Techzine Talks on Tour
Techzine Talks on Tour is a podcast series recorded on location at the events Coen and Sander attend all over the world. A spin-off of the successful Dutch series Techzine Talks, this new English series aims to reach new audiences.
Each episode is an approximately 30-minute discussion that Coen or Sander has with a high-level executive of a technology company. The episodes are single-take affairs, and we don't (or hardly) edit them afterwards, apart from polishing the audio up a bit of course. This way, you get an honest, open discussion where everyone speaks their mind on the topic at hand.
These topics vary greatly, as Coen and Sander attend a total of 50 to 60 events each year, ranging from open-source events like KubeCon to events hosted by Cisco, IBM, Salesforce and ServiceNow, to name only a few. With a lot of experience in many walks of IT life, Coen and Sander always manage to produce an engaging, in-depth discussion on general trends, but also on technology itself.
So follow Techzine Talks on Tour and stay in the know. We might just tell you a thing or two you didn't know yet, but which might be very important for your next project or for your organization in general. Stay tuned and follow Techzine Talks on Tour.
Techzine Talks on Tour
The tables are turning in favor of the defenders in cybersecurity (Jeetu Patel, Cisco)
For this new episode of Techzine Talks on Tour we sat down with Jeetu Patel, EVP of Collaboration and Security at Cisco at RSA Conference earlier this month. He has a rather positive outlook on the ongoing war organizations wage with attackers. We discuss why that is in this deep-dive into security architecture and infrastructure.
According to Patel, we live in an era of abundance, also when it comes to modernizing security infrastructure. With adversaries growing increasingly sophisticated, he explains why a cutting-edge overhaul of security infrastructure is not just necessary but urgent. However, it's also possible now. All of the components necessary for this overhaul are present. AI is an important part of this, but there is so much more that plays a role. We now have hardware acceleration, self-qualified patching and eBPF at our disposal. These components make it possible to significantly fortify the security infrastructure, according to him.
2024 is going to be a huge year for cybersecurity in general, and Cisco in particular, according to Patel. Listen to this episode of Techzine Talks on Tour now to learn all about why that is.
Welcome to this new episode of Tech Scene Talks on Tour. I'm at the RSA conference. I'm here with Jitu Patel, EVP of Collaboration and Security. Welcome.
Speaker 2:Thank you for having me.
Speaker 1:Yeah, so lots of things are happening at the moment, right when it comes to security. It's a very busy conference. It's a very busy year for Cisco as well. It's a very busy conference, very busy year for Cisco as well. So what's your perspective on the current kind of security climate, so to speak?
Speaker 2:Well, Sander, if you think about what's happening at a macro level, the adversaries have never been more sophisticated and they're the dumbest they'll ever be.
Speaker 2:So, they're getting more and more sophisticated over time. The attack surface has only increased, and while AI is amazing for so many things, it is also going to be used, in a way, to be weaponized against humans, and what's under attack is not just a mere inconvenience, but critical infrastructure around the world is under attack, and the way I think about it is security is critical infrastructure that, when breached, will actually impact all other critical infrastructure so your water supply, your power plants, your financial system, your health care system, so on and so forth AI being weaponized, with it taking extremely long for people to go out and update dated infrastructure, and how long it takes for vulnerabilities to get patched, what are the things that we're going to be able to do to go out and protect ourselves? And so I think what you need is not the next generation of something that already exists. You need to think about a fundamentally new architecture for security that has not existed before.
Speaker 1:Yeah, so and that's because…. So talk me through this fundamentally different architecture then. What are the components? Because from what I've seen from Cisco, you do that, but with existing technology, so not necessarily new technology. It's using it differently, right?
