In this episode of The State of Enterprise IT Security, host Brad Bussie, Chief Information Security Officer at e360, welcomes special guest Svetla Yankova, CEO of Citreno, to discuss the evolving landscape of SecOps, the role of Google in shaping its future, and how AI and cloud-native solutions are transforming enterprise security.
About Svetla Yankova: Svetla Yankova is the founder and CEO of Citreno, a proud Google and e360 partner focused on implementing and maximizing Google SecOps. She was a founding member of Google SecOps, formerly known as Chronicle, and joined the project in 2016 at Google's Moonshot Factory, X. Over the years, Svetla played a leading role in Google’s Cloud Security Customer Engineering, drawing from Google’s immense potential in security innovation. In 2023, she founded Citreno to help organizations realize the full potential of Google SecOps.
Mentions & References:
[00:00:00] Svetla Yankova: organizations today have call it cameras and motion sensors all over their perimeter and they produce all kinds of alerts.
[00:00:10] Svetla Yankova: Something happened. You may want to take a look at that. Right. And with the complexity of. how this tooling has evolved, how the attackers have evolved. This just becomes one of the most complex operational issues that organizations have to deal with is just tracking and monitoring and making sure they don't miss something.
[00:00:30] Svetla Yankova: So SecOps in, I think in my very simple terms is kind of the art and science of looking at a million things a day or a billion things a day and doing your best not to miss something.
[00:01:04] Brad Bussie: hey everybody, I'm Brad Bussie, Chief Information Security Officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders.
[00:01:22] Brad Bussie: And I'm happy to bring you a special guest today, CEO of Citreno, Svetla Yankova. Welcome to the show, Svetla.
[00:01:33] Svetla Yankova: Thank you, Brad. Glad to be here.
[00:01:36] Brad Bussie: Awesome.
[00:01:36] Brad Bussie: So today I thought we'd explore, what we see as the evolving landscape of security operations. And I think we're going to focus a little bit on Google SecOps.
[00:01:54] Brad Bussie: And I think what would be helpful, because we've got kind of a wide viewership and a wide group that listens to this. So I think what we could do is start a little bit around the foundation of SecOps. And I think we'll talk about the promise of SIEM, or in some cases the broken promise of SIEM. And How we recommend that clients, as well as listeners, would do SecOps, and I'm gonna do this in air quotes, right.
[00:02:34] Brad Bussie: But, honestly, first, like, I think what would be interesting, for the viewers is, Can you tell me a little bit about your background and Citreno? Because when I first talked to you about this, I thought it was super interesting because you've got such a great background. Hearing a little bit about that would be, would be pretty cool.
[00:02:55] Svetla Yankova: Oh, I would love to. So, so glad to be here, Brad.
[00:02:58] Svetla Yankova: A little bit about [00:03:00] myself and my background in 2015, I believe, or 2016, I received a very serendipitous email that said, do you want to join a secret moonshot project at Google that wants to reinvent cybersecurity? And I did, like every other security person, I thought it was phishing.
[00:03:19] Svetla Yankova: So I'm just gonna put it in my phishing list, but kind of other serendipitous consequences around that I actually ended up joining the project and it was, it was very exciting. I had to keep it secret. I couldn't tell anybody at the time what we were doing. Enjoying very, very early on, we were brainstorming.
[00:03:40] Svetla Yankova: How would we take the technology that Google developed in the aftermath of the Aurora attack? How would we take all those lessons, all these learnings, all that kind of data first mentality into the world of security? And the insight at the time was that Basically, Google had this incredible rocket ship tooling, right?
[00:04:04] Svetla Yankova: And anybody outside of it was kind of a surgeon with a Swiss army knife. The tooling was just too primitive. It didn't have kind of the data processing capabilities. And so with that insight, Mike and the founding team, really kind of built something special. And I was lucky enough to be a part of that.
[00:04:22] Svetla Yankova: And here we are eight years or so later. And, We're seeing incredible growth in the adoption of the solution. More importantly, the what I call the true adoption, that moment where SecOps teams get data hungry and they start really kind of extracting that, that value, that gold out of their data. So, I spent a lot of time in Google and last year we started a company called Citreno that was basically designed to, realize that promise, right?
