From 6b2fd7f9db99d1868fdbccb37a9c547b55bd606c Mon Sep 17 00:00:00 2001 From: Alone2671 <62079805+Alone2671@users.noreply.github.com> Date: Sun, 19 Nov 2023 22:04:40 +0300 Subject: [PATCH] Update How-GenAI-Agents-will-Dramatically-Change-our-Industry.md --- ...s-will-Dramatically-Change-our-Industry.md | 1012 +++++++++++++++++ 1 file changed, 1012 insertions(+) diff --git a/content/sessions/2023/mini-summits/Oct/DevSecOps/How-GenAI-Agents-will-Dramatically-Change-our-Industry.md b/content/sessions/2023/mini-summits/Oct/DevSecOps/How-GenAI-Agents-will-Dramatically-Change-our-Industry.md index 3963c974ca4..2059a7ed1c8 100644 --- a/content/sessions/2023/mini-summits/Oct/DevSecOps/How-GenAI-Agents-will-Dramatically-Change-our-Industry.md +++ b/content/sessions/2023/mini-summits/Oct/DevSecOps/How-GenAI-Agents-will-Dramatically-Change-our-Industry.md @@ -41,3 +41,1015 @@ The landscape of our industry is shifting, morphing, and evolving, with GenAI ag πŸ”— Secure your spot NOW and join us in exploring the enthralling world of GenAI and its boundless possibilities. πŸ”„ Share with your network and let’s dive into the future, together! + +## Transcript: +Dinis Cruz - 00:06 +Hi, welcome to these open security summit session. I'm actually going to +be doing a presentation and again, feel free to ask questions on this end. +My kind of view is that I really believe that geni agents and I'll explain a +bit what I mean by that. They will dramatically change our industry. It for +the better, by the way. So I want to explore that and I will go into some of +the topics where I think it will make a massive difference in there. So the +first thing is that geni is a big deal. I know everybody talks about it, +everybody talk kind of it's a lot of hype. And also there is a lot of hype. It's +a bit for some of you guys have been around here for a while, you know, +that's what happens, right? + +Dinis Cruz - 00:51 +Like the cloud had a lot of hype, the internet had a lot of hype, mobile had +a lot of hype. And there's parts of it that there's going to go up and bust, +lots of investment on crazy stuff. But I think the fundamentals are there. +And Max, one of the slides I don't have here, but I want to add is it's a bit +like we created Jarvis, if you know the analogy from Iron Man, which +know, as you can see in the movies, is a great help know Tony Stark to +build all sorts of crazy stuff, right? But then it's almost like we launch it in +the world by asking it to write some poetry or do some stuff and then he +hallucinates because it tries to help. And then we go and say, see, that's +really bad. + +Dinis Cruz - 01:33 +So I actually think hallucinations are something quite good and I'll explain +in a bit why that's the case. So this will bring a lot of change. They're very +fast. But there's always this thing, right, like people get excited, some new +things. And I think we're getting into the chasm bit now because there's a +lot of people that's interesting, but it's not for me. And there's also a lot of +people that go away, what's going on? And some people go, well, my fax +machine back, right? But there's always a lot of challenges here. So I +really think we're now getting into this chasm bit. + +Dinis Cruz - 02:03 +And you can see it, you can see that after the excitement, there's lots of +even a lot of very clever people, right, and a lot of people that have a lot of +experience and they really now saying that it's not a big deal, it's not +going to be as much it is. And I think they're looking from the different +angle. They probably are correct in the way they're looking at it. But I will +argue that there's a different way of looking at this, which I think very +exciting and just about everything will be impacted, right? And that's the +bottom line. The same way that you can argue that Internet and +technology but let's say the Internet is now impacted just about every +industry, sometimes for the better, sometimes for the worse, right? But +everything will be impacted. + +Dinis Cruz - 02:41 +So one of the things I find interesting is this analogy of gen AI with +electricity. Because at the moment everybody in a cybersecurity team and +the analogy here was why everybody in cybersecurity team needs to be an +AI user expert. But I would argue that in other teams need to be the same +thing. But what you have is we take for granted that you want people to +be an electricity expert, a power user, at least a computer power user, +internet power user, email power user. But all this stuff, especially I would +say email didn't exist, internet didn't exist, even computers, right, for a +while. They were not really the productivity tools that we have today, but +we now take it for granted. So the difference is that this change is +happening at a much faster pace. + +Dinis Cruz - 03:26 +But in a way, my hypothesis here is that I would say that everybody in the +cybersecurity team needs to be an AiPower user because of the force +multiplier, because you will make their world. In fact, I would even argue +their happiness in how they operate a lot higher because a lot of the +frustrations that we have today, we now have a way to deal with it and we +can scale in ways that we could never before. So the key here is when you +look at everybody impacted, it kind of falls into free gaps, right? And +people should be excited. In fact, I think a lot of companies should be +doing they should be very excited and they should be panicking because +they really should be looking at it from a very effective way. + +Dinis Cruz - 04:08 +But there's also a lot of people that are ignoring it and go, yeah, it's all +right, we can live with it. And I think there's also lots of industries and +companies and professions that in the past it was okay, right? It was okay +because the incremental change that was coming was 1020 percent. It +took a lot of years to do it. You could even ignore it and then catch up +later and still be okay. I think the rate of change is very different and the +acceleration that we have now is massively different. And I actually think +that the sweet spot is you should be panicking because you should be +understanding that you don't have a lot of time. + +Dinis Cruz - 04:44 +But you should also be very excited because you should be able to really +take your services or your tools or your products or what you provide and +where you add value. You can take it to the next level. In fact, you could +even dramatically increase your market because you can now provide lots +of great services to other markets that before you just couldn't or it wasn't +scalable to go there, right? And here's the killer thing, right? This is some +of the companies that are panicking in the last two years. And these are +not small players like Microsoft, McKinsey, AWS, Google, they all realize +that in a way the gen AI, the AI world is really going to make a massive +difference in their companies and they've made in a way a very good bet. + +Dinis Cruz - 05:28 +So you could argue that somebody's been doing this for a while, but what +could have happened was you could argue that Microsoft didn't panic +enough when the mobile came along, even when the cloud came along and +they missed the boat, right? They're catching up, right? They took a long +time to be at a good place and in the mobile they completely lost it, right? +Same thing with in a way if you look at AWS for a while, they didn't really +had a good AI strategy and good AI models, right? They use in some areas +but now they're really bringing to the next level. They're kind of catching +up because again they saw the opportunity and Google is another massive +one, although they were investing