Sounil Yu lays out his framework for thinking about a wide variety of subjects on the latest episode of Between 2 Kernels with Kelly Shortridge. The two cover his sentiments on useless security products, AI-enabled quantum trust, and giving 3-year-olds automatic weapons.
Kelly Shortridge: Welcome to Between Two Kernels. I am your host, Kelly Shortridge, and to my left is Sounil Yu, who is gainfully unemployed. Welcome.
Sounil Yu: Thanks. It’s my pleasure to be here.
Kelly Shortridge: Yes. So I think the most interesting thing for our viewers is you have been playing around with something called the DIE model and it is supposed to replace the CIA model. Does this mean you want the CIA to die?
Sounil Yu: Well, that would be something that I think my family would have issues with because then they may come after me. But no, it’s a different type of CIA. So confidentiality, integrity, and availability. I want that to die because instead I want something else that helps us not have to worry about security at all. So, no, I don’t want the CIA to die.
Kelly Shortridge: Well if we see helicopters and the SEAL Team Six coming through, then you know we need to plan an escape.
Sounil Yu: I think that’s where the story of being able to outrun a bear definitely comes into play here. But I think the CIA is faster than that so.
Kelly Shortridge: Can bears climb to the 34th floor? I don’t know. So you do want cattle to die. So tell me about this whole notion of pets and cattle.
Sounil Yu: Well, when we think about our space and cyber security we have, I think the issue is that we have way too many pets and not enough veterinarians. In fact actually, even the pets, it’s like we have a cat colony and they’ve become feral, and it just creates a burden for us. And so what we want are fewer pets that you have to take care of and love and feed. Instead, just have cattle where you just don’t care anymore, when they get sick, you shoot it, and you move on.
Kelly Shortridge: I like that analogy because I’m very familiar with the agony that comes with trying to wrap a cat in a towel and brush its teeth. And I feel like that’s a really good analogy for a lot of security work. You’re trying to like brush a cat’s teeth, which kind of obviously like you don’t want to have to do that. So cattle seems a lot easier, right?
Sounil Yu: I’m a dog person.
Kelly Shortridge: Okay, well I won’t hold it against you then. Should we stop or should we keep going? That’s okay. Okay, whatever. It’s fine. So the Cyber Defense Matrix, if the viewers aren’t familiar, it’s a great matrix, kind of outlining how you should think about different security solutions that you’re deploying in your environment. The problem I have with it though is there’s no category for useless and I think a lot of security products are useless. So how are you going to address this deficiency?
Sounil Yu: Well, it actually wasn’t a deficiency. The category for useless, there were just so many things in it, that at the end of the day I put it next to pew pew maps.
Kelly Shortridge: Pew pew maps, yes. Have you seen any at this conference? Do you think there will be any?
Sounil Yu: There’s a conference going on this week?
Kelly Shortridge: Yeah, I think so. I forget what it is.
Sounil Yu: I just have all these meetings all this week, so.
Kelly Shortridge: Yeah, no, same, yeah. I think it was, it’s related to some company they got backdoored so maybe it’s like an anti-backdoor conference? I’m not sure. Kind of cool. So where does threat intel on the blockchain fit in? Or dark blockchain? That’s whatever, that’s a thing.
Sounil Yu: Yeah, I have to go in through a really deep, dark place to figure that one out but I think it goes next to AI enabled quantum trust.
Kelly Shortridge: Sounds like a web of lies to me.
Sounil Yu: Yeah, I think that’s one way to characterize it. I think in the context of where we find most of this, it’s usually in Russia. Oh no, actually Ukraine. I’m sorry.
Kelly Shortridge: Ukraine?
Sounil Yu: Yes.
Kelly Shortridge: Okay, yes, definitely don’t confuse the two. So if you had to choose your favorite category of security solution based on your Cyber Defense Matrix, which would it be and why?
Sounil Yu: Oh it would definitely be in the category of “APPLICATION-RESPOND” because there are no vendors there and it’s so quiet and peaceful.
