Episode 15 - The Right Eyes: Mythos, and the Future of Vulnerability Discovery
Guest Speaker: Greg Bell
May 21, 2026


About the episode

The emergence of advanced large language models like Anthropic's Mythos represents an epochal shift in cybersecurity, fundamentally altering how zero-day vulnerabilities are surfaced and remediated. In this episode, host Richard Bejtlich sits down with Corelight Co-founder Greg Bell to analyze the security implications of this AI-driven bug explosion, highlighting recent AI-assisted vulnerability discoveries across infrastructure mainstays like FreeBSD and Firefox. Together, they challenge the classic open-source maxim that "with enough eyes, all bugs are shallow," arguing instead that the arrival of the right automated eyes exposes an overwhelming pool of latent software flaws. Moving beyond the immediate operational chaos, Richard and Greg discuss the economics of declining token costs, the critical survival need for an assume-breach mentality, and how Corelight’s new agentic triage capabilities help defenders automate mind-numbing log review to achieve a resilient, human-led cybersecurity equilibrium.

Episode transcript


Welcome to Corelight Defenders. I'm Richard Bejtlich, strategist and author in residence at Corelight. In each episode, we explore insights from the front lines of NDR, network detection and response.

Today, I'm pleased to speak with Greg Bell, co-founder and chief strategy officer at Corelight. Welcome back to the podcast, Greg.

Hi, Richard. It's a pleasure to be back. Thank you.

I'm glad you're back. We have a great topic today. We're going to discuss Mythos, but I think it's less about Mythos specifically, and more about what a Mythos capability means for security. Is that a, is that a way you might frame this discussion also?

I think that's right. If we thought Mythos would be the only model capable of doing what it's been described as being able to do, we could say the topic is all about Mythos, but I think it just represents an epoch in the development of language models, and other models will catch up, and probably in the future exceed the capabilities of Mythos. So we need to be thinking about that a little more structurally, not just in terms of one model.

Yeah. I, I think Mythos has been a good catalyst for high-level discussion of this. You've seen the Treasury Secretary hosting a meeting to discuss this with financial leaders.

Uh, I know in the financial sector, that's one of the three sectors that's gotten access to Mythos as a model. Um, I know someone who has been using it, and they have been shocked by how good it is. And what's tough about this is that there are NDAs in place, and so the people who are saying this is just a marketing ploy by Anthropic, it's tough to come back and say, "No, that's not necessarily the case." Just to sort of give some more context around this, I track the FreeBSD project. It's an operating system that I've been using for, for many decades, and the security officer at FreeBSD, Colin Percival, he announced that six of the eight vulnerabilities that were released for FreeBSD in the month of April were discovered by AI or heavy AI assist. And of those, uh, two were found by Nicholas Carlini at Anthropic using Claude, and Carlini has several other vulnerabilities coming out, most likely discovered by Mythos, but they're going through the vu- the, uh, responsible disclosure process on that. Uh, three more were found by Isle Research, so those-- that's another group that uses AI models. And, uh, then there's another one that was found by Calif.io. So you don't need just Mythos to do this, and I think that's probably the more important aspect of this conversation, huh?

It's a great point. Uh, that pattern that you just described of, uh, human experts utilizing Mythos or similar models in order to accelerate their work and create greater insight is probably the pattern we'll see more often than a, a purely Mythos-disclosed bug.

And I hadn't tracked those statistics for FreeBSD, but I'm interested in them because I too used to be a FreeBSD admin, so it's a project near and dear to my heart, and, you know, to the heart of our Zeek, uh, project as well.

One of the key aspects of open source security is this idea that with enough eyes, all bugs are shallow. And I think there's two ways to look at that. One way, this was my initial take, was to show that's not true at all. It's, it's not true. We've had eyes on certain projects, many projects, for, for decades now, and yet, now we're discovering these vulnerabilities. So there's been this question of whether there are tons of bugs out there. Are there only a few? It appears to be that there are tons of bugs. But the other way I think you could look at, look at this is to say, with the right eyes, all bugs are shallow. If the right eyes are now AI or AI-assisted humans, that is a more, uh, positive message, I think.

Yeah, I think that's probably the right message with the caveat, and the important caveat, that the eyes seem to be getting better over time.

So the, the fundamental question, I think, or one of the fundamental questions raised is whether there is an inexhaustible set of future vulnerabilities to be discovered with better and better eyes, or actually if we're, we're beginning to climb down a slope, and we'll sort of exhaust the set of vulnerabilities.

A, uh, key document in that debate, I think, was the recent Mozilla blog post where they described patching two hundred and seventy-one vulnerabilities in Firefox, and also expressed optimism in the second scenario, that the bugs are finite, and we'll get to the bottom of the, of the pool. I don't know about that. I don't, I don't think I have the right insight and information, and maybe nobody does, to really say what the right answer is, but it's a critical question.

