Tom Eston and Sean Martin discuss the relevance of certifications, the importance of internships, finding your niche in the industry, and the future of AI in cybersecurity. Learn about the challenges and opportunities in this rapidly changing field.
Guest: Tom Eston, VP of Consulting & Cosmos at Bishop Fox [@bishopfox]
On LinkedIn | https://www.linkedin.com/in/tomeston/
On Twitter | https://twitter.com/agent0x0
On Mastodon | https://infosec.exchange/@agent0x0
Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
This Episode’s Sponsors
Pentera | https://itspm.ag/penteri67a
CrowdSec | https://itspm.ag/crowdsec-b1vp
In this new Redefining CyberSecurity podcast episode, Tom Eston and Sean Martin debate the value of certifications such as the CISSP. Tom emphasizes that, in his area of offensive security, experience, cultural fit, and ability to learn are more important than certifications or formal education. The two also discuss the role of internships in providing real-world experience and hands-on learning opportunities for aspiring professionals.
The conversation also touches on the importance of finding a niche within the cybersecurity field. Tom highlights the need for specialization and encourages listeners to explore different areas and technologies to find what excites them the most. He also stresses the importance of learning the fundamentals before diving deep into a specific subject. Sean and Tom consider how job descriptions may evolve to embrace specialization and the need for experts in different aspects of cybersecurity.
Tom and Sean also discuss the role of AI in cybersecurity, both as a tool to assist in detection and response, and as a potential risk itself. Tom believes that learning how to interface with AI and understanding its capabilities is crucial for professionals in the industry. While AI can be an efficient assistant, it is essential not to rely solely on its output, as human analysis and verification remain vital in ensuring accuracy and security.
Listen to this episode and you might begin to determine what your cyber chameleon might look like.
Shared Security Podcast: https://www.youtube.com/c/SharedSecurityPodcast
Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.
Welcome to the intersection of technology, cybersecurity and society. Welcome to ITSPmagazine. You're listening to a new Redefining CyberSecurity podcast. Have you ever thought that we are selling cybersecurity insincerely, buying it indiscriminately and deploying it ineffectively? Perhaps we are. So let's look at how we can organize a successful InfoSec program that integrates people, process, technology and culture to drive growth and protect business value. Knowledge is power. Now, more than ever.

CrowdSec, the collaborative and open source cybersecurity solution: analyze behaviors, respond to attacks and share signals across the community for free. Let's make the internet safer together. Learn more at crowdsec.net.

Pentera, the leader in automated security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real-world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation towards business impact. Learn more at
Sean Martin 01:40
Hello, everybody, you're very welcome to a new episode of Redefining CyberSecurity here on ITSPmagazine. This is Sean Martin and I have the distinct honor and pleasure of having a former guest on and a fellow podcast host on the show today, Tom Eston, how are you? I'm great, Sean, thanks for
Tom Eston 01:58
having me. I'm excited. I know it's gonna be second time.
Sean Martin 02:04
Well, I think Well, Mark and I had you on talking about podcasting. Yeah, really, really cool. And I would encourage everybody to, to have a listen to that episode and hear about Tom's journey and some of the things he he does and knows and learned and still learning and shared with us all about podcasting. And your podcast shared security podcast, obviously, is about cybersecurity. You have talked about all kinds of different things in your professional in cybersecurity as well, not just a podcast host. And I was like you and I have to wrap on some stuff. Yeah, just a few things, right. Let's set podcasting logistics and operations and all that aside. And let's get into some fun things for redefining cybersecurity here, where I hopefully help people operationalize security. So think a little differently about the tools and techniques and how they build their teams and run their programs. To not just do it for the sake of security, but to help grow the business and then protect the growth when they actually can achieve it. So so here we are. Tom, a little bit about you, for those who haven't heard that episode yet. shared security podcast, maybe maybe closer back to I say what I was hatched, or earlier on kind of your journey into where you are now?
