Resilient Cyber

- For those that don't know you, can you tell us a bit about your background and your current role?

- I know you help lead the ATLAS project for MITRE, what exactly is ATLAS and how did it come about?

- The AI threat landscape is evolving quickly, as organizations are rapidly adopting GenAI, LLM's and AI more broadly. We are still flushing out some fundamental risks, threats and vulnerabilities to consider. Why is it so important to have a way to characterize it all?

- When it comes to AI Security, there is also a lot of hype, buzz and dare I say FUD out there. Why are you so adamant that we take a data-driven and actionable approach?

- I know you recently helped participate in the first big AI security incident focused TTX, including with CISA and other Government and Industry partners, can you speak a bit about the experience and why exercises like this are important for organizations to do when it comes to AI security?

- As someone close to the AI domain, when it comes to security, what are your thoughts on both where we're headed for security of AI, and AI to bolster security? 

- For folks wanting to learn more about ATLAS, and the work MITRE is doing around AI security, where should folks get started?

- What are some key open questions and opportunities for the community to help shape the future of AI security and assurance?


https://atlas.mitre.org/ ← Check out MITRE ATLAS!

In this episode we sit down with GenAI and Security Leader Steve Wilson to discuss securing the explosive adoption of GenAI and LLM's. Steve is the leader of the OWASP Top 10 for LLM's and the upcoming book The Developer's Playbook for LLM Security: Building Secure AI Applications

-

- First off, for those not familiar with your background, can you tell us a bit about yourself and what brought you to focusing on AI Security as you have currently?

- Many may not be familiar with the OWASP LLM Top 10, can you tell us how the project came about, and some of the value it provides the community?

- I don't want to talk through the list item by item, but I wanted to ask, what are some of the key similarities and key differences when it comes to securing AI systems and applications compared to broader historical AppSec?

- Where do you think organizations should look to get started to try and keep pace with the businesses adoption of GenAI and LLM's?

- You've also been working on publishing the Developers Playbook to LLM Security which I've been working my way through an early preview edition of and it is great. What are some of the core topics you cover in the book?

- One hot topic in GenAI and LLM is the two large paths of either closed and open source models, services and platforms. What are some key considerations from your perspective for those adopting one or the other?

- I know software supply chain security is a key part of LLM and GenAI security, why is that, and what should folks keep in mind?

- For those wanting to learn more, where can they find more resources, such as the LLM Top 10, your book, any upcoming talks etc?

In this episode we sit down with the Founder/CEO of Horizon3.ai to discuss disrupting the Pen Testing and Offensive Security ecosystem, and building and scaling a security startup - from a founders perspective.

From HP, to Splunk to JSOC - all leading to founding Horizon3, Snehal brings a unique perspective of business acumen and technical depth and puts on a masterclass around venture, founding and scaling a team and disrupting the industry!

---

- For those not familiar with your background who Horizon3AI, can you tell us a bit about both?

You are building something special at Horizon3AI and I will dive into that here soon, but you've also been posting some great content about building a security startup, the team, the market dynamics and more, so I wanted to spend a little time chatting about that. 

- First off, your company was recently listed by Forbes as one of the top 25 venture backed startups likely to reach a $1 billion dollar valuation. How did that feel and what do you think contributed to your team landing on such a prestigious list?

- Speaking of venture backed, you recently participated in the Innovators and Investors Summit at BlackHat where you and other panelists dove into the topic of what founders should look for in investors and how VC's can stand out in a highly competitive market. As someone who's navigated that journey and is now being listed on lists such as that from Forbes - what are some of your key lessons learned and recommendations for early-stage founders?

- You've stressed the importance of the team over the initial idea and what you've called "pace setters" and "ankle weights" within the team and the importance of both. Can you elaborate on the terms and broader context around building a foundational team to scale the company successfully?

- You also have discussed the 4 advantages iconic companies build over time, what are they and why do they help differentiate you?

