Caleb Sima: [00:00:00] There were 137 talks for AI. So out of the 600, I'm actually surprised it was that small of a percentage. Really? Everything was AI. I felt man, by the end of RSA, I was sick of AI. I told my company, if you want to go and enable AI, we have to go through and fix all of these things. We've got to do least privilege.

We've got to patch our systems. We've got to get our AI pipeline and platform in a secure manner. And then I will enable AI and man, the whole company was on board because at the end of the day, AI is just a way to accomplish a task to deliver some value. If you can't concisely talk about what value you deliver, it doesn't matter whether you use AI or not.

Ashish Rajan: This episode is about RSA conference, the cybersecurity fringe festival, as Caleb and I would like to call it. It is one of the largest cybersecurity conference in the world. And of course, in 2024, the largest theme across the board in all the fringe conversations we had was around AI [00:01:00] security and we had to bring that over to you.

We also talk about BSides SF, which is a large practitioner run conference that happens beside the RSA conference, super grateful to be participating in it. We did a couple of interviews there as well. So shout out to the RSA conference team, as well as the BSides SF team for letting us do interviews and have all these conversations.

Both Caleb and I were invited for events whether it was fireside chats or panels or just having conversations for interviews that we did for AI Cybersecurity Podcast. For those of you who could not go there, who are cybersecurity leaders and trying to find out what the theme of the conference was, what stood out for us, what were some of the things we took out as notes.

By the way, I ended up coining a term called AI native security, which you hear a lot about, and I'm pretty sure it's going to hit over the next few years, so I'm definitely harping about it overall. I think it was a great episode. If you are someone who missed out on the RSA conference or BSides SF, definitely a must check for you.

If you know someone else who probably missed out on it and you wanted to share your insights, definitely share this episode with them. And in case you're here for the second or third time, I would really appreciate [00:02:00] If you're watching this on YouTube or LinkedIn, definitely give a subscribe, follow, or if you're listening to us on Apple podcast or Spotify, definitely give us a subscribe and follow there as well.

All these reviews and ratings definitely make a big difference. So more people find out about us. We're only a year old, but we definitely creating a lot of buzz in the AI cybersecurity world as the only practitioner led AI cybersecurity conversation. So all support is appreciated. Enjoy the episode and I will see you at the next event.

Welcome to another episode of AI Cybersecurity Podcast, where we start random conversations before actually get to RSA conference and BSides conference. So RSA is one of the largest cybersecurity conferences in the world, held in San Francisco every year. And it also has an adjacent conference called BSides SF.

And Caleb was the keynote for BSides SF for the second day to talk about that later as well. But essentially the goal for today episode is to cover ai highlight from the one of the largest cybersecurity conferences in the world and BSides SF, let me start with BSides SF. I do wanna give a shout out to your keynote.

I think it stood out.

Caleb Sima: So it was basically, it was a [00:03:00] positive and optimistic view on AI and security, which I think was a little bit unusual, although I did see threads of that throughout the conference. But it was more about, if you take a look at the top security challenges that exist today and do a little bit of prediction and say, okay here are the top challenges, in two or three years, what are the ways in which AI is going to help solve these challenges and I broke down a little bit of, you have to predict a little bit about where AI is going to be in a year or two. You also have to say if AI is going to go there, how's that going to impact the organization as a whole, the company and specifically engineering, what are the kinds of changes we should see?

Happening because of that on top of that, how security going to change. I think I summed up a little bit of what I think the top three real challenges that underpin the top 10 issues in security are and why AI is good at that, and then painted a little bit of, here's what [00:04:00] I hope to see solved in the future, based off of this, I basically consolidated all my presentations that I've ever done that were recorded into my YouTube channel. So you can actually go to subscribe to the YouTube channel. I don't have a subscription, but you can go to youtube.com/@csima. And I've consolidated all of them there.

So you can see my BSides presentation. I also did this really funky identity presentation that's going to cause a huge amount of paranoia with people. So there's a bunch of really old stuff, like from 2006 presentation. There's some random things in there.

Ashish Rajan: I love it. You started by saying you had a positive outlook and then you just end by saying, by the way, there is this identity talk that you might be shitting in your pants off. Watch that one.

Caleb Sima: Yeah, that one's basically where I'm like, we need global identity. So let's hear all of the privacy crazy people. They're gonna give me a lot of crap for that.

Ashish Rajan: Worthwhile calling out though, I think there was definitely a lot of safety and privacy conversation as well.

There was a panel. I [00:05:00] believe there were people who were practitioners more than anything else. I obviously didn't get a chance to go into the panel, but I know there was a panel. That was talking about privacy abuse, that people from DoorDash, Microsoft, Google Cloud, eBay, talking about privacy and safety, which is pretty awesome.

I think the other one, and we have an interview with Clint Gibler from TLDR Sec Newsletter. We obviously spoke about in the interview that we did with him at the B Sides SF, by the way, shout out BSides SF for giving us an awesome venue. It's like an ESPN sports style venue. Any thoughts on how would you describe Clint's talk?