I've noticed some of the criticisms of that. Uh, there's a few people that I saw really pick apart or try to pick apart that argument. They think they picked it apart. I don't think they were as effective as, as they might have thought. And the reason is, apparently, many of those bugs required getting around or disabling some of the other protections in the, in the, in the code base in Firefox.

Mm-hmm.

I think in any other discussion, if you had brought those bugs up, it still would've been devastating because what that means is if you do figure out a way to get around that sandbox or whatever, you have hundreds of bugs waiting. So it's not great to say, "Well, this other mitigation would've taken care of it," because, okay, well, that mitigation falls, and suddenly the, you know, the whole, the whole house comes down.

Yeah, I think that's right. It, it raises the important point that not all the bugs are equal, and some are exploitable in some circumstances, and some are other. But, um, the fact remains two hundred and seventy-one were found that hadn't been seen by anyone, by human eyes or, or, uh, language model eyes before, and that is a really material fact, and it's sobering, and we need to prepare for the implications of it.

You mentioned an important point just now.

If the number of bugs is exhaustible, and I don't necessarily need to think that the, the number of bugs is exhaustible if it can be too expensive. So that's another- Mm-hmm ... uh, criticism we're seeing, is that it's costing a lot of money to find these bugs.

I mean, uh, in some cases, tens of thousands of dollars, and I think we sh- we can expand on just the cost aspect in a moment. But-Could, could we get to the point where it is beyond most organizations, let, let's say most intruders' capabilities to spend money on these bugs? And so in that sense, for them, it would be exhaustible 'cause they just can't get to that point. Now, that takes out... Or there would still be nation state funded and probably well-resourced criminal groups who would be willing to spend hundreds of thousands, possibly millions of dollars on individual bugs.

I mean, the way that they used to do it back a couple decades when I was involved in a, a group that did that, you had a contract, and you were paid, you know, big defense dollars to find these exploits to accomplish these national missions. So that might be another way to look at it, is to say, well, can we get to the point where finding these bugs for the average person out there who's just trying to, you know, the, the modern-day script kiddie type attack, it's just not possible for them to find them 'cause it would cost so much in compute.

I do think token costs, which-- well, which it should be said token costs are declining rapidly over time too, but probably they'll always be fairly expensive for the leading, leading-edge models. And that will set a, an economic disincentive around for c- for certain classes of attackers around finding the bugs. And also, it's important to remember that attackers have been very successful without zero days in the past, continue to be every day. So it's not the only, um, means of access. But, but it's true that token costs are another variable in this complex, uh, equation of, of many, many variables to consider when we're trying to figure out what the implications of mytho- Mythos will be going forward.

Yes. Okay. You brought up something that is so important. I was talking about this with my wife, uh, yesterday when we were doing our walk, and sh- she works in cybersecurity also. And we, we talked about how you could get rid of every software vulnerability in the world, and organizations would still be compromised. There's misconfiguration, there's insider threat, there's someone who is tricked into doing something that they didn't know was, was bad, but they did it. There's, there's so many ways to compromise a, you know, quote-unquote, "completely secure system."

Absolutely true, and social engineering is just so generally effective, so devious, and so unlikely to become a solved problem in the future that that alone represents a really big, difficult-to-control risk surface. So it's yet another consideration when we try to figure out what the impact of Mythos is for the organizations that we defend, uh, with finite budgets and finite staffing going forward.

I was thinking about the rise of the North Korean IT worker and getting into organizations.

They weren't doing that because that's easy or cheap. They were doing it because i- in my opinion, uh, the way I, the way I analyzed the situation, it was cheaper to do that and more effective to do that than to go in through a digital network exploitation method. So back when I was the director of incident response at General Electric, I would tell the chief of physical security, Frank Taylor, I said, "General Taylor, my goal is to make the security problem your problem." Because if it's so hard to get into the network, then they'll go to a physical solution. They'll, they'll do close access operations, they'll try to steal laptops from people at a hotel. They'll do all of that, and that is i- in many ways, a much easier problem to deal with because you can have surveillance, um, you can have... Uh, it's difficult to, y- you know, enter and leave the country if you're a foreign national and you have an intelligence, uh, organization who's, who's watching for this sort of thing. So Mythos, may- might make it cheaper now to go back towards attacking software because we're discovering that software has vulnerabilities again.

Exactly. There's always a way in. Some walls are higher than others, and a low wall can always be scaled. The Mythos moment, uh, puts a spotlight on this particular wall, and it seems to be lower than we believed it had been in the past and, and that's why it's so interesting at the moment.