Speaker 2:I actually think it's, and I want to talk about Cisco, but I also want to talk about the macro thing that's happening in the world. But you know, if you think about Cisco, no, we're not just talking about using existing technologies and putting some lipstick on it. We are thinking about how do you rebuild and reimagine a new way of going out and doing security for this hyper-distributed world. You know. But let's take a step back. What's happening in the world right now and what's, if you think about, we have for thousands of years lived in a world of scarcity, and what I mean by that in very practical terms is, you know, as an IT professional, you have a certain amount of confined resources and you're asked to do a little bit more every year with just a little bit less mm-hmm and that's actually been the state for as long as I remember being alive.
Speaker 2:This is the first time that we can actually flirt with the idea of being in a state of abundance, and what that means is that the ability for us to be able to augment human capacity with digital workers is unprecedented, so that we can make sure that not only can it do tactical tasks for us, but also certain workflows can get automated so because we have the compute, we have the gpus, we have all the infrastructure that we need to do this.
Speaker 1:Is that what you mean?
Speaker 2:so first I mean is what are the things that you're doing? If you think about it, if I have 20 developers in my team, I can actually make the 20 developers become 100 developers. If I have 40 customer service agents, those can become 350 customer service agents. And so I think it's not just in IT If I think about how an employee experience for onboarding will look in a few years, each one of us will have an employee benefits package when you go join a company which might give us eight or nine assistants.
Speaker 2:You might have a personal assistant, you might have a coach, you might have a healthcare assistant, you might have a financial assistant, you might have some kind of concierge, and those are that additional augmentation of capacity, what we call digital workers. The question question is where are they going to live? And they're going to live in digital cities called data centers and, as you were talking about in data centers, these data centers are going to need to be fundamentally reimagined because of the scale proportion that we're talking about. You cannot have data centers that are going to be architected the way that they were yesterday for tomorrow's workloads because, the scale is going to be very different, right?
Speaker 2:So the two things that are changing in data centers quite dramatically and I'll get to what you're talking about on the GPU side but the first thing that's changing is the application. Topology in data centers has completely changed. It used to be a three-tiered architecture, every tier sitting on a piece of hardware, pretty easy to go out and manage. We now have hundreds, maybe thousands of microservices all talking to each other via APIs, all sitting on multiple pieces of hardware. They're sitting on Kubernetes, containers. Some clusters can talk to some other clusters but not allowed to talk to a third set of clusters, and that has a very different kind of mindset that's required for how you go out and protect and secure those workloads. So that's the first thing that's changing is applications. The second thing that's changing is what you're talking about, which is this notion of the infrastructure in data centers is changing where it's moving from a, you know, sequential processing, general purpose compute environment called CPUs to now GPUs and DPUs, accelerated computes.
Speaker 2:High-performance compute is actually meaningfully different now and you can do parallel processing. You can do vector math and matrix math. While it started with graphics processing, that could be done with a single operation. It turns out that how you go out and process AI workloads, both in training and inference GPUs are really really valuable. And so, as you have this new hardware acceleration, as you have this new topology change that's happening, the security infrastructure that secures all of this needs to fundamentally change as well.
Speaker 1:Yeah, but you also need to be able to predict what's happening in about four or five years time as well, because you can think you can secure the world today or maybe tomorrow or the day after tomorrow, but it's virtually impossible to predict what AI in general, and the security that goes with it, needs to look like in about five or six years time. It's very hard to predict that, right.
Speaker 2:It is and it isn't. I think it's very hard to predict exactly what kind of changes AI will incorporate in our lives. What's not hard to predict is that AI is going to be the major platform shift that we're going to experience, and what's also not hard to predict is that, as Sam Altman says, ai is the dumbest it's ever been today. It'll never be as dumb as it is today and it's the least resource intensive that it's ever been. I don't know if Sam Altman says the second part, but I say the second part right, which is I think you're going to need to have much more throughput capacity tomorrow, and we know that for a fact You're going to need to have much more throughput capacity than what you have today. So then the question is all right. So if you're going to need to have more throughput capacity and if you're going to need to fundamentally change the way that the security infrastructure operates to go protect this augmented capacity of AI workloads and digital workers, do we have the right technology building blocks to, in fact, solve some of the most important problems?