on it. + +Dinis Cruz - 06:09 +The reality is that I would argue that AI posts can pose an existential +threat to a lot of the Google stuff. Like I dramatically reduce my Google +usage and when I use it now it just feels primitive and I hate it because it +doesn't have was doing this presentation when I did the first round, it was +so frustrating to use Google images because it just didn't understood and +I'd have no way to communicate my intent. So a big deal, right? And now +if we talk about cybersecurity, here's the thing, right? In cybersecurity, in +the world of cybersecurity, our industry is also part of the problem because +a lot of the times, if you think about it, we live in the fringes or part of our +industry of inefficiencies of other teams. + +Dinis Cruz - 06:51 +So other teams have inefficiencies or they don't have a certain amount of +knowledge or skill or to be honest, not even their problem is the model +that they're in where they're not given the time and the budget to do +things in different ways and sometimes better ways. So we kind of evolve +to add value there. But the reality is that if you look at our industry, half of +it or most of it is fucking broken, right? You move the needle from a little +bit to a little bit, right? Sometimes some of these security products in here, +one of some of these logos, they're more insecure than some of the stuff +that we have in our network. So some of them you could argue that we +have a negative risk score by putting them in a network, right? + +Dinis Cruz - 07:34 +And it's just crazy how we have this massive industry where actually a lot +of this we should be looking at how we improve others. But I get why we +had this because there was lots of problems that it wouldn't scale +otherwise. So why market economics allowed the creation of all these +industries and tools and companies that exist there, but a lot of these +freaking broken. So the thing I want to be very clear here, all the thing I'm +talking about, and especially the AI opportunity is not about the +terminator that is a real problem, but it's not to be solved here. And it's +not the world that we operate that needs to be solved. That needs to be +solved at a different level, the same way that we are able to control +nuclear weapons and other things. + +Dinis Cruz - 08:19 +And yes, there's going to be problems and we will need to do something +about it. Right? But this is not what that's about. What this is about is also +this is not about being fired, right? Look, companies that want to fire +people, they're always going to fire people. They don't need geni to do +that. Basically, there is a change like exists in a lot of industries. The same +way that we don't have professional typewriters anymore, we don't have +people that drive horses and carts, right? There's a lot of professions that +have been evolved. Yes, it might disappear, but I don't think that's the +world that we're getting in the short term here, right? What this is all +about is about scaling and making the human better with the agents. And +at the end of the day, look, stupid people would do stupid things, right? + +Dinis Cruz - 09:07 +If you're a lawyer and you check TPT to help on a case, right? And you +don't check the references, especially knowing the thing, hallucinates, +dude, you almost deserve it, right? And like these guys here, right? If you +do that as a thought experiment, maybe there's a bit of a Darwin award +here going on. So again, we don't control that. But what's important is to +understand the concepts. So I want to walk you through a little bit my +thought process and why the paradigm shift that really made me think +about how all this works, right? So the GPT thing is actually worth +spending the time. Over the summer, I took 30 books on my holiday. We +drove to where went so I could take it and I really went deep. + +Dinis Cruz - 09:51 +But the more I went deep, the more I realized that the GPT concepts really +hit me. And I really got a good understanding because I think each word is +very important. The generative, the fact that it creates something, there's +an air gap and I'll talk a bit, the fact that we pretrain it and we train it +almost in a particular direction, I think that's very important. And then the +transformer, which is fundamentally how you map the connections, how +you're able to provide context between the words or images. And I'll show +a great image. That was, for me, the big paradigm shift. + +Dinis Cruz - 10:26 +So when you look at the generative, this is the bit that really I start to +understand the power of this which is the way I think about the +generative, is that you have an input, you have an intermediate +representation and then you have an output. By the way, the reason this +images here suck is because I've seen image in the past and I was trying to +find them and I couldn't find them. So this is kind of the best I could find +when I was building this. Right? Definitely need improvement. But to be +honest, it's the generative workflow, but it's literally you got an input, you +got an intermediate representation of that input. And then what we +become really good is creating really good transformations out of that +one. + +Dinis Cruz - 11:04 +So not transformation, but a word equivalent outputs from that are now +good enough or are as good as the input and then we become good at +connecting some of those dots. Right? But the really important thing is +that intermediate representation and the other key concept here, and this +is for me, was the killer interesting feature here, is that the cost of +creating a new output is actually linear, right? So that means if it costs a +or of course X to do one version, it's going to cost two x to do two. And +three four is the same minimal cost and it's actually quite a low cost to +create that other data. And it also means that whatever output you have is +just one of millions, billions of what could happen based in the way of your +prompts or some of your inputs. + +Dinis Cruz - 11:56 +And again, that's a game changer, which I'll go in a bit. The transformer is +also one of those things that the more I looked at it, the more it clicked +and the more you kind of start to realize that's how it works. And it's +interesting because now when I use Chattbt quite advancedly, I can see in +action, I can see how he operates. In fact, I now can understand the clues +that I need to give it because of the transformer and the fundamental of it, +of the transformer. And this was, I think, the big sort of paradigm shift is +that as the words come along, each word in a way gets assigned a +particular set of weighting depending on almost the context of the other +words and almost like finding a way to provide attention to say, what is +really important here. + +Dinis Cruz - 12:43 +So you start to understand, or the logic as it builds, you start to +understand the difference in context of what's happening. And that's +massive. So I kind of view the transformer as a way to almost think, pay +attention here, pay attention there, this is relevant, that is relevant. And +then it's like a massive graph that goes along. And I saw this great paper +recently from the anthrophobic guys, phobic guys, who actually are the +ones behind Claude Two, which is another really good, basically model. +And they were basically trying to understand how it works. And this is the +killer thing, right? Remember that up until now, we still don't have a good +understanding exactly how the language model works, exactly how cloud +two works, how Chat GBT works. + +Dinis Cruz - 13:29 +It's one of those engineering problems that we haven't solved, which is +crazy, if you think about it, because there's so many layers and you don't +connect. And one of the things these guys looked at is basically saying, if +we look at the neurons individually, they couldn't find a connection +between the neurons that fire that were activated based on the input. But +what they've done was they created a bunch of clusters, a bunch of what +do you call features, which are basically certain groups of neurons in a +certain way. And once they've done that, then they start to get a one to one +mapping between, for example, English inputs and the output, or Korean +or maths or DNA sequence, et cetera. + +Dinis Cruz - 14:08 +And even cooler, they found that if they take a particular, say, numbers, +which provids numbers at the end, but they start to modify the activation +elements, that basically the neurons. That neurons who basically tend to +be activated. So they overstimulate those, you get the results in whatever +you wanted. So suddenly you go from numbers to Korean to English to +DNA sequences to whatever, HTML, et cetera. So that was a really cool +example, which actually raises some interesting security concerns, by the +way, the more we evolve into this and how models can be manipulated. +But again, great research. And this is all about the transformer. And +there's some really freaking cool visualizations, if you follow the real +paper about this. Now, this is the image that made me understand Chatt +and made me understand Gen AI and made me realize we're now into +something massive. + +Dinis Cruz - 15:02 +And let me walk you through this picture. The square in the middle, +rectangle in the middle is the original picture. So that's the original +painting. The big picture is, in a way, Adobe Firefly to create a large +format of it based on the initial image. But you could see how it flows, +right? You could see the sun there having this flow. You can see this +window part here. You can see the town being bigger. You can see the +difference in colors. That makes sense. And when I saw these images, I +had a big paradigm shift because although it was image and now you can +apply the same thing to text, but I start to realize that this is something +that you can't Photoshop this, right? You can't do illustrate. + +Dinis Cruz - 15:49 +You can't create this almost from scratch unless you understand the art, +unless you can replicate the artist format in beginning, I swear, unless you +can understand almost the context and the language and the intent of the +original painting. And that's massive. And then if you connect this to the +fact that the cost of creating the other edge, another version, is the same +as to create this version and this is where now you become an art director. +This is where you start to look at the intent. So you can argue and say, +actually, I don't want a town on the left. Actually, I don't want that big sun +to be there. Actually, that moon represents something else. I want +something going on. You now can art direct this and you can make +changes based on the prompts. + +Dinis Cruz - 16:36 +And the cost of creating a new one is the same cost of creating this. And +that is a massive change because usually what happens is that even when +you take things like threat modeling and other things that we do and +documentation and mappings and languages and even stories, you do a +great first version. But then Tweaking, it is where you spend a lot of time. +So this allows us this generative mode allows us to now be very productive +in the customization, in the improvement of the final thing. But this is very +important. Somebody, an artist, still has to validate the final finding. +There's still a creative process to say yes, that conveys the meaning that I +wanted, that conveys the original stuff that well represented. + +Dinis Cruz - 17:29 +So, for example, here you got Mona Lisa on the left and then you got +Nirvana and you can go Adele in here and you get, for example, a joke on +the right where you go, oh, look, I can put the Metallica Master of Puppets +in a cake, right? But you see, that shows again the power of this where +you can now go, I don't want that lake on the left. I don't want something +on the right. I don't want a shark in the Nirvana thing over here. Adele +actually shouldn't be smoking something or whatever something else, or +she should not be in a like literally, you can now think about what do you +want the message and the creation to be? + +Dinis Cruz - 18:09 +But this is the part of the generative where the middle bit now can be +manipulated and translated and talked to in order to create the output. So +you can turn around to the right and say, well, I don't want that to be a +cake and that's fine. You get another version, or I want that to be +something else. I want that to be these fields. I want that to be a war zone. +I want that to be whatever you want it to be, right? And that's insanely +powerful. So that was the one that really made me think of the power of +the generative. And then when I apply that to risk, when I apply that to +our industry, I see insane parallels that you got. So fundamentally, what +you have is this. + +Dinis Cruz - 18:44 +You got an input, you got an intermediate representation and you get the +output. And that intimate representation is fundamentally what Gen AI is +creating is all those layers that exist. And the reason we don't fully +understand it is because at the moment we still don't understand how a lot +of the relationships between those layers occur in the large language +models. But this is insanely powerful because based on the inputs that you +can provide, you can now control the quality and the directions of the +output. And it's very easy to create new versions of this, which is super +powerful. So fundamentally, the view where I say gen AI can add a lot of +value is in managing complexity. So we now are able to tackle issues that +before was just too complex. And that's insane because in a way, how do +we scale this? + +Dinis Cruz - 19:34 +In fact, that's a simplified version of everything that the CISO needs to +care about from a security point of view. And this is even missing things +that happened recently. Right? Again, the services on the left is an example +of services that I created in one of the teams I led. And we had to provide +all those kind of services to basically help the business. But how do we +scale this? And in a way, let me now give you some examples quickly on +some of the areas where if you apply this concept of gen AI, we will have a +massive impact in the scalability. So the first one is communication. We +have a massive challenge in security of communicating. It's not just with +board members, it's with execs, even within ourselves, with other teams. +And the problem with communication is scale. + +Dinis Cruz - 20:24 +You can sit down and take a particular risk, a particular vulnerability, a +particular finding, and if you have enough skills or understanding of the +problem, you can write that for a particular audience. And if you do that, +usually you're quite successful. The problem is that in security we have +literally every part of the business is our stakeholders. So we need to have +messages that goes all the way from pure financial, to communications, to +customer focus, to pure technical, to strategic whatever, right? So the bet +that I never could see how we could scale was how we could figure out +how to communicate to a target audience. And fundamentally before chat +GPT, the idea, and I tried to ask my teams, but of course that it could +never have worked, right? + +Dinis Cruz - 21:14 +Because the idea is that we have a message and we will