Transcript
Drew Bagley [00:00:00]: It’s important to think about the ways in which AI has been incorporated over the past two years, in ways that have often been unmanaged, where AI has access to things you wouldn’t give an intern access to.
Frank Cilluffo [00:00:13]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the privilege to sit down with Drew Bagley. Drew is the Chief Privacy Officer at CrowdStrike. He’s been one of the originals since almost 12 years at CrowdStrike and leads their policy efforts. Everyone in D.C. knows Drew. He’s been doing phenomenal work for a long time in the field. He’s a regular witness before Congress.
Frank Cilluffo [00:00:46]: I think we’ve shared the dais before testifying, and a good and longtime friend. There’s one conversation dominating D.C. right now, and it’s Mythos and it’s Project Glasswing. And couldn’t ask for a better guest than Drew Bagley, since CrowdStrike is steeped in all of these efforts. Drew, thank you so much for joining us.
Drew Bagley [00:01:07]: Thanks for having me. Great to be here.
Frank Cilluffo [00:01:08]: Let’s start with, I mean, you cannot go two seconds without a conversation surrounding Glasswing and its implications and what it means. For our audience that maybe isn’t reading every day, what should we be thinking right now?
Drew Bagley [00:01:25]: Yeah, I think, as you said, we hear this conversation in just about every cyber conversation these days. And sometimes, interestingly enough, I think it’s even breaking out of the traditional cyber community where people are thinking about this era post Mythos. So essentially, we’re now in an era in which AI has been proven to be able to find vulnerabilities and write exploits at scale much quicker than humans can. With that said, there is a lot of talk about specific models, but we should really be thinking about this as something that’s going to become a lot more normal in the near future, because conceptually, every single thing that we’ve seen where you apply AI in a way where it can scale things, then naturally there’s some sort of disruption. And so we’re in that period right now with discovery of vulnerabilities as well as the compressed timeline for patching those vulnerabilities.
Frank Cilluffo [00:02:22]: So we’ll unpack that more, but scale and speed, I think, are the two words that, and you’re right, I’ve spoken to a number of CEOs that have had board meetings, publicly traded companies, and they’ve always had a bit of a cyber discussion. But Glasswing seems to be the discussion, so it is resonating. Firstly, just how did CrowdStrike get involved?
Drew Bagley [00:02:48]: Sure, yeah. We were the, to my knowledge, the only pure-play cybersecurity company asked from day one to join both Glasswing with Anthropic as well as OpenAI’s program. And we got involved because I think there was a recognition that it was important to include cybersecurity expertise in evaluating the model, in ensuring that Anthropic could think about how to, how to ensure the efficacy safety of their model, but also that we could leverage that technology to make sure that our customers were reaping the benefits. And so as part of that, naturally we’ve been thinking about this as the early innings, right? It really is the early innings with seeing what we can do with this. But also right away we thought about how to operationalize frontier AI models and we launched a project that we call Project Quiltworx. And so what that is is we’re bringing together CrowdStrike’s technology, frontier AI models, as well as systems integrators that can help with the patching. So in other words, we’re able to help our customers discover vulnerabilities much quicker, but then also operationalize patching because there’s always, even in slower times, the slow times, a delta between discovery and patching.
Frank Cilluffo [00:04:11]: And I want to get to that in a second. But before jumping into the how and how we prioritize the what, when I look at this strategically, and dispel, disagree with me, but it seems like Anthropic’s been a very responsible partner in all of this.
Drew Bagley [00:04:31]: Absolutely.
Frank Cilluffo [00:04:32]: Recognizing the potential power that is behind Mythos and some of the other frontier models that are obviously coming soon. What do you think this means from a policy standpoint? If China had had a similar model and rolled it out, do you think it would have been as responsible or do you think we’d be even more in freak out mode right now?
Drew Bagley [00:04:56]: I mean, I think we’d find out about it, but perhaps in a different way.
Frank Cilluffo [00:04:59]: Yeah, yeah.
Drew Bagley [00:05:00]: And I think we should assume-
Frank Cilluffo [00:05:01]: They’re not going to advertise it necessarily.
