#336 The Future of Cyber Defense: AI, Behavior, and Access Control

But where most corporations are feeling the brunt of these attacks are on the human element, right? Because at the end of the day, we are humans. We're going to make mistakes. And that's I think where we're seeing again, majority of the attacks happen. So absolutely on the human element. See? Welcome to Embracing Digital Transformation, where we explore how people process policy and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, Educator, Author, and most importantly, your host. On this episode, AI is supercharging cyber attacks. How do we defend ourselves? With Senior VP of Consulting Solutions, Amit Patel. Amit, welcome to the show. Thank you for having me, sir. I appreciate it. Hey, before we dive into cybersecurity and our teams and things like that, I think we all agree the weakest link in cybersecurity are people primarily. I think everyone that knows that, right? But we can't get rid of people. People are important. But before we dive into all of that, everyone that listens to my show knows that I only have superheroes on the show. And all superheroes have a background story, an origin story. So Amit, what's your origin story? I love that intro, by the way. Thank you for that, Darren. My origin story, I would say I'm truly probably tech-nerd at heart. I love technology. I love everything about it. Over the last several years, especially, I think technology has rapidly changed with the adoption of AI. And so I'm excited at where things go. I've been in the tech field my entire career, but I'm also an entrepreneur at heart. I love working with organizations. I love working with people. I've been fortunate enough to see a thousand different environments, a thousand different personalities. And so I feel like I've got a good grasp on all different avenues across the board. So I've been very, very fortunate from that perspective. I'm also a father of three little girls. You can see some of their artwork on my wall here. Oh, sweet little girls, man. You're outnumbered, man. I am. It's a tough job, but I wouldn't change it for the world. I love every minute of it. They definitely have me wrapped around their little fingers. Girls do it. It's amazing that girls do that, but they absolutely do. Because I got four girls and six boys. And the boys, you just kind of rough and tumble. They don't have me wrapped around their finger, but my girls, whatever they want, they get. And they all know that. So they all come to daddy. What do you want? And they're all adults now, and they still get whatever they want from me. So, Darren, is that 10 that I heard? Yeah, 10. Kudos to you and your wife. Yeah, it's been a little bit of a crazy news, but we survived. So, hey, all right, we could talk about families all day and raising children, which is almost like handling cybersecurity in an organization. You got personalities. You got a lot going on. But before we dive into the personal thing, I want your take on AI's role in cybersecurity. Have you seen that it has changed anything in this realm at all? Or is it just the same things over and over again, maybe faster? Or are we seeing any fundamental changes? No, I think the last several years, we've seen a lot of changes. I think AI, there's pros and cons to it. We, as the defenders, we have access to the same tools and capabilities that the threat actors also have access to. So email spiffing and phishing emails, the sophistication has skyrocketed. Before, you and I probably all, some of the annual cybersecurity training that we've done, right? Hey, look out for grammar issues or changes in font and things like that, right? Just the normal stuff. And now these sophisticated email campaigns, I mean, they're skimming through LinkedIn. They're looking at the way you and I write our emails, the tone that we typically use, and they're able to mimic to the tee. And sometimes write emails better than you and I would write them. Yeah, these threat actors, they have access to these tools that these things are getting so sophisticated that just the average human, we're having a tough time. I'm not the world's greatest expert by any means, but I'm relatively tech savvy. And so, but even I get fooled by some of these campaigns. And so it's getting a little bit more complicated. These campaigns are getting more sophisticated and they're using AI to their advantage. And so do you see that they're primarily doing this in the phishing attacks? So it's really an attack on the human nature of things, right? I mean, are we seeing AI really attacking frontal attacks on machines and technology itself? Or are they always trying to come back through the back door through humans? I think, you know, majority, if you look at majority of the cyber attacks is always through the human element side of the house. You know, are our threat actors, you know, spending time and leveraging AI to go through deep encryption and all that gets, yes, absolutely. But where most corporations are filling the brunt of these attacks are on the human element, right? Because at the end of the day, we are humans, we're going to make mistakes. And that's I think where we're seeing again, majority of the attacks happen. So absolutely on the human element. Since these attacks are becoming more sophisticated on the human element, what do we do? I mean, I even had on my show, it's been about a year, I had a cybersecurity expert on the show that cloned my voice, right? Captured my domain name. Yep. I mean, took over my domain name, sent emails as me to me saying, hey, check