EP 12: There is No Magic Wand for Cloud Security with Paul Mazzucco and Howie Xu


About This Episode

In this episode of the Cloud Currents podcast, host Matt Pacheco engages with two guests, Howie Xu and Paul Mazzucco, to talk about the transformative impact of artificial intelligence (AI) and machine learning on cloud computing and cybersecurity. Howie Xu, a trailblazer in cloud computing and AI applications, shares his extensive experience from his early days at VMware to his current work in AI for cybersecurity. He discusses the evolution of cloud infrastructure and the integration of AI in enhancing security measures. Paul Mazzucco, TierPoint’s Chief Information Security Officer (CISO), brings his expertise in IT security protocols and compliance, and discusses the development of advanced security policies and disaster recovery plans.

The conversation explores the dual nature of AI’s influence on cybersecurity, highlighting its potential to improve products and services while also acknowledging the increased sophistication and speed of attacks by malicious actors. Howie Xu emphasizes the role of generative AI in automating tasks and augmenting cybersecurity services, potentially addressing the industry’s talent shortage. Paul Mazzucco points out the challenges posed by offensive AI, which enables threat actors to learn and adapt quickly, necessitating advanced defensive strategies that leverage machine learning. Both guests agree that AI and machine learning are crucial in managing the vast number of security alerts and in prioritizing threats, thereby enhancing the ability to defend against the evolving landscape of cyber threats, including ransomware attacks that have become more personalized and contextually sophisticated.

Know the Guests

Howie Xu

VMware Networking Division

Howie Xu is a visionary in the tech industry, having founded VMware's networking division and grown it to a $4 billion revenue powerhouse, and served as CEO and Co-founder of TrustPath, successfully raising significant capital. His expertise also extends to cybersecurity, where as SVP of Engineering and ML/AI, he has played a pivotal role in advancing the field at the world's largest cybersecurity firm.

Know Your Host

Paul Mazzucco

Chief Information Security Officer (CISO)

As TierPoint’s Chief Information Security Officer, Paul Mazzucco is responsible for all corporate standards governing physical, information, and network security. He also leads the charge in acquiring and maintaining all industry-specific compliance certifications, including PCI, ISO, NIST, HIPAA, and federal security standards.

Transcript

00:01 - Introduction to Howie Xu and Paul Mazzucco

Matt Pacheco
Welcome to the Cloud Currents podcast, where we explore the innovative technologies and minds shaping the future of cloud computing. I'm Matt Pacheco, the head of content at TierPoint, and I help businesses understand and implement cloud, AI, and security solutions to improve their IT infrastructure and give them the competitive edge. This episode is going to dive deep into the transformative potential of AI and machine learning when applied to cloud architectures, automation, and cybersecurity paradigms. We'll discuss how these cutting-edge techniques can unlock new levels of cloud optimization, threat prevention, and simplify deployment models. Today we're joined by Howie Xu, a longtime technology visionary who has been at the forefront of virtualization, software-defined networking, and now generative AI breakthroughs. Howie's pioneering work at VMware in the early 2000s laid the foundations of cloud computing as we know it today. He has since founded multiple successful startups, leveraging applied AI for cybersecurity, and led those initiatives as the SVP of engineering and AI and ML at Palo Alto Networks.

We are also joined by Paul Mazzucco, TierPoint's chief information security officer. Paul oversees the TierPoint comprehensive security protocols and ensures compliance with key standards like PCI, ISO, HIPAA. With a rich background in IT security, including roles as a security entrepreneur and defense contractor, Paul has developed advanced security policies and disaster recovery plans across various industries. He's also played a pivotal role in transforming cobalt computers into a leading IBM integrator serving notable federal agencies. Paul's expertise and leadership in cybersecurity are extensive, to say the least. I want to welcome you both.

Howie Xu
Thank you, Matt. Thank you, Paul.

Paul Mazzucco
Thank you, Howie. I like it.

Matt Pacheco
Cool. So, Howie, tell me a little bit about yourself and what got you started in your career in cloud.