Speaker 2:Yeah, and the first question is what are the most important problems in security? Yeah, and I think there are three problems that are really really kind of crippling to society right now and I don't think people understand the effect that this has had, it's profound effect on what the damages of these three problems? The first problem is, if you assume that the attacker has already infiltrated your environment, right, how you contain an attack is through isolation of the attacker. That's typically in technical terms. We call it segmentation, right, and so that notion of segmentation- Something that we've been talking about for about 15 years already.
Speaker 2:For a long time, apparently still is not really very widespread. Well, the reason is because it's really hard to do, and especially in this hyper-distributed microservices world that we talked about. It was one thing. When you had to segment an application tier running on a dedicated piece of hardware and a web tier running on a dedicated piece of hardware, it was easy to segment that.
Speaker 1:It is very hard to segment 3,000 microservices running on multiple pieces of hardware, but that's also something that the industry, the security industry as a whole, should really take into account and so raise their hands and say, look, we did something, we had a good idea, but we couldn't really do it well enough.
Speaker 2:I think you're seeing us do exactly that, which is the segmentation is hard and the way that it was solved in the past is insufficient, woefully insufficient. What needs to happen in the future? So that's number one. Number two, the big problem is from the time that a vulnerability is announced today to the time when the exploit happens is now a matter of single digit days, and I think it's going to go down to hours and minutes. Right Updated technology something was not designed to ever be patched, all of those things, but it's also a sort of a risk-based approach, right.
Speaker 1:I mean, there are some companies that say well, I'm not going to waste my time on doing that, because this is way more important.
Speaker 2:So if you think of that and say, oh, wow, is there a different way to solve that problem, so that rather than having it take weeks and weeks to go out and do something for patching and you can only do it for a fraction of their vulnerabilities what if, in a matter of minutes, you can have an automated compensating control that can be applied to it so that you can immediately protect yourself minutes after a vulnerability is detected, so that you can prevent for exploits in a distributed manner?
Speaker 1:Ideally, you prevent them, but that may not be very realistic.
Speaker 2:No, no. What I'm saying is you can if you actually respond fast enough.
Speaker 1:Yeah, but that's prevention 2.0, I always call it right Because they're basically in but they can't do anything wrong.
Speaker 2:Ideally, you would prevent them from getting in the first place, and I think you might be able to do a little bit of both, but you have to assume that the endpoint is compromised, and so you're right. Assume that the bad actor is already in your environment, and what you have to do is you have to prevent them from lateral movement. That's the name of the game, right? And where does lateral movement happen? It happens on the network, and who knows most about the network? Cisco does so. That's one area. The third big problem that we have is dated infrastructure. Updating dated infrastructure is really hard.
Speaker 1:Why is that really hard?
Speaker 2:Because there's two change control windows that you might have in a year. You might have one at the end and you have downtime associated with it. Now I have to bring down my system. It actually disrupts my business, so I do it twice a year. If I miss my change control window, I have to wait for another six months. By that time the infrastructure has gotten dated. It's a mess. It's a hot mess.
Speaker 1:Those sound like excuses right to not do something, even though there may be some value in it or some truth to it. If you really want to, you should do it. So this is also something that the market or the organizations in the market themselves need to realize that they need to do better as well, I think about it slightly differently.
Speaker 2:The way I think about it is it's not that customers are lazy, it's that the amount of demand that is being put on them is physically not tenable to go out and address with the resources they have and the complexity that the environment has. So it's actually on the tech community and the vendors to do a better job at saying how can we make it easier for our customers so that they don't have to make this false trade-off of cost versus protection, which I think is completely a false trade-off? Yes, like you know, it shouldn't be the case, right? No, and instead what you should do is just make sure that you, we use automation for a lot of these things. So what do I think needs to happen? There's a certain set of building blocks that exist now, which did not exist until very recently, without which you could not have imagined solutions to these problems in an elegant enough manner.
Speaker 1:So there's AI, obviously one of those things. Ai is, of course, one of those things.