out the voicemail I sent you. I have some important things to ask you in that voicemail. So then they sent me a voicemail says, hey, I need the account number to our bank account because we're making deposits and I've got a digit wrong and won't go through. Yeah. And it was my voice. It's your voice, right? Yeah. Right. So I mean, these attacks are getting highly sophisticated, extremely. So Amit, what do you want me to do? Yeah, it's there, you bring a great point. These attacks are so advanced, it's tough for the average human to decipher what's real and what's not these days. And so I tell all of our clients at the very least, minimally start with behavioral education, right? And it's not just about awareness, right? I think previously, a couple of years ago, it was all about, you have a typical annual cybersecurity training, right? And then the fishing attacks, simulated fishing attacks all year long, right? I got those all the time. Exactly, right? But the annual cyber attack or cybersecurity training, right? It's largely theater, right? Because employees will just kind of click through those 45 minutes of slides and once a year, they'll do it and they'll forget 80 to 90% of it within a month, right? And so, meanwhile, like you mentioned, AI-powered fishing campaigns, they evolve, they're evolving weekly, right? Which means that once a year, static training, it's fighting a dynamic threat, right? And so, again, you used to talk about bad grammar and suspicious fonts, but now, again, AI writes better emails than you and I do. And it's crazy where things are going. I think, again, we've got to get better at dynamic scenario-based training, right? That builds like long-term memory instead of just checking the box for compliance, right? And so, what we recommend is, you know, these short monthly, like almost like micro-sessions, right? Maybe five, 10 minutes or so, sessions that are far more effective than the annual marathon long training sessions. So, that's one part of it. I do think that simulation campaigns are great, but make them contextual-based, right? So, you know, finance team, for example, they'll see a lot more invoice fraud issues, right? HR teams might see, you know, attachment, you know, fraud issues, right? The dev team might see DevOps or access, you know, fakes and things like that, right? So, make it contextual to the employees and kind of create the awareness around that. Actually, go through that. You know, again, an employee's always right, should be trained to pause and verify, right? And especially if it's asking for urgency, right? Like, hey, I missed this digit. I need this right away right now. Okay, it's asking for urgency. Let's take a quick pause. Let's verify before we do something, right? Because, again, that human element, I think, is some of the area that needs to be, is the biggest vulnerability. And I think we've got to figure that out. But it starts with that behavioral training, not just the annual. I really like that behavioral training thing where once a month, five to 10 minutes, it ends up in the front, frontal cortex, right? Yeah, like, see in the front of my head going, oh, yeah, cybersecurity is important, right? I need to take care of that. I need to watch out for that. It's almost like reminding when you work with Chatchu BT or anything. It's like dropping in, hey, we're going to talk about this, you know, at the beginning of the chat, right? Right. We're going to talk about this, okay? So let's make sure we focus on this. It just brings it to the forefront so that it's in the front of my brain. Yeah, the good thing about those types of behavioral training is you can also meet the training, you know, advanced and more sophisticated as time goes on. So it just builds and builds and builds as well. And again, it's not a one and done. It's not a once a year thing as well. It's a continuous. Yeah, it stays in front of people, right? Again, it's like out of sight, out of mind mentality as well. So no, I really like that approach. I think that's smart. But how do I, that means that my training has to be constantly being updated, right? Because the attacks are becoming more and more sophisticated every day. Yeah, 100%. I mean, there's some great tools out there. We even internally, for our word, an IT consulting firm, but yet we still leverage internal training for our own employees. Oh yeah, I would hope so. Yeah. Yeah, same thing, but it's about once a month. It's five to 10 minutes of these sessions that our employees watch. Maybe there's a little bit of quiz at the end or throughout the engagement as well. But now these training sessions, I mean, they're like a, you know, a Hollywood blockbuster movie almost. And it just builds and builds the scenarios built. And it's fun almost now because you want to see what happens next. And intuitively, you're also building your cybersecurity awareness at the same time. So it's kind of a great one to one. You made cybersecurity training fun? How? I've got to see examples of that. Well, and do you have some of this out on YouTube so people can take a look at it? Yeah, absolutely. Now, I'll send you some links as well, Darren. I'll send you some links. I'll put it up on the website. Yeah, because I'm interested in seeing this because right now I take a lot of training because I deal a lot with governments all over the world. And they want me to take their data privacy, data handling training. And it's like a snooze fast, man. I mean, it's like, some of them even talk about fax machines. Can you believe that? When you get a fax, I'm