Drew Bagley [00:05:02]: Exactly. I think we should assume that’s going to happen, but I think we should also assume there’s going to be open source versions of these types of models. I think we should also be thinking about the fact that not every model that’s going to be capable of doing this, and in fact some of the models that will be capable of doing this much better aren’t going to be large language models necessarily. They’re going to be smaller models that are more precise and how they’re trained and much more specific. And so we should just think about this as being an opportunity because we had a responsible player opening this up to the community. We should think about this as an opportunity to think through this problem set now and assume that this is going to be just a widespread capability pretty soon.
Frank Cilluffo [00:05:46]: Awesome. And it’s not just going to be Anthropic. It’s going to be others with their models. Can we play this out again or do we need new systems and processes in place?
Drew Bagley [00:05:56]: Well, I think about, you know, first and foremost, we should be looking at existing infrastructure to share vulnerabilities that are discovered and figure out how to update that for scale. And then also leaning in on some of the ways that we already think about vulnerabilities in a much more practical way, like with the KEV. So that definitely was something where
Frank Cilluffo [00:06:21]: Known exploited vulnerabilities.
Drew Bagley [00:06:22]: Known exploited vulnerabilities. When we, when we took, you know, vulnerabilities and we were looking at them kind of in a more theoretical setting and scoring them, practitioners did not find that to actually be helpful after a while because that was not what was actually most likely to wreak havoc, the most significant types of vulnerabilities or those that they would want to prioritize. So then that’s where I think that for any sort of system we’re looking at, and I know, for example, you know, CISA has VINCE.
Drew Bagley [00:06:53]: And so as we, as we look at different existing systems, the benefit to that is you already have lots of organizations that through APIs have already built, either ingest or even the way they’re feeding vulnerabilities back into the system around those systems, communicating with those systems. So I think it’s easier to really update those systems than start from scratch. So that’s one thing. But I think we should be thinking about how do we figure out and help practitioners at machine speed know what is a priority and that’s what’s actually known to be exploited. Now I’m sure we’ll get into that a bit. What’s known to be exploited is kind of thrown on its head. But I think just conceptually that’s really important because we could have all kinds of theoretical vulnerabilities and it could be a vulnerability that could be really, really bad. But those devices are no longer out in the wild anymore, right?
Frank Cilluffo [00:07:44]: Exactly, exactly. And you brought up the KEV list, the known exploited vulnerabilities and CVEs, generally speaking. Our systems are built for a different time though, right? How are we, as far as I know, there are about 1,500 known exploits on the KEV list. That’s going to be quadrupled overnight.
Drew Bagley [00:08:06]: Yeah, we should, we should assume that the volume is going to jump, and so-
Frank Cilluffo [00:08:10]: Exponentially.
Drew Bagley [00:08:11]: Exponentially, and there’s, so there’s even an ingestion problem in and of itself from a, from a pipeline perspective that needs to be solved. There’s the issue of duplicates that we deal with today. And imagine how many of those duplicates are going to occur. So, so there’s all of those. But also-
Frank Cilluffo [00:08:26]: And I want to explain that in a second, but sorry.
Drew Bagley [00:08:29]: There’s always been a lag time between when a vulnerability has been discovered and then when it gets patched, even by those who are actually able to do the patching. So now that delta, we can assume, is going to grow drastically unless there really is a mindset shift. And that’s where there needs to be this notion of instead of thinking about patching on these long timelines, think about it as continuous discovery of vulnerabilities and continuous patching. And that cycle needs to just be sped up.
Frank Cilluffo [00:09:03]: And just on that issue, I do want to sort of get to. Some people are saying this is all hype. I don’t believe that to be the case. But it’s somewhere in between, obviously. But the reality is, is with patching, that brings about its own challenges, doesn’t it? I mean, we don’t have a great track record as is, and that can bring about new vulnerabilities to one extent or another if they’re not, if we’re not careful. Correct?
Drew Bagley [00:09:31]: Correct. And that’s, that’s where I, I think that, a few things. One, I think defenders leveraging AI to do patching is going to be paramount to be able to operate at machine speed. But also I think it’s a losing strategy if the entire security posture of an organization is oriented around whether or not their vulnerabilities are patched. Right? There has to be mitigations in place. So we think about the kill chain and you can think about, you know, reconnaissance in the beginning, but then shortly thereafter you’re talking about discovery, discovery either of vulnerabilities or other ways in. Right? And an adversary can get in the front door with legitimate credentials.