- Pivoting a bit, you have a really unique background, blending both the private and public/defense sector. How do you think that's helped shape you and the way you've build your team and company and approach the market?

- Horizon3AI is big on the mantra of "offense informed defense". Why is that critical and why do you think we miss the value in this approach in many spaces in the security ecosystem?

- You all have poked some fun at the way many organizations operate, running vuln scans, doing an annual pen test, and having a false sense of security. How is Horizon3AI disrupting the traditional Pen Testing space and leading to more secure organizational outcomes?

In this episode we sit down with Chloe Messdaghi, Head of Threat Intelligence at HiddenLayer, an AI Security startup focused on securing the quickly evolving AI security landscape. HiddenLayer was the 2023 RSAC Innovation Sandbox Winner and offers a robust platform including AI Security, Detection & Response and Model Scanning.

- For folks now familiar with you or the HiddenLayer team, can you tell us a bit about your background, as well as that of HiddenLayer?

- When you look at the AI landscape, and discussions around securing AI, what is the current state of things as it stands now? I would recommend checking out the "AI Threat Landscape Report" you all recently published.

- Many organizations of course are in their infancy in terms of AI adoption and security. I know the HiddenLayer team has really been advocating concepts such as AI Governance. Can you talk about how organizations can get started on this foundational activity?

- HiddenLayer published a great two part series on an "AI Step-by-Step Guide for CISO's", can you talk about some of those recommendations a bit?

- You all also have been evangelizing practices such as Red Teaming for AI and AI Models. What exactly is AI Red Teaming and why is it so critical to do?

- Another interesting topic is how we're beginning to look to Govern AI, both here in the U.S. with things such as the AI EO, and in the EU with the EU AI Act. What are some key takeaways from those, and what do you think about the differences in approaches we're seeing so far?

- For those not familiar with you and ThreatLocker, can you tell us a bit about yourself and the ThreatLocker team?

- When we look out at the endpoint protection landscape, what do you feel some of the most pressing threats and risks are?

- There of course has been a big push for Zero Trust in the industry being led by CISA, NIST, and industry. How does ThreatLocker approach Zero Trust when it comes to the Endpoint Protection Platform?

- Another thing that caught my eye is the ThreatLocker Allowlisting capability. We know Applications remain one of the top attack vectors per sources such as the DBIR. Can you tell us about the ThreatLocker Allowlisting capability and blocking malicious app activity on endpoints?

- Taking that a step further, you all often speak about your Ringfencing capability that deals with Zero Day vulnerabilities. As we know, traditional vulnerability management tools can't stop Zero Day exploits. How does the ThreatLocker platform handle Zero Day protection?

- I saw you all recently had a webinar focused on CMMC and NIST 800-171, which applies to the Defense Industrial Base. Obviously endpoint threats are a big concern there for the DoD and the DIB. Can you talk about how ThreatLocker is working with that community?

- For folks wanting to learn more about ThreatLocker, where should they go, and what are some things to keep an eye out for?

Find out more about ThreatLocker!

- For folks not familiar with you and your background, can you tell us a bit about that?

- How about Resourcely, how did it come about and what problem did you set out to tackle?

- Why do you think Cloud Misconfigurations are still so pervasive, despite being fairly well into the Cloud adoption lifecycle?

- How have organizations traditionally tried to handle secure configurations, in terms of establishing them, maintaining them, monitoring for drift and so on?

- Where do you think we're headed, I know you all recently had your capability go GA and you discuss concepts such as blueprints, frameworks, paved paths etc. 

- You've been talking a lot about the Death of DevSecOps. Let's chat about that, what case are you making with regard to DevSecOps and where the industry is headed?

- First off, for folks now familiar with your background, can you tell us a bit about yourself?

- You made the leap from working for a firm to founding your own talent and recruiting company. Can you tell us about that decisions and experience?

- Before we dive into specific topics, what are some of the biggest workforce trends you are seeing in cyber currently? I have seen you talk about the pendulum shift from workers to employers on aspects like remote roles, and so on. What is the current dynamic across the cyber landscape broadly at the moment?