Tom Eston 03:24
Yeah, yeah. So like I said, I've been hosting the Shared Security Podcast for over 14 years now. So that's my little labor of love or side project. But my, my day job is, so I'm a VP of delivery at Bishop Fox, where I lead our consulting and our product delivery teams for the company. So I've spent, I'd say, the majority of my career, well over 17 years now in offensive security, so kind of grew up as a pentester myself. So I've always been a hacker and then somebody one day in a job told me, it's like, you know what, you'd make a great manager. And I'm like, management like, well, we're
Sean Martin 04:11
done. Yeah, exactly. Like,
Tom Eston 04:13
I don't know about that. And in my one job, as a consultant, I kind of played the dual role of being a manager and a consultants. And then I ended up getting burnt out, and I had to choose one path, right? Either I go the business path, or I stay as pentester and the technical path. And I'd say that was probably one of the hardest decisions I had to make, because I love doing both things. But actually found out that getting more into the business side, ended up being more of a challenge because you probably you probably know this, but in managing people is much more challenging than some of the technical challenges that I've had to overcome. So I kind of look at it that way now. And And honestly, I think that As part of being in management or being in leadership has been just seeing my teams grow, see people, helping people grow, helping mentoring them, helping them be better at their jobs. And that has given me just a lot of satisfaction in my role. But But yeah, I've been from pentester. There management, and now I'm an executive. So it's been quite the journey.
Sean Martin 05:23
That's awesome. That's awesome. And I, this isn't about me, but we're going to talk about something that's relevant here. So I was fortunate enough to have many tactical roles at a big yellow company. Many, many, many moons ago. Yes. From from QA, to engineering, to project management, program management, product management, product marketing, and sales enablement, and yeah, Project Office for sales and all these different things. And then managers for all those roles as well. So the hands on doing and then leading a team to do it. And they each have their channels, I can say, it's easy to get burnout in both. Yeah. Oh, totally. Yeah, doesn't matter which. But I know one of the things. Reason I mentioned that one of the things I want to we want to talk about is kind of the this idea of the talent gap, and a lack of skills. And and where do we really sit with that? I know you have some opinions on? Is there a gap? Where do we sit? And I will, we'll see where the conversation goes. Yeah. But I think the point is, we talk about and I actually I've heard this point from other industries as well. People are burning out and they don't have the skill I heard in legal space or in HR. And All right, so everybody has this problem. We're not unique, we'd like to think that we are in security, right. But then, is it really a problem? Or is it just something to talk about? In the context? So your initial thoughts there? And we'll see where we go from there.
Tom Eston 06:54
Yeah, I mean, I've heard the same thing you have, you know, everybody has a skill shortage, we don't have enough people or enough talents in our company. And whenever I hear that, I kind of think about, have you looked at your own employees? And have you tried to skill up your own employees to get them into those positions that you want to fill is usually my first response. And then I actually look to see what type of jobs are they posting for the skills that they say that they're missing? And I find it kind of funny that a lot of these job positions and and when I read them, they all say they want very senior, very experienced people to fill these roles. And so I often go back to, you know, what is your training program? How are you developing your internal employees to get them to those skill levels, instead of just like throwing out to the world, hey, we need all these skills, and we need the senior people. And then there are oftentimes a lot of junior people that you know, are very talented, maybe they don't have the years of experience you're looking for. But there's a lot of times you just got to give people a chance, or maybe you give them, you know, maybe a more entry level role that they can prove themselves and then move up into that that more senior role. But a lot of it is just people not actually advertising for the correct skills are the correct positions that they're actually looking for. I think it's like, check the box of whatever HR job description says, and they're not hiring managers aren't really thinking about that.
Sean Martin 08:32
And it makes me wonder, because, I mean, in each of the positions that I mentioned, I had, I'd never done them before. Yeah, first time, right. I was doing it. And thankfully, I was given the opportunity. And I had to figure out it, I had to learn how to code. I had to learn how to code. I mean, I need to learn networking. And so I guess the definition of the skills and what's really needed and I know certifications are a thing, right? You have to pass the the filter of Do you have a cert or not?