[00:04:53] Svetla Yankova: Help teams implement SecOps transformation to their finance through the Google innovation.
[00:05:00] Brad Bussie: I love it.
[00:05:01] Brad Bussie: So we're talking about Chronicle, right? And this is something you and I had said we were talking about names, and now Google has rebranded a lot of this into just Google SecOps, but a lot of what we're going to be talking about today, is basically Chronicle and a little bit of one of the acquisitions that they had made around the SOAR solution with Siemplify.
[00:05:30] Brad Bussie: And they've, they've put those together. And Svetla and I were talking about it being the Chronicle SIEM and SOAR solution, but now known as SecOps. So when we're talking about that, just, just think about it.
[00:05:44] Brad Bussie: But I think maybe what would be interesting to kind of start this whole thing off with would be a foundational understanding of what SecOps is.
[00:05:57] Brad Bussie: So Svetla, from, from your standpoint, [00:06:00] if you were going to describe to somebody in an elevator, like 90 seconds, what, what really is SecOps? SecOps now.
[00:06:10] Svetla Yankova: Okay. So, be explained to me like I'm five trick. Okay. That's a good one. the way I usually describe it is, that organizations today have call it cameras and motion sensors all over their perimeter and they produce all kinds of alerts.
[00:06:33] Svetla Yankova: Something happened. You may want to take a look at that. Right. And with the complexity of. how this tooling has evolved, how the attackers have evolved. This just becomes one of the most complex operational issues that organizations have to deal with is just tracking and monitoring and making sure they don't miss something.
[00:06:52] Svetla Yankova: So SecOps in, I think in my very simple terms is kind of the art and science of looking at a million things a day or a billion things a day and doing your best not to miss something.
[00:07:06] Brad Bussie: Couldn't agree more. And I think more and more organizations are getting to the point where there is so much data, so many sensors, and they are afraid of missing something.
[00:07:17] Brad Bussie: And that's part of the reason why we're hearing about automation, orchestration, and taking what used to be our level one and level two analysts and turning more and more and more of that into machine learning, automating certain pieces of it, orchestrating, and, and leveraging AI because I think that's actually one of the things that it's good at.
[00:07:44] Brad Bussie: And I, I think a lot of our listeners know by now, I don't consider it artificial intelligence. I call it augmented intelligence. So we're, we're telling these systems what to do. And then we're saying, look for patterns, look for things that are out of the norm, and then maybe do some things on your own.
[00:08:05] Brad Bussie: But here's the box. You have to stay in the box. And if you go outside of the box, Then we need to let people know, and then we have a human that steps in and kind of does the thing. So, I think that's, that's where we are currently for SecOps.
[00:08:22] Brad Bussie: I think what would be interesting though is, what's, what's gone on the last year or two?
[00:08:30] Brad Bussie: I think we, we kind of seeded this a minute ago with Chronicle becoming SecOps, and some of The shift that Google, is making towards this, this new thing, because we've seen acquisitions, you know, we saw Mandiant get, pulled in. they're doing some interesting things there. So if you were going to say like, what are some of the changes?
[00:08:55] Brad Bussie: that have happened, like what, what would you say?
[00:08:58] Svetla Yankova: Well, I [00:09:00] think I want to talk about two themes when it comes to SecOps technology. One is kind of the decade that can measure, be measured in decades theme. So the theme of the 20s, if you will. I don't know if I've ever heard anybody refer to it as the 20s.
[00:09:14] Svetla Yankova: but, if you go back to, let's say the year 2000, there was a theme of putting kind of, structure and meaning around everything. There was a theme around categorization and normalization, making meaning out of the data until like ArcSight were doing a lot of work in that. And then they ran into scale issues, right?
[00:09:35] Svetla Yankova: The data just kind of grew exponentially. The on prem kind of hardware and software at the time couldn't, couldn't deal with that. So you went from a very kind of structured theme to, hey, let's go a little bit more unstructured. Data and complexity is growing. Let's just kind of. So let's go a little bit more unstructured.