And I, I do think most organizations are taking the risk pretty seriously. Most of them that I'm talking to are doing stress testing and table topping and, and trying to imagine what it would mean if their pipeline of vulnerabilities suddenly expanded by a factor of ten. How would they staff for that? How would they prioritize? How would they communicate? It's, it's led to a lot of internal analysis and discussion in, within, among our customers and in our company as well.

When we first, the two of us started talking about this a few weeks ago, we talked about how this reminded us, as people who have been in the field for, you know, a while now, it reminded us of the situation in the 1990s where it was generally not possible to run a secure, and again, secure in quotes, infrastructure. You could not run a mail server or a web server or whatever, es- especially something that's, something like that that is exposed to the internet, without getting it hacked at some point. The software s- uh, security industry was not really in existence.

Secure coding was not a practice as it is now. Um, you didn't have people who were, who were advancing that as a discipline, or we didn't have the tools. The patching infrastructure wasn't there. Many times the vendor support wasn't there. So it was tough to, to operate in that environment, and that sounds a lot like potentially today.

So what did we have to do? We had to turn to watching our stuff to see if it was compromised. And a lot of people didn't do that. They sort of buried their heads in the sand and said, "Oh, well, this won't happen to me." But other people invested in detection and response, and that's, that is the environment in which Zeek was born, as, as one example. Does, does any of that resonate with you?

It does. It's just like a flashback to my earliest days working at Lawrence Berkeley National Lab before the advent of endpoint detection and other technologies we really take for granted now. That was an environment with lots of embedded systems, probably tens of thousands, that were effectively unpatchable, certainly couldn't be monitored. And they were doing valuable mission science work, data acquisition, and computational work. And the way to defend them was to gather real-time data, watch very carefully, and understand their behavior and the mechanisms of attacks that did happen. And that's exactly the environment that gave rise to Zeek, the software that we're commercializing here at Corelight.

So it feels like we've come full circle. It's, it's a strange... If you're not, if, if you don't l-live and work in the world of cybersecurity, it's a little strange to take that assume breach, um, position.

But i-in some ways when I think about it, it's the, it's the way our bodies work in the world too. We can't perfectly defend ourselves from every bacteria and every virus, but we have a good immune system that monitors what's happening and responds in real time. And that's the sort of system that, uh, the most sophisticated organizations have been building for years. They rely on that system for gathering real-time data, processing, making sense of it, using it to drive prioritized responses.

And it seems to me that Mythos really underlines the importance of those systems, uh, going forward into the future.

Yeah. And you touch on a point there that I think is important as well. Thankfully now, we can use these systems for defense, and we don't have to do it all manually. Uh, uh, people will probably not believe this, but it's absolutely true. When I was at the-- in the Air Force, at the Air Force Computer Emergency Response Team, we had two teams, batch and real-time, and at one point I was in charge of the real-time group, and we had another captain in charge of the batch group. The job of the batch group, and I kid you not, was to look at every single connection that was human text into and out of every Air Force base every day. So we had, we had full content, uh, transcripts of every web session, every Telnet session, FTP session or whatever, and we had human analysts who were assigned to different bases, so they had a p- a sense of what the base normal activity looked like, and they looked at every single connection. And that was how we found some of our most interesting intrusions, because someone would look at a Telnet session or they'd look at an FTP session and say, "I know this user. This is not how they act normally as, as this user." And sometimes it was obvious, right? You're catting etcetera password or you're-- whatever it is. But they would say, "Something is off about this." And they would call the user and they'd say, "I'm not actually working this week. I'm on vacation, so somebody was using my account." The fact that we can use these AI tools now to automate so many of those really mind-numbing activities, I think is a real benefit for the defender.

Our security culture is a little suspicious, a little paranoid. It's just an occupational hazard, and there's been some understandable resistance and, and around trust, especially towards AI automation. This just seems like one of those areas that cries out for language models, uh, to help humans just get away from work that is really burdensome and boring and, and reserve their precious human brain cycles for analytical work that's at a, a different level.

Yeah, definitely. And this is one of the aspects of the, the new agentic triage function that we've released with Corelight that I really like. It's not simply an alert based on a signature with a high priority that was assigned by a programmer. It's, it gives you that, "We think this system is compromised," and then you can drill a layer down and say, "Well, here's how I made the decision."

And you can drill a layer down and say, "Here's all the related activity." And you can drill another layer down and see all the related activity. And if you wanna go even further, you can pivot in any direction that you like because we collect all this rich evidence. I think that's really giving defenders a chance to deal with this because you could imagine in a scenario where the defense is getting overwhelmed and you have to make a decision that, okay, we're, we're no longer at Defcon 5, we're down at Defcon 3 or maybe we're down at Defcon 2 or even 1, we're gonna start auto-containing, we're gonna start auto-remediating. Whatever you've decided previously with your, your customers, your business units, that under these situations, we're gonna start taking these activities.

