Genealogy of Cybersecurity - Startup Podcast
Interviews with founders, startup-advising CISOs, venture capitalists, and analysts discussing the issues of cybersecurity, new threats, and emerging technology. The Genealogy of Cyber Security brings listeners into forward-thinking conversations with industry visionaries, to explore big ideas, and discuss out-innovating the competition.
Genealogy of Cybersecurity - Startup Podcast
Ep. 8 CISO Sebastian Goodwin on Advising DSPM and Automation Startups
Chief Trust Officer Autodesk and recent CISO of Nutanix Sebastian Goodwin discusses advising startup, Concentric AI, in the new data security posture management (DSPM) space, and the importance of locating your data as a prerequisite for security. Sebastian and Paul discuss the recent maturity of natural language processing (NLP), and how ChatGPT and large language models (LLMs) are impacting the startup world. Also discussed are key questions, like how to wade through the AI hype and setting expectations in this new generation of AI.
Sebastian discusses what it’s like on the Night Dragon Startup Advisory Board, advising startups during ideation and early stage, including tales of brainstorming key product categories over coffee years before anyone heard of them. Paul and Sebastian discuss his work with StrikeReady and the AI virtual assistant space, as well as several other automation startups.
Sebastian discusses the future of automation and highlights a couple more startups, like Reach Security, which automates and enables optimal configuration and usage of cybersecurity products. Sebastian also discusses Hadrian which auto-maps attack surfaces and automates finding exploits and vulnerabilities.
Sebastian explains the benefits of a non-traditional career path and spanning fields, and Paul and Sebastian discuss the downsides of hyperspecialization.
Sebastian Goodwin can be found on LinkedIn.com/in/sebgood
Concentric AI can be found at Concentric.ai, on LinkedIn.com/company/concentricinc, or Twitter @IncConcentric.
Hadrian Security is at Hadrian.io on Twitter @hadriansecurity or LinkedIn.com/company/hadriansecurity.
Reach Security is at Reach.security on Twitter @ReachSecurity or LinkedIn.com/company/reach-security.
Find StrikeReady.com on Twitter @strike_ready or LinkedIn.com/company/strikeready.
NightDragon is at NightDragon.com, on Twitter @nightdragon or
LinkedIn.com/company/nightdragon-security.
Send feedback to host Paul Shomo on Twitter @ShomoBits or connect on LinkedIn.com/in/paulshomo.
And then when we met, you were, I guess, the ciso at Nutanix. And you're also a professor at UC Berkeley. That's right. You got a lot of stuff going on. I was going to ask you like, what do you want to do when you grow up, like be president, or go to Mars or something? You know, I've served on a corporate board and I really enjoy that as well. And think that some more board service might be in my future. But yeah, contributing to the academics was near and dear to my heart because I feel like there's not enough out there, especially at the graduate level for leaders to really understand managing cyber risk, which is the name of the course that I created at UC Berkeley. The genealogy of cybersecurity is a new kind of podcast. Here we'll interview notable entrepreneurs, startup advising cisos, venture capitalists, and more. Our topic, the problems of cybersecurity, new attack surfaces, and innovation across the startup world. Welcome. I'm your cybersecurity analyst, Paul shomo. I'm Sebastian Goodwin, chief trust officer at Autodesk. You want to talk about a little bit like your in what capacity do you do? Startup advising are you involved with any venture capital firms in like what's that look like? I am an adviser part of the night dragon advisers network. So night dragon is a pretty big cybersecurity specific venture capital firm. And yes, I advise several startups most of them in the cybersecurity space. A couple of them are just more enterprise IT. Do you typically get involved? Because I know I've seen in these type of advisory boards. In some cases, they're actually looking at product demos, maybe beta testing, other cases, they're getting the initial pitch. And then in some cases, they're cisos will actually be there kind of describing problems to entrepreneurs before they even build product. Like, where do you kind of fall into that spectrum? Yeah you know. Where I really love to be involved. And I have been involved many times is really still at the ideation phase. Thinking about what product do we want to build? And so I've had the opportunity to sit down with founders really before they've even decided what product they want to build and just kind of throw around ideas, which is really fun. And it's especially fulfilling to see to see the product you know from ideation to launch and success. But I've also got involved with startups that already have a fairly mature product. And in some cases, they want to sort of move into the security space or they're just looking for an adviser to help from I also have background in product marketing, I worked at Palo Alto networks for a few years. So I'm kind of an unusual ciso in that respect. Both as an operator and a technologist, but also with the experience on product marketing. So sometimes they want to tap into that experience in terms of honing their message. It's interesting and one of the actually the reasons I started this podcast is the general population in cybersecurity doesn't understand that there are these incubation spaces where they bring in certain sets of cisos. A lot of times the brainstorm stuff before people even incorporate or build product and you're having conversations, I mean, just the early startups that come out state