AI, quantum threats, and the evolution of securing the endpoint at HP (Ian Pratt, HP)

Speaker 1: 0:22

This is Sander. I'm at HP's Amplify partner conference and I'm here with Ian Pratt. He's Global Head of Security for HP Personal Systems. Welcome, ian. Hello. I would like to start with a rather broad approach. So what is the role of a company like HP? Or, more broadly, of Endpoint in the security stack for customers in general, more broadly, of endpoints in the security?

Speaker 2: 0:47

stack for customers in general.

Speaker 2: 0:49

So at HP we really see security as a key differentiator for us.

Speaker 2: 0:52

It's an area that we've invested in for a long period of time. It was really 20 years ago that we set up the security research lab as part of HP Labs, and there are so many things which we take for granted for as regards security in the PC world today that that lab folks in that lab saw the coming threat, you know, created a solution, worked with the product groups to get it into HP products and then beyond that sort of worked to try and drive it as an industry standard to raise the bar for everyone. And we've had this leadership position and a few years ago that got broadened where, rather than just worrying about securing the PC platform, we now see it as part of our role to help secure the operating system, the applications and the user data too. So that's really expanded what we do. So we still have a lot of focus on the hardware, but also security software and services which we offer not just on our own PCs but on PCs from other vendors, helping so we can support the whole of the customer's estate.

Speaker 1: 1:58

And I'm guessing there will be listeners now who say, well, okay, but there are lots of existing endpoint protection kind of software stacks that are already on the market. What do you add, as HP, to this layered security stack?

Speaker 2: 2:15

Yeah, so there are a number of areas where we have really differentiated capabilities, some of which are enabled by the fact that we're building the hardware, so we can actually create custom silicon that we build into the hardware, or where we work with our silicon partners Intel, amd and our Qualcomm to build in capabilities to those CPUs that we can then take advantage of with our software. And so that's a big part of what we do and it means that we can take a different approach from traditional security software vendors. And so what I would say is, in the SMB world, we can offer a complete solution for customers' endpoint security needs. In the enterprise world, it's more about sort of augmenting what customers have. All customers have antivirus or EDR or MDR services, but we have capabilities which are, you know, differentiated and unique, which add to what they have and solve the problems of, you know, security of the hardware itself.

Speaker 1: 3:24

And yeah, like I assume you can send that data or telemetry to other solutions as well. Right, so you can add that to the stack. In general, absolutely.

Speaker 2: 3:35

I mean these days. You know customers expect everything to be integrated. You know they want to have a single pane of glass where all of their security events are flowing through to one place. And you know we absolutely work with partners to provide that.

Speaker 1: 3:49

And do you see an impact of the shift towards more platform approaches to security rather than the old not necessarily old-fashioned, but endpoint focus right? You hear lots of EDR vendors going to XDR and going to lots of other platform plays, vendor going to XDR and going to lots of other platform plays. Do you see an impact on how customers or how the market perceives endpoint security?

Speaker 2: 4:19

Yeah, I mean, it's certainly the case that you want to be able to follow events across not just the single endpoint, multiple endpoints and perhaps where that threat interacts with your active directory or with things on the network, and it's important to enable all of that information to be pulled together. And that's what everybody is doing, either through buying its XDR products or using just the capability to pull the information together, whether it's into a SIM tool or Splunk.

Speaker 1: 4:49

Yeah, you still need all the endpoint information and telemetry anyway right. So that's never going to go away, even though there's maybe not as much focus on it from a pure security perspective.

Speaker 2: 5:00

Yeah, I think one of the things you have to you know people sometimes forget is that if you look at how breaches play out in, in over 70 percent of the you know of breaches it's the end point, is the point of entry for the attacker. The end point is where you've got the coming together of vulnerable technology and fallible users and you know you vast majority of these attacks. You lure the attacker, lures a user into clicking on something which exposes vulnerabilities on the machine to attack and then, having compromised that machine, it's then the launching point for moving across the enterprise and if we can keep that initial compromise from happening, then we can keep the enterprise safe.

Speaker 1: 5:50

So there's a big role for endpoint security still and just shifting gears a little bit because we have to move on, even though it is very interesting what is the biggest challenge at the moment around endpoint security in general?

Speaker 2: 6:05

So I think one of the things we've seen, which is we're beginning to start seeing have real impact, is that the bad guys have been quick to adopt generative AI technologies and we're seeing a real surge in phishing email, the lure emails luring people to click on things that have sort of perfect English. In fact, we're actually seeing Not even English, right?

Speaker 1: 6:31

Yeah, other languages as well.

