What is the future of security operations with AI in 2024?


How can AI impact Cloud Security Operations? Ashish sat down with Ely Kahn, VP of Cloud Security and AI at SentinelOne, to talk about the evolving landscape of cloud security and the future of Security Operations Centers (SOC). Ely spoke about the shift from centralized to decentralized SOC operations, the increasing complexity in cloud security, and why he sees that complexity as a benefit.

Questions asked:
00:00 Introduction
02:10 A bit about Ely
02:47 Has Cloud Security become simpler or more complex?
05:09 How has the threat landscape for cloud evolved?
08:00 Who is managing all the alerts?
09:53 What will happen to SOAR?
11:03 How AI will impact Cloud Security in 2024?
18:36 Is there a skillset change coming?
20:06 The Fun Section

Ely Kahn: [00:00:00] When you don't have a lot of tools or processes in place, things look good. That's right. Yes. Then you get better at security. You're like, Oh crap. There's all this like broken stuff I need to fix. A lot of the alerts that customers see are similar to each other. And so why is every customer triaging and investigating each of these alerts themselves?

Why should you go through that effort? And like our philosophy on this now is why do that within the silo of just your company? When there's hundreds if not thousands of other companies just like you doing the same work on the same type of alert.

Ashish Rajan: Have you thought about what the next evolution for SOC would be in this cloud world?

A lot of you may have seen that initial cloud security alerts were going to a lot of the vulnerability management team. There were primarily two big departments initially when we started with cloud security center of excellence. And then we later on matured to become a lot more, hey, we need a separate department for cloud security.

And now we have two. Kubernetes security, AI security, the SOC team is definitely feeling the brunt of the wave coming towards them with cloud. We had a conversation [00:01:00] with Ely Kahn who has been in this cloud space for a long time. Conversation we had was on how the threat landscape has evolved from what it used to be to what it is today in 2024.

As leaders who are building cybersecurity programs and thinking about it as a SOC director perhaps, what does that new world look like where I'm also dealing with not just my on-premise, but also cloud, also AI and Kubernetes, and other things that may be going through as well? Overall we spoke about what skill set is needed and how AI could be enabling this, not in the intelligent chatbot sense but more in terms of the productivity increase that can come in for your level one, level two, level three SOC, all that and a lot more in this episode with Ely Kahn. If you know someone who's working on the SOC problem and looking at how do we evolve to the next stage from a strategic or tactical perspective, definitely share this episode with them.

If you are here for the second or third time, I would really appreciate if you're watching this on YouTube or LinkedIn, give us a follow, subscribe. If you are listening to this on iTunes, give us a five star rating and follow us on Spotify. So more people get to find out about Cloud Security Podcast. It means a lot when you are sharing this.

And helping us [00:02:00] get the word out for all the awesome content we create for cloud security. I hope you enjoy this episode with Ely Kahn, and I'll see you in the next one.

Welcome to Cloud Security Podcast at RSA. We have Ely, welcome to the show, Ely. Thank you. Maybe to start off with, can you tell us a bit about yourself?

What's your journey into the cloud, cloud security space, man?

Ely Kahn: Currently VP of Cloud Security and AI at SentinelOne. I've been there about two years now, and I started my career in the federal government doing security before cloud security existed, and spent time doing cybersecurity at the Department of Homeland Security and then at the White House, and started a company called Sqrrl, which was a pioneer in threat hunting.

I started that with a group of folks out at the NSA, and ultimately Sqrrl was acquired by AWS in 2018. That became Amazon Detective, and I started AWS Security Hub as well at AWS before joining SentinelOne.

Ashish Rajan: I guess a lot of security leaders, some of them were put in the deep end very much on day one by cloud security.

Over the years, has it become simpler or has it become more complex?

Ely Kahn: There's basically two big trends that I've noticed in cloud security, [00:03:00] one from a process perspective and one from a tooling perspective. From a process and organizational perspective, when cloud security originally got started, when folks really started adopting the cloud heavily in the mid-2010s,

cloud security, even for the biggest organizations, like big banks, was essentially a couple people inside a cloud center of excellence. Yeah, cloud security architect and cloud security engineer, you go figure out cloud security for this entire bank. And that was never sustainable.

So the goal always was to evolve so that more of the security operations center was taking on more of cloud security functionality. But I think folks also realize that's not scalable either. Yeah. Because every day there's more misconfigurations created in the cloud than even a SOC can deal with.