Tom Eston 09:06
Oh, yeah, that's that's a huge debate right to this day. You know, we're always talking about this, the like, CISSP, right, ISC², all their certifications, do they really matter anymore? And then you start digging into the organization itself. And there's a lot of controversy over how they run their board and like the different things, and then as a security professional, you're like, Is this really going to benefit me in my career? Am I learning anything from it? Or is it literally now just a check-the-box exercise, like you said, get past the HR filters in a resume pool. But I'll tell you, just at least in my area of offensive security, we rely less on certifications. We really, I mean, frankly, I don't care, like when I hire somebody, or my directors do and managers, the first thing we are looking for is experience, cultural fit, ability to learn. It's not necessarily certifications or what college you went to. And, you know, all these grandiose things that at the end of the day, from what I find, at least in offensive security, skill set, desire and passion is much more important, and I think generates better results for the company too.
Sean Martin 10:24
Yeah, certainly and aptitude to do something cool. Yep. Yeah. And then on this point, I mean, I have a CISSP from 20 years ago. I maintain it. Me too. I got it, because I had I learned all this stuff on the fly. Yeah. And I wanted to prove to myself that I actually knew what I was doing based on some standard. So that was the first reason I got it, and then and then I ended up in marketing. And I figured nobody trusts marketing, maybe with the CISSP they'll believe me a little more. Yeah, sure. With that. My point is, though, that I don't know the certs train something. I just finished recording an episode on networking and fundamentals and networking related to cybersecurity. You know, them Justin LZ. And Mick Douglas. And one of the things we talked about was understanding networking details, enough to apply those fundamentals to how you build security controls around the network, to do the right thing and not kill, kill the business. Yeah. And one of the things we talked about was, like the OSI model, it's one of the things that is used for training. It's something you can learn from. But both Mick and Justin pointed out that you don't apply that model to a real network, not in the real world. There's no way, there's no way to translate that into hands on until you get hands on. So I guess my RAM coin with this is, even if you have a cert, even if you follow a model, even if you have a deep understanding of standards, it's the hands-on piece that really matters. Is there an opportunity that we're missing? Do you think from like an internship perspective?
Tom Eston 12:21
Oh, absolutely. Yeah, yeah, I'm a big fan of internships. And, in fact, one of the cool things that we've done at Bishop Fox is we have a big program down in Mexico, where we have a big presence, and we partner with the universities down there with a lot of their top talent. And that's how we bring in a lot of our interns from the university programs. I mean, we could we've even done this in the United States where we're trying to find that talent or that interest in cybersecurity. And through an internship, we find that that's where you really can showcase a lot of the talent. And they're getting that hands-on skill by actually working on real engagements in real environments with tools and techniques, they're learning all these things from practitioners in the field. And they're not going to get that from book knowledge, they're not going to get that taking a SANS class or, you know, another type of training or, like, like you see nowadays, Hack The Box and other types of these learning environments are awesome. I mean, I wish I had stuff like that when I was getting started as a pentester, you know, for me, it was like, I had to build my own lab by hand at home with VMs and start exploiting and hacking and things like that. And now it's become very easy to develop those skills. But what the internships do is give you that real-world experience of, okay, this is how you use these techniques and tools in real-world environments. And I think that's the only way you can get that, actually doing it on the job.
Sean Martin 13:57
And so many directions to go here. Because what I'm thinking is, I mean, let's be real that the environment that you created when you started testing, and testing looks very different now. And oh, total ailable. Right, even at the box that those types of things exist. And what I'm what I'm going to with this is that you might, I think it's important to understand the fundamentals, the basics of how things work, for when things go off the rails. But in reality, most programs, use slew tools, right? I have a ton of data that the that that gets analyzed for them and points them in the right direction, kind of the right direction anyway. And so, are we are we expecting too much of people given the fact that technology is an assistant in May In the cases where the abstraction layer is where you really need to have the understanding for the general team view, and then maybe there's you have some experts in different aspects, somebody in clouds, so many networks, endpoints, those kinds of things. Do you think?