Howie Xu
Sure, I started in cloud before there was such a word as cloud. Like you mentioned in the intro, I was doing virtualization at VMware 20-some years ago. It's fair to say that cloud wouldn't have happened without virtualization because the physical machine was too much to do cloud. So you have to jam a lot of the workloads together on one physical machine. Oftentimes, not always. So I was one of the very early guys at VMware. I started a VMware networking team and did a software-defined network, and after VMware did other startups in software-defined network. And then I ran cloud networking at Cisco. So I've done a bunch of the cloud and the networking and the security stuff.

03:07 - AI and Machine Learning in Cloud and Cybersecurity

And then in the last decade or so, I've been doing a lot of the how to apply AI machine learning technology to the cloud, to the cybersecurity, to a variety of use cases. So that's pretty much my background. First 17 years or so doing cloud infrastructure, and the last nine years or so doing AI machine learning, but with the infrastructure security as the key use case.

Matt Pacheco
Excellent. And what are some of the biggest lessons you took from that foundational period that still resonate with you today about like approaching new domains like AI?

Howie Xu
Yeah. So one of the things that I love about generative AI, you know, everyone's talking about OpenAI foundation model, how much wonderful things it can do, you know, sure, I can do a lot of wonderful things. Right. You know, one of the things from my point of view is very much like, you know, the cloud and then the value of the virtualization. You probably wonder how and why, right? So if you think about the virtualization cloud, it is really about putting a lot of resources together. And from that point of view, from that point on, it's much easier for you to stand up a machine, stand up a workload, and then you can go things left and right. If you're kind of a managed individual machine individually, it's much tougher, right? So you centralize it first, you kind of are putting the resource together.

It's hard, but once you put it together, it's so easy to do the rest. And if you think about the latest breakthrough of the foundation model of the generative AI, it's actually very similar because you probably heard it would take months and months to train the OpenAI model, sometimes three months, six months or potentially longer. So to me it's kind of almost like putting the training resources together. From that point on, it's actually much easier. Relatively speaking, nothing is easy, but relatively speaking it's much easier for you to do individual AI tasks sometimes. For instance, I'll give a concrete example. In the past we do sentiment analysis. You would have a data engineer getting a lot of data together, label it and they have data service, the truth Turner model.

And eventually you have a sentiment analysis model and then you can do interesting things, right? But now you have the foundation model. It took, it would have taken months and months to build it. And then from to do sentiment analysis, it's actually only proper engineering. What gets you to do that, right? You can just pass them, pass the sentence over and say, hey, here's my definition of the positive and the negative. And then you tell me for the next 100,000 sentences, are they positive or negative? So to me it's kind of the pre-training or the AI foundation model is very much like you putting all the resources together. It's tough initially, but once you have done that, it's actually much easier to do the individual task, in this particular case, individual AI task or machine learning task, like sentiment analysis.

Matt Pacheco
Excellent. And we'll jump into exactly why we're here today for cybersecurity, cloud and AI. My first question about tying these things together is, how do we see AI impacting cybersecurity, AI and machine learning? What are the opportunities there for businesses to be using this technology?

Howie Xu
So I'm happy to take a lead on this. I would love to hear how, Paul, from a practitioner's point of view, what you think about it is this too, from my point of view, if you think about the cybersecurity industry, there is always, you know, half of that has to do with the product and half of that has to do with the services. When I say half, you know, roughly speaking, $200 billion industry revenue wise, and then $100 billion for firewall, SASE, trust, intrusion detection, you name it, and then another $100 billion for the security services. A lot of that is professional services. Some of that is not necessary. So to me, AI is going to help both.

We are going to have better products so that we can do the intrusion detection, we can do the data leakage prevention better, because now we can augment the model. As an example, in the past you train a DLP model, you may not have enough data points or the labeled data. Now you can use generative AI to generate labeled data. That's just one example. So I think the products will be enhanced here and there quite a bit. But another thing I'm quite excited to see this industry is going is that the AI is actually augmented the service side tremendously, depending on what number you are quoting. In the last ten years or so, there are always millions of jobs, cybersecurity professional jobs vacant worldwide, whether milli or 5 million.