Speaker 2: 6:33

Indeed, and I think that's a particular problem for some of the Nordics countries, where folk you know have perhaps been conditioned to think that if something comes through written in you know, in Danish or you know or their local language, that it's probably okay.

Speaker 1: 6:51

It's also much easier to put the triggers in for people to actually click right. So you can ask it please make it relevant for someone from Copenhagen or from Oslo.

Speaker 2: 7:02

Well, that's it. It used to be the case that you might have to have a human to actually research a victim if you wanted to create a targeted attack, whereas now you can just have generative AI, research someone on LinkedIn or social media and then be able to create a customized email which they're more likely to click on. Also, another area which we're seeing happen is if, having compromised one machine and having access to a user's email inbox, look at all of the people they're communicating with and then take the context from those email exchanges and then use that information to then compromise people on the other end of those conversations, or even look in the directory to find out the next person to attack in that organization. With emails appearing to come from the user of the machine you've just compromised, it's extremely hard to detect. I think it's basically impossible as a human to.

Speaker 1: 8:06

I know of some companies that have some of the phishing email kind of detection capabilities.

Speaker 2: 8:14

Yeah, but it's getting increasingly harder for them to do that.

Speaker 1: 8:19

Even though even Gen AI has some telltale signs that it's probably it does right now.

Speaker 2: 8:24

But already we're seeing with each new iteration that the and we're seeing the language become more natural. There were certain phrases which are a bit of a giveaway for ChatGPT, but those same phrases don't crop up if you're looking at output from Lama or a Gemini and so expecting that you can detect generative AI just by looking at an email, I think it's not going to hold for much longer.

Speaker 1: 8:55

No no, and as HP, I've known about your ESC kind of component inside laptops for a while. With the new generation you've also improved on that chip as well, but that's not used for those purposes in general right To combat, for example, the Gen AI generator kind of stuff.

Speaker 2: 9:28

Yeah, so that's quite separate what we do with that chip. It's our fifth generation of security controller chip that we've announced and are building into our commercial PCs from March, and we released the first generation of that chip back in 2013. We're now up to our fifth generation. Over the last few years we've seen Apple come out with the T1 chip, google come out with the T1 chip, google come out with the Titan security chip. So you know other vendors are now sort of you know, catching up and having their own security chips, but you know we're up to a fifth generation still in the PC world.

Speaker 1: 10:05

And just to be clear for listeners thinking what is this chip? What does it do? It is the chip behind things like Sure Start and Sure Run, all that stuff that keeps your firmware uncompromised, and all that.

Speaker 2: 10:22

Yeah, it's a chip which is powered on even when the machine appears to be off, and it's what enables the PC, to say, be managed. If you leave your PC in the back of a taxi and you want to contact it over an IoT wide area network to be able to lock the device or to wipe it or turn the GPS on and find out where it is, one of the things it does is to validate that the firmware hasn't been compromised, that it hasn't been tampered with and that it's running genuine firmware. And, crucially, if it does detect a problem, it can always get a pristine version of the firmware put back onto the CPU. So that's one of our promises is that the machine always gets back to a clean state.

Speaker 1: 11:16

But that's been in the ESC chip for I mean probably since the inception.

Speaker 2: 11:22

Yeah, what's new is, I think, from what I understand, is that you're actually adding some more features, or maybe I'll just call them features, but more capabilities of the chip, maybe also towards cryptography and and things like that right, yeah, so that chip one of the things that chips always been responsible for is is checking the firmware hasn't been tampered with, and one of the the capabilities we announced as part of that fifth generation security controller chip is support for quantum resistant cryptography.

Speaker 2: 11:56

So so the reason that's important is obviously, you know, right now there are a lot of organizations across the world racing to build a quantum computer, and some of them making quite good progress, and one of the things that you can do with a quantum computer is implement something called Shor's algorithm that enables you to factor very large numbers in a relatively short amount of time, which is something which has not been possible before. All of the cryptography we use today for checking signatures on documents, on transactions, on signatures on software, also for checking that the website is the website you think it is it's all built on the fact that factoring prime numbers, or factoring large numbers, is very hard. If that's suddenly not the case, all of that cryptography fails.

Speaker 1: 12:50

But isn't it the case correct me if I'm wrong that AES-256 is still quantum proof?

Speaker 2: 12:56

Yeah, so AES. That6 is still quantum proof. Yeah, so AES. That's an example of a symmetric key algorithm. But before you can use an algorithm like AES, we have to agree on what the key is. And the way that that is done today is using what's called public key cryptography or asymmetric key cryptography, and it's those algorithms that rely on that factorization problem and if that suddenly becomes possible for people to break, all of those schemes cannot be relied upon.