[00:09:55] Svetla Yankova: We may have some data models, but they are going to be hugely optional, etc, etc. And then you go into this decade where things kind of swung back a little bit, but with scale. So maybe, maybe a very kind of data centric view of the world. I kind of fancy myself more of a data enthusiast, but the data centric view of the world is that, things are kind of, swimming, swinging back to a more structured model.
[00:10:24] Svetla Yankova: And you go into kind of the more short term theme things with, Enrichment, Threat Intel, AI, etc, etc. There's this realization that in order to fulfill that promise of enrichment, of automation, of AI, etc. There's really years of kind of what I call data janitorial work that needs to be done, right?
[00:10:44] Svetla Yankova: Garbage in, garbage out. The data needs to be structured in a proper way to do that. So this kind of lends itself to that. So, I think Chronicle has been following Nicely, and I would hope to say ahead of the curve in these themes because it made a bet around kind of this idea of throw randomness at it and make a story out of it, which is a data modeling problem, right?
[00:11:08] Svetla Yankova: So, so you go into data modeling problem, which is not as sexy as generative AI, right? like generative AI makes a story, but through something else. Data modeling is take Fields, map them, create a model, make it consistent. Not as sexy, but very tedious, very hard to do, very, very labor intensive. So we made that investment, and we kind of created this story centric view of the SIEM.
[00:11:36] Svetla Yankova: Then that evolved with Now what? You have the story centric view of the SIEM, you have a data model, you have a story and a kind of a timeline, a chronicle, if you will. That name would never die for me, I'm sorry.
[00:11:50] Brad Bussie: No, me either. No, me, it's, it's forever, yeah.
[00:11:53] Svetla Yankova: Yeah, you have a chronicle, if you will, of what happened, then, We started infusing [00:12:00] different things to it.
[00:12:00] Svetla Yankova: The first part was the now what? The soar component. Okay, now you have a story of what happened. Well, can you backtrack that to make an automated determination or can you backtrack that to make an automated action? So that's where the Siemplify acquisition came in. And, you know, one of the, one of the best acquisitions in my experience.
[00:12:19] Svetla Yankova: They very rapidly integrated and kind of infused the two technologies together and it was really a case of one plus one equals eleven because you had the story but then you have kind of the power to make a decree over it, right, to make a command out of it. So, so, SOAR was a very powerful addition and I really love working with one of the only kind of Very well integrated, enterprise grade SimSource solutions in the market.
[00:12:45] Svetla Yankova: But then there's the subtle themes around it, which is First was the question, what if threat intel was just a natural part of the whole machine, right? What if threat intel isn't something over there, we get an alert and we see an IP and we're like, oh, Magic 8 Ball, is this IP bad? And then we kind of look through some of these things.
[00:13:04] Svetla Yankova: But what if, what if threat intel gets kind of moved, Upstream to this, right? And what are some of the wonderful things we could do with Threat Intel? So that's where the Mandiant acquisition starts adding a lot of value and just kind of their, their beautiful Threat Intelligence story, the IR story, and everything else starts to, adding this layer of thread and tell context, right, of state across the thing.
[00:13:29] Svetla Yankova: Not just what happened, but in what context does it happen. And then you infuse the layer of risk around it too. So you basically kind of become this threat-aware, risk-aware, Storytelling system that can take action. A lot of promise behind that. Oh, and by the way, you also have the promise of AI, which is starting to slowly materialize of like, Hey, some of these things could get really kind of enhanced with AI, they could be really sped up with AI and, not only can the actions be sped up, but also your learning of how to operate with it can be sped up instead of knowing a complex query, you can now do it.
[00:14:08] Svetla Yankova: speaking English and the system can help you translate that, et cetera, et cetera. So, so I think those are kind of the major themes around that. I know Brad was probably a long winded answer, but hopefully some nuggets to pick on.
[00:14:22] Brad Bussie: No, it's it's, I love it. And I, I think you're spot on. I mean, data is the reason.