I guess for people who may not have heard it.

Caleb Sima: So I think he focused on the more real practical things that exist that are out there that have AI in it that help you accomplish security tasks. I think in our talk, Clint was saying. He had over 160 different examples, or maybe, I don't know if that's the exact number, but it was definitely,

Ashish Rajan: yeah, it's took him a while to get the entire thing as well.

Caleb Sima: Yeah, just every tool or [00:06:00] process that helped you do that, things like this will help you come up with remediation factors for code vulnerabilities and it uses AI, or there's just a bunch of different things that he put together and went through his presentation on here's of all of the different tools, utilities, processes you can use to help make your job a little bit easier.

Ashish Rajan: And I would definitely recommend checking out his newsletter as well. He's been covering a lot of AI security in there. So definitely worth the conversation.

Caleb Sima: I noticed this year in talking to a lot of people, oddly enough, I don't think people understand what B Sides is versus RSAC. So I wanted to throw a little thing in here because I was surprised.

Most people aren't in the industry, as long as we have been. So I ran into Oh, what's B Sides and how does B Sides work? And I think the simplest way to explain it is. I feel like B Sides is a practitioner conference, right? Like you go to B Sides if you want to hear real [00:07:00] talks and hang out with practitioners.

These are the people who are doing the job in security teams, right? Like the guys who are running detection and response, the guys who are doing offensive, the guys who are doing pentesting. Like these are real practitioners. So it's, considered a lot more technical In nature, in terms of what it is, and it's smaller, the vibe is awesome.

I think the community and vibe is really fun. For example, in my keynote, I brought my kids and my family to sit in the audience because I think it's just BSides has that vibe. You can just bring your kids, they watched at least the beginning part of my keynote before my wife had to drag them out because they're too noisy.

But that's the fun part. You go there, you're casual, you could do a keynote, your kids can play around and, you can just like interact. So it's much more practical, much more community, very technical in nature. And it usually happens in different cities. [00:08:00] BSides during RSA is usually done the weekend prior to RSA.

For those of us who've been in the industry, I call BSides the new DEF CON, I feel, and DEF CON has become the new Black Hat has become the new RSA has become the new Comdex or whatever it's like, it's all, like you get this sort of like evolution of like security conferences and in Black Hat this year, BSides will be happening.

Also right prior to BlackHat or was it the same time as BlackHat no.

Ashish Rajan: It's always a day before. Yeah. So B Sides Vegas, Las Vegas.

Caleb Sima: Yeah. So we can highly encourage people to go check out B Sides if you want the more technical practitioner view sets.

Ashish Rajan: Also fun fact, it's called B Sides because always beside another big conference.

Oh, yeah. There you go. So if you notice any of the conferences that say B Side, there's a larger conference happening either day after the conference.. So BSides SF happens right next to RSA BSides Las Vegas happens right next to Black Hat. I guess there's a few other ones around the world, but

Caleb Sima: they're like city local ones [00:09:00] also.

Ashish Rajan: I feel like that happened. Yeah. Yeah. There's definitely a lot. There's heaps, like we had one in Melbourne, in Canberra and other places. And so everything I'm sure. People should go look it out to bring back the conversation. BSides SF definitely is a practitioner led conference.

And if people who are trying to get into cybersecurity, I think it's a great place to go and meet people from Netflix, from Adobe. Think of all the everybody, everybody goes, yeah. I think Shilpi and I have been going there for the past three years. We've seen people. The first year as interns, the second year they're getting a job.

So it's you see the maturity in them every year. So it's amazing. I did want to wrap up the B Sides one with another talk. There was a talk by Adobe, funny enough. That's why I thought of Adobe. They had a talk about how to fine tune your LLM logs for identifying security events. I don't think a lot of us got a chance to go through all of the events, but I wanted to call out the one that were from practitioners and definitely sounded like interesting ones to call out.

I want to see that I can, so I'm going to link the talks here anyways, but that was really, it looked really intriguing. And I'm like, I'm waiting for the, I [00:10:00] think the video is out as well. So I'm going to go through that one more. I'll call out. Have you heard of Sigma rules by any chance?

Caleb Sima: Sigma rules. I have heard of this.

Yes, but I'm not as familiar with it.

Ashish Rajan: Feedly we had Dave Johnson. We did a recording for that as well. Dave Johnson, he has been experimenting with using Sigma rule automation for, building your, how do you use LLMs to create a Sigma rule query?

Are they other way around? And for people who don't know what Sigma rules are, it's like when you go and look into a SIEM and like Splunk would have its own language, another tool would have its own language, but as an industry, there's an open source version called Sigma rules, which you can translate into Splunk language, Sumo logic, whatever else you want to do.

So you just write the rule once in Sigma rule, and you can transform that into whatever you want. And the talk was called next gen detection. And it was mainly around how do you use LLMs to because the reason there's a whole talk on it is because Sigma rules are like regex, it takes a long time to figure out the exact one that you need.