like, what? Right. Didn't get a fax? What am I doing with a fax machine? Yeah, I know we were still in the 70s. Is that right? Yeah, exactly. So I mean, so if I want to upgrade my cybersecurity behavioral training, where do I start? Do I just have to go to you guys? Or are there some tips and tricks that I can start on my own? Yeah, I mean, honestly, there are a couple of great organizations out there. You don't necessarily need to come to us. There are some fantastic organizations out there that your listeners can also reach out to. Well, nowadays, it's getting relatively cheaper. So even the small to mid-sized businesses that don't have an unlimited budget, right? They can start layering in some of these training and these tools as well. So they can protect their own organization and their employees as well. Absolutely. There's a multitude of ways out there. There's several organizations that do, I think, a phenomenal job at it. And they get happy to get that list over to you as well, that'd be great. So for the listeners, go ahead and go to embracingdigital.org and you'll see that. We'll put that list up on this episode. So that'd be great for everyone. Yeah, I think this is important. We've got a lot of mid and small businesses that are now in the crosshairs of these big, conglomerate cyber bad actors, right? And there's nothing worse than waking up to a ransomware attack when maybe my revenue is only $10 million and they're asking for $500,000. I'm like, lots, right? For a small company, right? That would be devastating. Yeah, and it's funny because the majority of the attacks are actually towards a smaller and mid-sized businesses because the threat actors, they also believe that maybe they're just, they just don't have the resources or the money to put these tools in place or the training in place. So it's soft targets. Yeah, they're soft targets, exactly. Absolutely. That's pretty rotten. It is. Come on, you guys, you bad guys. All right, so let's pivot a little bit into creating a cyber defense now, right? Because we handled kind of the behavior thing for all of my people in my organization. What are some tips that I can have a better cyber position for my organization? A training? Great. I think we covered that one. And that's probably my biggest hole is that is training my people. But beyond that, what else can I do to protect myself? Yeah, absolutely. I think the non-negotiable is access governance and kind of these role-based controls. I think every organization, regardless of your size, needs to do it because we all know human error is inevitable. It's going to happen. But catastrophic damage, right? That can be isolated, right? Yeah, exactly. That doesn't have to be, you don't have to have it blow up, right? But access governance is kind of what makes that difference happen. And so most breaches, again, they're not caused by these amazing elite hackers that are breaking crazy encryption. It's they're caused because people have overprivileged access, right? Overprivileged accounts or even stale permissions, right? And you see these at some of the largest and most sophisticated organizations out there. So mind-boggling to me, this is still an issue because when I first started computing, beyond a PC, right? I got my hands on the Unix operating system in the 80s. And it had access control. And it drove me crazy because I was used to working on a PC, right? What do you mean I can't access that file? I should be able to access all files on the phone. So access control has been around for a really long time. It only got into Maltrex and even the IBM mainframes all had access control. So why are we so bad at it now? You know, a full transparency, I think it's because it's just easier if I just give everybody access. Like just open it up to everyone? Yeah, it's just that it's easier for me. I don't have to, you know, keep giving your permission every day and every hour, right? Yeah, that's true. Yeah, and that's I think that mentality was okay years ago when attacks, you know, did happen every second or every minute, right? I mean, again, Fortune 50 companies, we've had a client of ours, they record about 10,000 pings on their network by threat actors on a daily basis, 10,000 pings. That's a lot. Yeah, it's mind-boggling where things are going, right? But if somebody with excessive access makes even one small mistake, because again, human nature, it's inevitable, that that blast radius could turn into a massive financial headlines in the news, right? And so I think the principle of least privilege is extremely important. That just means that employees should only really have access to what they need right now, right? And that not like you put the time element on there, because I mean, that's a zero trust, that's a zero trust principle, right? Yep. Access for a certain period of time. Correct. Which is which is really critical. Yeah. That means I've got to hire a person to handover access control, or I have to spread that across the whole organization and say, hey, you know, hey, you least privilege is a philosophy we adopt here at this company. Is that what you're saying? I think that that's a it's a cultural thing, which is another topic that I'm extremely passionate about. But I think, you know, access should also be tied to roles and not to the individual as well, right? Because if you tie to individuals, then it's band-aid on top of band-aid on top of band-aid, and that just increases risk exponentially as well. But if you attach it to different roles, then you're able to, you know, you have a little bit better control over