So now we're on to this third generation where cloud security is very much a decentralized effort. Certainly a central security organization has a role in making sure things are routed the right ways and [00:04:00] prioritized the right ways. But ultimately, most cloud security issues, at least in terms of vulnerabilities and misconfigurations, the goal is to try to route those directly to the developers that created them.

Ashish Rajan: Oh, yeah. Ultimately, they're the ones who can solve it. Security can only point at the fact that, hey, man, it'd be great if you can solve this.

Ely Kahn: Most large companies don't want their security team going in and messing with their business critical application that's running in the cloud.

Yeah. Usually, it needs to be developers that have certain change control processes. Yeah. They're really the only ones that can go and fix those things.

Ashish Rajan: Would you say it's becoming more complex since it's decentralized?

Ely Kahn: Yeah, I'd say it's definitely becoming more complex, but that's a good thing.

Because this is a common trend in security in general, in that there's usually like multiple levels of enlightenment.

Yeah. As you implement more and more security tooling, and more and more sophisticated processes, you learn about more and more bad things happening. It's almost like when you don't have a lot of tools or processes in place, things look good.

That's right, yes. Then you get [00:05:00] better at security, you're like, Oh, crap. There's all this broken stuff I need to fix. There's definitely a trend towards more complexity. Yeah. But that's the only way that we can get more secure.

Ashish Rajan: And do you reckon the threat landscape has evolved quite a bit?

I guess obviously you don't hear what used to be the normal, which is S3 bucket open to the internet, that often anymore. It's a lot more, I would feel, that ransomware is more common. But how has the threat landscape also evolved now?

Ely Kahn: There's two big trends when it comes to threats in the cloud, and that's around automation and supply chain threats.

And these both relate to ransomware because ultimately the goal for most threat actors is either to exfiltrate data or conduct a denial of service attack. Or maybe do a little bit of both through a dual extortion, ransomware style attack. These attacks are getting much more automated. So we see this with a bunch of our customers that get compromised.

Adversaries are looking for misconfigurations or vulnerabilities. Yeah. Associated with Internet-exposed assets. Okay. And they're constantly scanning the [00:06:00] entire Internet looking for these things. And when they find them, they'll just run a script, a fully automated script, to go drop ransomware on that server or on that cloud-exposed asset and compromise it in a fully automated way without any human interaction.

Another big trend is, if I'm an attacker, why compromise just one company when I can compromise a software company and then get access to thousands of companies. Oh, okay, yeah. XZ Utils being the most recent high-profile example of that. The interesting thing is that last year, in 2023, it was the worst year ever in terms of data breaches.

So in the U.S. there's no central federal law around data breaches, it's decentralized, so each state has their own data breach law, but there's a great non-profit organization called the Identity Theft Resource Center that basically aggregates data from each of the states. And 2023 was the worst year for data breaches, and it was [00:07:00] 78 percent higher than the previous high.

Oh my God. And, a big piece of that is automation and supply chain contributing to the spike.

Ashish Rajan: Because a lot of people confuse supply chain with open source vulnerabilities and all that, but this is supply chain in terms of my third party that I've been working with.

Ely Kahn: Yeah, it could be either. Yeah. And when I talk about supply chain attacks, what I'm really talking about is a software provider that other companies use, them being compromised and that being a backdoor into a company's operation. Two of the big ones that have been recently well known: one is XZ Utils.

That was an open source software package affecting Linux distributions. That was a near miss. But another big one last year was the MOVEit vulnerability, which is a file sharing service that most of the Fortune 500 used. And a lot of people got compromised because MOVEit was compromised.

Yeah. And it gave a back door to an adversary.

Ashish Rajan: Okay, we spoke about the complexity or the decentralization of cloud security. We also talked about the threat landscape as [00:08:00] well. There's another trend that I've been talking to a lot of people about the whole, like all these alerts, which was split between two people earlier in the cloud center of excellence.

Now that got expanded into let's just throw that to the vulnerability management team. I totally feel for the vulnerability management team, especially when alert fatigue is a real thing, and every time someone has gone into a CSPM they usually were thrown this wall of you have 10,000 alerts to deal with.

Now there's also a movement more towards, hey, I think it's probably better that SOC looks after this, not just the vulnerability management team, because sometimes there needs to be a proper incident response process, whatever. What's that thing that you're noticing in that space? You clearly seem to focus a lot on that as well.