Tom Eston 15:16
Yeah, well, I definitely say that you can't be an expert in everything. I mean, we all we all know that. At one point in my career, I tried to be the person that wears many hats, hats in pentesting. And, you know, I even ventured into being a developer thinking that, yep, if I learn how to code, I can write exploits, and maybe get into more exploit development, found out that wasn't really for me. I had to experiment with different types of technologies, different techniques, what did I like, what I didn't like, and for me, I found out that I gravitated more towards application security. And so that became, for me, my kind of forte, and an area that I wanted to focus in on. But before I even got into that, I had to learn the fundamentals, I had to learn the basics of application security, not just being a coder, because AppSec is much more than just code. It is, you know, how to be a good developer, how to secure code, how to write secure code, there were so many aspects, how to secure the infrastructure that the code is sitting on, all those things. And I think that's the the challenge that new people coming into this industry find is that there's so much to do. And I just tell people, great, try to specialize in something, what is it about cyber for you, that gets you excited? Where do you spend most of your time? What do you like tinkering in the most, and then start exploring the fundamentals of that particular thing, and then get better at it. And then as your knowledge grows, and as you network with people and start, you know, going to conferences and listening to other people talk about the particular thing that you're interested in. That is a huge benefit to your career. Because I can tell you like, I mean, being a generalist is awesome. But where you're really valued in a company, especially in offensive security, is going to be that niche skill set that you have, and that you can perform really well.
Sean Martin 17:16
And I'm wondering if not unlike the number of protection, detection, response, recovery technologies that come out of this industry, we just, we never get rid of anything, we just don't add to it. I'm wondering if the job descriptions are the same, where we just build on to and say, we also need this and we also need this, which is the complete opposite direction, what you just said, right, as a very specialized, let's embrace that. And, oh, that's probably gonna be good. And we can we can stretch them and, you know,
Tom Eston 17:51
yeah, oh, I can tell you this recently, you know, blockchain or crypto type of skills right now are still in high demand, despite what is going on in the blockchain, you know, arena, and, you know, tanking and Bitcoin and all that, but, but I still get clients asking for that. And we have some clients, some consultants that specialize in that, and they are very, they're highly valued for that particular skill set. The next thing that, you know, is gonna come is AI, right there, if we have consultants that specialize in AI, and how that works, or if that's something you're interested in, you know, maybe just trying to get into the industry, that is going to become something that's going to be in high demand. We have people that have hardware testing skills, right. And clients that have hardware that needs to be tested, is equally as important. It's not just all about, you know, whatever, the biggest thing everybody's talking about, like DevSecOps and AppSec, or if it's networking, or cloud, that's all great, but I tell people, you know, still try to specialize in that bigger, that bigger topic. You know, cloud is a great example. There's so many careers and so many things that people get involved with and find that niche that makes them maybe a little bit different than the next candidate is what I try to tell people
Sean Martin 19:11
what does that containers and
Tom Eston 19:13
Kubernetes Oh, yeah, yeah, whatever that is the craziness.
Sean Martin 19:19
That's yeah. You touched on it so let's let's kind of go this direction now with with AI and I mean, AI itself is a big topic. Oh, yeah. And there are different ways to look at it. There's AI to help with both detection and response in the SOC, for example. There's AI to help, right, perhaps drive, maybe generate, and I was talking about this earlier with, with Mick and Justin. Can generative AI, generative AI agenda, if I can only speak, I can't even speak. And it, can it answer questions we ask of it, that maybe some tools can't. And then there's the other side of the coin of what, what's it being used for? Where's it being used in the business? And what risks does it bring? So we, oh, yes, to detect and respond to this stuff. I know where you want to go first.