Drew Bagley [00:10:06]: And lots of what we see today with infiltrations happens that way through the back door with vulnerabilities and writing exploits. And that’s certainly changing. But then once they’re in, it’s not game over. Right? So that’s where it’s important to have that visibility throughout the entire kill chain and the means to stop adversaries every step of the way. So even if an adversary successfully finds a vulnerability, gets into an organization, they shouldn’t be able to move laterally throughout the network, exfiltrate data, etc. And that’s something where that’s paramount to be part of a security strategy.
Frank Cilluffo [00:10:37]: Do you think the kill chain, the framework, is durable? Will it survive? The way we are thinking about it now, does that survive? I think most of it is pretty timeless, but I’d just be curious what your thoughts are.
Drew Bagley [00:10:51]: I think that the kill chain framing is really the right one. I mean, I think obviously we always think about different ways that adversaries can infiltrate, different tactics they can use. But conceptually, I really think that’s the right way to think about this, is that it’s not game over just because an adversary breached a perimeter. We used to think about the perimeter in terms of the network, and that went away a very long time ago. And then maybe now people are thinking about perimeter in terms of the code itself. But similarly, the fact that a large language model might be good at analyzing static code and finding ways in is not the full story of how to defend your enterprise.
Frank Cilluffo [00:11:31]: So I clearly don’t have all the details here, but speaking to folks who have had access to Mythos and the like, there are some very new zero days that are being discovered, but a lot are known vulnerabilities. But I think, and you explain this to me in a very articulate way, in a way that I cannot really articulate it, but just because it’s a known vulnerability, there’s a second, third, fourth, fifth, sixth order effect because they’re building off of one another, piggybacking one another, combining, merging, converging. Explain that to our audience here, because I really like the way you frame that.
Drew Bagley [00:12:10]: Sure. I think that the way that we’re able to think about this now is that there’s an exploit stack. So previously we would think about an ad hoc exploit, or rather an ad hoc vulnerability being found and then an exploit being written specifically for that vulnerability. Then when we would think about which vulnerabilities mattered and which ones didn’t, oftentimes vulnerabilities that required local access were not as prioritized as those that permitted an attacker to have remote access. Today, it is much easier, through the use of these models, to figure out how to actually leverage a vulnerability that requires local access by pairing it up with a few other vulnerabilities. That eventually might allow for remote access. So that’s where you have this stack where essentially once you get the vulnerability with remote access, write the exploit for that, you’re in. And then to move laterally, you’re leveraging other vulnerabilities and having the exploits.
Drew Bagley [00:13:15]: And so if you can find all of those in unison, figure out how to make sense of them, and write an exploit that allows you to exploit all of those vulnerabilities, that’s where you fundamentally have that exploit stack. And by having that exploit stack, that means that previously latent vulnerabilities that may have provided some degree of, maybe there was security through obscurity, that’s no longer the case. And now those are exploitable.
Frank Cilluffo [00:13:39]: Well said. And we both have affiliations with SEC schools and, a Gator, so we both have new football coaches, but blocking and tackling matters, right? It’s not just the five star quarterback or running back. You got to hold the line. Right? And that’s sort of where we are here. We’ve got to be able to win games, but we also have to do the basics and do it well. Yes?
Drew Bagley [00:14:04]: Yes, absolutely. That’s 100% right.
Frank Cilluffo [00:14:07]: And at scale.
Drew Bagley [00:14:10]: And at scale. And, boy, do I wish I had AI when I was buying football tickets decades ago.
Frank Cilluffo [00:14:13]: You and me both. You and me both. So how, how does, so you have a number of clients and I’m not gonna ask you obviously to talk about specific clients here, but how do you tell them to prioritize, if everything’s on fire, nothing’s on fire, how should they go about prioritizing their work? And one of the concerns I have here around, and I think Anthropic’s been very responsible in terms of how they’ve handled this, but not a whole lot of critical infrastructure owner operators. If the lights aren’t on, if the banks aren’t working, if we can’t get gas and we can’t get water, kind of game over. So how do we, first question is how do we prioritize? And then how do we bring our critical infrastructure owner operators in?
Drew Bagley [00:14:57]: Sure, for prioritizing, I think the key is really prioritizing mitigation itself. Making sure you have security throughout your entire stack and have visibility throughout your entire stack. Because if you don’t have visibility and you can’t see the risk, then you can’t mitigate the risk. So that’s fundamentally important. And then when you’re looking at actually finding vulnerabilities and patching them, that now has to be thought of as a continuous process. So that’s something where initiatives like what we’ve launched with Quiltworx are really important, where you’re continuously finding them, continuously having the means to patch them, that’s really, really important. But then again, that model where you think about discovery and patching as some sort of separate thing, that’s, that’s going to be your end all, be all of a security program for organizations centered on that, they’re then, to use your football analogy, going to miss when you’re able to actually break free and run that touchdown still because nobody was watching you. Right?