- The cyber workforce is often discussed painfully, with talks of struggles to attract and retain technical talent, but I feel like it isn't just a headcount problem. We also often see absolutely awful PD's and processes that impact organizations hiring abilities. What are your thoughts here?

- You're often seeking out some of the best talent for leading organizations. What sort of experiences, qualities and characteristics do you find yourself looking for in candidates that make them stand out from the broader workforce?

- Conversely, what are some things you see organizations doing the best that really set them apart from others when it comes to building amazing security teams?

- What can folks be doing to try and best position themselves for their dream role? What are key things to keep in mind and emphasize from an expertise, personal branding, resume and other factors perspectives?

- For folks not familiar with you or the Miggo team, can you tell us a bit about your background?

- How do you define ADR and why do you think we have seen the need for this new category of security tooling to come about?

- Most organizations are struggling with vulnerability overload, with massive vulnerability backlogs and struggles around vulnerability prioritization. Can you share some insights on how you all tackle this problem?

- We're increasingly seeing the AppSec space become more complex, with Cloud, API's, Microservices, IaC and more. What do you see as some of the most critical trends in the AppSec space currently?

- First off, for those that don't know you or your work, would you mind telling us a bit about your background?

- You recently published a paper titled "Secure-by-Design at Google" which got a lot of attention. Can you tell us about the paper and some of the key themes it emphasizes?

- In the paper you discuss some of the unique aspects of software that are different from mass-produced physical systems. Such as their dynamic and iterative nature. On one hand you mention how the risk of introducing a new defect over time for a physical system after manufacturing is low, unlike software. I know Google are big proponents of DORA for example, and past papers have shown organizations that are capable of routinely delivering software to production at-scale also have more resilient outcomes, this seems to be both a risk and a benefit of software over physical systems?

- You also discuss the need for Secure Default Configurations. Historically it feels like producers have erred on the side of functionality and usability over secure default configurations, and we have even heard CISA begin using terms like "loosening guides" over hardening guides. Do you feel the two concepts of security and usability at inherently at odds, or need to be?

- One aspect of your paper that really jumped out to me is that "developers are users too". I feel like this is even more pertinent with both the rise of software supply chain attacks and the realization that most defects are introduced by Developers and also they are best positioned to address flaws and vulnerabilities. How critical do you think it is to design systems with this in mind?

- Some may pushback and say it is easy for Google to say advocate this approach of Secure-by-Design due to their incredible expertise and resources, but obviously, and conversely, Google has a scale in terms of challenges that most organizations can't fathom. How does Google balance the two?

- What role do you think leading software suppliers and organizations such as Google have to play when it comes to ensuring a more resilient digital ecosystem for everyone?

- First off, for folks that don't know you, can you tell us a bit about your current role and background?

- On that same note, can you tell the audience a bit about Anduril, the mission of the organization and some of the current initiatives it is working on?

- What are some of the biggest challenges of being a new entrant in a space such as the DoD, which has longstanding system integrators and large prime contractors who have deep relationships, industry expertise/experience and so on?

- I know you're passionate about the ATO process. What are your thoughts on how it stands currently and the impact it has on both new entrants, as well as impacting the ability to get innovative capabilities into the hands of warfighters and mission owners?

- CMMC

- We know your organization is looking to bring innovative commercial technologies into Defense, what are some of the challenges there beyond the ATO aspect?

- Outside of the technical aspect, we know the DoD and Federal space have longstanding challenges with attracting and retaining technical talent. How does that impact your abilities to be effective in this space with your Government peers, and additionally, how does Anduril navigate that when looking to attract modern digital talent to a space like Defense?

- Many are now arguing that cybersecurity is a domain of warfare and we're seeing the use of phrases such as "Software-Defined Warfare" by organizations such as The Atlantic Council. How important do you think modern digital capabilities are to national security and why?

- DevSecOps thoughts