So that was an interesting talk that we found was really interesting that I'll call [00:11:00] out. So those two I'll call out any other, and by the way, I think that's just some of them. There's a lot more. I'll leave a link for that. So people can go in and have a look at it. Anything else we want to call out?

There's an AI village as well, by the way, this year. What are villages supposed to be for people who may have never even heard the village concept.

Caleb Sima: You just go around. It's the area where all of the fun, small projects and things that you can go do hands on work and learn from real people doing like lab like activities.

Yeah.

Ashish Rajan: Like in a focused way, so AI Village is primarily focused on the whole AI conversation. So that's pretty much what I wanted to cover in B Sides SF. Unless you have anything else, we can move on to

Caleb Sima: the RSA part. I just have to say it's been so much fun. I feel like B Sides is becoming better and better every year.

Yeah, they definitely need to change that space. Although to think that apparently they started in like a little hall. I saw someone who has been coming for the past 10 plus years, had the original t shirt and he still walks around with an original t shirt from B Sides as if the first one. Here's my ask for B Sides though.

This is what I'd love to see. I [00:12:00] actually want B Sides to do an exhibition hall, but I want it to be restricted so that it's only Series A's companies and below. So if anyone is listening I want BSides to have just a hall of only startups. Series A funded is the maximum. Everything has to be below that.

Like it's gotta be like all the super small, cool startups building neat things. That's to me if I go to BlackHat, Defcon, RSA, I just want to go find the small booths with all the super small startups. Problem is these companies can't afford booths at these. And frankly speaking, if you could, there's sort of definition of whether you should, but I would love B Sides to host that. I guess they definitely follow us, so I'll definitely tag

Ashish Rajan: them on it.

But I guess to your point, would that be, like, obviously for the broader audience of practitioners coming in, do you think, is that more of, for CISOs to be coming in to B Sides SF?

Caleb Sima: No, like these are just like, think about all the fun startups that are out right now, right? Like many of these [00:13:00] cybersecurity startups, especially if you're a seed stage or, you just close your series A, you're super small. Like you can't rise above the noise. You don't have big marketing budgets.

You don't have, massive sales teams, but you're like building some cool utility. Or tool or product, and you just can't get any recognition. So there's a lot of great startup companies that have built really cool tools and products that have come and gone because they've died because they just couldn't get in front of like real people, that would use these tools, which is and I don't want to go to an exhibition booth where there's huge companies spending massive amount of money. I just want to go. And see the cool tools that people have built that are like, Oh, we just built this because we know it's helpful. It's that's the kind of stuff I'd love to see, but there's no place that just only does that.

Ashish Rajan: Yeah I'll make sure they come into that as well. So talking about RSAC, switching topics, it's really interesting. I would say [00:14:00] RSAC, because we started the conversation by saying it is one of the largest cybersecurity conference in the world, and would we say, is it more known for what happens outside the conference rather than what happens inside the conference?

Caleb Sima: Oh, yeah. RSA is definitely a what someone named the term, but I forgot what it was, but it's like fringe, right? Everything happens on the fringe. Yeah. When you at RSA, everything happens at the St. Regis, the W hotel, the palace hotel all the meetings, it's all dinners, by the way It's everywhere around it, generally very little in it, I find.

Ashish Rajan: Yeah, but maybe the way we can cover RSA could be, we can cover both sides. I can share insights from the RSA conference and I guess you'll find this hilarious. I'm pretty sure when I talk about this.

Caleb Sima: We should talk a little bit about the fringe thing because I think that was a little bit of an interesting topic of discussion during this RSA..

I don't know if you noticed, but Palo Alto had no booth. They noticed. Yeah. I did have a private event. Yes. Yeah. Yeah. They just booked a hotel and you know who else also, I think, I don't [00:15:00] know if they didn't have a booth, but I know Microsoft basically took over the palace hotel. You went to the palace hotel to go see and talk to all the Microsoft people.

So that was happening. I also noticed a lot of startups who can't afford booths. And actually most of them ended up saying I'm not going to spend budget on a booth. I'm going to spend it on dinners instead. Yeah. Definitely. And or events, which was.

Ashish Rajan: To your point, worthwhile calling out for people who are attending RSA 2025 or maybe after, and they're listening to this, maybe it might just be worthwhile, just maybe booking a hotel and flight.

If you're coming not from San Francisco, just land there and you don't even, cause a lot of these places don't even require you to have an RSA conference pass. To your point. Oh yeah. None of these. All you need to do is find the company that you want to talk to, find where they are. And if you know a rep.

They'll invite you to dinners as well. And they'll bring you in for conversations for CISO dinners or whatever. So you can totally be smart about it and not spend thousands of dollars on the whole thing. But I definitely find [00:16:00] that to your point about the fringe festival for lack of a better word, if you were to call RSA a fringe festival.

Fringe festival. That's a good word. Yeah. It's a word used in comedy quite a bit. Yeah. So it's a place here in the UK called Edinburgh. And they have a season for, I think even Adelaide in Australia has it as well. So it's like a comedy festival. What do they call it? Fringe festival.

Caleb Sima: There's the sort of cyber security fringe festival that maybe

Ashish Rajan: that's the episode topic.