Frank Cilluffo [00:15:56]: Exactly, exactly. And that is I think a good analogy. What do you think about critical infrastructure owner operators? And to me it makes sense. You prioritize, firstly, they can’t patch at the same speed. Sometimes they can’t take systems down to be able to patch or remediate or just, just that from a timing standpoint. And then you’ve got the whole OT set of issues which sometimes are legacy systems that have been around for decades. How do we get to that community?
Drew Bagley [00:16:29]: Yeah, I think it’s fundamental there to think about their challenges as being often very distinct from well funded enterprises. And a lot of that has to do with they have hardware that often is not patchable, that will be used for decades. And so a lot of them could literally be dealing with logic controllers from the 1990s today.
Frank Cilluffo [00:16:56]: But some of them are netted with IIoT devices.
Drew Bagley [00:16:58]: Yeah, and that’s where there has been a lot of security through obscurity. And that might not be the same because you had devices that weren’t intended to be put online. They are online, they’re exploitable. And so for one you can absolutely get visibility still from those devices. And that’s something where when we’ve talked in the past even about Chinese pre-positioning and routers and everything else, in unmanaged devices, we think about oh well, you can still extract data from there that’s relevant for visibility. You can put that in a next-gen SIEM. But fundamentally if we’re thinking about how do you actually mitigate and patch here, it’s really about resourcing. So you could have a special remediation program which would need to be funded and really prioritize critical infrastructure as part of that.
Drew Bagley [00:17:42]: Some critical infrastructure might be well resourced and it’s really a matter of making sure that they’re following best practices, doing this sort of thing, deprecating anything that isn’t patchable anymore. But for others it might be a matter of making sure that there’s funding for some sort of special remediation program that could be spearheaded by the federal government to do so.
Frank Cilluffo [00:18:04]: Awesome, awesome. And I think we’ve had a conversation, the R word, resilience, didn’t come up yet. Thoughts around that? Because ultimately I think it’s a fool’s errand to think we can, just like in the counterterrorism environment, we’re not going to stop everything everywhere, all the time, from every perpetrator and every modality of attack. But you better be able to not only bounce back, hopefully bounce forward. What are your thoughts there?
Drew Bagley [00:18:31]: Yeah, absolutely. I mean I think it’s-
Frank Cilluffo [00:18:32]: And how AI can help turbocharge that.
Drew Bagley [00:18:35]: And I think that’s something where it’s important to think about that with the concept of resilience and having a quick recovery, not having something be an existential threat. So that’s where it’s important to build redundancy and really plan around it. So a lot of what organizations do is really traditionally do tabletop exercises, prepare for the worst. But I think here too, when we’re thinking about critical infrastructure, if there is a heavy dependency on a single system and that system is one of these systems where they’re unpatchable, it’s really important to think about how to modernize in a way where there is built in redundancy through the form of other systems, through the form of being able to actually get even incident response very, very quickly. So a lot of organizations, what they’ll do is they’ll prepare for an incident beforehand by ensuring they already have an incident response organization that they’re partnering with ahead of time, have a retainer in place. I think that’s really important. When we think about critical infrastructure, whether that’s going to be resourcing coming from the federal government, coming from local authorities, coming from the private sector, to have all of those partners lined up ahead of time and know which ghostbusters you’re going to call when-
Frank Cilluffo [00:19:49]: Including lawyers, right?
Drew Bagley [00:19:51]: Including lawyers, yeah.
Frank Cilluffo [00:19:52]: You need that too.
Drew Bagley [00:19:53]: But you got to build that out in advance in addition to figuring out how your system architecture is as resilient as possible.
Frank Cilluffo [00:19:58]: Well said. And I think that is important irrespective of the moment we’re in right now that we ought to be thinking about that before the balloon goes up, before the bomb goes off, whatever terminology. Let me ask a different question, and it’s sort of looking at the public private partnership as we know it. We always, I’ve been a little dismissive, long on nouns, short on verbs. Everyone talks about it, but we don’t always see it in practice. I think that that partnership is shifting a little bit. It’s no longer government lead, private sector follow.