I've seen number ranges at different ranges, but there are a lot of the shortage or a lot of vacancies. Hopefully, this time around, this generative AI is going to automate or help to automate a lot of the things that you would have to do otherwise manually. So that's the two categories of the areas that I see how AI and generative AI is going to help for cybersecurity. We can get into the details, but those are the two categories of things I'm seeing.

09:29 - AI in Practical Security

Matt Pacheco
Paul, what are your thoughts on that?

Paul Mazzucco
I'm glad that Howie mentioned product enhancements, because one of the things that we see from a practical security standpoint is that the rise of offensive AI has really given threat actors an advantage over traditional rule-based offensive protection. So using multiple machine learning algorithms, the attacks are now quickly learning your environment. They're adapting to new attack methodologies on the fly, and these hacking consortiums are now operating under an affiliate model, and they're very well funded. So having advances for defensive methodologies that don't just rely on threat signatures, but actually apply machine learning and autonomous orchestration is going to give companies like TierPoint and everybody who's looking at this defensive methodology a much higher chance to defend against the speed and scale that these modern attacks have now reached.

Howie Xu
I think at the same time, we all know that when you have a newer technology, the implication is for good guys and also for bad guys. I think fortunately, unfortunately, depending on which side you're looking at it, this technology can be used for the bad guys, so that their attacks or their way of penetrating into the enterprise or data center can be more sophisticated, faster. So it's kind of an interesting cat and mouse game. I do definitely see that it's actually, the game is more interesting for the good guys, more equipment, more technologies, but more sophisticated the bad guys out there.

Paul Mazzucco
And that sophistication comes at a very high price tag. So depending on the size of your enterprise, there's a spend involved with trying to keep up with what the threat actors who are again, very well funded, are putting towards their attack infrastructure.


11:36 - Unique Risks from Malicious AI Models

Matt Pacheco
Excellent. We're going to get more into that in a little bit. But I had a follow up question. So we asked about how cybersecurity, the critical domain for applying AI machine learning on the other side, what are some unique risks and potential attack vectors that malicious AI models could introduce to cloud environments?

Howie Xu
Yeah, I think a lot of that is just Paul and I both mentioned the sophistication level and the speed as an example. People will always come up with new ways of getting into you. Sometimes a phishing attack, spear phishing, but there is so much the bad guys can do. How fast, how sophisticated. For instance, if I want to trick you into giving me the credential, if I just write email, hey, log in. A lot of times people are not going to do that because people are educated enough. But if I write an email with sophistication, for instance, this is the promotion time. This is the annual performance review to it. I write you an email about this topic.

It's a topic that's dear to your heart and, you know, the time is coming, you know, that you're expecting to, you know, maybe getting a promotion letter, right? So, hey, Howie, John, you know, here's the letter. You have a lot more tendency to click or fill in your own corporate credentials into that link, right? Because you know that, hey, I'm expecting from my boss about, you know, am I getting promoted or what's my raise, right? In order for the bad guys to do something like that, they need a lot more sophistication, right? They need to study the company. They need to look into understanding. They may do a lot of research in the past. There's so much you can do about the research. I mean, bad guys always do go with the low hanging fruit.

Now with the GenAI, it's possible I can do some very sophisticated research at the tip of my finger. Just type a few things to ChatGPT, potentially, possibly, and then write up very sophisticated things that look so real. Another example would be supply chain attack. These days, a lot of people reference the supply chain. You have the bad things, bad code, the malicious code in the open source code or even in the proprietary code base. But how do you get into that? For the bad guys to get into that, they need to do sophisticated a lot of the study, research and in order to get into it, right? So the GenAI or the AI technology will help the bad guys to do that.

So I think we are going to see sophisticated attack at a much higher speed, higher velocity, more sophistication, right? Not, I don't think it's necessarily brand new. Brand new, you know, attack, you know, different from what we have seen in the past. But the velocity, the speed of generating those malicious content will be sped up.

Paul Mazzucco
I agree. I think when you think about the cloud and some of the security risks is that what used to be inside is now outside. Your attack vectors have greatly increased, sometimes exponentially increased. Having that much infrastructure with that many possible attack vectors. We see a lot of security practitioners that just get into alert overload. Like they're getting so many alerts and they're not sure how to prioritize. So one of the things that we're excited about AI and machine learning, is really to autonomously take those alerts, categorize those alerts, look at risk registers, do challenge responses, and break down what could be millions of attacks a day into an ecosystem and really give you a priority as to what is moving. Why is it moving? Where do you have gaps in your security model? And then once you've identified some of those gaps.