RSA conference, the cyber security fringe festival, a great topic for the thing. So I guess to your point for people who are attending, definitely you can be smart about still meeting people because we can meet people outside and also still smart about meeting the vendors you want to, because even if the vendors have booth at RSA, they all have a dinner or networking event they've organized outside of it because they all know evening everyone has to go everywhere. So people will decide something.

Caleb Sima: There's also a event calendar that goes around that. Yeah, that shows all the events, who has parties, where, what vendor.

Yeah. All of that. Yeah. Yeah.

Ashish Rajan: But there's the other pull now, I think maybe [00:17:00] RSAC has started realizing it, which is why they had celebrities this year. I think Alicia Keys did the closing keynote. I don't know if it, I don't know if it was a keynote but she definitely performed at the closing keynote and I saw a picture of one of the CISOs that I'm connected with just like all these phones, people just had their phones on top. You could barely see her. All you could see was phones. But so they're trying to pull celebrities if you. Want to see a celebrity maybe not a bad thing, but then you kinda get into this awkward phase where you realize you're too old.

'cause they're getting younger celebrities. And I think there was one of the, I can't remember the name of the lady and I don't follow her clearly. She asked attendees to call FaceTime their kids, all the kids who were on the FaceTime got crazy. The parents are like, , she's popular

They're like, I guess she's popular. So I was like, but so they all took selfies with them for their kids. But they had no idea, never heard a song. And that's nice of her to do that.

Caleb Sima: I was also in my head thinking yes, it is a fringe festival, but let's be clear, like RSAC is not suffering from an attendance perspective.

Like it's massive. There's so many people, [00:18:00] especially this year and I also have to say this year, I felt the first time. Really super up. Like it was normal, it was like this, the pandemic happened. Yeah. You had a couple years and then you had a couple, a year sort of people coming back, but it was still off.

Yeah. This year was just full blown, like even bigger and better than I felt prior to pandemic even happening. Like it was an event. Yeah. There was so many people.

Ashish Rajan: They had 41,000 plus attendees. Wow. Yeah. So I think I read the announcement that they released for the press because Cloud Security Podcasts is a press for RSA.

We get their press announcements and they had 41, 000 plus attendees. And I'm going, wow, that's insane. And I think as per the press, they also had, so they had about 600 exhibitors, 650 speakers, 33 keynote presentations across two stages. Apparently their potential readership was around 2. 8 billion people.

Wow. I don't [00:19:00] know how that comes through into, that's, I thought it was the world population, but maybe that's how many people are after RSAC. But the funny thing is I went through the agenda and I was trying to say clearly none of us could have gone through all the talks and they had this smart filter of people and you don't need to, maybe you don't need to log in for it.

And if I logged in trying to see how many talks they have for AI, I just searched the topic of AI. They were 137 talks for AI. So RSA is 600.

Caleb Sima: I'm actually surprised it was that small of a percentage. Really? Everything was AI. I felt man, by the end of RSA, I was sick of AI. I was on a panel, an AI security panel that I was on.

And my comment was, I'm tired of listening to myself talk about AI.

Ashish Rajan: Actually, let me ask you this. Did you actually get a chance to go to the floor? Expo floor?

Caleb Sima: No, I didn't even have a pass. So I only had a pass that allowed me to go directly to my speaking. I did a panel and a presentation at RSA and I only had a pass that allowed me to get to that.

So those are

Ashish Rajan: interesting, [00:20:00] because the reason I say that is funny enough, there's not a lot of AI on the expo floor. Would you believe it? I, that can't be right. I don't believe that at all. And I think I was talking to someone on one of the dinner tables and they said, this is a compliance requirement or something.

I don't know if it's a real thing, obviously made up, but they said, The AI conversations, funny enough, and because probably you and I were hanging outside of the conference as well and very little inside the conference. Like I only went for my talk, but I did get a chance to walk the floor. That was the only two things that I did inside the conference hall and take my conference pass.

But everything else was outside the conference hall because all the events and everything.

Caleb Sima: Yeah, but wait a minute, go back to this. Why? There's no way all the vendors didn't have AI plastered on everything on all their booths.

Ashish Rajan: So the reason I was called out was because unless you're actually using AI, you're not supposed to advertise it.

That's the compliance thing I was called out. That RSAC did? Like they made this. I don't know about that. Again, I will take that with a pinch of salt because it's over a CISO dinner conversation. Yeah. So this was, [00:21:00] I think on the second day that got me curious, which is why on the third day I walked the floors and I did not see a lot of AI.

Caleb Sima: Man if RSA made that as a mandate, man, kudos to them. That would be phenomenal if they were like, but I can't imagine there's someone who's okay, I'm going to actually audit you. And say, are you using genitive AI as a core factor of your product? And if not, you're not allowed to put AI in your booth.

Like I can't imagine someone actually did that, but if they did, wow. That's yeah.

Ashish Rajan: The first time I was skeptical, which is why the next day Shilpi and I walked the expo floor and we actually did not see a lot of AI.