[00:14:28] Brad Bussie: that we're doing it. Data is what we're trying to protect. It's what we're mining. It's, it's really the whole reason for everything when it comes to like, what are you trying to secure? And I know a lot of organizations, they, they start with the network or they, they start with identity, but honestly, it all comes back to data.
[00:14:50] Brad Bussie: So I think that's a, that's a great point. And I think you know, the, some of the additional acquisitions that Google has made, [00:15:00] pulling in VirusTotal and, and also augmenting the capabilities within the system with that information. I honestly think that it's, you know, getting to be one of, one of the best SecOps solutions.
[00:15:14] Brad Bussie: And I think that threat Intel point is spot on.
[00:15:18] Brad Bussie: So I think this, this actually leads us into a, an interesting segue of I mentioned the promise of SIEM, but when we were talking about this pre show, you actually said, you look at it more of the broken promise of SIEM. So could you give the audience a little more color around that?
[00:15:41] Brad Bussie: Like, what did, what did you mean by that? Because I thought it was super interesting.
[00:15:46] Svetla Yankova: Yeah, the broken promise of SIEM is interesting. I think, well, for one, SIEM promised to correlate data from different systems, and it promised to understand your, your data, your environment, your system. And when you look into the reality, Very few teams do proper correlation, right?
[00:16:10] Svetla Yankova: In some ways, it kind of still acts as the alert aggregation tool that it was 20 years ago in a lot of organizations, especially some of the sims that struggle with correlation, they have scale limitations around that, but, correlation is one of the promises that In some ways, rarely materialized, right?
[00:16:32] Svetla Yankova: Rarely we can look at a world of our cloud and our endpoint and our network and come up with some automated decisions around that. the other thing is just kind of this promise of having a full picture view. Yes, but you need to have an analyst that knows what they're looking at. And in some is just the faster way to not open the five different tools.
[00:16:57] Svetla Yankova: Right. So what did people end up happening is because they weren't able to solve it in SIEM, they started solving it in SOAR. Right. So they're like, well. I'm going to have my analysts do these 14 queries in my sim, but they have to know this product, and this source, and their data structure, etc, etc. Well, let's start moving that thing to SOAR, and then in some cases, SOAR even became kind of a pseudo mini SIM, right?
[00:17:22] Svetla Yankova: Another alert aggregator where they started plugging different things to SOAR because getting things to the SIEM was too difficult, right?
[00:17:29] Brad Bussie: Right.
[00:17:30] Svetla Yankova: So, so, I think there's a lot of kind of broken promises in regards to data. There's a lot of kind of broken promises and hard to keep ones around normalizing, making sense of the data, and At the end of the day, I think a lot of organizations find themselves where they, Hey, I have this SIM, but I realize no value out of it.
[00:17:51] Svetla Yankova: Right. Right. It helps every now and then when I have an incident, but I can't be in a position where every day I kind of go in and find new value out of my [00:18:00] data. So ultimately it kind of breaks down to that. I don't know if this is what you're seeing with.
[00:18:04] Brad Bussie: Yeah, I see. I see another piece of this too.
[00:18:08] Brad Bussie: where there was a movement around something that people called SIEM 2. 0, which actually was the user and entity behavior analyst. So it was like, you have your SIEM. That's where you're going to take all of your events, all of your logs. You're going to put everything into a data lake or a bucket. Then you're going to have this other thing that is going to try to make sense of it.
[00:18:31] Brad Bussie: and then give you a timeline and let you track back to an insider, some kind of a threat vector, somebody's getting ready to resign, so they're pulling files down. They're like watching this whole thing unfold. And I feel like that was, that was kind of the first two iterations, but I, I feel like where we're at, Now, as we're on the cusp of kind of that SIEM readout o, and that is where, I would say Google is definitely heading, because now you're enriching all of these things.
[00:19:09] Brad Bussie: SOAR is becoming more of that user and end of behavior analytic because of that. the way that it's designed, the playbooks, and how we're leveraging it, the automations, and the orchestrations that we're rolling into it. So yeah, I think there was a promise back in the day of what SIEM was going to be.