Tom Eston 20:27
Sean Martin 20:28
maybe, maybe, let's talk, let's talk skill set for protection. Because we're, we just come off to the skill set thing. So how important is that? And where does that fit into?
Tom Eston 20:39
I think I think that the more that you can learn about AI, and how to interface with it is going to be an extremely valuable skill for for you, or for anyone that honestly anything that you're doing in cybersecurity, I think you can't be oblivious to the fact that AI is here. It's going to be integrated into the products and the services that you're using, not just at work, but in your personal life. So the more that you can learn how to use it, or how to interface with it, I think the more valuable you're going to become to your organization. So, you know, just thinking of like, if you're a regular security analyst, that's, you know, maybe you're looking at logs all day and you know, things like that, start thinking about like, well, how can AI help analyze those logs? How can it kind of automate some of the mundane things that you would spend hours doing yourself? And think about efficiencies? Right? So I look at AI as a lot of just efficiency, I don't look at it as like, it's coming to take us over and you know, like Terminator, Skynet type stuff, which, okay, maybe one day, but hopefully not in our lifetime, but, but really, it's, it's, it's there to, I think help you and be more of an assistant. So you can focus and you can do the things that maybe an AI isn't necessarily good at. But I do want to say that, you know, you can't rely on everything that the AI is going to do. There's going to be mistakes. We've seen this with ChatGPT, there's tons of hilarious, you know, tweets, since there's like a good ChatGPT told me to do this is when I asked it, or if you tell it to write code. Now this code is incorrect. It's close, but it's not quite right. And of course, that's going to improve. But I don't think we're ever going to be able to replace like the human analysis part of, I think there's going to be a lot of, okay, the AI has generated this. Now we need a human to kind of confirm or review this.
Because if we chuck putting, putting our trust fully into the machines, I think that's a whole other level that I don't necessarily think we can quite do yet.
Sean Martin 22:50
Yeah, I view it is as a creation. I don't know call it a product, but they create stuff. And just like you would write a product, so it creates code to help with the product creates information you can use to make a decision. And just with anything, you don't build a product and release it without a QA cycle. No, right? And no look at the airline industry, or QA cycles years and years. 10 years in fact,
Tom Eston 23:21
automobile to the same thing. Yeah, safety systems, all of that. And so they're but they're also leveraging AI now. And these things are just going to get better. But I think it's we're entering kind of some uncharted territory. And I'm already seeing all these startups popping up everywhere. There's security startups. Now there's, you know, every marketing everything in between and saying, you know, oh, we got aI now. It's so much better than before. And then I start playing with some of these things like just in the podcast level, like the auto generated, you know, hey, here's all your Twitter threads and all your other stuff. And I don't like some of this is like, and I wouldn't just copy paste this stuff into Twitter. You know, it's not there yet, like a moron then you don't know. Right?
Sean Martin 24:13
Yeah, I was just thinking, let's play a little here. And then we'll go to the detection piece for inside inside the org. And then let's, let's look at the analyst role, and where it might be helpful, or security operations broader if we want. Yeah. I have a couple ideas. I'll throw those out. And then I'd like to hear your thoughts too, because I kind of alluded to one already, just I have a set of data. And this data I might need to in its current form, spin up Tableau. Yep, set up some, some tables and rules and things to get a visualization and find the story that the, that I think I might want or might might need, versus feeding that into generative, a generative AI like GPT. To say, Where are the interesting things in this dataset? Now? Ya know, obviously, it's limited to how much data you can feed it. So then the question is, do you want to, do you want to feed it to a public service like ChatGPT? There's a risk, which we'll talk about in a moment. But just this idea that it might, yeah, and I have to QA when it tells me, to validate what that, what it found is actually true. But it might be, to your efficiency point, a very fast, much faster way to identify an anomaly or something that my rules-based system or my ML-based detection system isn't finding. And we talked about QA here, and I talked about on the other podcast I was mentioning as well. What are you testing for? Yeah. And so using it to test some of your hypotheses around policies and, and are these the right controls and that they'd be implemented properly. Analysis of, of configurations and things like that could be, could be helpful. So I don't know, obviously, endless opportunities, but a couple that I was thinking about, anything on your mind?