innovation sandbox, they're building stuff that you know is going to be cool four years from now. And you're having conversations 5, 6 years you know, in the past from where the leading cool kids in cybersecurity are basically adopting. So you're kind of you're kind of like living the future and it kind of way. Yeah, it's so fun and to be involved early stage and not only is it fun, but you get to really you know your feature requests end up in product so quickly sometimes, and that's a completely different experience than you have with giant vendor asking them for a feature. So you really get to mold the product and I've had that experience where you know I get on a call to see a new release from one of my vendors and they say, well, we added this feature because you asked for it. This was your idea and it makes our product better and other customers love it. Thanks for this idea. And I love that. I've heard that a lot from the sisters that they bring. But I think they specifically bring in certain cisos that are very good at explaining the problem space and understanding what existing vendors aren't doing. But I want to ask about two areas. The first is data security posture management. It's a new category, gardener, just named it last summer. For those that don't know it's the kind of cloud native iteration of products that answer those age old questions of what data do you have, where is it, who's accessing it? And I met you through the startup concentric AI, which is actually going to be the next episode. So you want to tell me about your work with DSPM and concentric AI? Yeah, sure. I think this is a really important category. And in particular, I've always found that the really difficult data to deal with is the unstructured data. Because it's messy, it's documents floating around sitting anywhere. And someone's online cloud drive. And you don't know which documents are have you know the companies most critical secrets. Yeah. So data security posture management, I think it's a tough one because the proliferation of cloud document repositories is just growing like crazy. So I was introduced to concentric AI. And I was really impressed by their ability to label and cluster documents, like nothing I've seen before you know. I've had a lot of experience in old school DLP products and classifying data and things like that. And of course, using regex patterns and it's incredibly easy to find social security numbers, credit card numbers. Everybody can do that. But what's incredibly difficult is to actually read the content of documents and figure out what kind of document it is, let's say, an NDA versus a proprietary formula for a pharmaceutical, right? What kind of classifier is going to tell you the difference between those two documents? And they've really figured out using a sort of natural language and AI so that it can really understand what it's reading. Which was pretty clever. So what I found is that if you haven't read millions of documents, it'll classify them, and if it doesn't know what a certain category is, it'll just label it, hey, this is cluster 85. And you can look at cluster 85 and there's a number of them for you. You open that up and look at examples, and then you can say, oh, I know what type of document this is. And you can just change the label name. And from that point forward, it'll classify those types of documents correctly. And then so that's the classification piece. And of course, then it gets a lot further into. Now that we know what each category is, how do we know if there's if data is at risk? And that gets into a whole another set of functionality around, is there high risk sharing going on? Is does this document type normally not get shared outside of the company? Because it's so sensitive, but there's the one document that's shared to the whole world you know. Let's flag that as high risk. And also doing really interesting stuff around sharing to personal email addresses and stuff like that. It does seem like natural language processing got better or matured a little bit a good bit in the last couple of years. Is that your experience too? Absolutely. And you know these guys have been doing it you know. I think we first met even beyond two years back. So I think they were one of the leaders in this space, especially as it relates to data security posture management. But yeah, I mean, now look where we are today with chat GPT and everything. It's incredible. Yeah, I wanted to ask you another question. Kind of around that area and I was curious to get your opinion. So you know computing power and storage has been increasing and reduce increasing in power and reducing costs. And I guess my question is, how much in your opinion is the growth and the maturity of AI and NLP and large language models based on new math coming along versus the industry finally using the older math because we have the computing power to do things that we could have always been doing. I do think a lot of it has to do with just access to the compute power. And GP being able to rent GPUs at scale. So yeah, that's, I think, what has allowed companies like OpenAI to come into existence and create these new technologies, for sure. Yeah, it's interesting too, because in AI/ML, we've kind of we've kind of created this kind of class of kind of hype merchants that they're really kind of using math terminology as new buzzwords, right? And I mean, these example you go back to like the first wave of ML in cybersecurity that we all experience was the late 2010s, right? We had, you know, silence was the kind of the tip of the spear and, you know, they did, they did a good job for a primary machine learning based product. But you had back then you had marketers running around talking about