Speaker 2:That's the first one. And the way I think about AI is, as AI gets weaponized by adversaries to attack humans and critical infrastructure, we have to make sure that AI is used natively in the defenses. But the operative word being it has to be natively used. You have to think about AI from the time that you conceive an idea for a defense rather than an after fact that's been bolted on right. So that's the first one, but I think the second one I'm going to get a little geeky on. But the second one is really important, which is this notion of kernel-level visibility, ebpf, ebpf.
Speaker 2:And why is that important?
Speaker 2:Because if you assume that the attacker is broken in and if you assume the traffic is encrypted end-to-end, what you need to know is where does that traffic terminate and what exactly is happening in the guts of the operating system, which IO process was spawned, which process was spawned, which IO operation was actually occurring and can I actually get enough texture of what's happening in my operating system at the kernel level? And what eBPF does is it's this open source technology that can peer into the heart of the operating system at the kernel level. And what eBPF does is it's this open source technology that can peer into the heart of the operating system and figure out what actually is happening over there without sitting in the kernel. It has kernel level effect but sits in the user space, and so this allows a whole new set of possibilities, because now you've got visibility that you didn't have before, and, as you know, in security if you don't have visibility you can't protect something.
Speaker 2:And now we have visibility on the endpoint, on the network wire and at the host, and that end-to-end view is something that we've never had before. And if you can correlate data from that end-to-end view, you can actually have some pretty magical things happen. So that's the second big area of technology building block. The third one is hardware acceleration. And I think in security itself, when you start thinking about repetitive security operations and repetitive network operations like connection management, encryption, there's this hardware computation mechanism called a DPU, which is actually and you know this one and your audience for their benefit.
Speaker 2:A DPU is specialized compute subsystem for IO operations, and so you can do some remarkable things at least 1,000 times faster with a DPU, which just stands for data processing unit, than a CPU. The combination of AI, kernel level visibility and a DPU allow us to completely reimagine the kind of defenses you can have to those three problems we talked about Patching, updates and segmenting.
Speaker 1:But then, obviously, coming back to one of the magic words, that's obviously automation. You would like ideally to automate. Ai will allow you to automate all of this, yeah, but I mean obviously technically it's possible, but automation in security, that's a bit of a. Yes, great question difficult topic for a lot of corporate.
Speaker 2:that's a great question because you know that's a great question.
Speaker 2:Let's dig into that a little bit, because the reason that people have not automated updates, for example, is because if you update a firewall, um, the rules and firewalls were written like 100 years ago and you know, before you know it, there's something that's going to go wrong, and you don't even know what's going to go wrong, and now your entire system is going to go down.
Speaker 2:So what people did was they said I have to test this out in an extensive way before I even dream of upgrading and I have to bring my entire system down to do it and, as a result, consequently, what happened is upgrades just didn't happen as frequently enough.
Speaker 2:What you can do now with hardware acceleration, with these DPUs and with eBPF, is I can have two parallel data paths going in at the same time within a not a simulated environment, within a production environment, where I have a primary and a shadow and I'm observing both of those and doing a diff at the end and saying is my primary matching the shadow? And if my primary doesn't match the shadow, I'm going to continue to keep having those and getting them fixed at the end and saying is my primary matching the shadow? And if my primary doesn't match the shadow, I'm going to continue to keep having those and getting them fixed in the shadow. But once they match and once they're doing all right and I have pretty high confidence, I can flip them and make my primary my shadow and my shadow my primary.
Speaker 1:Yeah, so like VMs get updated behind the scenes in data centers and all servers. Exactly Like that.
Speaker 2:If you can do that, imagine what we're able to do. We are now able to have self-qualifying updates without having to really burden the administrator. But they don't have to worry about the fact is this going to work or not, Because it only gets updated after you've gotten enough certainty that it's working.
Speaker 1:Obviously, you first need to be able to demonstrate that right and so to get people to trust it, because you cannot have automation without without trust we actually don't even what we do is.
