On the 4th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Steve Ward, former CISO of Home Depot. Home Depot is a Fortune 20 multinational home improvement retailer, with nearly 500,000 employees and over $150 billion in revenue. In this conversation, Steve shares his thoughts on defensive strategy in the cloud era, how AI can impact resource management in cybersecurity, and fighting fire with fire when combating emerging AI threats.
Quick hits from Steve:
On defensive strategy in the cloud era: “I think the attacks are going to be a thousand times faster than what we're seeing. I think the level of accuracy on interacting with a human is going to be really difficult for people to identify that this is an issue. If you just take email in general, you look at a common spelling error or a grammatical error and you're like, ‘ah, this isn't right,’ and you delete it, that goes away, right? The context of the email can now be generated in a way that is so accurate. I can do that across any SaaS app. I can lure you in any direction. I think fraud picks back up from it; it makes it a lot easier to commit fraud.”
On how AI can impact resource management in cybersecurity: “It means we can retrain [security analysts] or move them to other areas of focus that are going to help us, again, more on remediation, more on the response, more on red teaming, and trying to find things before someone else does. What I have already seen, even from the orchestration side with light AI, I think we're going to see numbers upwards of 80% of the alerts that come in a traditional SOC organization are going to go away.”
On fighting fire with fire when combating emerging AI threats: “I think you're going to see the sophistication change. I'm not sure if it [AI] needs to be more sophisticated, I just think it needs to be smarter and the volume needs to be there. And that's going to be really incredible because what we're talking about in our private circles is you will not be able to identify and defend an AI attack with the last 20 years of solutions. You're going to have to use AI to defend against AI.”
Recent Book Recommendation: Russians Among Us by Gordon Corera
Evan Reiser: Hi there, and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyberattacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real world examples of modern attacks, and the role AI can play in the future of cybersecurity.
I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike Britton: And I'm Mike Britton, the CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Steve Ward, former Chief Information Security Officer at Home Depot. Home Depot is a Fortune 20 multinational home improvement retailer with nearly 500,000 employees and over $150 billion in revenue.
In this conversation, Steve shares his thoughts on defensive strategy in the cloud era, how AI can impact resource management in cybersecurity, and fighting fire with fire when combating emerging AI threats.
Evan: Well, Steve, first of all, thank you so much for joining us today. Super excited to chat with you as always, and excited for you to share more about your experience with our listeners.
Steve Ward: No, thanks for having me.
Evan: So kick us off. Um, you know, Steve, you have a very storied career, right? And you've taken a unique path to get to where you are today. Do you mind sharing a little bit about how you originally got into cybersecurity?
Steve: Yeah, very unconventional. My initial introduction into it was just making general arrests in the Secret Service and happening to stumble upon a very good hacker that we were able to transfer into being an informant for us.
So I like to say that I'm self-taught. That's really not true. I learned a lot from hackers and just sitting down with them and listening, sitting side by side at, uh, computer terminals and really just watching them do their work and picking up along the way. And back in the day, a little bit of Barnes and Noble reading on top of it.
That's how I got in back in the Secret Service days and just sort of carried over from there and you know, right time, right place.
Mike: One of the things, Steve, you've seen the cybersecurity landscapes change and shift, and now that most organizations have kind of made that digital transformation into the cloud and SaaS, how are you seeing the threat landscape shift along with that?
Steve: I think the biggest shift is the fact that your environment is now three x. So we went from, you know, an on-prem environment that we were worried about that was very, very difficult to protect back in the day, to, I call it a three x now. 'cause now you've added all these SaaS environments and you've added all these cloud environments.
You could say four x from a, a, a third party supply chain standpoint. So I think the biggest challenge for us is the fact that there's just that much more that we have to protect. And we have to admit we weren't really done with what we were working on 10, 15 years ago. It's not like we all stood up back in the day and said, okay, all of our data centers are protected.
Now we're good to go. Give me a three x and I'll start, you know, working on more. So the, I think specifically the threat landscape has changed just in the fact that there's more environments that we have to deal with. Pretty difficult protecting environments that you don't necessarily have full control over, like an AWS or a GCP.
It's probably the biggest challenge I hear just across the board is we get into that observability category of like, do I really know what I need to protect? And it's amazing that that hasn't really changed over the last 10 to 15 years.