Tom Eston 26:26
Yeah, I think like, thinking of like, like you said, you know, lots of data that needs to be analyzed and looking for anomalies, or, you know, things that we would normally, I just think of like Excel is a great example, right? I know that Microsoft is going to be putting in some AI automations into their Excel product, to do like, auto formulas, and to just say, take this data and give me this or, you know, you can actually through your voice, right, you could talk to Excel and say I want it to do this, just like you would ChatGPT. That is an enormous time saver for people, thinking of any kind of mass data set that you need to do something with and then find the good nuggets within that data, that I think that is going to be a huge, huge benefit of AI. One thing that's interesting that a few people have mentioned to me, though, that kind of goes beyond just the thinking of, okay, this is going to help automate the boring stuff. But what does that actually mean for critical thinking skills? Are we kind of taking that away? Now that we've, you know, let AI do all that thinking for us? Are we becoming like, just mindless, you know, button pushers? Or is AI going to really help us enhance our critical thinking skills? So I thought that was kind of an interesting, I've had a few people mention that to me. And what does that mean for us as humans? And how we process information? If we take that all away? Are we losing some of our own creativity? I guess.
Sean Martin 28:03
And I have thoughts on that. I mean, it kind of goes to my earlier point about abstracting how much how much of the detail to you know, the data, you know, and to me, in this case, it's, do I really need to know every bite in that dataset? To be smart at what I'm trying to do. And if I can be more creative and how I asked the system, yeah, to analyze. Whereas if I'm doing it manually, perhaps even based on my understanding of the data, which may be wrong, could be limited, which may be biased. I could end up being more creative and find multiple options for trying to solve Yeah, versus the one that I probably screwed up, because that's me. Yeah. So that's my thought on on this.
Tom Eston 28:54
Yeah. That's kind of like the old argument is like, you know, back, I'm kind of old and I'm dating myself. But you know, I had math class in high school or grade school, and they said, You're never going to carry a calculator in your pocket. So that's why you have to learn the fundamentals of math and how to do it in your head and write with pen and paper. And now, you know, we're carrying supercomputers in our pockets. That, you know, they didn't think was ever possible back in the 1980s, right. But I look at the same thing. It's like you still have to have the fundamentals. Right. I think even if you're gonna let ChatGPT or AI create these things for you. Like, in schools and education, I think we're, we're never going to stop teaching the fundamentals of math, or basic computer programming or all of those things, because they're the basis of, well, this is how AI works, and we have to understand how it works. So yeah, there's some interesting things that come out of that.
Sean Martin 29:51
Well, the fact that it's there and it exists and it is helping us be more creative, perhaps helping us do things faster, perhaps achieving new things that were previously impossible, perhaps changes the environment in the world we live in. And we do work in. And so it's going to, it's going to make us think differently anyway, we're going to have to understand how things worked, how they work now, how they might work tomorrow, given this new new technology, and really evaluate, well, obviously, we're talking cybersecurity, so evaluate the risk. Right? Yeah. Oh, let's go there. Let's go there. How? Yeah, the risk of something like a ChatGPT in the business and how that impacts security analysts, operations, what do you see in the near?