Ely Kahn: Yeah. One, SOCs themselves are becoming much more decentralized. Yeah.

Ashish Rajan: Yeah.

Ely Kahn: So like this idea of a big room with 20 by 40 screens and three-tiered SOC operations. Yeah. I think that's going away, and even at AWS, we didn't have a SOC. We had a bunch of really smart security engineers.

Okay. That worked, in a follow the sun model around the world. Alerts or incidents would [00:09:00] get routed to them. Okay. And they would deal with them. And I think that's the future. You don't really need everyone in the same room. You can have a more decentralized model. But the other big trend is moving away from one by one triaging of alerts or findings and really focus on correlated incidents.

Ashish Rajan: Okay.

Ely Kahn: So like a big job of SOC now is not to okay, do I have malware on this machine or not, but what was the full scope of this and how is it correlated to the misconfigurations and vulnerabilities in terms of, what was the root cause of the underlying issue and fixing things at the root cause.

So I feel like the SOC itself is getting more sophisticated in terms of that correlation capability, and they're able to because AI and automation is taking care of a lot of the lower hanging tasks, the more menial tasks, so that the analysts can focus on the higher level thinking.

Ashish Rajan: When you say automation in the SOC context, a lot of people say SOAR. And SOAR is a sore topic for a lot of people.

Is [00:10:00] that what you refer to when you say automation for SOC or?

Ely Kahn: I think there was definitely some missed opportunity and unfulfilled promise around SOAR in that, when SOAR came online, probably about 10 years ago now? Yeah. Folks thought that was gonna be the panacea that was gonna fix the staffing and hiring problems, and it's not good with everything.

Ashish Rajan: Yeah.

Ely Kahn: What folks found is that it takes a lot of work to get a SOAR really humming. I think SOARs will stick around.

Okay, I think there's a new phase of SOAR coming. Yeah, which is really AI-powered SOAR. Oh, because what SOARs are great at is they've done all the hard work of mapping API connections. Yeah. Here are all the API actions as a SOC that you have to be concerned about or that you might use.

Yeah. But what SOCs don't want to have to do is build these playbooks, write code, manage these things, keep them fresh. And that's a great use case for AI. Just use natural language commands, use recommendation systems to create and then deploy the right playbooks. Yeah. But use the SOAR infrastructure [00:11:00] to really build out the connections into the rest of the ecosystem.

Ashish Rajan: Oh, actually, yeah, because now most things are API enabled. To get to your point, 10 years ago cloud usage was not as much, so the kind of things you could do on-premise, you were limited by.

There's not much API enablement. Now that we have Gen AI, or AI's popularity, it's at an all-time high at the moment, even if it's only two years old or one year old. And we had a great conversation on the AI Cybersecurity Podcast about what that could look like, the whole human versus machine thing as well, in terms of where you see the SOAR movement go.

And I think I'm thinking about all the leaders as well who are looking at this going, okay, if there's AI capability, I can do SOAR. Are there things in 2024 that cybersecurity leaders should consider from a tactical, from a strategic perspective for the SOC as they prepare for this, a SOC in an AI world, but also a SOC which is already trying to get its head around what a cloud alert looks like?

Ely Kahn: I think in terms of 2024 priorities, every CISO, every SOC director really needs to [00:12:00] assess how can AI save me time and effort? There's lots of AI assistant solutions coming online, which is like this first generation of AI that can simplify how folks do hunting or investigations by using natural language commands to query databases, to query data lakes, in a much more efficient manner than if you're doing it just manually.

I think what you'll see in 2024 is there's also this next generation of AI that starts to come online that goes beyond those traditional assistant use cases, using AI to more automatically and autonomously do security operations for you. Similar to the glide path for autonomous vehicles, there will be some incremental steps.

Okay. Like we're not going to just jump to automatically remediating every issue that happens. That's a little too risky. We want autopilot mode. We won't go autopilot. We'll go autopilot on certain things that are lower risk. Yeah, we don't want to brick any networks. But right now [00:13:00] with AI assistant tools you're essentially using that AI to do iterative questioning more efficiently. But what I think you'll see this year is AI doing the full investigation for you, and then producing a set of results, like investigation results, all the evidence that the AI system has collected.