Evan: The surface areas you had to protect 10 years ago were kind of finite, right? You got your network, you got some endpoints, you got your email, you gotta lock the front door.
If you kinda did those four things 10 years ago, you're at least in like B minus level cybersecurity, right? Maybe, maybe C plus. But today you have this rise of always SaaS applications, right? IT teams are deploying a new thing every single day. Anyone can access that data from anywhere in the world.
There's APIs now to these things, right? Some of these platforms have modules you can install in little apps that all have their own access and data sets and APIs, and they're all interconnected. Can you maybe talk a little bit about how the rise of enterprise software has, you know, created these new surface areas that expose kind of data to criminals?
Steve: So I'll give you a great, a great example, like a live example. We used to have alerts back in the day in JP Morgan that were really like, almost like travel alerts. It was such a static environment that if you popped up an access to VPN from Romania, it was an immediate alert, and we would balance that and correlate that off of like a vacation database or, you know, a corporate travel database.
But you look at how finite that was and how static that was for users versus where we are today. It's exponentially more difficult to figure out who's supposed to be where, that we've actually kind of given up on that and we're much more into that business of access anywhere, anytime, right at the right time for just enough time when you start getting into that space a little bit more.
The SaaS apps, I think is really what broke the glass again here. So you had the mobility from like a Covid standpoint. Then you also had the mobility from a SaaS standpoint of accessing those SaaS apps from anywhere you want, especially on the collaboration side, right? With Zoom and everything else on how much we're, we're, you know, just communicating over those apps.
That has changed where I think we've seen a lot of solutions pop up lately of, okay, how do we really understand how to protect that ability; the users want that. That's great. There's a business need for it; you have to solve that problem without being a barrier to progress.
And we're always talking about these phrases of, the business wants to go in a certain direction because the users are asking them to go that way. And that's really where SaaS apps were born. It is supposed to enable business strategy. What you don't want is for security to be a barrier to progress for it.
We have to be just as seamless as the IT groups, so it's been really fun to watch. It's only gonna get worse, so we're gonna have to get better and better on really just making sure that anybody can access whatever they want from anywhere and that we're able to pick out those bad actors in the process. A lot harder to do the old traditional way of like traditional log sources, traditional alerting and monitoring.
Almost impossible now to really do it that way. So when we get into the, you know, the AI side of it, you get into just being much smarter about that mobility, I think we'll be okay in the next couple years, but right now it's a, it's a struggle for most if you look at productivity across the board. For employees, it's through the roof, not just on how much more successful we are and how much more productive we are, but even the hours that we're working, that translates to data being transferred, right?
The more productive we are, the more data transfers, the more access requests there are. That's voluminous based off of where we were 10, 15 years ago, where you access things between nine and five, you know, off of a desktop that was in an office, where now you're accessing things 24 by seven from multiple devices.
That's incredible. But that brings risks from an intrusion standpoint, meaning an access standpoint. It brings a tremendous amount of risk on how you control the data that flows and keeping the integrity of that data over time. Very difficult to maintain productivity and balance that with security and data protection.
Mike: So if you were a CISO today, given that most organizations have, you know, some limit on time, money, and energy, where do you think you'd be spending more or spending less?
Steve: I think we still have major labor wastes within cyber. That's like the number one feedback that I get from folks is I spend too much money on labor to get this thing working as designed and as pitched. And if you can help me get better speed to value, faster speed to value, that's amazing for me because it saves me money on labor.
And then it's that maintaining that we just end up throwing a ton of labor into to maintain the solutions. So when someone says, oh, we, we won this deal, it's a $2 million deal. I'm constantly reminding founders, it's not $2 million, it's $2 million to you, but it's a half a million in labor to get it operationalized.
And then it's another 200,000 in labor for them to operationalize it and that run and maintain. And I think we spend a lot of money on labor throwing bodies at tech to get things running because the technologists and the product folks don't focus enough on making it so easy to get that thing up and running and get that tech operationalized.
I'm not gonna name names, but I remember plugging things in a year later. We're like, oh, the project's over. That's a year of labor to get that thing to do what the original use cases were. I just think that's too long. Cloud is helping with that. SaaS is helping with that, but I think we got a long way to go there.
Evan: So Steve, you, you talked a little bit about one of the big challenges being like the labor costs, and I think that whether you're in cybersecurity or any other function, right? This is a big deal. You look at your ratio of how much you're spending kind of investing in the team and all the labor that has to get done versus kind of, you know, your software, right?