Kelly Shortridge: Just going to throw out there we do some of the “respond,” but anyway, this is not supposed to be an endorsement. Why do you think there isn’t anyone there?
Sounil Yu: Well, it’s because a lot of it, there’s a lot of idiosyncratic aspects of doing that function. And it’s hard to generalize, but ultimately when we look at the solutions out there, you’ve got to be able to have market penetration. You have to be able to scale this out and unfortunately that’s just something that’s hard to scale.
Kelly Shortridge: Makes sense. So similarly, why does no one care about recovery?
Sounil Yu: Well, I think it’s sort of like the pharma industry where you just don’t want people to get better. So when you go to recover, if you come up with better solutions like D.I.E., which is really a recover-oriented approach, then you no longer have a problem to solve. If you are a cyber veterinarian, don’t you want sick pets? And so I think the market will not focus on that until we as practitioners change that.
Kelly Shortridge: Interesting. So you’re saying if there was a conference where it seemed like a dog and pony show and most of the vendors were talking about how you’re really, really sick and then you propose something like DIE that basically was like, “What if you can re-architect yourself so that you wouldn’t get sick kind of by design?” Do you think the vendors would be mad?
Sounil Yu: I think so. It would turn the tables on the vendors because right now for practitioners like myself… I’m on the endpoint of the “distributed tear network” and it’s very traumatic. I have this post-traumatic vendor syndrome oftentimes. And so I think when we can turn the tables on the vendors and have them understand that, “Hey, we can actually build systems that, we can have systems that will be healthy and will remain healthy,” I think they will have post-traumatic syndrome of their own sort after that.
Kelly Shortridge: So what you’re saying is that we need some sort of mechanism to automatically generate Kleenex on the dark blockchain to eliminate the distributed tear network?
Sounil Yu: Yes. Oh, that would be excellent. I think that would be a solution that we could all embrace.
Kelly Shortridge: It could be even in buzzword bingo land, like proactive response.
Sounil Yu: Bingo.
Kelly Shortridge: Yeah, there you go. That’s perfect. So, what do you think about false advertising that may or may not happen at some conferences with vendor halls? For example, things like automation. What does that mean to you?
Sounil Yu: Well, I know what it means to me. I’m not sure if they know what it means. But false advertising. Oh, shock. Shocker. You know, marketing people, false advertising. Well, I think that when you have people who are gullible… And the interesting thing is in security, we are the most paranoid people and so false advertising doesn’t seem to be really well… wouldn’t be very effective against people who are supposed to be paranoid. So I think it’s actually a very good filtering mechanism. If you fall for the false advertising, you’re probably not a very good security professional because you’re not paranoid enough.
Kelly Shortridge: I can agree with that. You know, the whole point of security, you’re supposed to challenge assumptions and if you aren’t able to even challenge the assumptions of vendors who very obviously don’t even understand what their own product is doing, what are you even doing, right? It’s a good question, it’s a good question.
Sounil Yu: Maybe you’re not good enough to be a vet.
Kelly Shortridge: Damn, damn. Hot takes from Sounil Yu right here. So, one way I think you can think of the vendor hall, it’s almost like a grocery store and it feels like some vendor halls, all you have is a bunch of horrible, horrible junk foods that’s just going to rot your teeth. What do you think about that? Oh, you have popcorn. Whoops.
Sounil Yu: Well, it’s sort of like that pharma example I gave earlier where many of the products that we see are not necessarily going to get you better, but just treat the symptoms, never address the root cause and so that sort of mentality doesn’t ever help us get past where we are today. And it’s also unfortunate that when you go to the grocery store, you have the candy and the worst possible products available. It’s as you check out. And so that’s another thing that takes advantage of our weaknesses.
Kelly Shortridge: So what we need is a grocery store where it’s the toothpaste and the floss are at the checkout and not the candy.
Sounil Yu: Good hygiene, right. And that will be an excellent model for a cyber grocery store.