Speaker 2:We give people the choice to say do it when you feel comfortable. But I'm going to give you all the telemetry so that you can see exactly what's going through in both these data streams the primary data stream and the secondary data stream and when I can feel comfortable that both of these are showing a diff which is not substantive, then, and only then, should you do it. And, by the way, don't even feel comfortable doing it autonomously. You can have a human in the loop and decide to do it. For example, the first time I started updating my phone 10 years ago, I would always back up my iPhone. I'm like I'm not sure if I should update it. I'm going to back up my phone first. Now it happens overnight. Why? Because I've trust the system. You've got to earn that trust from people like you said.
Speaker 2:But while we're earning the trust, you can make sure that the administrator has full control over when they want to actually click the button to go upgrade once they've got all the data and over time they're going to start getting comfortable with this. They might not need to do that, but what this allows you to do, this sounds a lot like when the public cloud first came out right.
Speaker 1:There were a lot of people saying I'm not sure, not going to do it. After a while they said, oh, this looks good, maybe I will do it. Do you expect some sort of a gradual acceptance and adoption in this respect as well?
Speaker 2:In any technology. I think there's a time for ingestion, right. But what I do expect is not people saying I don't want to have this self-qualifying update. What they will say is I want a human in the loop in the beginning, and so we give them that flexibility and then, when they don't want the human in the loop, they can choose to get themselves out.
Speaker 1:Yeah, but do you think that, with attackers getting more and more automated and smarter and better at what they do because they're logically we would have to go to fully autonomous defense as well? If offense is going to go autonomous, I think they will.
Speaker 2:I actually agree with you that if you do not handle attacks at machine scale and if you only do it at human scale, it's not going to work. And, by the way, attackers are pretty stupid. When there was college student hackers doing some things. When you have nation states, it's actually pretty sophisticated, and so you've got to make sure that you're thinking through that I was trying to make the analogy with the AI itself being rather dumb compared to.
Speaker 1:In five years' time it's going to be the same for the attackers as well. Right, same for the attackers. But I think now defenders have sort of an edge. Defenders don't yet have an edge, no, but if this works.
Speaker 2:This is the first time in my professional career, sandra, and you and I have talked about this before. This is the first time I feel like, up until now, the adversary. Let's first talk about why did the adversary have an edge. Up until now, the adversary. Let's first talk about why did the adversary have an edge? Because they have to be right once. The defenders have to be right every single time. That still is the case.
Speaker 1:But this time around, I think we'll be able to make sure that the defender has a data and an architecture advantage that did not exist in the past. I think in one of our previous chats you talked about that. The tables have been turned, basically, but do you see them? I?
Speaker 2:see the possibility of the tables the scale tipping towards the defender. We're not quite there yet, just to be clear.
Speaker 1:I understand, because we're not really in the complete rollout and we're not in phase with this yet. But is it a temporary kind of turning of tables, if we reach it, because they will get to understand the defense better as well, right, so they'll try and find and work around it.
Speaker 2:I think the data advantage compounds over time, so I remain optimistic that you might be able to do some meaningful things, especially as you start exchanging telemetry with people. I think we have to get more open with the telemetry and we have to make sure that you start exchanging telemetry with people. I think we have to get more open with the telemetry and we have to make sure that we're exchanging incident response data and what's happening with threats and all of those things much more openly in the community and again, it's quite hard to actually predict what's going to happen right, Especially in AI.
Speaker 2:It's hard to predict what's going to happen, even two, three years out, because the rate of scientific progress is going to scale at probably 1,000x, and as it scales at 1,000x, it's very hard to predict.
Speaker 1:What I quite like about using AI as a defense mechanism is that what happens now is all those attackers have all the endpoint security, all the AV stuff, all the EDR stuff.
Speaker 1:They know how it works have all the endpoint security, all the AV stuff, all the EDR stuff. They know how it works. But it's virtually impossible to know how an AI works. So it's going to be very hard for the attackers to sort of make a foil, if you will, on their end of the defending side. So that makes me rather optimistic that it might just work quite well.
