Artificial Intelligence and the Talent Shortage in Security
Huntress CEO Kyle Hanslovan on Why AI Can't Surpass Human Feats on a Scalable Level
Since its launch in November 2022, ChatGPT has taken the world by storm. While artificial intelligence can be useful, it has certain limitations and gaps. According to Huntress co-founder and CEO Kyle Hanslovan, AI is a tool for augmenting humans rather than replacing them, and AI is far from surpassing human capabilities on a scalable level.
Although AI platforms can currently generate realistic images and believable text, Hanslovan said they still have a long way to go in detecting anomalies and deception techniques against cyber defenses. On a more concerning note, he said, hackers can use ChatGPT to write better phishing emails and create macros that can perform malicious actions when enabled in documents (see: Huntress Buys Security Training Provider Curricula for $22M).
Hackers also are getting democratized, Hanslovan said. "They are a lot better at using the English language now in their phishing email than they were even a couple of months ago when it was broken English and typos. So it goes both ways: Defenders are getting better using it, but attackers are as well."
In this video interview with Information Security Media Group at RSA Conference 2023, Hanslovan also discusses:
- How the talent shortage has led to an increase in automation;
- How organizations use technology to adapt to the down economy;
- Why investments in cybersecurity technology must connect to business outcomes.
Hanslovan previously served in the U.S. intelligence community, where he supported defensive and offensive cyber operations for the past decade. He actively participates in the ethical hacking community as a Black Hat conference trainer and STEM mentor. He also served in the Maryland Air National Guard as a cyberwarfare operator.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. We're going to be talking about artificial intelligence and the talent shortage with Kyle Hanslovan. He is the co-founder and CEO at Huntress. Hi, Kyle, how are you?
Kyle Hanslovan: Hey again! Just stoked to be here.
Novinson: Stoked to have you. I know it's been approximately five months since the launch of ChatGPT, a lot of dialogue in the past few months about all of the things that AI does. What are some of the things that AI really struggles with?
Hanslovan: So I love, obviously, all the automation, but a lot of people forget that there are real limitations. My favorite example is like for the audience out there if they were googling the words creepy Mickey, that's a weird word to Google, right? But there's tons of creepy Mickey Mouse images on there. And you can train some of these models, whether attended or unattended machine learning, and still, sometimes these AI models will say that is still Mickey Mouse. But the difference is a 3-5-6 year old child can still spot out and be like, "That's not Mickey. That's creepy Mickey," right? And that kind of shows these gaps that sometimes exist in this automation, where oftentimes the automation will help, it'll bring a good enough, but I tend to use the word, instead of replacing personnel, I'm seeing it as a kind of a revolution for augmenting. And I always just throw out that creepy Mickey analogy of it's not quite perfect. That's not the Mickey you're looking for in this case. I think sometimes AI is a little bit more blown up, but it's not quite the solution you're looking for either.
Novinson: So if you're talking about augmentation, what are some of the things that you feel AI does really well? What are some of the things that humans are still better at?
Hanslovan: Yeah, so I'm obviously knee deep in the cybersecurity side of the house, and we're getting ready to see and if we've already kind of seen like the generative, you know, AI platforms that are out there right now are building beautiful things: pictures that you can't tell if they're real, the same thing, text that seems believable. But when you start to really get into detection of the nominal anomalous, especially like trying to figure out somebody who's purposely trying to deceive the detection algorithm, I personally have a bias toward; the AI is really flourishing and creating new, generative, beautiful, you know, creating works of art, but trying to be able to identify somebody who's trying to game the algorithm itself, we're just not seeing the same monumental leaps and bounds as you're seeing kind of in the other places in the space. So that's me saying, I embrace it, I love it. But we still see a whole lot of humans augmenting AI for the very, very near future. And I would even say, into the distant.
Novinson: So at this point, and I know, it's still really early days for generative AI, are there any areas where you see it really adding value from a cyber perspective, and if so, where?
Hanslovan: Yeah, so being able to make some of these things, I would call it almost like democratizing certain parts of cybersecurity of like, hey, there was a very heavy bar to be able to create maybe some of these proofs of concepts, or being able to create like a pattern or a thought process. And we see some of this in software development. Let me give you a basic example of code that you can then build upon on your own or, you know, in your own element, or tailor it to your own needs. That's amazing because then you take somebody who has a junior baseline expertise, and they can build on it. So they're standing on the shoulders of a lot of this AI. And again, I've just not seen any of these cases where it's truly blowing things out of the water, maybe in limited circumstances, but truly scalable, especially if you look. Attackers are starting to use some of this AI as well. They're also getting democratized, they're now writing a phishing email, they're a heck of a lot better at using the English language now in their phishing email than they were, you know, even a couple of months ago when it was broken English and typos. So it goes both ways; defenders are getting better using it. But also attackers are as well.