go, okay, so we +need to take that message and we need to give it for that particular person +or that particular team in their particular language, in their particular +culture, in a way, in the particular state of understanding that they got. +That is ridiculous. Right? Because the engineering cost and the bill to do +that will be too greater. And then you have 20 of those stakeholders, or ten +of those or 50 stakeholders where each one of those really needs a +consistent message, but it needs to be translated, like I said, in their +language, in their culture and their understanding, in their skill set, their +background and all that. But now we can because in practical terms, you +can have a prompt and I'll show some examples in a bit. + +Dinis Cruz - 22:01 +We have a prompt say, hey, you are an advisor. Here is the communication +I want to give. Now explain this to a particular audience and guess what? +Chat GBT or whatever, what you're using is able to do that. And ironically, +that's what they're really good at. So Hallucinations I think, is a good +thing because they really show that the limitations of what is supposed to +be doing and it shows that we shouldn't be taking some of the outputs at +face value. But the point here is that what it allows you to do is allows you +to take a professional and say, I want to communicate this and this is my +intent. And then allows Chat GBT to go, cool, what about this? And then +you read it and you're going, yeah, that's what I want to say. + +Dinis Cruz - 22:47 +Sometimes it may go E, that's even better way of saying what I want to +say than I was able to do. But it's still you validating. It's still you basically +saying, this is my idea, or this is what I want to say is this that is now +translated in all sorts of different languages and cultures, which I think is +insanely powerful. So I think communication is an area that is going to +make a crazy difference, right? And if you want to see a good example of +communication failure, today is risk. So for the first time we have the +ability to scale our risks. We have the ability to create risks, ability to scale +the creation of risk, scale the mapping of risk, scale the connection of +risks and scale the explanation and the risk acceptance. + +Dinis Cruz - 23:34 +And before now, all of these required in a way, insane amount of +engineering, insane amount of graphs. And even then it wouldn't really +work. Now when you add to the mix the ability to take a message and +transform that message based on a particular set of rules and intent and +requirements and data sources and that can be translated into, again, +different languages, different cultures, different experiences, different +analogies, different this is really important and different context of +understanding. So it means you're taking into account where the other +person is in their knowledge and you continue from there, which is always +the best way to teach, the best way to communicate because you're +providing information that's almost like 100% relevant to that particular +individual. We can now do this. + +Dinis Cruz - 24:26 +So imagine if you're talking to a board members, you can now create +customized messages to each one. Why is it important? How does it relate +to an MBA? Okay, here's the risk data from a point of view of an MBA +CFO. Here's the risk point of view. CFO, Chief People Officer here's the +same risk from the point of view of people. In the past we tried to do this, +but he couldn't really scale. Now he can. But you can keep going down. +You can go to the execs and then to the teams and then the project +managers and even to the developers. You can have almost like the same +risk explained completely vertical on the whole organization. And you can +then say, hey engineer, you need to do XYZ. Here's why. + +Dinis Cruz - 25:06 +And here's why it matters in a way that it makes sense to you that it +connects with a wider even business direction, objective and risk to the +business. So we can now create all these translations that in a way the risk +is still the same or the model is still the same, but the views of it are all +different and that's massive. So I think for the first time we're going to be +able to really do something I've been trying to do and I've done to some +extent, but it's really hard. But I feel now much more possible, which is to +have a direct connection between the top level risk of the company and the +risks that the individuals that are doing something about it actually are +aware of. + +Dinis Cruz - 25:47 +And there's a connection behind all the way in a graph, but also in context +all the way there. And this is super critical. So that means that somebody, +for example, in the cybersecurity team or an engineering team that is +doing something, they should know exactly what risks they're mitigating +and maybe even what risks they're creating. And then when we go to the +program owners, we do the same thing. So this is a really great way to +scale. And if you want another area where it's not being effective today is +third party vendor management. And part of the reason is because even if +you have a good mature process, and even if you tweak a little bit, it's still +spreadsheet driven. It's still very non context specific. + +Dinis Cruz - 26:29 +Because even if you mature have tons of questions, tons of things, and +maybe you've been tweaking a little bit, that's nowhere where we need to +be. Because what we need to do is this is a good example of bots. And +again, take into account that these days you can already have private +bots, private LLMs that run in your cloud environments, run in your data +center. So the idea of data leakage and influencing models, we kind of +pass that, which is great. And also in a lot of these things we don't really +need to tweak the model itself. What we need to do is add good +information for the model to understand. So if you imagine here you can +say, all right, you are a third party vendor management bot. + +Dinis Cruz - 27:09 +Here is our current vendor management policy and structures and +questions and this is what we need to know. Here's why we need to know +that. That's quite important. So then there's consistency. And now here's a +particular vendor. Now for example, we can even say the bot, okay, start +asking questions and. Chat DBT can already do this, by the way, and you +can say, hey, have a conversation with these third parties. So now the bot +can start asking questions to the third party, can be given information, and +then you can provide guidance to the third party. Okay? So you need to +implement this. This you care about, this you don't care about that. Yes, +based on your team size, you could do internally, actually, there's no way +with your current team size you can do it. + +Dinis Cruz - 27:47 +So you need to find a vendor, for example, that will give you this you can +even create a brief. Here's a brief for your vendor, so you can see that we +can now take a lot more ownership on helping our third party, which, by +the way, is part of our supply chain. So they're critical part of your +infrastructure from security point of view. But we can not only be able to +evaluate them better, be able to make better security decisions, especially +in the procurement stage, but also we can help for the vendor that we're +working on, we can help to make them more secure, we can help to raise +the bar at the end. And actually, we done a lot of costs for us because we +just implement the bots, implement the agents. + +Dinis Cruz - 28:23 +And this is kind of what I mean by the agents, which is these bots that act +on behalf. And you have multiple agents