it, it doesn't get over burdening to the actual IT team themselves as well. And you're able to have better control over it. So I think that's one thing. Obviously having quarterly reviews, that should be mandatory as well. Don't just do annual reviews or anything like that. I think annual reviews are just way too long. And then also these, especially these privileged accounts, right? They should never become permanent. People have admin accounts all the time, right? They walk around with unrestricted access, like it's just a badge, right? That they walk around with. And that is totally a badge. I have rude access. Right. I mean, when I was a cis admin, I was like, yeah, I got rude access. I have keys to the whole kingdom, right? And with that becomes responsibility that sometimes I messed up, like I blew away our whole email server on accident, like, yeah, I just straight because I had rude access. Yep. Did I need rude access? Probably not. Probably not, right. And also it's, you know, just because you might need rude access one time a year doesn't mean they should just have that access all the time, right? And so I think again, some of these things are non-negotiable. Everyone should do it. Even some of the smallest organizations, minimally, again, multi-factor authentication is an absolute must have. There's another good multi-factor authentication. Right. Absolutely. And even, you know, for our organization, if you're blogging to email, especially nowadays with a lot of work from home or remote work, travel, I mean, these a lot of networks, especially in hotels, airports, right there, unsecured. And so always blogging to VPN, have MFA active. That is a non-negotiable as well. So you brought out something interesting because I've seen a trend on the role-based access. So RBoc, right, we hear the term RBoc. What about attribute-based access control or A-Boc? Do you see that as a viable solution or is that just more complex? Because there's been some debates, and I'm wondering, you're an expert in this area. What have you seen? Have you seen the emergence of A-Boc or is it just too complex? You might think it's going to go in that direction. I think eventually, especially with the advent of AI and able to do that, I think it's going to get there as well. It is a little bit more complex. It's easier for organizations to start with role-based because, again, it's simplified, it's easy. Again, even the smallest organizations that have very little budgets can do this. Can do that. Right. Start there. But AI, honestly, is also making it a lot easier. I think that's, that next topic is from these automated safety nets and AI detection tools. I think it's also a no-brainer, especially with where our role is going to. Okay, so you moved right into detection. I do need that too. So I put up my wall. I have great access control, multi-factor authentication is must. Maybe we'll move away from passwords completely. That would be wonderful. So now, defense through detection. Detection is the next major thing that we need to talk about. So detection is expensive. I've always heard that. I've got all these system logs. I've got my network logs. Do I need to go buy elastic to do this? Do I need Palantir? Everyone says I need Palantir to do this type of work. Are there solutions out there that give me some? Detecting people hitting my network is important or infiltrated my systems is important. I think it's super important there, and especially with where the world's going. Again, I think we also have to acknowledge the fact that people are busy. They're distracted. They're juggling 20 tabs right at once. Security needs to operate at machine speed as well. You look at even modern email security, for example, it shouldn't just detect spam, but it should look at tone shifts. It should look at impersonation attempts, abnormal payment language. All those things, it should automatically do. Especially when sometimes we're going to miss it. We're not perfect by any means. AI helps in front of that. The good thing about AI also is that where I think it differentiates us at the corporate level versus the threat actors is that it baselines how employees behave. It can baseline how executives typically write emails, for example, or what type of language they use, or the behaviors of your employees. Darren specifically logs in typically 99% of the time between these hours or here's what he typically does. We can baseline that, and if there is an abnormal change in behavior, AI can automatically detect that, put a stop to it, all that stuff. But that's where these large ring of models are great at, power and detection. If I get an anomaly, it can automatically go, this is not what we normally behave. We don't behave this way. Yeah. Exactly. Imagine if somebody in the county all of a sudden downloads 50 gigabytes of data at two in the morning. That's a little bit of an odd behavior. Let's maybe put a stop to that. I'm sure you heard about this breach that a very large organization had about a year ago. Somebody came in through a communication channel and they downloaded a bunch of data that they weren't supposed to, but had some of these things been turned on, they could have said, hey, downloading terabytes of data, it's a little bit out of the norm. Let's quickly put a stop to it. Let's investigate it. Let's figure out if this is supposed to happen. If it is, great. We'll unlock it. It's a little bit of time wastage, not the end of the world, but at least we can stop these attacks before they happen. I think, isn't that always the friction between