The Human Firewall: AI's Double Edge in Cybersecurity with Rob Gurzeev of CyCognito

Posted in: Season 8 Posted on

The Human Firewall: AI’s Double Edge in Cybersecurity with Rob Gurzeev of CyCognito

Rob Gurzeev is the CEO and Co-Founder of CyCognito, a cutting-edge cybersecurity company trusted by over 20 of the Global 100 companies. With a background in the elite Israeli Intelligence Corps unit 8200, Rob brings a unique blend of offensive security expertise and innovative thinking to the cybersecurity landscape. Prior to founding CyCognito in 2017, he led the Offensive Security group at C4 (later acquired by Elbit Systems), where he developed intelligence-gathering platforms for agencies.

Episode Highlights:

[00:00] Introduction: HumAIn and Rob Gurzeev

[01:01] Rob’s Journey: Intelligence to Silicon Valley

[02:03] Technology Potential vs. Implementation Gap

[04:02] Application Security’s Coverage Problem

[06:20] Attackers Exploit Path of Least Resistance

[09:03] AI: Double-Edged Sword in Cybersecurity

[11:35] AI Revolutionizing Reconnaissance

[15:40] Precision and Recall in Security AI

[17:19] Asset Classification and Attribution Challenges

[21:01] Scale of Vulnerability Management

[26:04] Critical Thinking in AI Age

[28:39] CyCognito’s External Attack Surface Management

[30:51] Closing Thoughts

Episode Links:

CyCognito: https://www.cycognito.com/

Rob Gurzeev’s LinkedIn: https://www.linkedin.com/in/gurzeev/

Rob Gurzeev’s Twitter: https://x.com/Rob_Gurz

PODCAST INFO:

Podcast website: https://www.humainpodcast.com

Apple Podcasts: https://apple.co/4cCF6PZ

Spotify: https://spoti.fi/2SsKHzg

RSS: https://feeds.redcircle.com/99113f24-2bd1-4332-8cd0-32e0556c8bc9

Full episodes playlist:   https://www.humainpodcast.com/episodes/

SOCIAL:

– Twitter:  https://x.com/dyakobovitch

– LinkedIn:  https://www.linkedin.com/in/davidyakobovitch/

– Events: https://lu.ma/tpn

– Newsletter: https://bit.ly/3XbGZyy

Transcript:

David: On today’s episode, we bring to you Rob Gurzeev, who is the co-founder and CEO of CyCognito. Rob, thanks so much for joining us on the show.

Rob: Hey, David, it’s a pleasure to be here.

David: I’m so excited any time I get to bring on founders and leaders who have been part of Israel. Where my dad is from. So really great to have you here on the show.

Rob: Oh, that’s awesome.

David: Yeah, so I always love bringing forward Silicon Valley and Israel’s tech scene. But together started, Rob, you’ve had an incredible journey, of course, serving in the Israeli Intelligence Corps unit 8200. And you founded CyCognito and built this great company in Silicon Valley.

To start us out, can you share a pivotal moment or experience from your time in the intelligence that shaped your approach to cybersecurity and led you to ultimately create, found, and scale CyCognito?

Rob: I remember there was this one point in time after I became the leader of this domain, very relevant to what CyCognito does today. I was looking at what’s available out there in terms of open source and commercial solutions related to this domain. And just feeling like:

  1. Very few organizations deeply understand the kind of problems you need to solve in this domain.
  2. There are such amazing technologies out there like NLP, natural language processing that are extremely powerful. Yet, to this day, crazily enough, are almost not being leveraged at all, or we utilize maybe 5% of their power.

For example, anyone who knows Salesforce and such platforms knows that when you manage people, it’s hard to understand who’s talking to whom at a specific point in time, what’s the sentiment of each group regarding each topic and things like that. These are problems that from a technological perspective, we could solve 10 plus years ago, truly. Yet, can you do that with Salesforce today in 2024? Not really. And there are many, many such examples.