Tom Eston 30:47
Oh, it's huge. It's, I've already seen the debates of, Okay, we're gonna block ChatGPT from our corporate networks, and, you know, like, there's schools now that are banning it, and and, uh, you know, this is this gets back into the old DLP days of like, okay, guys, you can't send email anymore with sensitive information. So we're gonna put in all these monitoring tools, and, you know, make sure that everything going in and out of the network is authorized. And it's so difficult to control people and say, you can't use it, we've got mobile phones, we've got so many different ways of doing it. Right. And it's, it's been a battle, just trying to control corporate information to this day is still challenging, let alone ChatGPT. And these AI tools, you're not going to be able to block it, you're not gonna be able to ban it, people are going to use it. And unfortunately, data is going to get leaked into it, because that's what feeds AI. I think there needs to be more done on the like, OpenAI and these companies need to have ways of identifying when sensitive information is being uploaded or put in place. I know, I've already seen some interesting things coming to ChatGPT, if you try to ask it to do something that maybe it thinks is illegal, or whatever, it tells you that I can't do that. But I think the work, that we're gonna have to rely more on those organizations, because it's gonna be very difficult, if not impossible, to stop somebody from putting sensitive information in, through a system that may not be monitored, right, by, by a company.
Sean Martin 32:22
Yeah, and, yeah, I think there, it's probably anything with security. And probably privacy is one of the easiest to connect it to, in the sense of protecting systems and protecting the data and watching, watching how and where it goes and redacting it or blocking it, or whatever. And everybody, I think, has a role to play in this. So certainly the people providing the service and the teams protecting the network that allow access to that, and the users that are doing it in the first place some awareness there, I'm sure back to the skills
Tom Eston 33:01
And where the data goes, and where it's hosted. Is it self hosted, hosted by the company? And how are they storing and protecting that data? Is it intermingled with other data? I mean, there's so many questions to ask in these environments, and it's so new, and there's, I think, this hype around it. And so a lot of people now aren't quite thinking about the data security implications of using something like this. They just see, this is really cool. This is going to help me in my job, so I'm just gonna start putting data into it. Maybe not realizing, you know, what they just did.
Sean Martin 33:36
Right. And it's too late at that point. Right.
Tom Eston 33:41
Oh, yeah. Way too late.
Sean Martin 33:42
Yeah. So so that's a that's a tough call.
Tom Eston 33:46
Nobody has a great answer. Right. Italy? Yeah,
Sean Martin 33:52
Right. Yeah, that's not going to happen. All right. So I don't know if you're, if you're aware or not, because I mean, the way ChatGPT works is that it has its service in the cloud. And, and you're feeding the service and, and training it as you, as you're gaining from it. Yep. So it's getting better as you use it. But in order for that to happen, it relies on you sharing that stuff to the public.
Tom Eston 34:25
Yes, massive amounts of data, least there. And biases, by the way, right. That's the other problem with it.
Sean Martin 34:33
So I'm wondering, are there, are there ways to, and you touched on it, where the data is hosted and how it's protected? Do you know, are there, I mean, ChatGPT is probably the most popular, but other, other services that you've heard of, maybe I don't know if you have or not, but that, that allow you to use the knowledge from the cloud but share the data to a service on prem, so that your data actually doesn't ever
Tom Eston 35:01
go to the cloud. Part of, I think there might be, I think there might be ways of doing that. Or there might be some type of filtering that's available, right. But a lot of this is going to rely, I think, on the policies of these various cloud providers, right? How are they, you know, taking that information and then using it with other datasets? I think it's going to be a big data problem that's going to have to be figured out. But from what I've heard, there are some that will have some more, like, self hosted type options, but I think it's going to be pretty limited right now. Because I've seen, like, oh, you can use GPT-3 with this, but you're gonna have to wait until four and then change out your whole system when the newer AI, you know, is available. And there's gonna be a lot of work, right, to take something self hosted and upgrade it. I mean, it's no different than if you self hosted anything, right. But now we're talking something on a huge scale that needs and requires a lot of data. I think it's going to be very challenging.