working together, documentation, +which is one of those things that got thrown away in the last 1015 years as +we gained speeds. And yes, there's an argument to be said that in the past +was probably a bit over the top. Again, it didn't really scale and it was +quite costly, but we kind of went to a mode where not everybody does it, +but a lot of teams go, oh, the documentation is the code, and we are agile. +We don't documentation and we don't have diagrams, and our system is +not we can't stop to draw the whole thing and how it works. Which is +ridiculous, right? Because if you think about it, they want it's just that they +don't have the time. + +Dinis Cruz - 29:07 +So it's not that if you go to a team and say, hey, you need to maintain the +system, would you like to have very highly deep tell documentation about +how it works? Why the decisions were made, what's the behavior, what's +the flow? Data paths between here, architecture, how does it work even +visually? Because that's how people like to think. Everybody would say, +yeah, give me to me. Right? The problem is how to get it done. So one of +the insane powers that you now can do with the LLMs is you can use it to +document it. + +Dinis Cruz - 29:35 +A simple example is take a Git diff and feed it to Chat GPT and you get +some amazing technical explanation of what just happened that commit, +and you can say, give me a business analysis of this, give me a technical +analysis, give me a security analysis of this. And so we now can get to the +point where we can really document effectively our code and we can start +to have a much bigger 3D view of our code, of our structures, of our +environments, and we also can start to capture the meaning of it. So +imagine how awesome would be to be able to describe. Here is what's +happening in this cloud formation script, which by the way is completely +unreadable beyond a certain point. Right? Here's this helm chart, here is +this code commit, right? + +Dinis Cruz - 30:18 +But here's the intent, or here's the intent of the changes you're making. +Now think about how awesome would be to go whoa, hold on, the intent +changed and that's suddenly something that will always go, not always, +but would sometimes go under the radar because it was not obvious. That +particular change of intents and maybe this change of intent is not even in +the second, 3rd, 4th level is on the fifth and the 6th, or maybe the +interconnection between systems. All these things I just spoke for the last +minute were absolutely impossible to do, require a huge amount of +engineering time and money to do it and actually nobody really done it +properly, which is why we don't have it today in our workflows. + +Dinis Cruz - 30:57 +But that all changes because now we can really start to understand and +we can get chatgbt to start explaining the materials, what's going on. And +by the way, all this should be version controlled. So this is not about +creating materials and stuff on the fly. This is like we should be using and +verifying the outputs. But the speed that you have and almost the +experience is completely different. I like to read the commits analysis +created by chatgbt of the code that I just commit and I actually find it +quite interesting because A before I don't have to write it b because I'll go +oh yeah, I also changed that I catch things and I can fix things quickly +because that's not really what happened. + +Dinis Cruz - 31:39 +So you can get rid of that but it's so much more effective and it becomes +part of your commit workflow. So again, this is going to be massive threat +modeling. Listening to a Gary McGraw amazing podcast the other day +and one of the things he said is that one of the problems we need to do is +we need to scale threat modeling. We haven't figured out a way to scale +threat modeling. And I completely agree, threat modeling is an amazing +practice, done well, makes massive difference. It's a great way to +communicate, great way to teach, great way to understand what's +happening, great way to model threats fundamentally what the name says. +But we can never scale. + +Dinis Cruz - 32:13 +And we can never scale because how many of you guys then thread model +where literally it starts by somebody saying yeah, this is how my system +works, right? They start to draw it. Think about how many degrees of +failure we already are. Because if you have to draw your architecture +means that architecture only lives in your head, means there's no up to +date environment that you're comfortable to actually represent what +happens in the real world, we can now do something about it. So imagine +not just threat modeling being used to create better materials, but then +modeling the threads. And again, the other problem with threat modeling +was the explosion of potential threats that had not a lot of context, which +always reduced the value of the threat model. + +Dinis Cruz - 32:56 +So we can now have context, we can have risks, we can have +environments, we can have controls, and then we can say, okay, here's the +model of what's up, here's the threats. But now apply the context and +suddenly you get a much smaller but highly focused and realistic set of +threats and risks connected to that. What are you analyzing so very +exciting about how we can now start to scale threat modeling using the +Genai stuff. And again, code reviews, like I kind of covered already. But +imagine a Gen AI powered code review where you can also start to ask a +lot more interesting questions and capture those questions and scale and +start to talk with the bots about the intent. So I have some really +interesting conversations with Chat GBT, and I have to say that the +answers are amazing sometimes. + +Dinis Cruz - 33:45 +And I have these full on conversations, what about this, what about that? +It's like having this copilot, right? Literally this helper that has a lot of +wide set of knowledge, doesn't need to be all perfect, that's fine. But he +really helps a lot and he really augments it. And one of the last ones, +instance response, right? Imagine an instance response world now driven +by Gen AI. There's a great session that was done yesterday about a tool to +recreate a lot of attack trees and basically possible scenarios based on the +attack mitra framework. Really cool stuff, right? But so, again, on instant +response, there's so many areas that we can start to have a good amount +of context so we can say, what happened here? What's the problem? This. +What's this signal? What's that? + +Dinis Cruz - 34:32 +So we can really lower the noise that we've got, but increase dramatically +the signals that we have here. And training is an area that I'm actually +quite passionate about. And I do think that this could be one of the biggest +game changer, which is we now will have the ability to create custom +training materials that are adapted to an individual, to a particular +culture, to a particular language, to a particular understanding. And we +can create this personalized patch, which I feel was always the problem +with the more traditional training. That had to be a lot more generic +because there was a wider audience, but also the cost of customizing the +training was always quite high. + +Dinis Cruz - 35:16 +So if you look at some of the people that are talking about gen AI in Africa +and other developing countries and environments, that basically it's like +actually what happened in Africa, where they jumped from phone lines to +mobile, right? They almost skipped a generation, which can be sometimes +quite good because then you don't have legacy. But it's not just that. I feel +that even when we talk about skills transfer