supervisor versus unsupervised learning as if those are like buzzwords to decide which product you buy. And I obviously things like NLP and large language models. There is a big difference there, but I guess the question is like, how does someone like you navigate through that you know being someone who's more familiar with the AI/ML side than many others? You have to be able to just cut past all the buzzwords and just say you know, I like to get a technical description of how something works, not everybody likes that, but I'm more of a techie, so I ask them really give me the technical description. Don't give me the marketing slides and buzzwords, but really explain to me how this product works, and what outcomes does it achieve for me, which is that's the important thing. But you know with all these tools, I like it to be explainable, especially when it relates to security things. I tend to shy away from black box you know. We don't know how it comes up with the answers. But that's not always possible, especially these days as we get into you know AI and neural networks and stuff like that. Absolutely. I noticed too another vendor that you advise with a strike ready and coincidentally group two is actually basically my first guest on my first episode. Oh, wow. Yeah. Actually, I had interviewed him last year he was kind enough to let me use an off the record interview from something I wrote for dark reading, but very smart X fire eye product leader. Yes. Everybody should go back and listen to episode one if you're listening, but for just in a nutshell, they have a virtual assistant that does part of the incident response for you. That's right. Yeah. So I'd love to hear your thoughts on strike ready and your work with them and you know the future of virtual assistants. Yeah, just met them a couple of days ago here in San Francisco at RSA conference. But yeah, I've been advising them for quite some time now. A couple of years. You know, essentially, they had before way before the days of chat GPT. They already had a chatbot that was helping with security operations. It was very impressive. And you can ask it questions. We call it Kara. CARA is stands for something. I don't remember right now, but so you can ask Kara questions. You can just in a chat box. What are the top incidents that I should look at right now? Let's do some threat hunting. What should we look for? And also in terms of incident response, it's very useful, you can have it search for IOCs across multiple tools, and you can say you know, block this hash in my endpoint tool, and we'll just go do it for you. So really nice kind of centralized command console where your soc analysts can get a lot of work done and be a lot more efficient. So I saw the thing last fall yeah. Obviously, everyone's adjusted. They're thinking with chat GBT. I was looking at them like, you guys are like space cadets. Like what is this? This thing here and they demoed it and it seems to work pretty well. So it's a wild little product. Yes. Yeah, it's very cool stuff. So yeah, it's interesting too to think about you know one of the things that I thought was particularly interesting was it could take a malware sample and put it into like some large number, maybe 50, 50 malware analysis engines. Oh, yeah. And then correlate the results. And they're probably, you know, as their founder pointed out or their cheap product officer, you know, not everybody has the experience to like correlate through the different malware analysis engines. And so it's been trained from some of the best people to do that. And it's, it's kind of like you're renting out a high end IR person, but it's AI. Yeah. Yeah. It's incredible what you can do with it. And yeah, like you said, it's tied into a lot of other third party tools. So you get the benefit of those as well. That's the other thing that's interesting about it is so ChatGPT at least at the moment really just talks to you. But there's actually there's actually interacts with the environment. It's more like because Siri has apps that it knows how to use writer and his fingertips. It's a little more like that. Yeah. It connects via API to all your security tools and to a bunch of third party data sources. So you can have an interact with your own stack to actually do things if you want to go block something on the firewall, block something on your endpoint product. So it's kind of giving you that orchestration and automation as well. And also third party threat Intel and absolutely. Well, you know, one thing I wanted to also talk to you about too and get a feel for sizing the development efforts of AI functionality because I'm going to strike they shocked me it was before chat GPT. I think everyone's kind of adjusted our thinking in terms of what you can deliver with AI. But you know there was just reliance AI, you probably haven't bumped into them, but they were just innovation sandbox and just real quick to fill in that detail. They're going to be on a future episode, but they touted a product that had an intelligence, it can understand legal compliance documents from like a requirement standpoint, and then it can understand the code and do static code analysis and kind of kind of correlate or impose requirements on code. So that's yeah two pillars of intelligence that are it's a pretty high-tech product. And you know these companies have only been around for a couple of years. And as I'm running into the new, this new breed of products they're doing either NLP, large language models, or some of these approaches, it kind of breaks my old engineering manager brain where I used to be able to size how much time it takes to build functionality and the velocity of feature development because they're coming right