Sean Martin 36:10
And I will point back to Symantec. We bought IBM digital immune system technology when I was, when I was working for them. And, and that was a cloud, basically, it was a malware assessment, analysis engine in the cloud, that companies would submit their malware, their infected component or assets, to, and they'd be analyzed and be told that this, in fact, is something new we haven't seen before, and this is what it does. And so it required that exchange. But we allowed people, or organizations, to have an on premises layer. Yes. That would interface with the cloud. Exactly. So you're an app guy, AppSec guy. Yeah. I have not yet had a chance to interact with OpenAI through APIs yet. Because to me, that seems like a potential opportunity. Absolutely. Where, where you might present an interface, right? Most people just go straight to ChatGPT and interface on the web. Where if you can do three APIs, maybe present your employees an interface that gives them parameters? And does some of the checks that, that help protect IP and other? Yeah, that's an update or whatever it is.
Tom Eston 37:31
Yeah, I think you're touching on something that's important. I think organizations will naturally have to start providing their own interfaces for employees or for developers, if they're going to leverage this instead of blocking it and saying, nope, you can't use it at all. Maybe giving them that outlet, as long as it's either monitored or filtered, or there's some process in place. You know, that is probably a better approach than just saying no, and then that's when they start getting into trouble of, why'd my data go out this window that wasn't monitored? So it might be interesting to see how that plays out.
Sean Martin 38:09
I'm gonna ask ChatGPT what it recommends?
Tom Eston 38:13
Yeah. But to tie this all together. It's interesting, because, like APIs, right? If I'm just getting into the field and I want to use ChatGPT, and I'm interested in that field, I want to learn the basics of how APIs work, how they're secured, how I would interface with ChatGPT through an API and tie that into maybe an application that I'm building. I mean, these are all fundamentals. Right? These are all things that you have to understand before you get to the really cool stuff. So it all ties in together at the end of the day.
Sean Martin 38:47
Jack of all trades Master.
Tom Eston 38:50
Yeah, that's right.
Sean Martin 38:52
I like your, like your idea of, I didn't, I don't follow that advice myself. But being specialized in something, I'm all over the place. Yeah,
Tom Eston 39:02
I think we all are in the works. Yeah. And I, I think that's okay, to kind of be that generalist and have interest in lots of different things. But at the end of the day, I mean, even you probably have something that you really, really like, above all of the other things. And so maybe that is kind of your specialty, if you will, yeah,
Sean Martin 39:21
I'm not a general contractor, but I can build a hell of a lot of stuff. Yep. Let me figure out what tools I need and what materials I need, and off I go,
Tom Eston 39:33
yes. I'm actually known for building the airplane while it's flying.
Sean Martin 39:41
Ah, well, Tom, this this has been great. Yeah, I feel if we open up another topic, we'll drag this on beyond. They all want to hear you but they don't want to hear me talk much longer than
Tom Eston 39:54
Oh, that's not true. We'll, we'll stop it here but
Sean Martin 39:58
I don't know maybe irregular Uh, Gabby fine. Shall we join me on your? Absolutely, yeah,
Tom Eston 40:04
I'll have you on the Shared Security Podcast. I
Sean Martin 40:06
love that. Invited myself. You see, I love it.
Tom Eston 40:09
I love it. I always need guests. So it's perfect. Thank you.
Sean Martin 40:13
Awesome. All right. Well, thanks, everybody, for listening. Any resources from this all over the place conversation? Yeah, I think great conversation, at least. Thank you, Tom. Thanks for, thanks for joining us. Yeah, thanks, Sean. Thanks, everybody.
Pentera, the leader in automated security validation, allows organizations to continuously test the integrity of all cybersecurity layers by emulating real world attacks at scale to pinpoint the exploitable vulnerabilities and prioritize remediation towards business impact. Learn firstname.lastname@example.org. CrowdSec, the collaborative and open source cybersecurity solution: analyze behaviors, respond to attacks and share signals across the community for free. Let's make the internet safer together. Learn more at crowdsec.net. We hope you enjoyed this episode of the Redefining Security Podcast. If you learned something new, and this podcast makes you think, then share itspmagazine.com with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our podcast channels. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.