[00:19:32] Brad Bussie: We kind of missed it. 2. 0, we got a little bit closer, but we were missing some of that. Now let's tie in other tools, systems, and the things. And I think now, we are pretty close to that initial. promise. And it's pretty exciting seeing the direction that Google's going.
[00:19:56] Svetla Yankova: Yeah, I agree with you. I think the UABA promise was that these alerts would be actionable and they just ended up too volumous and inactionable.
[00:20:06] Svetla Yankova: It's like Brad printed a thing and he never does that times million, right? and, it's, it's a powerful proposition, but it's, it's kind of interesting how you go from. I want more alerts, I want more alerts, to I want less alerts, to now it's, it's sort of changing, to say, okay, well, UEBA is not just the mechanism in which you look and identify a new alert of something weird happening, but it's also the mechanism in which you measure risk across this and it helps you prioritize your current alerts, right?
[00:20:45] Svetla Yankova: Okay. So that's how we try to guide our customers is, hey, you have all these low severity signals, some things end up in the tar pit. That's just the reality, right? we can tell ourselves that we automate, and we enrich, and the AI does [00:21:00] it, but no matter who throws the alert in the tar pit, it ends up in the tar pit, right?
[00:21:04] Brad Bussie: Right.
[00:21:06] Svetla Yankova: What ends up with this new generation of kind of fusing that promise is now UEBA and SIEM stop becoming kind of these two different things, but now they converge with the UEBA being not just a new high fidelity alert source, which sometimes struggles with,
[00:21:24] Brad Bussie: but
[00:21:25] Svetla Yankova: also being a prioritization source and a helper for assetizations for understanding, okay, this is a user and this is normal for them for kind of a decision assistant, if you will.
[00:21:35] Svetla Yankova: So really good point there.
[00:21:36] Brad Bussie: Yeah, makes good sense. And I think that the part that, that I'm often looking for with any system is the data hygiene and the hygiene of logs and events so you don't get overwhelmed with signals that don't matter. So, I think there's, there's something, and we could probably have a show just on that.
[00:21:55] Brad Bussie: I was just, I was just thinking about that, when you were, when you were talking through it. Because. That is where I spend the most time talking with clients is just doing basic things like sizing. And before you know it, we're talking terabytes and terabytes and terabytes. And it's like, well, you realize if you would just filter out a bunch of that stuff and, and, and put it in the tar pit, because that stuff just doesn't matter.
[00:22:23] Brad Bussie: Even from a signal perspective, it's not indicating much of anything. So if you were to just filter that and And send the stuff that really matters to your SIEM. Then we can have a different discussion and we stop getting overwhelmed with noise.
[00:22:39] Svetla Yankova: Yeah, absolutely. And I think as much as We're team SecOps and, you know, SecOps can solve all the world's problems, etc.
[00:22:49] Svetla Yankova: It does come after hygiene and not just data hygiene. And that's one thing I think we're trying to put too much burden on the detection and response. technology. and it, it really is such a complex infrastructure, especially with cloud and everything, where those efforts just need to be combined with infrastructure as code efforts, with efforts around proper posture, proper, Change management, because, you know, the, the really kind of fun thing about SecOps is that there's pesky interns and admins and software engineers, and people doing normal stuff every day that have to produce alerts.
[00:23:31] Svetla Yankova: Well, how do we kind of model and say that this is normal into a meaningful structure, is something that, I think it's part of the same conversation because otherwise you're just putting too much burden on. You know, the SecOps side of things and
[00:23:49] Brad Bussie: yeah,
[00:23:49] Svetla Yankova: the blue teamers.
[00:23:52] Brad Bussie: I agre h, you know, another thing I was thinking about is something that I I'm seeing is there's this [00:24:00] movement towards cloud native.
[00:24:04] Brad Bussie: And I'm really starting to see this in SecOps tooling specifically where I, and I'm also seeing this in, in networking as well, but that's, that's a different show. So. Are you seeing the same thing? Is there like this, this rise of a cloud native movement in SecOps tooling?
[00:24:26] Svetla Yankova: There is, and it's, it's coming in all levels.