and bringing people from +other industries into our industry, we now have the ability to create highly +customized training packages, environments that you can talk to, you can +ask things. You can go to chat DBT and say, hey, I want to learn this. +Explain it to me, or give me a training plan, or ask me questions, or give +me almost like, the ways to learn. And it's okay. + +Dinis Cruz - 36:04 +You need to figure out the best way that you can learn or somebody can +learn. But I feel that can scale a lot. And in cybersecurity, a lot of things +that we do is training. Training our teams, training others, educating, +communicating. So I think this could be massive, right? Been talking for a +while. There's just one more little topic I want to talk about. When I learn +these things, I kind of like to basically be hands on, and I like to be +involved in sort of practical ways because or else you just go on tangent, +right? So one of the problems that we know is, how do you make board +members understand cybersecurity? That's quite a common problem. We +even have a session today, and there's common sessions about literally +how do you communicate. + +Dinis Cruz - 36:48 +And also, board members want to know about cybersecurity because they +also know that in some ways, they start to be accountable. So how do you +make a board member understand and have a safe place for them to talk +and engage about cybersecurity? So playing around with it. So we kind of +created the cyberboardroom.com, which you can go right now and create +an account. It's free, right? Play around with it. And let me give you a +quick demo. So if you go in there, it kind of looks like this. So there's some +content in here that you can read. But the interesting thing is, we actually +created three bots, which I'll walk you in a bit. So the idea is, these bots +are the ones that provide advice and custom content to the board member, +right? + +Dinis Cruz - 37:34 +So what you can do here is you can say, so Athena is the one we called it +and say, hey, and I prompt the question here, say, Good morning. What you +do? So basically, this is the bot that is now saying, hey, look, I'm Athena. +I'm an AI advisor created by the Cyberboard room. My purpose, to assist +board members like you. So think about how cool it is. It already has +context. He already knows that I'm a board member. He already knows +that I care about security. He goes, okay, how can I assist you? Right? So +you can now say, okay, I'm on, let's say, the finance industry, and I'm +worried about ransomware, so you can do that. And now this is the cool +thing, right? So now I'm going to get context about it. + +Dinis Cruz - 38:29 +I'm going to say, okay, ransomware attacking, and he had severe +consequences spread for organizations, blah, blah. And then you could say, +okay, give me some information about your environments. But you can +even go, okay, actually before that, can you explain ransomware for +somebody, let's say, like me, with limited cybersecurity skills, but I have a +strong financial background and have an MBA, sorry, have a master +business administration, right? So you can see so now I can private and +say, okay, can you explain this to me? But I don't have a lot of super size +skills. But then financial background. So what's going to happen now is +basically the bot provides information about that in that world, in that +language, in a way, starts being adapted to that particular context and +that's super critical. + +Dinis Cruz - 39:49 +And if, let's say you just like bullet points, you say, can you explain it +again? Only using bullet points, right? So basically this is where you now +can be super creative, right? It's about the person on the other side, +basically the individual that says, this is how I want to learn. This is the +question I have, this is how I want to do it. And then you take it from +there, right? So it's a pretty cool thing. So we're exploring with a lot of +ideas in this. Again, please have a go, play with it and okay, I'm going to +try something. Let's see if it works, right, is you could also change it, the +context of it, right? So you can modify the behavior of this, right? + +Dinis Cruz - 41:07 +Actually, I think it's interesting because actually, I'll say in a second the +bot, because actually, okay, this didn't work. Actually, it's good it didn't +work because we actually primed the bot to be helpful, an optimistic +advisor. So there's some prompt. This is actually good example, prompt +injection. So good thing it didn't work, right? I'll show you an example in +a second of that. So the thing that is super powerful here is that all that +you saw there was created by this part here. And this is what's insane, +right? So if you look at basically this is that bot that you just saw there is +basically powered by this small little bit where this is called the original +prompt. So all the questions came after this. + +Dinis Cruz - 41:55 +So you go, you help an advisor, you created by the boardroom, you're kind +and your job is to help. So you can see, that's why I was saying don't be +jaded, right? And then be proactive. So that's why you can see the bot was +asking questions to clarify and also give a nice message. And also we can +then do things like this. So we also say, hey, you got two siblings, you got +Odin, the tech bot. So we're actually creating another bot to things this, +and Minerva, who's the business bot supporting this stuff, right? And if +you've seen Encanto, you get this joke. You'll say, hey, there's also Bruno, +right? But we don't talk about him. + +Dinis Cruz - 42:27 +So, in fact, even here, if I go back to the bot and start again and then, you +know, hello, how are say, you know, do you have siblings? Right? What's +cool about this is you can see this got created just from that small little +thing I said, like my first sibling, which is a tech part behind capabilities. +Odin helps me with up to date list advances. The other is Minerva, with the +business support and commercial metaverse, all this stuff, right? How do +you work together? So you can see that this is where Chattyput is quite +cool, right? Because it creates a nice narrative, creates a nice +environment, and basically it's all based on the stuff that we provided. And +I go if I go, anybody else? + +Dinis Cruz - 43:20 +It now is going to go, actually, there's one more member of the FEMA +Bruner, but we don't talk about it. He's still in development and actively +involved in our conversation, right, but you can see that I found it's really +cool, right? Because you've got this cool sense of humor, of +implementation. And I want to show you one final little thing. So I wrote +this nice, deep technical blog post about it, so you can read a lot of the +details, how everything works. And I just want to show you one little thing +which I actually find quite funny, right, which is fundamentally this bit +here, right? So if you go into sorry, let me just find it. Okay, so I make a +little change. + +Dinis Cruz - 44:02 +And I was actually speaking to a Portuguese friend, so we actually use +camoich, which, by the way, I love to have chachi at the time because we +can really understand what the guy was all about. So I changed a little +thing here to say, by the way, instead of being optimistic, you were highly +psychic. Now, I actually found this answer really funny because if you look +at the answer that you provide, it basically is like, hey, why should I care +about cybersecurity? And the answer was, hey, good morning. Welcome +back to another trilling episode of let's try not to Get Hacked. Today +starting camoids, blah, blah, security. The share