Really what we see across the cloud and when we get involved with client clouds is that they suffer from a misconfiguration. It's not uncommon, no matter how big the organization that they've deployed test labs and dev labs and they've deployed into the cloud as they've grown in the cloud. And we find when we go into do audits and security audits that a lot of these older accounts have just remained. They've been abandoned. Nobody's paying attention to what they're doing and why they're doing it. And yet they may still be on a similar network, they may still hold a similar email scheme. It doesn't take long for these AI models from the threat actors to realize, here's your email, here's how we attack you, and here are the ways that we're going to hit you.

Having those insecure layers and infrastructure using the AI in order to see those alerts and quickly act upon them is where we hope this industry finally settles on and we're moving there quickly.


16:51 - Ransomware Evolution and AI

Matt Pacheco
Excellent. A follow up question. We've talked about AI, and that's just one angle of this. I'm curious about ransomware and how that's changed over the last few years because there's ransomware as a service. There's other ways to get ransomware to the intended target. What are you seeing in both of your roles as far as an evolution of ransomware? Are they leveraging AI? What's going on in that realm of the world?

Howie Xu
Yeah, as kind of mentioned. Right. AI in particular, GenAI. The way I look at the GenAI is almost like you have a lot of the professional resources working for you or maybe working against you, if you are on the defending side. What happens is in the past, most of the bad guys on the security side, they are script kiddies, right? You know, they download the scripts and then they do a bunch of things. It's not like they know what is the vulnerability of the, you know, Windows. They actually sort of download the scripts and then figure out, you know, stitch things together. That's usually what people do. Right. You know, and with ransomware, the sim. Right. You know, you have to do a lot of the stitching things together.

You have to, you know, so from that point of view, you know, I do see that the generative AI playing the role of automation in the automated things faster. So again, as I mentioned, I don't necessarily, I would love to hear what Paul gets to see from the practitioner's side. But from my point of view, it's just things are going to be faster and the velocity is a different ballgame, is a different level. That's how I see it. Paul, what do you see?

Paul Mazzucco
We certainly see an acceleration based on the threat actors using AI and machine learning. About 80% plus of ransomware comes in through compromised credentials. Somebody gets an email, a phishing email, and as Howie said before, it's review time, it's time for your raise, notification or training or something that you think you're going to see from a trusted email source. Used to average about six months and a couple hundred hours worth of email testing to try and come up with scripts that were very human readable and that looked like they were generated from someone who actually had authority within an organization.

Now with AI, these affiliate groups can run millions of simulations in a couple hours, and it reports back to them that these four email chains or these email scripts are going to have the best chance of not only making it through a secure email gateway, but they're going to have the best chance on having somebody click on it. And unfortunately, as Howie said, give your credentials because it's something that human nature, we want to please somebody or we want that reward. So you have a lot higher chance through this AI automation for threat actors to make it through those gateways and to actually land in the mailbox. And that's stage one for a lot of the ransomware, as I said, about 80% plus.

Howie Xu
Yeah. Let me just add one thing to what process, which hopefully captured the gist of it. So what happens is in the past, you send a script, you send something, and then that's one size fits all, hopefully one of the victims will become the victim. But what happens now is with GenAI, it's a lot easier to do personalized, contextualized attack because the saving of all the research work you have to do all that kind of thing. So the personalization is a big deal when it comes to both the offense side and the defense side. So I think that's what's happening. A lot more personalized attack, a lot more personally contextualized, whether in the context of the malware, the ransomware, the phishing, a lot more contextualized.

Paul Mazzucco
I think you're right, and I think that context is again what plays on human behavior and gives you again, that much higher chance of actually getting a hit and having somebody click on that unfortunate email and enter credentials.


21:36 - Proactive Steps for Cybersecurity

Matt Pacheco
So we talked a lot about the threats and you got into a little bit of where I'm going, what are some proactive steps that companies can take to reduce the threats on their infrastructure and raise their cloud security posture. What are some steps they can take to improve their security posture?