I think that's another way to deal with, uh, this onslaught.

I've been really excited about that agentic triage feature as well, in part 'cause our customers are so excited. And I think the element that you described is really important.

We give defenders access to the underlying data that the models are using to make judgments so they can see, "Hey, do I agree that this data, um, leads to this conclusion?"

And we also have, I think, pretty thoughtfully created agentic roles within that system that are well-defined, that are well-bounded.

And so the agents know what they need to do. They have a lot of guidance in making their decisions, and we're not simply handing a bunch of logs and a problem in a one-shot, uh, query to a language model to get a response. It's much more nuanced than that, and I think the-- you can really see, see the, uh, care that's gone into the product and the results that we're getting.

I'm wondering if maybe we could s- conclude our conversation by talking about what does the future look like. Because I kind of... If you break this up into different, uh, eras, I think in the, in the short term, there's gonna be a lot of chaos. People are still trying to figure out what's going on. There's gonna be a lot of software discovered that has vulnerabilities. We saw with the Copyfail exploit that was released for Linux, every Linux distro, uh, or kernel version essentially since twenty seventeen has this vulnerability. Uh, bad disclosure, you know, they disclosed to this kernel security team, but it was out in public before the distros had a chance to get their patches out. So I think we're gonna have a lot of short-term chaos. And then over the medium term, I think there's gonna be this period where you're trying to get these models to look at code before it goes out to the world, just like what happened with Firefox one fifty.

Uh, but it's not gonna be uniform. But then hopefully in the long term, this will just be part of your CICD pipeline, regardless of what size your project is, because these models will hopefully be so ubiquitous that everybody can use them to check the q- the, uh, security of their code before it gets published. Does that sound reasonable, or am I too, too optimistic, or am I not... Am I-- Do I need to be pessimistic? What do you think?

I think you're right structurally, that there will be a period of disruption, and then a new equilibrium, and then ideally we incorporate everything we've learned and can learn from the new models into our pipelines. And the one caveat I might offer is that it's possible that periodically models will really develop step function increases in capability, so we could enter multiple phases of disruption followed by equilibrium in the future. And I, I don't know how that will shake out. I-- The world is not coming to an end. I've had fa-

I've had, uh, friends ask me how concerned they need to be about Mythos. Do they need to take money out of the bank? And I've told them, "Please do not do that. That's not the right answer."

But it will be a bumpy road, I think, for the rest of this year. We're beginning to see evidence of that before we settle into an equilibrium. I'm, I'm pretty confident we will settle into that equilibrium, but many things will need to change in terms of software development practices and, and cybersecurity defense practices in order for us to get to that new equilibrium.

Equilibrium is such a great term because it doesn't necessarily say it's good or bad. Because we could completely, and we're not-- This isn't gonna happen, I would assume, but we could completely solve the new code is secure, again, secure quotes, um, problem, but all of the legacy stuff that's out there, and as we talked about con- misconfiguration, insider threat, all of that is still gonna be an issue.

But if you at least can get to an equilibrium, you can say, "This is the, this is the situation. Here's how I'm going to handle it, and it is manageable."

I think that's exactly right, and it's one of the reasons cybersecurity is such a fascinating domain to work within because there are so many variables. There's technical complexity interacting with nation state complexity, criminal model complexity, sociology, psychology.

It's, it's everything all summed up together. And so it's a little too complex for any one human mind to model. But I do think we do reach these states of relative equilibrium from time to time, and we're, we're, we're leaving one now, and we'll get into another one in the future. But in the meantime, we need to work and think very hard about how to absorb the impacts and implications of these new models.

Well said. It, it reminds me, one of my, my two wise people, I can't remember if it was either Tony Sager or Dan Geer, but, uh, one of them said that, uh, he considered cybersecurity to be the most complex endeavor that we have, uh, embarked upon. I'm not quite sure if I believe that given we just thankfully returned four astronauts from a trip around the moon.

But, uh, it's, uh, it's definitely, definitely a challenge. And I'm glad you're able to, uh, join me today, Greg. I think, uh, this topic is one that we're all wrestling with, so I, I appreciate your views on the topic.

My pleasure. It's always great talking to you, Richard.

Thank you for joining us on the Network Defenders podcast sponsored by Corelight.

We will see you on the network. You've been listening to Corelight Defenders. To stay informed with expert intelligence on today's cybersecurity challenges, please subscribe to ensure you never miss an episode. We'll see you on the network.