And that's like a big, you know, challenge. There's certainly improvements in, you know, all software is creating, you know, improvements and productivity improvements for the team. What's the opportunity you see around AI to help further improve the, you know, productivity of security operations? Not necessarily because AI is gonna replace, you know, SOC analysts, but there's certainly a lot of mundane, you know, data analysis, you know, kind of rote investigation that's being done, you know, by, you know, junior analysts today that could certainly be done with AI and, and, and ideally, right?
That allows more senior analysts to go kind of invest their time in higher leverage activities versus things that come down to log analysis and data analysis and cross connecting data points.
Steve: You know, I've heard numbers upwards of like 90% of the alerts that come in are machine to machine.
There are false positives. There are things that we kick to, you know, tier three. Okay, can you look at this? And it's just not something of interest. The finite number of things that we are truly interested in from a bad actor standpoint is a very, very small percentage. Now, that doesn't mean that those people go home.
It means we can retrain them or move them to other areas of focus that are gonna help us, again, more on remediation, more on the response, more on red teaming, and trying to find things before someone else does. So a hundred percent what I have already seen, even from the orchestration side with light AI, I think we're gonna see numbers upwards of 80% of the alerts that come in in a traditional SOC organization are gonna go away.
I think it entirely transforms domains like think of like access provisioning, right? Recertification. The amount of labor we put into that is incredible. When we talk about budgets across domains, like identity access management was always the most expensive org for me, and it was always a labor issue 'cause I had to put too many bodies in there to manually do things around research.
Things like that that I think AI takes out. I will also say that I think that it potentially solves the vulnerability management problem for the first time in a long time. If you look at, you know, GitHub, things like that, 40 to 60% of the code there is now AI generated, which means 40 to 60% of the vulnerabilities are AI generated, which means we're gonna need real vulnerability management companies to step up and build AI into the original platform to solve that problem.
I'm really, really bullish on these mundane commodity service type things of alerts of vulnerabilities and things like that that can self-heal or alerts that just go away. I'm really, really excited about those areas.
Evan: When you worked at, uh, JP Morgan, right, you worked in threat intel, right, and if you look at kinda the general category of insider risk, a lot of it comes down to let me know, proactively let me know when people are doing things they shouldn't be doing.
And to do that in the modern age where you have a thousand SaaS applications and petabytes worth of data, right? It's only really possible to practically trigger that investigation. And even when you do it right, it, it can take weeks of, you know, analyst time to go investigate all the logs and all this stuff.
And if you look at some of the recent breaches, maybe won't name names here, there's cases where analysts were able to figure it out after three weeks, which is impressive because it means like the data was there, it's figure-outable. What's the opportunity for AI to go figure that out in three seconds, right? Rather than three weeks.
Steve: So yes, I think the time to discovery is gonna reduce big time in the, in the ops space, but I would even go a step further and say, using AI to determine the predictability of an attack before it happens. That's on the horizon. You're gonna have enough data. Enough scenarios, attack scenarios, whether you're getting threat data in that helps enrich it.
I think you're gonna be able to really, in an automated way, run those scenarios and predict what could happen and what the chain of events are. From a risk standpoint. I think it's gonna be pretty amazing if we can leverage the data the right way and do it a lot more quickly than what we have in the past.
But yeah, look, we're still very, very reactive. So there's a level of excitement I have on the last 20 years of being, you know, chasing tails and having breaches take a year to, you know, identify versus now getting in there and saying, Hey, the likelihood of this breach occurring for you over the next six months is really high.
Man. That's an amazing change of events that you go from being somewhat negative and reactive. 'cause reactive to me equates to negativity. To being proactive and energizing these ops teams where they can get ahead of something and feel like they're getting wins, I think is incredible.
Mike: So we talked about a lot of ways that I think AI is gonna improve our security posture at organizations, but on the flip side, for everything that, you know, the defenders leverage attackers are leveraging similar technology, how do you think criminals are gonna use AI technology and, and what do you think those consequences are for security organizations?
Steve: I mean, look, I think they're already using it. I think it would be naive to think that they're not. Typically they are, you know, the innovators around this and we're, we're a bit of, of laggards in some ways. You know, you wouldn't have the drive that you have right now in AI just across the board if, if it wasn't for the fact that it's gonna be used against us.
