in building a healthcare application or something else. We wanted them to first learn a little bit about cloud because we thought all applications will eventually have to deal with cloud. We wanted them to learn a little bit about AI, not to become an expert at it, but to be able to spot the right use cases and to be able to have the right conversation, the data scientists, then we thought about that any application will have a front end and a back backend.So we wanted them to learn about modern UI UX. So that way they get the experience for the end user is compelling because of the experiences that are great. Nobody will use that software and we wanted them to learn a little bit about microservices. Because microservices is the new way that things can be very scalable and reusable. , that way you can build things once and use it many, many times. They become like Lego blocks instead of people, everybody building their own thing. , so we see a lot of reusability. So that's how I would approach it to say, you know, develop a set of foundational capabilities. And then depending upon your area, you can specialize in one or two things.

Leif Jackson: Gotcha.

 

Stephen Boughner: And I think it's also something like in our field, it's like most of the people that go into a cotton field come from a certain field, whether it's electrical or chemical or civil or mechanical, and they expect to work in those types of fields. And so sometimes it's actually getting people out of their comfort zone to understand, or to learn something that they aren't used to. And so it may be that some people. Yes, they can't pick up the math. And so if you give them a difficult paper, they may not be able to really dig into it. But it's one of the things that we have to kind of get people that are not disciplined in a field to all of a sudden understand it's something that is. Substantially different than what they've ever dealt with. So like, you know, it may be that they're dealing with automatic transmissions, you know, they're not expecting some AI controller and, and so, but you kind of have to, you know, slowly encourage them how it's not that difficult.

Visha Gupta: Yeah. It's almost like you have to teach them instead of content. You have a piece then the art of learning.

Leif Jackson: Yeah. And that is probably the most important thing. It's almost like elementary school.

Stephen Boughner: It's like, there's some videos you can sit there on YouTube and you get to watch the bouncing ball, like tell you how the neural network works and how the backpropagation goes on. It's just, it's kind of funny.

Visha Gupta: I've seen the similar type of ones for blockchain. These ball videos are very popular.

Stephen Boughner: It's all of a sudden, all of a sudden the math comes out. You're like, absolutely.

Leif Jackson: Well, thanks guys. I really appreciate you coming today. , any, any last words for our audience?

Visha Gupta: No, I think I would just leave people with one thought, which is, you know, I think we live in amazing times.I am going to actually leave us on a note of optimism. , you know, we, we live in amazing times where technology, I think is leveling the playing field. It's giving us incredible types of immersive experiences to play with. It's giving us more innovation than we've ever seen before. And so my message would be to really embrace it head on, right. We could be afraid of technology or we can sort of join it. And learn some of those skills and take advantage of it and actually that way make life more interesting. And so, I see the glass half full

Stephen Boughner: and I, I think it's, I try to always get people to think about, find something that you love. And it's kind of more like, even if you're working on something, I work on some stuff that is so mind numbing, but it's. I love the fact that I solved a problem or that I can succeed and understand something and explain, and I can argue something stronger, but it's kind of like finding something in this. And I think in this, all these various technologies, there's so much technology, so much new stuff. There's so much to be so interested in, you know, that I wouldn't be afraid of anything. I would keep yourself, you know, options open and find something that really interests you. And you'd be amazed like how. Well more well you'll do it.

Leif Jackson: Fantastic advice. Really appreciate you joining today.

Visha Gupta: Thank you, Leif.

Stephen Boughner: Thank you.