out of the gate with like a lot of functionality. So like how does somebody like you you know kind of wade through that and get a feel for like, what do we expect with these new generation of AI startups like? You know, in terms of what kind of they do all these things like, should we invest the time to test them if you catch my drift here? It's such early days. It's still hard to tell. But yeah, the pace of the innovation in this space is just incredible. And you see you know all these companies popping up. I think even the company that won the RSA innovation sandbox was doing something related to large language models and generative AI. So there's a lot springing up and the velocity is just incredible. Yeah, HiddenLayer protects the machine learning text layer. There are actually my last episode, you have a very interesting folks, yeah. But pretty much innovation sandbox, I'm all over that thing. That's where I came out of the last 7 years covering that, but yeah, absolutely. And I did I actually grill a lot of them too. Like, wow, this is a lot of functionality. How are you building it so fast? And there's some interesting answers. They're giving me about you know prototyping with generative AI is one, and you know there are certain things they bring in like NLP that does a lot of stuff for them. Yeah. Well, it's incredible. Yeah, it really is. Let's talk about the other side of it too, though, is miseducating AIML, maybe I'll call it earlier. Because traditional software didn't age that well, right? You occurred too many lines of code. We'd call it legacy code, would slow innovation. It was had a lot of inertia to it. What do you think the equivalent of that is going to be with these AI products where they're building up intelligence? Do you have any feel for that? It's still early though. It's early and you know we all have to be very careful when we build these products in terms of how are they going to iterate over time? And what will be the outcomes in terms of we have to worry about bias, for example, and just bad data, LLMs that will lie to you and make up stories, right? And you know so it all I think for a product developers and this is actually part of my remit as chief trust officer and Autodesk is to build out a data ethics function. And data ethics includes responsible use of AI and ML and being very responsible, transparent with customers about what data we use and how we use it. But also making sure that we have guiding principles in place to ensure that our developers and product leaders engineers are very cognizant of the risks around these technologies and making sure we don't train off of the wrong data, bad data have unexpected biases and things like that. Yeah, absolutely. The statistical way of thinking is not the best of human psychology and there's a lot of that going on in the AI/ML. Yes. So let me ask you kind of an open question because you definitely have a lot of startups that you're advising. What are the big areas where you have problems that the existing industry isn't solving? Where you're going to the startup world and saying, hey folks, help me out with this. One area, and this is actually an example of one of the startups where the founders came to me and asked that question, what are the challenges? And we talked about it over coffee a few times. And I ended up building a whole product and a startup around it. And it's really fascinating. And successful. It's called reach security. And what they're doing is helping you optimize your existing security stack because I think as cisos, we have so many security tools. And at any given time, I think we're not getting the full benefit of each of those security tools. Now, why is that? It's because when you first deploy something, you might deploy it at the optimal state. You might read all the documentation, or you might have professional services come in. Experts deploy it for you, turn on all the bills and whistles that are available at that moment in time. So that's best case scenario. Oftentimes, we don't even do that. But best case scenario, you deployed an optimal state. And then from that day, it starts deteriorating. And what I mean by that is a couple of things. One, they'll keep releasing the vendor will release new features, but you might not turn them on or enable them. Some things are not on by default. So they release new capabilities, but you're so busy off deploying the next new thing that you're not sitting there reading product release notes every day necessarily. Unless you have enough people to do that. So what I observed is that I had some tools that you know we were not using half of the new features that came out. The other way it deteriorated was just through some bad configurations. Take, for example, email filter. What I found in one case was that people were adding things to the white list, the global white list, IT was adding things to the global whitelist that really should not be on there. So there's sort of like a configuration audit aspect as well. Is this thing configured in a reasonable way or not? And we should keep checking that over time to make sure that we're still getting the best security benefit from the tool. So they put together a product that actually plugs into your whole existing stack of security tools, whether it's up to sentinel one, Palo Alto networks, or whatever you're using, Proofpoint, and it checks the configs and also observes what attacks are getting through and why. And then it gives very prescriptive guidance, including scripts that you can just run to go modify configurations on things. And it shows you how you can improve the effectiveness of your existing stack, which I think is especially important these days when budgets are getting