cybersecurity experts and users of the systems? You're just getting in my way of me doing my job. You're slowing me down. I've done this myself as I'm not a cybersecurity expert. I play one on a podcast sometimes. All right. My PhD is in cybersecurity, but I'm not a cybersecurity expert. It does slow you down. It does. Let's be honest. No, you're right. I think there is, and that's a fair concern, right? Because especially if it's poorly implemented, security practices and principles, I think that could definitely create friction, absolutely. But the goal isn't about more friction. It's about almost like smarter friction, right? I like that. Smart friction. There's the term of the day. I'm going to coin that, Darren. Please don't steal it. All right. You gotta hurry, man. Because at the end of the day, security to me, it's embedded intelligently. If it is embedded intelligently, then a lot of the protections are invisible, right? Most people shouldn't see it, and most people shouldn't deal with it, right? Because again, a lot of these AI detection that runs in the background, I mean, they're not really interrupting workflow. For at least, again, 95, 98% of the use cases or 98% of the employees out there. So that's the way I look at it. I think the real question is not necessarily about, does this add friction, right? But more, does this add less friction than a breach, right? Because I think you hit it on the nose. When you were talking there, I was thinking, when I come into my house, I have a lock on the front door. Right. Right now, where I grew up, I grew up out in the country in Central California, out in farm fields. We never locked our house. In fact, when my parents sold the house, they couldn't find the key to the front door because the lock hadn't changed in 30 years, and we never locked the house. Right. So I was used to just opening the door coming in. The house was never locked, but now I live in the suburbs. I lock my house, and it takes me 15 seconds to unlock the door. Right. But that's a whole lot better than coming home to a house that's been completely ransacked. Exactly. Exactly. Same analogy. So I guess I'm willing to take a little bit of that smart friction of cybersecurity. But if it took me a whole five or 10 minutes to unlock my house, I would stop locking it. Right. Yes, exactly. And I think to that point, I think it's got to be that smart friction. Otherwise, your employees are not, they're not going to adapt to the technology. They're not going to adapt to those principles as well. And so it's got to be seamless. It's got to be frictionless. It's got to be more in the background, and it can't really disrupt their workflow. And I think, you know, to that point also is if you lead, and this is maybe even another topic, but if you start leading with that culture, especially from the top down, then it becomes second nature. Right. It's, yeah. Because now I go, I don't even have a key to my front door. It's all, you know, all computer. Now I can open it with my phone or with the keypad on the door. And it's all second nature. We just changed our lock combo. So all the listeners that already know the lock combo to my house because it's been mentioned before. We changed it so you can't come in. But now when I go, I go to hit that first number, it's not the same number. And I'm like, oh, crud. I got to remember what the new lock combo is. It's like changing your password. It's painful for a little tiny bit until that muscle memory gets in. So I get that frictionless concept that's pretty slick. Exactly. And I think again, when you develop that culture from leadership, then again, it becomes second nature. It's not just an IT initiative or an IT led, you know, nuisance. Right. It is, hey, this is what we do. We, regardless whether we are in healthcare or finance or any other industry, we're a security company and that's what we're going to be doing. That's great. Hey, Amit, if people want to find out more besides just coming to the website, how do they reach out to you or how do they engage with your company? I mean, yeah, tell us more about your company and how you guys engage. Yeah, perfect, Aaron. Thank you. Our company is called Consulting Solutions. We are an extremely large IT consulting firm. We help a lot of our clients with a lot of their IT challenges or initiatives. Anything from cybersecurity, AI development, ERP, program project management, anything that they themselves may not want to initially take on themselves. We've probably done it a dozen or two dozen times. And so we know the pitfalls, we know the nuisance, we know the issues, and we could probably help success. We deliver these initiatives for them. And so ConsultingSolutions.com, check out the website. And I'm also on LinkedIn. I think it's Amit Patel one, two. So feel free to, I was going to say, do you know how many Amit Patels there are? There's a lot. There's a lot. I think I have maybe a dozen in my phone alone. Sure. Very, very popular. So Amit Patel one, two. I believe that's it. Yep. All right. There you go. You're number 12. I was number 12. You're number 12. That's awesome. Again, thanks for coming on the show. This has been wonderful. Likewise, sir. I appreciate you having me. I love your show. And thank you for letting me part of it. Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show. If you want to go deeper, join our exclusive community at patreon.com slash embracing digital, where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at embracingdigital.org. Until next time, keep embracing the digital transformation.