Kelly Shortridge: Can you make a note? We need to change our messaging to be toothpaste oriented, like minty fresh. We’ll work on that. So how can the attack surface of the CISO be mapped? I was thinking things like hour-long buzzword-filled product pitches, budgets getting slashed. What are some of the other things that can cause a CISO to have a meltdown and make it difficult to recover?
Sounil Yu: Well as you may expect, I think about these sorts of things as frameworks. So when I think about the attack surface of the CISO, I have to go through maybe like the five senses. So taste, sight, hearing, touch, smell. And so I think what would be the most effective against a CISO will be those things that hit most of those attack surfaces. So if I think for example, like a juicy sizzling steak, that will be hitting — what? — three, four of the attack surfaces of a CISO.
Kelly Shortridge: Is that why the vendors that fly people around the world for steak dinners end up getting bought?
Sounil Yu: Probably. But if all you have is a squishy ball, you only have one attack surface that you’re covering.
Kelly Shortridge: So what you’re saying is that we need to somehow, in vendor booths, incorporate all the senses. So basically having both the steak to eat and maybe like some sort of olfactory thing walking through. It sounds like a next generation tool to me.
Sounil Yu: I’m thinking maybe a steak that you could hug. Kind of like cattle.
Kelly Shortridge: Kind of like cattle. Well, our penguin is a mascot and you know, just sizzle it up, right? That’s horrible. That’s really horrible. So then on a scale of one to Darktrace, how bad is it when security vendors complete automation with AI?
Sounil Yu: Yeah, that’s a problem too. Well, first I think on that scale, there’s a lot of elevens there. And when it comes to conflating AI with automation, we oftentimes don’t realize that they are two separate things. And the best way to characterize it is: AI is how you think, and automation is what we do. Imagine if you were to ask… if I asked you what age would you put to our current generation AI, what would that be? How old would you say current generation AI is?
Kelly Shortridge: Somewhere between terrible twos and horribly bratty preteen.
Sounil Yu: Okay. And then the next question is, what weapon would you give it? A pencil, scissors, a knife, a pistol, or an automatic weapon?
Kelly Shortridge: Are they named John Wick? Because a pencil, I don’t know.
Sounil Yu: Yeah, I should have added a library book to that too.
Kelly Shortridge: I would be pretty worried about giving any child a weapon in general. Let’s go with something like bubble wrap, like a fist made of bubble wrap.
Sounil Yu: Yes, so when we look at automation and AI, the AI is how it makes sense of things and then automation is the bubble wrap. So, if you’re comfortable with a three-year-old and bubble wrap, then that’s great, but we have a lot of people who will give a three-year-old an automatic weapon and that’s not so great.
Kelly Shortridge: Yeah, that’s not very desirable. One quibble I have though is you said that AI is what we think and then automation is what we do. Do you think a lot of these AI and automation vendors actually think or do things?
Sounil Yu: I think that they claim to do so, but I don’t think they know what they think or do anything that they claim to do. So, neither is the answer.
Kelly Shortridge: There’s a solution to this as you said, on giving a three-year-old bubble wrap preferably. Do they just all need to nap? Is that really the problem in the space? Like everybody’s just really tired and cranky?
Sounil Yu: Or a spanking at least, but then again, I think we’re past that nowadays.
Kelly Shortridge: So next year at this I guess anti-backdoor conference, we’re going to see some anti-spanking technology? You know, now that AI has run havoc on your systems, you need the anti-AI, right?
Sounil Yu: Anti-antis. Yeah, that causes another war of escalation of antis. So, want to figure out a way to resolve that.
Kelly Shortridge: Anti-anti-next-gen. Next generation…anti-next-gen, next-gen-anti… AI… Machine learning?
Sounil Yu: That could be a new company.
Kelly Shortridge: Yeah. Anti, just anti. It just stops all threats using the power of AI’d automation. Do you want to make a billion dollars? I’m pretty sure we can raise money for that like tomorrow, today even.
Sounil Yu: Take my money please.
Kelly Shortridge: Perfect.
Sounil Yu: Thank you.