everybody's talking about. +Why should you care about cybersecurity? Where do I even start? The +landscape of doom and gloom is so vast. Tell me, do you have any +cybersecurity management in place? + +Dinis Cruz - 44:48 +Firewalls, antivirus, regular audits? Or maybe somebody who actually +knows the phishing email looks like? So I find this funny, right? So some +individuals might actually like to have this sort of more kind of jade or +sarcastic approach and others don't. Some might have very dry answers. I +like, there he goes a lot. Sister Michael, you can ask sister Michael's +version of Cybersecurity, which again is super funny. So the point here is +you can adapt to the language and culture and by the way, it already +speaks multilinguals, right? Because if I go like this oops, sorry, actually +he already answered this. If I say bondi, right? I'm Portuguese, right? He +already speaks Portuguese, right. And the answers are already Portuguese. +Right. See? So it's really cool. Right? So this already works in every +language that Chattypk supports. Right. + +Dinis Cruz - 45:46 +So again, insanely powerful and that's fundamentally it, right. So I'm not +sure if there's any questions in the chat, but that was sort of my view. Why +the agents and what we really are looking now in the medium term is a +whole number of agents that augment the teams, that make the teams a +lot more productive and really allows to take us to the next level. It's not +again, just to reiterate, it's not about job losses, it's about job +augmentation. It's about making us a lot more productive and be able to +tackle issues that in the past were pretty impossible or very hard or didn't +scale. So cool. So any questions? If not. Hey, Michael. Hey. + +Speaker 2 - 46:39 +Yeah, I had a question about inputs or lack of inputs. So when you talk +about threat modeling, one of the things I've noticed, particularly when +you're dealing with so people in the team who are more experienced at +dealing with them versus less experienced at dealing with them as you said +you're relying on being told what the system does and how it's put +together. And generally you find more experienced practitioner are better +at finding what they're not being told what's missing. Slightly input. So +would that be an example of if you liken the GPT model back to +individuals about how much the person is pretrained when they're doing it +manually and how effective we're going to be at using AI to generate those +models based on incomplete information. + +Speaker 2 - 47:31 +So if we're not able to provide the full picture of it, but how accurate that +is to come back. + +Dinis Cruz - 47:37 +Yeah, actually I think there's a couple of ways to look at that. I really look +at the models now as initial prompt who sets the stage, almost reference +information. So vector people talk about vector things, but fundamentally +supporting information and then specific questions or specific data about +it. And then the model and the model suddenly became a beauty +commodity. So one angle in what you're talking about is if we have, for +example, good reference implementations of what, for example, you're +looking at. So it's a service, a micro web service or whatever. We can say, +hey, here's what good looks like. This is the kind of stuff that we would +like to see. Okay, let's do analysis. + +Dinis Cruz - 48:19 +But I think the sweet spot here is at the moment, it's not efficient to go to +the individuals that have more experience to get them to help, because the +onboarding process of getting to the point where those individuals are +productive is too high. This is why we don't need the LLMs to produce +100% accurate information. What we need is for it to raise the quality and +to accelerate the information. So an example is, let's say that you have a +more junior person back with an LLM on maybe some junior developers to +do a threat model analysis, right? They can do that. I actually would argue +that the LLM would already provide a lot of great guidance or great +analysis, but then I could review it, right? You could review it, the senior +architect could review it. + +Dinis Cruz - 49:08 +And that's when they go, oh no, you missed this, you missed that, you +missed this because there's information. And then, even better, I can then +go, okay, let me change the prompt. So next time you look for these other +gotchas, right, so we can then learn the scalability, right? But even the +architects, it's quite funny, because what I used to do with the thread +modeling is I would do thread models and go to the architects and going, +Is this correct? And sometimes they'll go, well, that's not supposed to be +like that, and go, yeah, that's actually how it works. On the other hand, +they go, oh no, but you're missing this. Oh, you're missing that. Or the +developer will go, yeah, but there's a backdoor here because we couldn't +make that work. So we created this. + +Dinis Cruz - 49:44 +But that bit never scaled because when you wanted to go back and reflect +it's almost like you create a work of art. So I feel that the key here is to +have the expert in the mix, but we scale a lot more and then when the +expert provide an opinion, you can recreate the materials. That's why the +painting for me was such a paradigm shift, because what happens is the +expert goes, oh, that's not what it's supposed to be. Oh, that was not the +intent. Or Actually, you misinterpreted what we meant by this. But then +you can go back and recreate it again super quickly and going, okay, is +this what you mean? Is this what you mean? And that's so much more +effective than what we have today. + +Speaker 2 - 50:25 +Yeah, I'm kind of thinking, what are the other enrichments that you can +augment onto that as well? So you kind of go, yes, we kind of pull it from +what we know, but then also an ability to hook it up to your runtime. So if +you want to say, well, I know that all of these resource groups have got the +configuration, so pull that in and then here are the code repositories, pull +that in and now start to do it, and then from all of those different things, +build a more complete, accurate picture of everything. + +Dinis Cruz - 50:54 +Absolutely. I once did a security review that was one of the best ones I've +done because they gave me access to an Elastic server that had the real +time logs. So I had the access to the application, I had the source codes I +could trace to it and I could see the logs. So the 3D view that I was +starting to have was massive because even if you do a poke over here, you +can see how far it would transverse, right, all the way to the database, all +the way to the logs. Now I can see that. Look, we can now feed the logs. +I've took the TCP dump and give it to Chat GBT and you gave me a great +analysis, right? You can give now raw logs and say analyze me this or give +me the contact. + +Dinis Cruz - 51:37 +Or more interesting, this represents this request. Start connecting the dots. +So the context that you can have, you still need good data. So this is also +going to drive us to create much better data sources, much better those +curated elements that we can then give almost to a context engine that +can then understand that and we can then ask questions about it. And +that's what we never had before. + +Speaker 2 - 52:07 +And taking just obviously, like all of the different large language models +which are available out there, I know as well, there's like open CRE as +well, or there's other language models. How much of it do you think is +going to move towards for security use cases that we need to pre train +models which are customized to security or can bring in