And then you, the analyst, are just reviewing the results of that AI-generated and collected evidence. That has the potential to shave thousands of hours of investigation time. Yeah. The other piece that I'm super excited about is using AI and AI architectures to do things like similarity analysis much more effectively.

Like a company like SentinelOne, we've got, I don't know, somewhere around 12 or 13,000 customers. A lot of the alerts that customers see are similar to each other. And so why is every customer triaging and investigating each of these alerts themselves? Some of the things that we think we can do this year is actually show you, hey, this alert is actually quite [00:14:00] similar to these 100 other alerts that have already been triaged and investigated by other customers.

Like 99 percent of them thought it was a true positive. Why should you go through that effort?

Ashish Rajan: Yeah. The likelihood of this is a true positive is actually very high.

Ely Kahn: Yeah. So this idea of similarity analysis has of course been around forever. Traditional similarity analysis is very narrow, where you're just looking at things like the hashes of the file or maybe the title of the detection signature

Ashish Rajan: or whatever.

Ely Kahn: But with these more modern AI architectures that are built around things like vector databases, we can actually store every part of that alert as an embedding in a vector database. This is the same type of technology that's used in Retrieval Augmented Generation, RAG, architectures.

We can use that same architecture to look at the similar alerts across our entire customer base and then generate recommendations about how you should triage that alert, based on how all the other customers triaged similar alerts. [00:15:00] Yeah. That part is AI-powered wisdom of the crowds.

Ashish Rajan: To your point, it may not be at that point where it can be in autopilot mode, but it can be at that point where people who are CISOs or SOC leaders, who are looking at what should I consider to increase productivity of SOC level one, at least they can focus on the fact that, oh, okay, cloud is just one more environment, if I were to oversimplify this. There might be AI challenges that are going to come through, because a lot of organizations already work on AI projects and no one really knows what the threat model would look like for AI. Yeah.

So instead of trying to work through my existing problems, adding more problems on top of it, why not use AI capability to be able to at least get to a point where you feel you're increasing the productivity? And I almost feel like the initial triage piece you mentioned, which is where most of the time is spent by SOC analysts, is just, I get an alert, whether it's from AWS, Azure, Google Cloud, doesn't really matter.

I don't have the context. I don't have the why, I don't have the who, what, why. That's where I'm spending most of my [00:16:00] time, but if someone can actually do that up front, that's a huge time saver.

Ely Kahn: And like our philosophy on this now is: why do that within the silo of just your company when there's hundreds if not thousands of other companies just like you doing the same work on the same type of alerts?

So we're also doing the assistant use cases. Yeah,

Ashish Rajan: of course.

Ely Kahn: But it's an additional take to that.

Ashish Rajan: Yeah.

Ely Kahn: So instead of just using a large language model to generate investigation guidance or alert triage guidance, actually just do similarity analysis using that same type of architecture. Which is a different approach. I actually haven't seen this elsewhere yet.

Ashish Rajan: We spoke about this on the AI Cybersecurity Podcast, about separating the signal from the noise as CISOs and cybersecurity leaders look at different AI solutions as well. Yeah, what makes one AI product in security better than, or more trustworthy than, another AI security product? And we talked about the data being that golden thing, whatever you can use to train on. I don't know if you still believe that, [00:17:00] it's been a while since we had the conversation. Has your stand on that changed, or do you still believe it?

Ely Kahn: There's a couple of different advantages that can be conferred with AI-based systems. You know, one is how good is your core underlying LLM? Because there's a lot of variability. Yeah. And there's actually now a lot of good benchmarking out there about the different LLMs around different use cases.

And so from our perspective, our belief is that this space is going to evolve really fast. So we're just going to build with a swappable LLM architecture. We're going to pick the right LLM that's best at a specific task or behavior. Being tied to a single LLM is a little bit risky, given the pace of evolution in the area. But the other thing is your access to data.

This is definitely going to benefit the bigger platform players. Yeah. Because if I'm a startup, I can't do that similarity analysis use case.

Ashish Rajan: Yeah, you can't, yeah.

Ely Kahn: You can really only do that when you have billions of [00:18:00] data points. Yeah. Which we do. And if you don't have that, it's not gonna be very good.

Yeah. Yeah. So there's definitely an advantage conferred if you're a bigger platform player.

Ashish Rajan: Yeah. So if someone is looking at, I guess obviously not everyone may go down that path, but maybe everyone would. But for people who are looking at that AI path, that could be a differentiator for why the data set is more important than the fact that someone has Gen AI on their poster.