That blows my mind

like that people talking about. So I made a few notes on , the people who made announcements for, Hey, we have AI and we have AI.

So those clearly for example, a lot of the conversation was AI security for, if I have a application security posture manager, ASPM. They talk about, Hey, if I do API security for your ML, there's product releases around, if you have AI generated [00:22:00] code, how do you validate that for application security?

They were not like, Hey, we are using AI. I think the only two companies that I know that made special announcements I think we spoke about, Palo Alto had a separate event. They spoke about Precision AI , had Keanu Reeves as their brand ambassador. And I know I think Shilpi was like, cancel all plans.

We're meeting Keanu Reeves. I'm like, okay, I guess we're meeting Keanu Reeves. The second one, I think was SentinelOne we got a chance to speak to Ely Kahn before they did the Purple AI announcement. But those two were the big ones. They're not like, obviously they're the top 10 RSA innovation sandbox.

Maybe you should talk about what innovation sandbox is as well.

Caleb Sima: There's definitely a lot of AI in the innovation sandbox. That's for sure. There was actually two companies at which I an investor in made it to the sandbox this year.

So good for you, man. Yeah. Yeah, Reality Defender and Dropzone. So they both Reality Defender won, basically identifies deepfakes.

Yeah, that's right. Yeah. Yeah.

Ashish Rajan: But which is I can imagine now with [00:23:00] elections coming soon, that'd be one of the big things that was going to happen. But I guess for people who probably don't know what RSAC innovation sandbox is. So RSAC does this innovation area for startups. And they run a contest called RSA Conference Innovation Sandbox.

I have to be careful not to say RSA only because they are separate. RSA is a separate company and RSA conference is separate as well. And the email called out, Hey, can you guys just call use RSA conference and not say RSA because RSA is a different company or otherwise we need to call RSAC, RSAC. I wanna put that out there 'cause they've basically been trying to call out because everyone just keeps saying RSA.

And people keep, I imagine people keep going back to the actual RSA security company, which is now a separate entity. But RSA conference runs an innovation startup and they run something called RSAC or R S A C innovation sandbox. They've been running for 19 years and apparently the top 10 finalists collectively have seen over 80 acquisitions and 13. 5 billion in investment so far over the [00:24:00] last 19 years. To Caleb's point, I tried making note of the kind of companies that were there. There were three AI companies, two data security companies, two identity companies, one SOC related company, and one cloud native workload security, and one threat intelligence platform.

That's a pretty tough competition for you. As you see the theme for three AI companies and two data security and two identity. Like we're covering zero trust as well as AI in there, I feel. But kudos to everyone who made it as well

it's not easy for people to get there. Yeah, it's not easy once you get there, it's definitely a lot of limelight for it as well.

Caleb Sima: And then you have to do a three minute pitch of your company. Bluebox, I made it as a finalist in the Innovation Sandbox a couple years ago. And my company and that three minute pitch is the hardest thing in the world.

Ashish Rajan: And you guys got acquired. So you have one of the, you ran one of those companies that basically pitched at Innovation Sandbox. Yeah, I was, yeah,

Caleb Sima: my company Bluebox got into the Innovation Sandbox. Yeah. We were finalists. We didn't win, but we were finalists. Every [00:25:00] finalist has to do the three minute pitch live and go up and do it.

And it's hard. It's really hard. Yeah.

Ashish Rajan: Just summarize everything you've done in three minutes. Yeah.

Caleb Sima: You have to pitch your company in three minutes and why it should be chosen. So yeah, it's a hard pitch. People think, if you don't do a lot of presenting, people think if you have an hour, that's really hard to do versus shorter.

And actually it's the opposite. It's way harder to do a much shorter presentation than it is to do a longer presentation. Given three minutes of time. Basically you have to memorize your scripts. You have to write it out. You have to memorize it and you have to time it because things like just standing up there and doing an introduction of yourself kills 15 seconds in like it's a thing.

Like it's hard.

Ashish Rajan: Oh my God. Oh I think it's funny as well. Cause I think what you said about long talks versus short talks I don't underestimate the amount of effort people like yourself and others would have put in just to, be there in the first place and then get that three minute just to level it up as well.

Kudos to [00:26:00] you guys, man, but obviously you've experienced it firsthand. So it's really good for the top 10 finalists as well. Really happy for them as well.

Caleb Sima: If you make it in the top 10, it's a tough gig. to make it in the top 10. And usually you can look at everybody in the top 10 and they are really probably top of the pile of the companies and people that built those companies.

So if you really want to take a sample and say, Hey, what are some of the coolest sort of startups tackling these things? You could like the top 10 as a great first place to go. Yeah, cool.

Ashish Rajan: And I'll just quickly shout out the other company considering called our Dropzone as well as Reality Defender

the other ones were Aembit, Antimatter. Bedrock security. Harmonic Mitiga, P0 security, Rad securityand VulnC heck. PO P zero Buddy. P zero. P zero oh, sorry. P zero Security PO O. Oh, sorry. Yeah, it is zero. I'm like P zero security. There you go. People

are

Caleb Sima: at least remember P zero, which means top

priority.