Right. I just left the Aspen Institute and it kind of dominated our conversations specifically on how it's, it's being used right now. The more they use it, the faster we move. Right? And it's unfortunate that that's what it takes, but I think there's two drivers for security to really adopt this faster.
And some companies have already done it. It's been around for a while, right? People forget that AI's been around for about 10 years from an application standpoint. Um, it's just, you know, right now it's getting the, the hype that it, it deserves. But I think you're gonna see the volume of attacks increase.
Which I know is a typical answer, you know, in the press and things like that, I think you're gonna see the sophistication change. I'm not sure if it needs to be more sophisticated, just think it needs to be smarter and the volume needs to be there. And that's gonna be really incredible because what we're talking about sort of in our private little circles is you will not be able to identify and defend an AI attack with the last 20 years of solutions.
You're just not. You're gonna have to use AI to defend against AI. The government is talking about that. We're talking about it, period. So if you look at the laggard that security has been over the years on how long it took us to get EDR, how long it took us to get CSPM cloud security tools, it took a bit for us to look at the business application and then say, okay, these are the security solutions we want in place.
I don't think that's gonna happen here. I think that, you know, years are gonna turn into months. We're gonna see attacks on really good SaaS software security solutions. And those solutions are gonna fail and it's gonna raise a lot of red flags to go like, we can't defend this with old tech. And I think that old tech is gonna get dissolved pretty quickly, um, in these larger enterprises.
So, to be honest, in a weird way, I'm excited about it. Like, you know, you've been in the business a long time, Mike, so have I, and I love watching this happen. Right. Again, if you go back from the government days, I'm always in awe of my adversaries, and there's always something to learn there. And you sometimes gotta drop your ego here and really look at them and go, wow, this is how they're using this. Great. All right, let's react to it.
Mike: So putting yourself in that adversary mindset. Maybe you could even give me a specific example of, you know, pull out your crystal ball and see, you know, exactly how the threat actors are gonna use either generative AI or AI in general to be more successful in their attacks.
Steve: I think the attacks are gonna be a thousand times faster than what we're seeing, which is crazy to even imagine that. And I think the level of accuracy on interacting with a human is gonna be really, really difficult for people to identify that this is an issue.
If you just take email in general, you look at a common spelling error or a grammatical error and you're like, ah, this isn't right, and you delete it, that goes away, right? The context of the email can now be generated in a way that is so accurate. I can do that across any SaaS app. I can lure you in any direction.
I think fraud picks back up from it. I think it makes it a lot easier to commit fraud. So I'm excited to see it, to be honest, just to be able to kind of play the cat and mouse game with 'em. But I think that human interaction, which typically happens over collaborative apps, SaaS apps, email, things like that, I think it's gonna be damn near impossible as a human to identify that that is a malicious interaction. And if you're not using AI to, to defend against AI, I think you're gonna have a really big problem there. Um, I've seen some really cool examples already where it's like, man, I've been in this business for 20 years. Um, I think I would've clicked on that. And the more and more you get out into these other SaaS apps where you're so trusted to interact with someone in there, like on Teams and things like that, there are really cool attack vectors there that, if you can get in, it's gonna be really difficult to identify from a human layer.
Evan: Help us like envision the future a little bit. If it's, you know, 2027, what are criminals doing with AI and what are defenders doing with ai? Maybe scare us a little bit about what the future looks like, but then help us feel safe about, you know, how we come out ahead on this.
Steve: Yeah. I think that, I used to call it managing outrage up instead of risk down. So I'll manage the outrage up for a minute and then we'll manage the risk down on, on the second part. I touched on a little bit before, but the level of accuracy on attacks I think goes through the roof. The type of people, like we always used to talk about, like whether or not you had the motive, whether or not you had the means and whether or not you had the opportunity, right? Those are the three things that you always look at in, in law enforcement and the legal standpoint. Well, there's a little bit of like the means prevents a lot of people from doing things.
The motive and opportunity sometimes are, you know, pretty easy. If you take all three of those, the means, motive and opportunity, this AI allows you to be an amazing attacker, amazing hacker. Virtually no experience. You just need to have sort of the motive; everything else after that, very, very easy to do.
So I think the volume goes through the roof and I think what people don't talk about enough is the level of accuracy of those breaches goes through the roof. You're gonna have very, very novice, like technologists look like amazing APT hackers. That's really difficult. The other side that we're already seeing, the generative AI that gets used.