So, I remember that while being very young, I saw this contrast between what’s possible and what’s almost obvious when you leave the problem and are obsessed with solving some of these problems, especially when it comes to saving human lives. And just feeling that a lot more is possible and wanting to be able to challenge myself and folks I work with and try to take on some big challenges that are meaningful that way.

David: Now, Rob, your company, CyCognito, recently released a report on web application security testing. How do you see generative AI impacting this landscape, both in terms of creating new vulnerabilities and potentially improving testing processes?

Rob: Great question. So maybe to build on what I just said earlier, with respect to deeply understanding where the problems are and being obsessed about solving them versus slowly, gradually improving very old approaches and technologies, one of the biggest problems in AppSec from what we’re seeing today is the coverage problem.

Meaning the tools and processes that were built 20 plus years ago and are still being used today, mostly require a lot of configuration and a lot of human validation of their output, which can really take between days and weeks per application.

One of the things we found in the research was that only half of the e-commerce and PII applications are being protected at all by web application files or equivalent controls. Meaning even when you look at the most important things to protect, half are not protected whatsoever. It’s not even misconfigurations, just complete blind spots in the broad sense.

And so when you look at the problem, which is attackers are going to pursue the path of least resistance, they will try to find the easiest way to acquire the data, the financial information, the sensitive information, to blackmail this company or do other things for usually economic reasons. If we’re not protecting a big chunk of our stuff, we’re not going to solve this problem.

The easiest thing to do and the most organic improvement you see in every industry is, you slowly improve what already exists. And you see some of these vendors and teams use LLMs and other AI technologies to incrementally improve some of those. And there’s some excitement about such things.

But when you look at the actual problem and you find metrics that are meaningful, for example, what percentage of my stuff is being tested at all and how frequently. And if the answer is only half the stuff, and sometimes it’s 10%, including maybe especially at very large enterprises, and the frequency of some of these testing is just annually or quarterly at best, while attackers do their thing every day.

And AI allows them to do that more frequently and exploit new vulnerabilities, new known vulnerabilities within days versus months now. So from my perspective, and when you know how attackers actually attack and breach organizations and the offensive process that way, you realize that putting more locks on the front door while the back door is unlocked is not going to solve this problem.

It’s really a security theater kind of situation where maybe the quote unquote TSA makes us feel safe, but maybe there is a teeny tiny fence around the airport and anyone can run over that fence with a $5,000 truck and do whatever they want.

David: It’s so fascinating hearing your perspective on AI tools. On one end, Rob, they’re being used by attackers to exploit vulnerabilities. Though on the other end, with your work at CyCognito, you’ve shared in the past that AI tools could promise to enhance security operations. Would you provide some specific examples of how today, generative AI is being used to effectively improve cybersecurity?

Rob: Absolutely. So speaking of these coverage challenges and mapping what you even have and then monitoring it and protecting it, we’re seeing many companies, for example, including Fortune 500 companies. If you think about, say, cloud environments, many breaches happening in cloud environments, even though most companies are now using very, very solid, quote unquote, cloud security solutions.

And when you talk to these security teams about how did that happen? You’re using really good tools which were supposed to be able to stop these attacks and these breaches. The answer is we didn’t know about the asset or we didn’t know there is a coverage gap of these CSPM, C&M security controls over that environment.

And so one of the most valuable processes approaches in cybersecurity has always been combining reconnaissance, which is the process where usually attackers, it can also be a red team, go from just company name and tries to understand the organization’s structure, what kind of things beat machines, applications, cloud environments, other digital resources, they have that as an attacker you can interact with and then actively, quote unquote, test them and find ways to really exploit those things to find, again, the path of least resistance to these sensitive information or critical access to interesting stuff.

And so traditionally, running reconnaissance on a large enterprise can take weeks or even months and then the testing portion can also take between a couple of days to a couple of weeks to compare application and large organizations can have tens of thousands of web interfaces exposed to the internet.

And so using AI today, you can do things like map the whole organization’s structure and contextualize the connections between these organizations. For example, if right now, the audience, the listeners, you go to Google and you ask Google, what are the subsidiaries of Deloitte or Google itself? And then you compare the answer, which would be very basic, to Wikipedia and Standard and Poor database and a few others. And then you compare it with what you’ve seen in the news or some filings in the last year.