Howie Xu
Well, one thing that has been true for the last two or three decades, it's never about one solution, one layer of defense. It's always about multi-layer defenses. And in the last few years, companies like Zscaler, Palo Alto Networks and many vendors started doing the zero trust architecture. That sort of thing is very important for the cloud. And in the context of the AI, I think people need to look at the AI-aware security products now, meaning that in the past, intrusion detection is about pattern match of certain things. Now you may need to be aware that this is actually GenAI solution. Not to say GenAI, the destination is good or the bad, but you need to be aware of that because there could be security, those kind of things. So essentially more AI-aware solutions, I think that's needed.

We have been talking about layers of defenses. This is almost, we need to add a few more layers of defenses. And unfortunately those solutions are kind of maturing. And.

Paul Mazzucco
That's what's happening on the application side. We see a lot of companies moving towards defensive products, as Howie said, that not only give you a good defense in depth, but we're moving away from the standard age-old signature-based protections. Signature-based protections now just don't keep up. You need to look for anomalies and you need to look for pattern differences in order to have a protection infrastructure that even has a remote chance of keeping up with the volume of attacks and the types of attacks that are being generated today by the modern threat actors.


25:49 - Magic Wand for Cybersecurity?

Matt Pacheco
Excellent. And that leads me to my next question. This one's a fun one. If you had a magic wand, what's the one massive change or investment you'd make to the cybersecurity ecosystem to set businesses up for success in all these turbulent landscapes.

Howie Xu
Magic wand. I want a few magic wands, but if I only have one magic wand, from my own point of view, the security is always about product, process and the people. If I have one magic wand, I want to stitch them together tighter, meaning that it's not just about better security products, it's also about better people awareness and better process and how to stitch them together. I think that's a challenge for a lot of the enterprises. That's part of the reason that I think there is a rise of the, I mean, cloud arise rose for a lot of reasons, but one of the reasons is look, security, at the end of the day, it's too hard.

Some people just say, hey, I just give the security protection to someone else so that they manage it, so that they will update the rule, they will manage the product, they will make sure that there is right people, right culture, right process there. That's a way to think about it. There are many other ways to think about it. So I'm just thinking that how to stitch those stakeholders together tighter is going to be very important.

Paul Mazzucco
I would like to have one magic box that automatically does micro segmentation of all my network infrastructure, automatically applies patches across an infrastructure. I want to take away as much of the human element as possible, because that is where the monotonous work happens and the work nobody wants to do. I mean, as we move into containers and infrastructure as code, and these things are becoming easier and more intuitive, I would just love to have that. Boom, here you go. You put in this device, and now all of your networks are micro segmented. So if one network does get compromised, it's one box instead of 400,000 boxes across a large ecosystem.

Howie Xu
So, Paul, you don't really need the magic wand. You know, AI gives you everything. No, I'm just kidding. AI doesn't give you everything you need. At least not today yet. But that is the hope, right? You know, the, you know, a lot of things in the network will be more self healing, right. When you have seen the alerts, it will give you. Hey, why do you see the alerts? Or in other magical way? Right? But yes, you need the magic wand, I'm hoping.

Paul Mazzucco
And if you make that, send it to me, please, I'll beta test it.

Howie Xu
Okay, cool.


27:06 - AI's Future in Cybersecurity

Matt Pacheco
Yeah, we need some magic wands for you guys. So with that, where do you guys see all of this going in the next three to five years? Where do you see the impact of this change in the cybersecurity landscape, this change in AI and cloud computing? What do you see happening in the next few years?

Howie Xu
So, personally, I've been in the cybersecurity industry on and off for more than 20 years. The technology, a lot more sophisticated technology came and then matured. Virtualization, cloud, AI, and then there are a lot more than that. Software-defined network, software-defined security, so on and so on. But one thing that doesn't change is, you know, it's, it is, it is almost evergreen industry because, you know, it's a cat and mouse game, right? You know, we have a better technology for the good guys, and then we have a better technology for the bad guys. And that sort of a, we figure out a way to zero trust, you know, is a wonderful architecture, right? You know, it's going to prevent or slow down a lot of the attacks. But guess what?