Top priority. It's a P zero problem,

Ashish Rajan: but it's worthwhile calling out. Another thing people actually go to RSA, [00:27:00] especially if you are a CISO, is the, they've been running a CISO they have a CISO bootcamp and then they have the CISO event that they run, which is Chatham rules for past 19 years.

I don't know if you've ever been to one of those.

Caleb Sima: No.

Ashish Rajan: Yeah. But apparently I would say if you're a CISO probably would know what happens there as well. There's a lot of conversation there as well, clearly. And the reason I brought up the search term for 137 results, because I guess this is the same access that everyone else would go. Prompting me for, Hey, are you looking for this? Are you looking for that? Funny enough, one of the talks that got a lot of attention because they had, they have villages there as well. So I typed in AI, I got AI security and democracy, AI governance, and then there was an OWASP stuff for AI security. And then there was a CSA AI Summit.

Did you attend this AI, CSA event? Yes, I did. Yes. What was any highlight from there that you can share for us?

Caleb Sima: So there's a lot. There's CSA did a sort of socializing event at Fang. They also did the CSA AI Summit, which was an all day Area where back to [00:28:00] back, they did AI talks, discussions, and panels.

I actually did a mini version of my B Sides presentation at that event. I also did a fireside chat with a CISA and talking about AI. So yeah, you can go there and there's back to back on some of these things. So bringing in some pretty top experts. And it was packed. There was a ton of people.

Ashish Rajan: I would say definitely worthwhile checking out the, I'm sure they'll make the content online at some point, but if they do, there'll be definitely, cause I think the two things that I looked at as a theme from CSA summit, cloud security, as well as AI security. Those are the two themes that kind of expected Cloud Security Alliance.

Yeah. Talk about anything else with that name, but yeah, I guess those were what I wanted to call out, but there was something interesting. The conversation that we have for this episode started off by talking about the technical implementation of AI security and the privacy and safety one. There's one talk from the secretary of Homeland security.

They were talking [00:29:00] about how they have a vision for AI core. And they've been building an AI security board with both individuals who are civilians and governments as well. And they were talking about the perspective that they want to build a core AI capability in the government department without the compensation, but for the love, which he called out specifically, which is understandable.

Like government would not have a lot of money to give to the talent, but you're joining a government firm for different reasons, not. Not the same as private firms, but that was a good talk there. It was a, for lack of a better word, it was a fireside chat between, it's the host and the secretary of Homeland Security.

That highlight was primarily talking about, like they've been having conversations on the AI security board. At the moment, as we've seen from all the previous episodes we have done so far, a lot of the threats beyond prompt injection is very theoretical and what it could be, but they're channeling it more towards the fact that, they're expecting it to have a lot more practical AI security things that would come out of it, which would be along the lines of why civil [00:30:00] liberties and civil rights are equally part of AI safety as well.

Which I thought was really interesting that we've been talking about the technical aspect of it, but then there's a whole people who are building this capability, how they're going to go for it as well. The last talk I'll talk about is AI Safety: Where’s the Puck Headed? This was on the last day.

This was run by a Microsoft host. And the only reason I call this out because it has Bruce Schneier in it. I think it's I just like seeing him as I think a lot of us have followed him. So it's an interesting chat. I don't they had Google people as well. So it was really interesting. But I would say if you are looking for one, not like a high level perspective, that was a good talk to listen to.

And in the last 10 minutes we have, can we talk about conversations in the CISO dinners and parties we've had as well? Happy for you to go first and then I can talk about the CISO dinners that I attended or hosted. I heard as a thing. It's,

Caleb Sima: everything that I was there was all AI oriented.

Ashish Rajan: It was a lot. Let me ask you this question then. Cause I think I, I took away certain things which were, and I, it'll be really interesting in the conversations you had. It was the same. I think everyone knows what [00:31:00] AI security differences like they understand AI security as a tool that they're using to enhance productivity.

They also understand AI as a security capability and how they can actually do security with it. They also understand there's a whole threat of what AI can lead to and the whole terminator and everything in there.

Caleb Sima: Yeah. There's a lot of, and I do think it's getting better, although there's still a lot of, fuzziness.

There's the AI and it's threat to humanity, right? Is it going to kill us? There's AI and threat to the nation. Which is, hey, when we think about defense and leading and, where's AI going there, there's AI and threat to our jobs, right? And how do we think about that and where that is.

And then finally, there's AI safety, which is, I think, more AI to like alignment, ethics and behavior from a practical enterprise perspective. And then finally there's AI security, which is how do we deploy AI [00:32:00] and either protect it from attacks And or bad guys using AI for their attacks.

I think people, there's still some munginess between AI ethics and safety threat to nation, threat to humanity there's a lot of munging a little bit around that still, but I do think there has been a lot more, as people are getting educated about the topic, they're starting to clarify between AI security and AI safety, which I think, is good to have an understanding around.