[00:24:30] Svetla Yankova: it's most fascinating to me in government where basically CISA years ago started issuing guidance around, Hey, don't be so scared of cloud native. It's superior technology for, for better security, right? let's just come up with the controls to that. So I think as some of those. Compliance controls are catching on.
[00:24:52] Svetla Yankova: Customers just have more faith and confidence in the cloud native tooling and that is combined with the fact that they're just sick and tired of managing all those failing over indexers on prem and basically spending most of their effort there, right? So, It seems that in the last couple years, the wave has been very, very big.
[00:25:16] Svetla Yankova: I think a big part of it is making cloud native affordable as well, right? so it ends up being more affordable with less to maintain. You know, just punch in your query, and if anything falls over, it's Google's problem, right? that, that makes it fairly easy. So, I agree, the cloud native movement is finally something that can materialize on the promise economically, and with scale, and can, you know, You know, you could throw a petabyte at it or 10 and it doesn't seem to have a problem with that.
[00:25:50] Brad Bussie: I agree. I think it's getting back to the original promise of cloud, which was an elastic service in nature. Something that can go very, very big when it needs to, and it can shrink back down when it needs to. And I think that is a very, that plays very well into SecOps. and the needs of that kind of a system or a platform.
[00:26:14] Brad Bussie: So I think that's, that's one of the big reasons. I'm always thinking of this as giving the audience a gift or at least a thought.
[00:26:30] Brad Bussie: And I think one of the main things everybody is wondering is, what does good look like? And what, what is like a best practice or a couple of best practices that they can take away?
[00:26:43] Brad Bussie: When it comes to implementing SecOps, really, I would say effectively, but I'm also, you know, always looking at efficiencies, but let's just, let's just look at it kind of holistically. What are some best practices that you would recommend? [00:27:00]
[00:27:01] Svetla Yankova: It's funny, I might go a little controversial on this, because everybody's going in a direction of humans not looking at alerts, right?
[00:27:09] Svetla Yankova: And AI looking at it, or the robot sorting it out, and all this is good and great, but I would say good looks like, for me, good looks like the fact that you've modeled your environment and your risk and your drift so well, that humans can spend a lot of time on it. time on the very high fidelity things that come out.
[00:27:30] Svetla Yankova: So that's, that's what good looks like to me. Good looks like a very tight collaboration between red team and blue team. Good means that the blue teams are sort of elevated to, in my opinion, the superstar status that they deserve. Right. And, they have this kind of tight status. Purple team collaboration.
[00:27:52] Svetla Yankova: They're constantly trying to break the infrastructure in various creative ways. And they're able to afford that because they saved themselves a lot of the kind of the toil and churn of the past through proper hygiene, through modeling, through help of automation, through help of technology, through, through the help of these things.
[00:28:14] That's my, definition of good and I would add a second bit to it, which is, owner, business owners are included in the equation, right? For me, good looks like the fact that the application owners are tightly coupled with the SecOps teams to define what good looks like and to have this kind of shared accountability.
[00:28:38] Svetla Yankova: They understand the risk, they understand how their applications are monitored, they have a say in this. It's not just. Stuff that goes to a SecOps team over there and we hope they catch something. The application owners are also heavily involved.
[00:28:53] Brad Bussie: I love that. I, I agree. I thin h, I don't think the business gets involved enough.
[00:29:00] Brad Bussie: And I think a lot of the time, and it's just people, people are afraid of things that they, maybe they don't necessarily understand. They're afraid of looking dumb or looking silly. And I hear it all the time. Well, that's, that's security. And I, I don't even want to look at that anymore. And I think. That ends up being one of the biggest problems in organizations.
[00:29:23] Brad Bussie: And I would, I would urge everyone, like, don't be afraid of it. Have a, have a basic understanding, of why, but as cyber practitioners, I think it's our job to help educate on the why. We get to figure out the how, and then we also go deeper into what it is we're doing. So I think that's something that would be good for any team that's looking at SecOps as a whole.
[00:29:55] Brad Bussie: So.