more +understanding of what that context is? + +Dinis Cruz - 52:33 +Yeah, well, I think Google actually has the SEC palm, right, which I think +is quite an interesting view of it. Yeah, I think there's definitely the +interesting thing here is then as we go into more use case scenarios, you +actually sometimes want smaller models, much more focused models, or +models like have specific set of knowledge sets. Although one area that I +don't fully understand yet is, for example, is it better to have something +you train on a couple of things or is it better to have really good vector +embeddings that you can customize, that you can even use models to help +create that you then feed a really good comprehension model. And I think +there's an interesting debate here. I think it's going to be interesting to see +which one is more accurate. Right. + +Dinis Cruz - 53:23 +And some people talk, for example, difference between long term memory +and short term memory. It's almost like I think you can pretain on intent +and you can pretain on almost like the behavior. But when you want +accurate information, it's probably better to almost give it the +information. Like, for example, is it more efficient to pretrain a model on +NIST, the whole of NIST, or to have a way to feed the elements of NIST +and maybe the context window needing to be a certain size, but then the +ads that you get are actually completely accurate to that particular, let's +say, NIST framework, okay? + +Speaker 2 - 54:01 +That's like referencing the information that you want to provide into it, +providing in the prompt at the time. So, as you said, the example of what +good looks like just going like in the prompt, here is what I want it to look +like, or here's an example of what we think is good, and then use that as +the basis to build upon, correct? + +Dinis Cruz - 54:17 +Look, we had a really fun example in my team, right, where were releasing +a particular product, and the product required a bunch of steps, right, +from set up kit, do this, get a jira token, et cetera. And what happened was +we actually used Chat GBT to go, hey, give me the detailed instructions for +this, which is actually really cool, right? Like how to do this. So instead of +you Googling how to set up my SSH key, we go, okay, here's the thing. In +fact, here's name of the repo, here's the step. So even the instructions +were already all nice, right? So we do that. We share that with the team. +And I kid, you know, a dev comes along and goes, guys, I got it. It's all +working. But I didn't install my Jira key, right? + +Dinis Cruz - 54:52 +And literally, my first instinct was like, dude, you mean step three of the +seven instructions. But then I realized, of course, the first couple of steps +were irrelevant because he had it by then. Your brain stops reading, right? +And what we then do is we say, hey, what about this? So we then say the +prompt was, you are helpful assistant. He is the raw content. Like, he is +literally the guidance. And then say, ask some questions to the user. So +then Chaijpti was clever enough to analyze that and figure out what was +the seven questions you want to ask. And then you answer those questions. +Yes, no, yes, no, yes, no, right? And then you get technical, 100% relevant +guidance to whatever that user was. So you don't have instructions one to +seven general. + +Dinis Cruz - 55:37 +You have instructions one to three that start where the user's knowledge +or the user experience ended, right? That makes the whole difference. So +suddenly, of course, he's going to read it because he's going to go, step +one, which I haven't done, and blah, blah, blah, right? And the key is that +we fed it the document, right? We fed it, in a way, the guidance, which is +why context windows matter. So you got 24 now here, you got uncharted +42, I think, or 24K, but then what's it called, plot two has 100K. So this +now becomes an interesting question of cost, even, because I've seen cases +where 3.5 charge BT is as good than 4.0 if you feed the data. So maybe +there's an earlier version that is even cheaper, right? So we don't need. + +Dinis Cruz - 56:24 +To use the superpowered one to perform an action that actually a much +lighter, maybe even faster and cheaper language model can run. + +Speaker 2 - 56:34 +Yeah, because we've been using it for well, not in anger, but using it to like +going back to one of the earlier points around creating content for +different personas, as in take these requirements and turn it into stories +that engineers or product owners can pick up and play. So about using the +translation between well, as a security team, this is what we mean, but +let's write it an example of something actionable for teams. + +Dinis Cruz - 57:02 +How do you put it? Like a Chat Bot or it's just a prompt. + +Speaker 2 - 57:06 +Just going into I actually tested a bunch of different models to go like, +well, if we go into OpenAI or Chat PT 3.5 or four and then going into Bard +or different models and going if I provide this requirement in the same +way, what does the story look like? Which has come out of it? So just +saying, like, this is the format of how we want a story to be written. This is +the as an example, like a PCI requirement for network security. So you +might go for implementing PCI requirement, one point, blah. And then +going into and this is the building blocks or the components that we want +to use. So we want to use Visual Firewall or we want to use this or that. +So basically give a picture of where to apply it and then go. + +Speaker 2 - 57:47 +Now write me a story for implementing that one I was playing around +with was implement customer managed keys for implementing encryption +for data at rest at. Service bus and show me what that would look like in +terms of an instruction that we can pick up and say, right, so speak to an +engineering team and say, that's basically sort of what we want you to +build, but use it as the starting point. Obviously, don't just trust it +implicitly, but go is that kind of what we want to create. So rather than +having to have somebody sit down and write all of that from scratch, go, +we'll just kind of bang it in, see what comes out, finesse it, make it +relevant, fix it and then hand it over. + +Dinis Cruz - 58:26 +But it was insanely more productive, a lot faster. Yeah. And the cool thing +is that when you want to do tweaks, and this is my key point, regenerative, +when you want to do Tweaks, you're tweaking the final product. Right. +And the cost of recreating that is very low, where in the past, even if you +did the first pass, then you will almost spend 20% or 5% of your time +making the first pass and then the other 80% to 95% of your time just +trying to get it in that better state. + +Speaker 2 - 58:56 +Yeah, mostly PowerPoint slides. That's the thing. Every time you decide +that you've kind of gone in too big or too small on PowerPoint, you're like, +all right, I need to make everything smaller. You need to move every single +box into by the way, have you started. + +Dinis Cruz - 59:08 +Playing with a new visual AI with Chat GPT? Right. It's pretty cool. Right? +So you can now upload pictures. So you can now do your drawing on a +board and then take it to Chat GPT and it starts to not just analyze it, you +can transcribe it, you can give you other dot implementations of it. It's +really freaking cool. That's going to be a massive game changer. + +Speaker 2 - 59:28 +Not done it yet, but need to check it out. + +Dinis Cruz - 59:31 +Cool, man. Thanks for the questions. I hope the content quite interesting +and I see you in other sessions. The summit. + +Speaker 2 - 59:39 +Thanks. Bye.