Ashish Rajan: It's really good to hear that at least the conversation you're having a similar in terms of this, some clarity, I also ended up coining a term while we were having an interview on. The AI native security. Yeah, that's right. I'm going to be about to accept that as a thing.

I'm going to make a few posts about it as well, but I think the way I describe it is basically the same way people talk about cloud security. It's like either the provider of your LLM model, doing the security of it or native capabilities or security of how that function model LLM model.

But I think you had a great definition as well. Vijay had a good definition as well. I guess what I would love for people to share as well, what they [00:33:00] feel would be AI Native Security when they hear that term. The other theme that I wanted to talk about is that a lot of the, to what you said, threat to the nation and threat to the enterprise, a lot of the conversations that I had in terms of actual threats outside of the prompt injection thing, everything else was theoretical. It's like this could happen. Most are, but I think there were a couple of CISO conversations where I was trying to like, cause I was hosting it.

I was trying to bring it back to, Hey, let's talk about what's really concerning you because I guess the data security perspective that if you've never cared about data, but you have to suddenly now pick up that thing, but people kept going back into the, Hey, this is potential of what does this mean for my organization?

Am I allowing ChatGPT access? I'm going, there's a lot more.

Caleb Sima: I'm telling you this, that the whole data leakage thing is still man. Like I will say that it's less than it was last year. Like last year, a hundred of a hundred CISOs were saying data leakage in [00:34:00] LLMs and AI was the top concern. And I had to fight that sort of, downstream push by saying, Hey guys, this is actually a third party risk problem, not a technology problem. Yeah. But this year I would say it's better. I would still, I'd still like, I feel. 70 30, right? Like 70 percent for data leakage and 30 percent yeah get 10 CISOs in a room. 70 percent of them are going to talk about, data leakage, copyright issues, like this is still the, and then there's 30 who are like, Hey, I get it now.

This is not my biggest worry. We use, MSAs this is a third party risk problem. Not as big of a concern, but I think give it another year, I feel, that should drop down to, a little bit less, but there's still a lot of this, Hey, we don't allow our enterprises to use Microsoft co pilot because it's going to be looking at sensitive code that we don't want leaked on the internet and , this really is the top concern from people.

Ashish Rajan: Yeah. all so i guess that theme was similar in the conversation you had [00:35:00] as well that's really interesting the the final theme because i wanted it to be more actionable and i was asking people in terms of what are they walking away from RSAC and as they've had all these conversations, what are they walking away from RSA on the whole AI security side?

Is there something that they are taking away knowing that, Hey, I can go and implement this, or this was my big takeaway. Funny enough, a lot of the people who were there, they had a lot of interesting conversations around security, which all their peers, with you, me, and others as well. A lot of people didn't really feel any more confident on what they knew before they walked into the room versus what they're, and I say, when I say room, RSA conference.

Before they walked into RSA conference, I think they had some idea. They got a lot of mixed opinion. And at least the people that I spoke to in that 70, 30 circle, They still felt a bit lost because I think some of them were still looking for a tool to solve the problem. They were hoping they'd come in and to what you said, RSA conference vendors would have AI security plastered everywhere.

A lot [00:36:00] of people did not. So they were like, I don't know because, and I think Shilpi summed it up really well in Shilpi, for context, Shilpi is the producer of this podcast. And Cloud Security Podcast, she summed it up really well at one of the CISO Dinners. She was like, I guess security of AI is not that different to what all of us have been doing for all these years.

It's just that now we feel it's a different landscape. We feel a sense of unfamiliarity with this new terrain that we have to deal with. But it still requires us to do, be vigilant for things that we've done in the past, data sanitization, actually care about data security. Identity, network, all of those things are still there.

They haven't gone away. I don't know.

Caleb Sima: It's a new tech stack. Which by the way, we go through the same pattern every time. We went the same pattern with mobile. We went the same pattern with cloud. Going to the same pattern with AI. You think we figure this thing out. I need to block all access to Open AI from my employees, or I need browser.

This is the popular thing. Now I need browser plugins, which will show my AI [00:37:00] visibility across my enterprise, because that's really important, which by the way, I asked what's the difference between that and CASB and DLP and no one knows how to respond to that. And I'm like isn't AI usage is just another.

Like what's the difference between Dropbox usage and AI usage going to OpenAI? Doesn't your CASB offer this? Doesn't your DLP tool offer this? Why do you need an entirely new company to go and sell you this? And by the way, you won't care about this in two years. And I'll tell you why, because every product and every SaaS service will offer some AI model ingestion usage.

And you locally will be using AI model ingestion usage. So why is this the thing that's an important metric, and I will stand on my pedestal and probably yell till I'm like a horse in the voice about this, I will say I did talk to one CISO and I want to give a tip to if there's any CISOs who are listening to this, that he was brilliant.

Oh, so he told me is Hey, we blocked all [00:38:00] Open AI, in all AI usage for all of our companies, because we need to do that because, we need to, at least understand what's going on, because if we're going to do this, we're going to do this safely. And I'm like, I get it.