[00:29:56] Brad Bussie: Last question that I would [00:30:00] have is if, I'm looking at the maturity of SecOps, because I'm, I'm big into, like, what's the evolution, not just of the processes that we're doing, but of the technology. And, you're, I would say on the bleeding edge when it comes to SecOps and the meetings that you have with Google, I can only imagine because you're still very, very, very involved with that.
[00:30:26] Brad Bussie: What are some of the things, and I'm not saying give us anything NDA or super secret, but like, what are some of the things from a maturity standpoint that we can look forward to and that organizations can look at from a evolution of process and technology?
[00:30:45] Svetla Yankova: I think. The two big themes for me are, as an evolution, on one side risk, right?
[00:30:53] Svetla Yankova: So being able to quantify Risk, and model risk is a really big and very complex step in the evolution of things. and the second thing is what we just talked about. You know, I don't want to call it kind of the DevSecOps evolution, but really building, bringing, the owners into that, not just from a development and all the applications that you develop, but, we've been kind of having incredible success with, Hey, can we go and talk to your Salesforce team?
[00:31:26] Svetla Yankova: Right? And you'd be surprised how many insights they have around really a huge risk vector for an organization and how much they can contribute to, to defining modeling that risk. So. Organizationally aware risk modeling for me is one thing that we want to encourage our customers to, to push forward to because that's one of the things that attackers cannot, cannot fake.
[00:31:52] Svetla Yankova: They can use new indicators, they can get around threat intel, they can get around detect Sometimes they can test every EDR product and come up with something new. They can come up with zero days, but they can't get around. This is my crown jewels and this is how things normally behave around them. And this is out of the norm.
[00:32:12] Svetla Yankova: And we're going to have someone looking really deeply into it. If that behaves out of the norm, does that, does that kind of resonate with what you're
[00:32:19] Brad Bussie: It does. And I think another one from, from a technology perspective is we've, we've talked about AI, but I honestly think. How I'm seeing AI being used today.
[00:32:31] Brad Bussie: I just was messing around with one of the newer features in ChatGPT, which is actually talking to it. So not, not just what you would imagine, like I'm not going to say the name cause it's going to pop up. But if I say, Hey, Apple's device, and then I give it a, a string or a command, or I say, would you do this for me?
[00:32:54] Brad Bussie: And it's like, yes, I will do that for you. But in playing with that, it gave me an [00:33:00] idea that I know is going to be rolled into a lot of these solutions when it comes to SecOps and that is, I'm going to tell the system what kind of a playbook I would like. This is, I'm going to set the stage, I'm going to prompt, I'm going to tell it these are all the things that I'm concerned about, I want to protect the crown jewels, these are the things that I would be looking for, and I'm just going to have a conversation, and then I'm going to hit the button.
[00:33:27] Brad Bussie: And the next thing I know, I've got the playbook, I just do some light modifications, maybe, and next thing I know, it's there. And we're not far away. There are some, I would say some tools that are already doing something kind of similar to that, but not at not at the scale that I'm talking about. So I think that's another maturity or an evolution of this, which is the kind of the unity between AI and humans and basically leveraging that technology.
[00:34:02] Brad Bussie: Yeah. to make both of us better.
[00:34:06] Svetla Yankova: You're absolutely spot on. I think in ML cases of the past, we tried to answer a question, right? Or make a determination or a verdict. Like, is this fish fishy or something like that, right? So that kind of reduced us to simple questions that started getting into the garbage in, garbage out, and all those kind of, problems.
[00:34:31] Svetla Yankova: I think now with the advent of using a conversation to achieve an action, right, we're only scratching the surface of what's achievable to do in that manner.
[00:34:43] Brad Bussie: 100 percent agree.
[00:34:45] Brad Bussie: Okay, Svetla, I, I've like really, really, really enjoyed this episode. I think the audience is going to get a lot of value from this.
[00:34:54] Brad Bussie: So thank you again for joining me. And we look forward to the next time on the State of Enterprise IT Security Edition. Have a good day.
[00:35:05] Svetla Yankova: Thank you, Brad.