You know, bad guys will figure out a different ways, right, to get in as a security industry person, I don't think we are going to solve this problem. We are going to solve the problem we know today. And I'm also excited to see what's the next new problem, and then it's going to go. And that's sort of how I see it. So if you ask me where it's going, you know, it's continue its evergreen path, right? You know, continue, it will continue its new threat vectors, new, you know, new attack surfaces, right? Today it's about AI, how to deal with the AI things. Next we'll see new things, right? Who knows, right? Quantum computing, maybe a decade from now or so on and so on. So there are always new things. So we are now going to run out of excitement.

Paul Mazzucco
I think that AI adoption is going to tip the scales in favor of security teams charged with protecting these big infrastructures. Multiple layers of network and endpoint security are adopting AI detection of novel patterns and automated detections at a rapid scale. So where I think the future is going is to make all of this autonomous. So what used to take a security researcher hours again can now be done in seconds, sometimes milliseconds, depending on the ecosystem. So by growing the AI models as they mature and become more mainstream, I think we're going to see qualified orchestration and remediation engines that can very quickly parse data from multiple security devices, multiple network infrastructures, and give an instant view of attack surfaces and gaps, and not only give you that instant view, but act on it instantly.

So we're going to take away the human intervention and have systems eventually. What we're going to have is a war of the bots, good bots versus bad bots, who are constantly trying to run scripts against each other to see who has the best trained models.

Howie Xu
I like that analogy. Good bots versus bad bots, right? Not just the good humans versus the bad humans. We have bots working for us. And in that context, you know, Paul was asking for this magic wand. I think the next few years, he will have maybe not the entire magic wand, but a portion of the magic wand in reality.

Paul Mazzucco
I look forward to it.


30:50 - Closing - Advice for Aspiring Cybersecurity Professionals

Matt Pacheco
Last question, rapid fire question. What's your best advice for students or aspiring cybersecurity employees, future employees, when mapping out their career journeys like what should they know about the industry from you?

Howie Xu
Look, you know, the cybersecurity is ongoing thing. I love it because, you know, it gives me some mission, right. You know, it's kind of a protecting the enterprise, protecting the nation, protecting, you know, good people around. Right. So this is actually, if you like, some mission-driven industry or the jobs or the things to do, this is a great thing to do. So that's number one. And then number two, if you are a problem solver, if you like to solve the problem, you are never going to run out of the problem because there will be new problem after another, after another. So those are the two things I want to say. If you are kind of a mission-driven person, you are a problem solver.

Cybersecurity industry is kind of a, is a great industry for you to be in and then be an expert.

Paul Mazzucco
I would tell kids coming up, go to school and study data science. Don't go to school for cybersecurity as a platform anymore because the tools are changing quickly, daily. Sometimes kids who come out of school with a cybersecurity degree, we find that we have to untrain a lot of the things that they learned in school that are irrelevant from when they started. We recommend get your degree, go to college, but get your degree in management, business management and data science and all the other tools and all the other processes that we use on a daily basis, we're going to train you. And when those tools are obsolete two weeks from now, we're going to train you again on new tools that are out there in the market.

Paul Mazzucco
But having the foundation of data science, especially in the day of AI, that's, I believe, your ticket to being a world class cyber professional.

Matt Pacheco
Excellent. Well, I wanted to thank you both for coming on today. It was a great conversation. I learned a lot about AI, cybersecurity and cloud, and some great advice in there for people listening to the podcast. Thank you, Paul. And thank you, Howie, for being here.

Howie Xu
Thank you, Matt. And thank you, Paul. Thank you, Paul, for actually stating that you need a magic wand. I think the security industry is working very hard to deliver that magic wand to you. And then there will be kids, next generation kids learning, getting a degree in data science and helping to deliver that magic wand as well.

Paul Mazzucco
Thank you for letting me be a part of this. And Howie, I'm honored. I am the beggar at the feast for the work that you've done. So I appreciate this very much.

Howie Xu
Thank you, everyone.

Matt Pacheco
Thank you. And thanks, listeners. Stay tuned for another episode of Cloud Currents.

Howie Xu
See you soon.