And I gave my viewpoint. And he looks at me and goes, I 100 percent agree with your viewpoint. What I'm doing is a chess move. And I'm like, what? And he's let me tell you what I did. And so he goes, you and I both know. And he's like talking to me is that you and I both know that 98% Of the security problem and AI has nothing to do with AI.

It all has to do with basic infrastructure, patching, permissions, lease priv. And I'm like, yeah, then why are you blocking? And he goes, just wait. And he goes, so I told them, I was like. I told my company, if you want to go and enable AI, we have to go through and fix all of these things. We've got to do least privilege.

We've got to patch our systems. We've got to get our AI pipeline and platform in a [00:39:00] secure manner. And then I will enable AI and man, the whole company was on board, all of engineering, executives, everybody said, yes, let's enable AI safely. And the way to do it is being driven by patching least privileges.

I was like, I looked at him. I was like, that is brilliant. He goes, yeah. And then we enabled opening up the AI stuff. And again, I was like, okay, that was a smart move.

Ashish Rajan: So I agree. I agree. I think I would shout out to one of the CISO I spoke to. I think another pattern that stood out for me is worthwhile calling out the people who understood and probably have been working in this space for a while, one of them called out, which is really interesting. So every time he's getting a pitch from person saying, Hey, company X saying, have you used AI? The first question that he's asking, and I think we have developed this theme after having a lot of these conversations.

The first question you would ask them is, Hey, are you creating your own LLM or AI model? That is you can explain to me what that does and how we can go into deeper. If the answer over there is a yes, and they can explain [00:40:00] that the next one is what kind of data are you using to train your AI, the LLM model that you created?

Those two need to pass, but he said 90 percent of them fail in the first one. Because if you're that if you're that big, you're definitely a cloud service provider. The kind of compute requirement, the kind of data, it's just impossible for any small company. So if you have

Caleb Sima: no one's training, however, they are fine tuning models, but yeah, no one is I don't know anyone that's literally training from scratch their own model.

It's almost asinine. Like it's, yeah. It's only to a point, it's I'm going to be my own cloud provider, right? Like it's that level of there are a few that can do it there. Don't get me wrong. There's no question. I think people, there are companies that can make that happen, but man, it's a, that's a huge investment.

Ashish Rajan: Yeah. I definitely say like those two questions are for people. For our CISOs that are listening and probably want to filter out the signal from the noise. I think that's also a theme that we've noticed after having all these conversations. [00:41:00] Third one I put is transparency as well in terms of, if the person cannot create their own LLM model.

And if you know that, if, and if they haven't had data for fine tuning it for a while, because they don't have that many customers. Third thing probably is the transparency. Like what are you using in the background? Are you using ChatGPT, Gemini, Claude whatever you're using. At least being open about it gives other people the assurance it's not a black box.

Because earlier, I think the people get nervous when you say it's a black box versus, Hey, this is what we use in the background. Oh yeah, I know those terms. I know those technologies and it makes you a bit more comfortable. But I don't know if that stood out for you in the conversation that you had.

Caleb Sima: Yeah, I think there was like, How do you filter actually, I was on a ForgePoint panel where that was discussed around, how do you filter vendors actually. And people selling AI solutions and what do you do? That's a simple tip. And my answer was really simple. I was basically take whatever message they're pitching you.

And if you [00:42:00] remove the word AI out of it, and it still makes sense to you as a solution that provides value, then it's a winner because at the end of the day, AI is just a way to accomplish a task to deliver some value. If you can't concisely talk about what value you deliver, it doesn't matter whether you use AI or not.

Ashish Rajan: Yeah. A hundred percent makes sense. In the last few minutes, we have any final takeaways that people should take away. I would definitely say the Fringe Festival of Cybersecurity RSA conference is definitely worth attending. BSides SF is definitely worth attending. AI or no AI of people who may have never attended those and check out the talks that they do.

Any final thoughts on this, man, before we wrap up the episode?

Caleb Sima: No, no final thoughts. It was great. I enjoyed the conference. I guess looking forward to Black Hat. Yeah, it's coming up fast. Six weeks. Definitely coming up fast as well.

Ashish Rajan: All right. Thank you everyone for tuning in. We'll see you next episode.

If you have any questions on RSA security, definitely drop them in the comments if you're watching this on YouTube. Thank you so much for listening to that episode of AI Cybersecurity Podcast. If you are wondering why aren't we covering all topics, because [00:43:00] maybe the field is evolving too much. Too quickly so we may not even know some of the topics we have not covered.

If you know of a topic that we should cover on AI cybersecurity podcast or someone we should bring as a guest, definitely email us on info at cloudsecuritypodcast. tv. Which reminds me, we have a sister podcast called Cloud Security Podcast where we talk about everything cloud security with leaders.

Similar to the AI cybersecurity conversation, we focus on cloud security specifically in the public cloud environment at cloudsecuritypodcast. tv, which if you find helpful, definitely check out www. cloudsecuritypodcast. tv. Otherwise, I will look forward to seeing you on the next episode of AI Cybersecurity Podcast. Have a great one. Peace.

‍