Ely Kahn: yeah, look, when you're doing things like similarities and recommendations,

Ashish Rajan: Yeah.

Ely Kahn: the quality just can be better the more data you have to base it off of, and yeah, it's definitely something that we've been thinking about in terms of how can we capitalize on the fact that we have 12, 13,000 customers.

Ashish Rajan: Yeah. And would you say, I guess, is the skill set changing for what people would expect? Because I think some of the conversations, and we've been walking around BSides SF over the weekend, a lot of the conversations are where the whole job thing comes into play as well. Here we talk about the future of, hey, maybe by the end of the year, SOC level one is going to be potentially fully automated.

Do you feel there is [00:19:00] a change in skill set that would be needed from them? And it's almost like how quickly would the change be required as well?

Ely Kahn: I think in general the big change is going to be that you have mid tier analysts that can operate at more senior levels. I would be surprised if this means that like jobs are eliminated.

I think what it will mean is that work will be shifted to higher value activities. The reason why SOCs are a place for burnout is because most of those tasks are repetitive, mundane, and boring. Yeah, fair.

You have to go down multiple rabbit holes, one after the other.

And I think the goal here should be that, how can we shift these personnel towards higher value activities that are more about attack surface hardening.

Yeah. As opposed to the current whack a mole. Reactive mode, like I'm just chasing alerts that show up in my queue each day. I think that's what you'll see is that CISOs are able to start reallocating staff towards different types of activities.

Ashish Rajan: I think I [00:20:00] like that future. I think it definitely would be possible.

I guess it's making predictions over here, but those are most of the questions I had. I've got three fun questions for you as well. You've done them before, but that was years ago when you came on in your AWS capacity. The first one being, what do you spend most time on when you're not solving AI and cloud security problems?

Ely Kahn: If you'd asked this five years ago, I was doing Brazilian jiu-jitsu and Muay Thai. Oh shit. Okay. Wow. Okay. Post-COVID, post-baby, post-move to the suburbs, I've taken on less violent, more relaxing activities. All right. Okay. So I'm big into tennis. Okay. Play a lot of tennis.

Yes. In the winter I play platform tennis, which is on this elevated heated court. So yeah, it's been a shift towards kinder, gentler sports.

Ashish Rajan: Okay, fair. I would say tennis is gentler. I would have thought gentler would be golf. But tennis is still definitely quite active.

So I'll give you that. The next question I have, what is something that you're proud of that is not on your social media?

Ely Kahn: I'm very proud of how beautiful my daughter is. [00:21:00] Oh, I'm going to give the recording to her when she's a bit older, yes. Yeah. I have a three year old. She's got this like amazing curly hair.

I love showing her. Oh, awesome. Just did my first daddy daughter dance last weekend, which was a lot of fun.

Ashish Rajan: Oh my god, I'm really happy for you guys. Final question, your favorite cuisine or restaurant that you can share with us?

Ely Kahn: My favorite dining experience I ever had, fortunately this restaurant's closed, but after we sold Sqrrl to AWS, we went to Momofuku Ko.

Oh, yeah. And Momofuku is David Chang's restaurant chain. Momofuku Ko was his elevated, high-end dining experience in New York City. But in general, I love Asian food. Yeah. And that was a very memorable meal. Interesting. Was there a meal that stood out for you out of there? They had a foie gras ice cream, which wasn't a dessert.

It was like an inter-course. Oh, in the middle of the main course meal. Yeah. But it was really interesting, and that one stands out.

Ashish Rajan: That's all the questions I had.

Ashish Rajan: Where can people find you on the internet? Talk [00:22:00] more on what you work on in the AI space and Purple AI as well.

Ely Kahn: Check out SentinelOne.com. We've got a bunch of information about Purple AI on there. That's the new AI product that we launched two weeks ago.

Ashish Rajan: Oh, I'll put the link for that as well, but thank you so much for coming on the show.

Ely Kahn: Thank you.

Ashish Rajan: Thank you. Appreciate it. Thank you for listening or watching this episode of Cloud Security Podcast.

We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video on tutorials on Cloud Security Bootcamp, definitely reach out to us on info@cloudsecuritypodcast.tv.

By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity: how organizations can deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as an evolution of ChatGPT, and everything else that continues.

If you have any other [00:23:00] suggestions, definitely drop them on info@cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.