When you look at country to country attacks, it's pretty easy for us to identify China and Russia and Iran and North Korea. Those are the big four that, you know, we're always looking at. And when you look at attribution, that's who you, you know, you typically look for. I think attribution is gonna be damn near impossible.
When you can use generative AI to code in any language you want, in any way you want, I can switch it up. So it's really hard for me to fingerprint you to know that this code is constantly used by this attacker group that gets really, really hard to say, this was a state sponsored Russia attack, and that's advantageous for us in the public and the private sector.
Now, how do we defend against that? I think, right now we have a problem across security, is that there's too many security companies, right? You walk on the floor of RSA and Black Hat and you look around and go, wow, there's just too many, you know, how do I really distill this down into something that's gonna be useful for me?
I think there is going to be a pretty big shift of new companies in cyber that are built with an AI platform. That if you're not doing that or you haven't done that, I think you're gonna have challenge over the next 10 years. And I think we're gonna see a lot of companies pop up that lead the way. And I don't mean the gimmicky side of like, oh, we've integrated with ChatGPT.
That's not what I'm talking about. That's not real AI to me. I mean, companies that are going, Hey, I started an AI company, now I'm bouncing over to security. But it is an AI platform. We're building it that way intentionally so that we can, you know, identify and protect and, and defend against these attacks.
I think security sees a monumental shift in, in how we design software, and I think it's gonna be pretty incredible because I think there's a lot of companies that are around right now that it's really not much they can do to change their platform. And I think you're gonna see a pretty big disruption across the board, just like we are in general software and tech.
We're gonna see it in cyber too, and I think it's gonna be great to, to capitalize on that and see where things go.
Evan: So, wanted to kind of end with like a, a lightning round. Mike, you wanna fire off the first lightning round question?
Mike: So what, in one piece of advice, would you give a security leader that’s just stepping into their first CISO job? What might they overestimate or underestimate about it?
Steve: I think they’re going to underestimate how difficult the job is, and my advice would be: be patient and celebrate wins. And that day, when you didn’t get breached that day, you look at someone around you and go “Hey, good game”, like “we won today”. You’ve got to really, really micro this down and celebrate your wins.
Evan: You probably have more time these days to kind of stay in touch with the latest trends and technology, and AI. What would be your advice to CISOs, right, for them to stay up to date on how the world is evolving and how AI’s going to affect the future of criminal behavior and defense opportunities?
Steve: I think it’s an opportunity for them to really get integrated more into the technology space as a whole, and collaborate a bit more with their peers. So my advice is to go ask your peers questions. Like what’s the business application here? What does the business want? What are you thinking about developing that’s going to make them more successful, and let me learn about what business wants this and needs this, what technology you’re going to build around it, and learn about the tech through them. I don’t think we ask enough questions of our peers, of like “Hey, why do you like this?”, like “How are you going to implement it? What’s the value prop for you?” We get very caught up in our own little bubble and it’s hard to break out.
Some really smart people that are working on this across the board, security asks questions too late and they wait to ask questions until things are in production, and I think that’s a mistake with this. This is going to move really, really quickly, and if you don’t understand the basic foundational business application of this you’re never going to successfully protect it.
Mike: Yeah, I couldn’t agree with you more. So on a personal note, what’s a book you read recently that’s had a big impact on you and why?
Steve: I just listened to a book called “Russians Among Us”, Gordon Corera. Amazing book. And then the other one, Bill Browder’s, you know, written a bunch, “The Freezing Order”. So, I’ve had a bit of a focus on Russia and spying lately, just with the geopolitical sides, so these are the last two that I’ve listened to that were really, really amazing on the spy vs. spy, you know, Cold War side of it and how that played out and really how it’s almost, in some ways, playing out again.
Evan: Well Steve, thank you so much for, you know, as always, really appreciate you taking the time to chat with us, Steve. I always learn a little bit every time I chat with you and looking forward to talking again soon.
Steve: Yes, definitely. Good to see you guys and thanks again for having me.
Mike: That was Steve Ward, former Chief Information Security Officer at Home Depot.
Evan: Thanks for listening to the Enterprise Software Defenders podcast. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I'm Mike Britton, the CISO of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
Evan: This show is produced by Josh Meer. See you next time.