Frank Cilluffo [00:20:38]: I think in this case, who holds the cards, it’s not necessarily government. So how do you think that changes?
Drew Bagley [00:20:46]: Sure.
Frank Cilluffo [00:20:46]: From a policy standpoint? And you are also an adjunct faculty member at AU. I’m sure this comes up in your question.
Drew Bagley [00:20:54]: Yeah, absolutely. I think even if I back up a little bit, in recent years, there’s been a lot of focus on public private collaboration. And so if we-
Frank Cilluffo [00:21:03]: Operational collaboration.
Drew Bagley [00:21:04]: Operational collaboration. So if we even think about some of our recent testimony a couple months ago where we were sitting together-
Frank Cilluffo [00:21:10]: We were both advocates for that.
Drew Bagley [00:21:12]: Yeah. We were thinking about this notion that obviously government’s going to have inherent authorities that are and should be only for the government. But the private sector is actually going to bring a lot of the threat intelligence, the capabilities and whatnot. So there’s absolutely always an organizing role, I think for government in many ways.
Frank Cilluffo [00:21:31]: And galvanizing.
Drew Bagley [00:21:32]: And galvanizing, using the bully pulpit to draw attention to matters and all of that. And so can think about that with potential takedowns of adversary infrastructure and whatnot. But if you, if you think about this moment now, it’s really the private sector that are the innovators.
Frank Cilluffo [00:21:45]: Yep.
Drew Bagley [00:21:46]: The private sector that are going to provide the, the means for discovering vulnerabilities or patching vulnerabilities, but also the private sector that’s going to provide the means for that further risk mitigation and defending infrastructure in a world that is going to be a lot different than, you know, the world from the past few years.
Frank Cilluffo [00:22:05]: You can wish it all you want.
Drew Bagley [00:22:07]: Rather than government. Yeah, that, that’s fundamentally clear. So I think it’s really important actually with government to really be prioritizing how do you bring that same technology to critical infrastructure? How do you actually bring that to modernizing government? That’s where I think it’s really important. Where in government you could look at how government could be deprecating technologies that they’re using that aren’t patchable, programs that are no longer managed anymore. Well, why are you still using that technology if it’s not patchable, if no one’s managing it? And that’s where I think it’s actually government leveraging the best of private sector technologies, understanding what works and then being able to resource that for those who can’t access those technologies as easily. I think that’s really important.
Frank Cilluffo [00:22:52]: Very thoughtful response there. And modernizing government is another, become a bit of a cliche, but in this case, if we don’t get it right, we’re overtaken by events, right?
Drew Bagley [00:23:03]: Yeah, absolutely.
Frank Cilluffo [00:23:04]: And I do think there are unique capabilities and responsibilities that only a government has. In our case, probably the most capable in many ways. But I would also argue that there is a responsibility for the next Anthropic that pops with the next LLM, with the next frontier model, and I just don’t know how we get our arms around that. But time will tell, I think. You know, you’re speaking to a lot of members of Congress, lawmakers, you’re speaking to a lot of executives. What’s the one thing they should be thinking about right now in this moment? Is it the same as business as usual, or is it something new?
Drew Bagley [00:23:48]: I think fundamentally we should use this moment to galvanize people to think about cybersecurity holistically. So rather than just thinking about this notion of scaled vulnerability discovery and hopefully scaled patching, that we actually think about this holistically, of, oh, this is a wake-up call that we need to make sure that we’re thinking about the security of our critical infrastructure, the security of our enterprises holistically. I also think fundamentally it’s important to not be myopic. If we only think about the vulnerability and patching situation, even if that was completely solved, it’s important to remember that today adversaries are oftentimes actually using legitimate credentials to log in to organizations. It’s important to think about the ways in which AI has been incorporated over the past two years especially in organizations to get work done better, but in ways that have often been unmanaged, where AI has access to things you wouldn’t give an intern access to. So all of a sudden you have all these agents that have access to all these systems. So whether you’re talking about an accident, an insider threat, or an adversary getting into an organization and then leveraging the tools that are already on the inside. It was bad enough when we worry about adversaries leveraging PowerShell and living off the land while adversaries can leverage all of those agents.
Drew Bagley [00:25:12]: And so that’s really important to be thinking about securing the AI agents themselves as part of this moment.