You’ll get different answers and each of these answers will have some false positives and some false negatives. And so as a security organization, if you don’t even know the organization’s structure, how can you find the related assets and how can you tell if, well, what exists and whether that’s protected or not.

So that complex process can be automated today where it’s in professional language, it’s a recall and precision challenge, recall in terms of, quote unquote, finding all the stuff, precision in terms of being very rarely wrong and providing evidence and context so that the user can understand why the machine believes that this random company or this random digital asset is actually mine.

So that’s an opportunity, for example, to save weeks and months of manual work. And extremely today you can achieve, call it, 99% recall and 95% precision, which sounded impossible to, I think, most people just a short while ago. And it’s really hard to achieve.

Another interesting challenge that is, well, very challenging at scale is classifying assets into their business purpose and attributing them to their organizational owners. So if you ask any risk leader or even IT leader, what do they think about their CMDBs? And can they trust them?

And one of my favorite questions is, what percentage of your IT assets on your CMDB is actually attributed to anyone or classified to anything meaningful? And the answer is usually between 10% to 30%. Well, if that information is supposed to guide risk prioritization and the remediation process itself of vulnerabilities, misconfigurations, et cetera, what chance do you have to have an effective process? Very low.

And security controls usually rely on what’s in your CMDB or similar data sets. And so that was also a problem that was extremely interesting to solve, which took a few years, by the way, using NLP and Bayesian ML models. It requires a graph data model of your all IT ecosystem, essentially, if you want to be precise with heuristics, which is also a different approach to this problem, meaning, deterministically, you cannot solve this problem at scale, because you literally need thousands of people at the Fortune 100 company, for example, to collaborate on this over months to get it done.

And I’ve never seen it done even once anywhere. If you rely on heuristics that are very precise, then you can solve this problem at scale. And that massively changes what you can do in terms of, say, mean time through mediation of critical risks.

And just to contextualize that and what these kind of shifts mean in numbers, because numbers are useful. On average, quote unquote, vulnerability scanners and the like, show you that 3% of all of their findings are high or critical severity. When this company got compromised, they had 8 million open vulnerabilities, of which 2 million were classified as high or critical by the most common vulnerability scanner today in the market.

What can you do about 2 million severe problems when you can maybe solve, I don’t know, 50, 100, 1,000, depending on the issue, per month? Absolutely nothing. What can you communicate with management in that situation?

David: Now, Rob, as we wrap up, I’d like to give you the opportunity to speak directly to our listeners. What’s the most important thing you want them to take away from our conversation today? And what’s one actionable step they can take to engage further with your work or the ideas that we’ve discussed?

Rob: I would say that so much is happening these days, both on the call it problem statement, beat in general in whatever space that you’re in. We need to be more productive as organizations, massively more so.

My number one advice is adopt critical thinking about:

  1. What’s happening around you and your actual organizations top priorities
  2. Do be curious, learn and challenge what leadership thinks that should be top priority
  3. Especially in terms of how do you get there and how do you measure that progress

Simply doing cool new things, which is often not a bad idea, will not necessarily get you to anywhere good. So critical thinking is just such an important thing these days and actually AI is making us sometimes lazy a little bit because there are so many low-hanging fruit scenarios where a lot can be done but it can only solve 80% of your problem.

Anyone who used any LLM learns that probably within seconds or minutes. So that’s just a dangerous trap or having critical thinking varies extremely important.

As it relates to CyCognito, we help many, many security teams now over 20 of the global 100 companies to understand how attackers see their external exposure and external attack surfaces using AI machine learning and many modern techniques as well as actual attackers experience and approach and making it extremely relevant to understanding what are the five things that can help attackers breach your company.

So I was happy to talk to folks who want to learn more about the topic and solving these problems with their organizations and excited about this space and everything that is going on.

David: Fantastic. Well, Rob, so great to have you on Humaine. Rob Goresy, the co-founder and CEO of CyCognito.

Rob: Thank you, David.