Speaker 2: 13:30

And that's where we're seeing the new cryptographic algorithms being developed right now which are quantum resistant, that even if you had a quantum computer because they use a different mathematical property then they're going to still be secure even in the presence of a quantum computer. And the reason why it's important for things like PCs is some of the PCs that we're selling today are going to be in use for many years. Maybe not the desktops and laptops, which perhaps have a three or five year lifespan, but increasingly with circularity that is going to be longer. But some of these systems end up getting used in retail which might have a 10-year lifespan, or end up in doing OT control functions in factories and critical infrastructure and they may have very long lifespans. And if somebody comes up with a quantum computer. One of the things they're likely to do with it fairly early on is to break the signature used to sign firmware updates.

Speaker 1: 14:47

And just to get this straight, what does ESC do now, in this fifth generation, to prepare yourself for that?

Speaker 2: 14:55

situation. So it implements one of these new quantum-resistant algorithms such that all of our firmware updates will be signed with signatures using this quantum-resistant algorithm, so that even if somebody breaks a traditional RSA or elliptic curve signature, then the security is still going to be assured because they won't be able to use the quantum computer to break this new signature.

Speaker 1: 15:22

Okay, and so what does this mean for end users or for organizations looking to protect themselves against this future threat, which isn't necessarily there yet? Can you give us, just to close this off this conversation can you give us some first steps that you can take as an organization just to prepare yourself for this eventuality? Because I think somewhere in 2035, we expect, or 33, we expect quantum computers to actually be able to break traditional cryptography in a substantial way.

Speaker 2: 16:00

Yeah, I don't think you know. No one knows what the real timeline is going to be. There's a lot of uncertainty around it Could happen sooner, could happen later.

Speaker 1: 16:08

Like you mentioned, they're making quite big strides nowadays towards?

Speaker 2: 16:11

Yeah, and I certainly meet organizations at Global 2000 companies where they now have somebody assigned who is responsible for their transition to post-quantum crypto, quantum-resistant crypto and part of that is looking at their own use of cryptography within the organization and looking at how they would migrate to quantum-resistant cryptography, but also looking at all of the infrastructure they use, all of the various suppliers they have and all of their dependencies on cryptography. And we are now seeing how a number of governments are beginning to give direction on that. We're expecting the US government in 2025 to start requiring procurement to consider quantum-resistant algorithms for some of these key long-lived capabilities, Like if you're buying hardware that has got the cryptography built into the hardware, you don't want to have to replace that hardware because someone's built a quantum reuse.

Speaker 1: 17:18

You want to be ready for that. Is this something that you need governments to actually take action on before it actually gets interesting enough or crucial enough for organizations to do something about it, or do you expect some sort of a natural?

Speaker 2: 17:35

I think we're seeing a mixture. I think the, as I say, security, mature, global 2000 companies you know many of them already beginning to worry about this, building plans for how they're going to make that transition. And then governments themselves are saying you know, for their own equipment purchases. You know they want to see this quantum resistance and of course, you course, organizations will do the work for selling to government. That's going to enable the raise the bar for all organizations.

Speaker 1: 18:06

So it's a mixture. Yeah, and just to close off, because obviously we talked a little bit about Gen AI but we didn't really touch on AI itself with the AI-based PCs, because these new chips are going to be part of the new lineup of AI PCs. Does the AI that's in the new lineup in any way augment or help the goals of the ESC chip in general?

Speaker 2: 18:29

You know I would say it's kind of orthogonal to what we're doing on the ESC, but obviously we are using those NPUs for security purposes. You know we've got a lot of our security capabilities use machine learning. Today, if we're taking advantage of the NPU, we get to run bigger ML models than we could have done on the CPU, which gives us more capability. But also we're seeing how there are lots of software vendors that are wanting to take advantage of the NPU, perhaps to save compute costs in the cloud, but also because customers are wanting not to send that sensitive data to the cloud and be able to take advantage of inference on the endpoint. And I think there's a lot of potential there for us to make AI more private and more secure and trustworthy, taking advantage of that local compute.

Speaker 1: 19:32

Okay, that sounds interesting. I'm really curious to see where this goes from here, I mean, what the sixth generation of the chip is going to bring and we're going to progress and eventually get there, hopefully towards a secure future. Thank you very much, Ian, for this insightful conversation.

Speaker 2: 19:50

Well, thanks Anna.

Speaker 1: 19:50

Thanks for inviting me. Thank you.