tight and we don't necessarily have budget to deploy lots of new tools. So how about getting a lot more effectiveness out of the existing stack? That sounds great to me. Yeah, I call reach the cheat codes for your existing securities stack because they told me stuff that I didn't even know I could do with some of my tools. They're like here, put in this custom rule. And I give you the code. And it's like, oh, that's a great idea. I never even thought of that. And so you just put that in and you're getting the benefits. That's pretty cool. It's a very unique one. Oh, I was just curious, when did you sit down and have coffee with them and have this conversation? Do you remember that must have been maybe two years ago? Yeah. I love this quote sci-fi author, William Gibson, the future is already here. It's not just not evenly distributed and that definitely describes this kind of inception phase of technology in the startup space. Yeah. So one thing I'm curious to see if you can help me out get a feel for what startups and venture capitalists are thinking because it does appear that there's one particular problem I want to discuss that startups I know are running into right now. And it does appear that artificial intelligence is probably hopped on an evolutionary curve that's really jumping up and that's got to create a conundrum because it used to be it was good to be first as a startup, right? Yeah. Of course. 6 months from now, OpenAI or some large language model or something like that, delivering AI as a service might actually offer what you spent a couple of years developing, right? Because you were first. How to power stars navigating this? What are people talking about in that startup world in terms of what's safe to invest in in terms of R&D? That's a good question. I think you know the startups now speaking with so far, don't feel particularly threatened by you know the generative AI and the large language models that are coming in. They're looking at it as an opportunity to integrate and add some capabilities to their product. The smart ones have you know they're ready for it because they've been building their stack. They've already labeled all their data and everything. So it makes it a lot easier to start training based on the data because everything's nicely labeled very smart. So yeah, I think that it's an opportunity for everyone to up their game and use this new technology as part of their product. I love that you brought up that with basically curating your David and labeling. It's for AI companies. It's such a big thing to accumulate and have that good normalized, curated, labeled dataset. It's kind of really the backbone of their tech. And if you don't have that you know, what are you building AI and ML out of, really? Exactly. And I think that's great advice for any company or any startup or any company in general. Yeah, label your data. In the beginning, when you're building the product, just plan for that now. You know, you span academia, you've been a CISO chief trust officer, startup adviser, and you mentioned product marketing. But you know we live in a hyper specialized world and it's hard to think of a good description for a positive description for generalists, but I have one here. It's you know they used to call these folks a renaissance man or a renaissance person we should probably say today. Centuries ago, they had these folks, you know, during the renaissance where they were like a mathematician a philosopher and an award winning playwright and we called them, you know, this renaissance person. Yeah. And some would say those days are dead, but I wonder if they are. And I'd love to hear your thoughts, especially because you spend many many topics. Do you think there's some value to bucking the trend of singular specialization and embracing that very human quality of general intelligence in spanning different fields? Yes. Absolutely. And especially in cybersecurity, I think cybersecurity, there's this creative aspect to it. Rather than just thinking through sort of the happy path, how do things work? Cybersecurity, people are thinking through, well, how would I, how would I abuse that thing? How would I make it do something that it's not supposed to do? And I think the more diverse backgrounds that you bring into the conversation, the better ideas you get. And some of the best cybersecurity folks I've worked with have come from non traditional non cyber backgrounds. Because they just have a different way of thinking. And that's what we need in our field. Are there any areas of I noticed too also you were advising some more general automation startups as well? Do you have things that you see in the future really needed from an automation perspective? You're not getting from existing vendors? I'm a big fan of automation. And you know I can talk about sort of some of the cool things I've seen actually, there's one really cool startup that I'm advising called Hadrian. And they are doing automation of offensive security. So it's like starts with a tax surface mapping, but not just automated attack surface mapping. It's then, once you understand the attack surface, actually attempting to exploit and get in. So you know it's based off of they're using some ML and stuff to do this. But basically, automating what hackers would do or what a bug bounty program might do for you you know. Where we're going next is just more intelligence around. Deciding what to do during that next step of the automation, like rather than have a very set and static if this then that have it actually bring some intelligence and make its own decisions on what it's going to do next. And I know strike is doing some of that, for example. Well, happy Friday and again, thanks for coming on.