Frank Cilluffo [00:25:18]: That’s a really, I hadn’t thought about it in those terms, but in a way, the agents themselves are like an insider threat. So, so it’s a foreign counterintelligence issue as well as a security issue. Right?
Drew Bagley [00:25:28]: And you have to have visibility into those agents.
Frank Cilluffo [00:25:31]: And you need visibility, and you need to know how they’re behaving and that gets to the whole behavioral side, which is pretty interesting. So you brought up the, you didn’t bring it up verbatim, but governance guardrails, what else should companies be thinking and governments and others be thinking along these lines?
Drew Bagley [00:25:51]: Yeah, well, for many years we’ve, for, gosh, I guess probably a decade or so, we’ve tracked the increasing speed at which adversaries are able to infiltrate their first laptop or endpoint of whatever type and then move laterally throughout a network. And we talk about breakout time and how that’s gone down. We’ve then been thinking about this in terms of adversaries moving at machine speed. And so I think it’s important that if now we at least have these conversations in boardrooms about vulnerability discovery being at machine speed, people should be thinking that adversaries are going to move in every way at machine speed. And so defenders need to be moving at machine speed. That’s, that’s really important. And so-
Frank Cilluffo [00:26:32]: Easier said than done though. Right?
Drew Bagley [00:26:34]: Easier said, easier said than done. But I think that’s something that people should be thinking about. How do you do cybersecurity in an era of machine speed? And that really is AI powered cybersecurity. And that’s something where, you know, what’s, what’s going on now with vulnerability discovery, we’ve actually been talking about this for a while. We’ve, we’ve been talking about it since at least last year that these time frames are going to be compressed because of machine speed. Well, everybody should be thinking about everything with cybersecurity at machine speed. I think that’s really important.
Frank Cilluffo [00:27:04]: And where’s the human in the loop in all this?
Drew Bagley [00:27:06]: Yeah, I think it’s fundamental that the human is the orchestrator. Human is the orchestrator of your security program. If you’re thinking about-
Frank Cilluffo [00:27:15]: Can’t just outsource it.
Drew Bagley [00:27:16]: Yeah, you can’t just outsource that decision making. Whereas the tasking that is repeatable, the tasking that is something that is really just a series of queries and then taking certain remedial actions, that’s something that absolutely should be automated in the same way you would want to automate anything else, but a human’s making the decision to doing that. And so as part of that, it’s important for a human to understand what actions are going to be done and what that outcome’s going to be and to be able to see an audit log of those steps in between. So that’s, that’s really fundamental.
Frank Cilluffo [00:27:49]: So let me ask, and I’ve asked this of many of our guests over the past year and a half, whether AI benefits red or blue, the attacker or the defender. I’m not going to lead the witness too much, but I do think the initiative remains with the attacker. That said, the defender can be a whole lot better if they utilize. Do you, do you think that Mythos and the next frontier models coming out provide a window for the attacker or the defender or both?
Drew Bagley [00:28:23]: I think absolutely, yeah, I think for both. Like any other time we’ve seen new innovation, we’ve seen adversaries rush to use it, and then we’ve seen defenders be able to leverage it, too. And this is no different. I think that what’s exciting is that defenders have been using AI for a very, very long time. Whereas adversaries-
Frank Cilluffo [00:28:43]: And CrowdStrike’s been on the front lines.
Drew Bagley [00:28:46]: Yeah. Since the beginning of our company, we’ve been AI native and cloud native, whereas adversaries using AI is much newer. So we’re absolutely going to see that. But the advantage that defenders have is the data. So take CrowdStrike, for instance. We process trillions of machine events per day. From that, we’re able to distinguish signal from noise and really see when there is adversary activity early on and stop it. And that’s something where defenders can really benefit from that. Defenders, day in, day out, across the entire industry, share best practices with each other.
Drew Bagley [00:29:21]: Technologies are naturally competitive, and that innovation is very good in the space where companies that specialize in defensive cybersecurity are competing against each other and trying to out-innovate each other. And so all of that is very, very good. And then trying to simplify things and put that simplicity at the fingertips of downstream defenders is really important.
Frank Cilluffo [00:29:40]: And penultimate question, and again, disagree with me here, but I very much believe to stay ahead, we need to be in that persistent engagement environment where we’re grappling consistently. You got to be a little bit on the offense to be able to do defense, and otherwise you’re not going to know what the TTPs or the adversary are. Do you agree with that? And are we going to see AI agents do that for us, that it’s going to be like Krav Maga, whatever, whatever martial art or boxing or what does that look like?