Speaker 2:I actually think that one of the things that we announced at the event at RSA. So we announced this product called HyperShield, which is this new architecture. What we announced at this event was one step even further with HyperShield, which is not just talking about known vulnerabilities the CVEs, the critical vulnerability enumeration that you can actually go out and prevent but also unknown vulnerabilities and making sure that if you have an unknown vulnerability or suspicious behavior, you can proactively start to go out and isolate, and so I do feel like there's a light at the end of the tunnel. I think it's going to require a very coordinated response. It has to have collaboration between public and private sector.
Speaker 1:I think critical infrastructure is going to be hugely at risk, but also between the security vendors amongst themselves as well. Right.
Speaker 2:Absolutely. And, by the way, you have to exchange telemetry. I tell this to my competitors all the time and I have a lot of respect for all of them the true enemy is not each other. The true enemy is the adversary. And you know, if we can exchange data and we can make sure that we can get each other enriched with what's happening so that our defenses get better, this is better for humanity, and I think commercial interests don't trump the interest of humanity. Yeah.
Speaker 1:Well, we talked about this before. Obviously, there are some limitations, especially when you're gearing up to this. Right, you still have lots of native telemany that you use to distinguish yourself from other companies in the market because I mean, yeah, you need to make money, you need to do business. I completely understand, but what's actually striking to me is that with your recent Splunk acquisition and with the Isovalent acquisition, Cisco has become a very big open source player.
Speaker 2:Of all of this, cisco is In fact, I don't know if you know this, but….
Speaker 1:With OTEL now and Cilium, you know.
Speaker 2:Cisco is in fact, I don't know if you know this, but With OTEL now and Cilium, you know, yeah, because OpenTelemetry and Cilium are the second and third largest contributors to the GitHub repo for any open source project, only exceeded by Kubernetes itself. So, as you know, opentelemetry, splunk is the largest contributor, and for Cilium, isovalent and now therefore Cisco is the largest contributor. And so Cisco is the largest contributor for two out of the three top open source contributor projects in the world. Who would have thought that about?
Speaker 1:10 years ago.
Speaker 2:And, by the way, this was not an accident. We believe one of the big reasons for the attraction to Splunk and one of the big reasons for the attraction to Splunk and one of the big reasons for the attraction to Isovalent was the open source. I think open source can make some really safe software and we should make sure that we engage the community in it.
Speaker 1:And the commitment remains the same, I would imagine oh no, commitment increases, but it doesn't decrease.
Speaker 2:Absolutely not, no.
Speaker 1:the commitment only goes up. Okay, well, that's going to be interesting. Do you see a lot of we're almost out of time, I think. Do you see a lot of potential for those specific open source pieces in the future of security for AI?
Speaker 2:Yes, I mean look open. Telemetry, as the name suggests, is going to be an extremely important kind of way to go out and exchange telemetry between different kind of platforms. And, by the way, in our platform, the way that we think about this is we want to build. Cisco is a platform company. It's an infrastructure platform company in four key domains Networking, observability, security and data and, of course, the collaboration side, and all of these need. The more we can exchange telemetry between control points, the more we can actually correlate telemetry between control points and between different points. The more we can actually correlate telemetry between control points and between different domains, the better we are going to be at not just detecting or determining effective defenses, but also for making sure that other things that allow for digital resilience, like better observability and lower downtime and better performance, are all thought through as well.
Speaker 1:Yeah, so a lot more to come in the next couple of years.
Speaker 2:We're just getting started, sandro, and, by the way, I will end with this In 2023, we innovated more than we had the 10 years prior, and 2024 is going to be a multiple of 23.
Speaker 1:Okay, and the pipeline is very full. I'm going to be even more busy this year. We're going to keep you busy, man. Okay, well, looking forward to it.
Speaker 2:Thanks for the chat, thanks for having me.