Drew Bagley [00:30:16]: Yeah, I mean, I think that-
Frank Cilluffo [00:30:18]: And disagree with that point if you, if you, if you do. But I feel like that’s the only way we can get ahead.
Drew Bagley [00:30:24]: Yeah, I think if we look at the national cybersecurity strategy and we look at raising the cost for the adversary, that’s fundamentally important.
Frank Cilluffo [00:30:31]: Essential.
Drew Bagley [00:30:32]: And part of that is making it so that they can’t use the same infrastructure over and over again. That infrastructure should have some sort of cost to it and be burned after an adversary successfully used some infrastructure.
Frank Cilluffo [00:30:43]: So you think shadow servers are going to be a thing of the past now?
Drew Bagley [00:30:44]: So I think that, to answer the first part of your question about, you know, will AI be used to do some of those takedowns and disruption? I think absolutely. I think fundamentally, though, you know, it’s, it’s always going to be a situation where adversaries are going to innovate and keep getting in, and defenders have to, you know, be even better, you know, to use a-
Frank Cilluffo [00:31:10]: But that means you have to grapple, right? You have to be in the ring.
Drew Bagley [00:31:13]: You have to be, yeah, you have to be in the ring.
Frank Cilluffo [00:31:15]: Not just absorb.
Drew Bagley [00:31:16]: Yeah, not just absorb. I mean, you have to basically, you know, to, to use one of my favorite Christmas movies, Home Alone. You know, you think about Kevin-
Frank Cilluffo [00:31:25]: That’s a must in our house too.
Drew Bagley [00:31:26]: You know, they, so the fact that they, they think they can get in through an open window, the burglars, Harry and Marv, you know, that that doesn’t allow them to achieve victory or to go in through the front door or the back door. Right? So Kevin time and time again has defenses set up to block against them getting in, and then also, you know, is able to stop them even after they’re successful and persistent with getting through those defenses.
Frank Cilluffo [00:31:50]: Well said. I, I’ve never heard a Home Alone analogy on cyber. I love it.
Drew Bagley [00:31:52]: And then the government helps at the end when the cops finally show up.
Frank Cilluffo [00:31:55]: Exactly, exactly. You know, you unpacked so much here. There is so much more we could discuss. Let me ask, what questions didn’t I ask that I should have?
Drew Bagley [00:32:05]: I think you probably should have asked, where do we see things going? But since you didn’t, I don’t have to say it and I don’t have to answer it, right?
Frank Cilluffo [00:32:15]: No, where are we going? No, seriously.
Drew Bagley [00:32:18]: So I think where we’re going is we should project out that all of these things, that right now we maybe have some transparency. Right? The fact that boardrooms are talking about specific AI models and asking those questions, we should assume, like so many other technological things, that in a few years those things will just disappear into the tech stack. Right? You don’t have board members maybe asking the same exact questions about Internet connectivity they were probably asking about in the 90s when it was a lot harder to get online and people were thinking about modems and all that stuff. Right? The DNS itself disappeared into the tech stack. So we can expect this stuff will disappear into the tech stack.
Drew Bagley [00:33:01]: That doesn’t mean the problems themselves are, but that just means that this is an interesting moment where we have light shed on very technical things that in just a few years will disappear into the tech stack. So we’re going to have to be thinking about that and thinking about how much more commonplace all these things will be too. Sounds novel now, there is some disruption now. These things will not be novel in a few years. And that’s where we have to really, really be baking in that resilience, baking in that AI powered defensive cybersecurity, and then be thinking about this very holistically, not myopically.
Frank Cilluffo [00:33:32]: Drew, really well said. In the words of the late, great Yogi Berra, the future ain’t what it used to be. The best way to predict it, though, is to shape it and keep shaping. So thank you for spending so much time with us today.
Drew Bagley [00:33:44]: Thanks for having me.
Frank Cilluffo [00:33:45]: Thank you for your insights and keep fighting the good fight.
Drew Bagley [00:33:48]: All right, thank you so much.
Frank Cilluffo [00:33:49]: Let me leave you with a token of our appreciation, figuratively and literally.
Drew Bagley [00:33:53]: Oh, I appreciate it. Thank you so much.
Frank Cilluffo [00:33:55]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.