Novinson: So what are some of the more interesting ways you've seen attackers use it? You mentioned in terms of getting kind of that authentic English emails, what are some other novel interesting things you've seen adversaries do with AI?
Hanslovan: In the early days, we started seeing, you know, this is the OpenAI ChatGPT abuse that they're trying to lock down, not to do bad things, per se. But what I think was probably most of the novel attack was, "Hey, can I get some of these basically call macros?" Those are the embedded features that you put inside documents that when clicked, someone opens a document says, "Yes, you know, enable this automation, or enable macros," it does bad things that required somebody who used to know how to code or how to be able to cobble together things off of like GitHub or Stack Overflow. And now being able to see actors come out there and create kind of like a template, which at ChatGPT, and then adding their basic functionality, that again, that's lowering the bar for a threat actor to be able to do something. And to me, I'm obsessed with that. Don't you know, my whole business is being able to make more junior people stand on the shoulders of kind of great automation and great experience. And I think I was not surprised to see attackers do the exact same thing.
Novinson: Of course. And sticking with that human element to know you were talking about the idea of AI being able to augment humans. I know it's been approximately a year since we really started into this economic downturn, the two-headed monster inflation and interest rates, and what has the economic environment meant in terms of the ability of end user organizations to access skilled cyber professionals?
Hanslovan: Yeah, I mean, anybody you talk to says, "I can't find great security people and I'm even struggling to find the more senior IT people." That whole work from home, remote world, kind of really put pressure. And now some of these great talent that were locked away in areas that maybe were available to local companies are now available on a remote or global scale. And so the end result is still no great talent. And if you are finding great talent, you're paying for it, which means you have to try to retain it too. And so bringing those two conversations together, we're actually seeing a lot of this automation of if you do have that great talent, how do you help automate, manage, take care of the majority of the heavy lifting, and that's applying in IT, that's applying in security and say, "Hey, can I make that more junior person stand on the shoulders of this technology and have essentially the expertise of somebody that's more mid or more senior?" And I think that, you know, I'm biased, I'm an Air Force guy, right? And so one of the things most people forget is like, when World War II was won, it actually was won by air power; a lot of people say, and when you look at air power, we didn't make it so pilots became, you know, amazing pilots, and just grew infinite numbers of amazing pilots. We actually made the planes easier to fly. So I'm seeing right now it kind of has a similar analogy, we don't have a lot of these great techs that are these superhuman security skilled folks. But what we are doing is we're making again, the planes easier to fly, then the security products, the IT products, they're using this automation that enables again, a more junior talent, just like a more junior pilot to fly this plane. So I think this has been done before. But I don't see many people thinking about it that way of how to leverage this technology.
Novinson: But to double click on that automation piece and get a sense of really what tasks, what functions in a cyber context. Are you seeing automated? And what's still being left to maybe that more mid or more senior level personnel?
Hanslovan: Yeah, if you think of budget driving this, almost everybody we're talking to is saying how do I do more with the same and sometimes more with less because of the economic conditions? But what's beautiful about that is when they're saying, "Hey, I need to do more with the same." Double clicking on that, they started asking, "Well, can I outsource? Can I have somebody else take care of this?" Somebody with the expertise that maybe he can deliver my expertise that I need at the price of a product. And that's where you get your SaaS products that come in, and some of the SaaS products that are starting to use whether it's just better automation, or thinking through the value that you have to deliver, it's really kind of - I would call a renaissance of IT first generation of these products like EDR. Well, here it is, now you have to manage it. Second generation to this is wait, you could have somebody else manage that at scale, at a price that makes sense. And if you can take that with the savings you have, you don't necessarily need to do more with less. But if you're talking about how to do more with the same, have somebody like that take care of it for you. And then use those awesome IT and security people you have on your true hardest business problems. And so I'm pretty pumped to see that, in some ways, economic conditions, plus new creative technology is kind of like really making a big difference, at least to the companies we're talking to.
Novinson: Want to get a sense as well, in terms of this, terms of the economic constraints: What it's about in terms of measuring the effectiveness of security tools, and the focus on return on investment. What do IM users do to assess questions round? Is the money spent on this product actually worth it? How do they answer this?
Hanslovan: I always keep it super simple with it like is the juice worth the squeeze? That is what everybody is asking in some of these things that I love is for a really long time, it was just, "Can I buy a product? Can I feed all the data?" I need all the data, right? And then you're like who's going to manage? Who's going to look at it? Who's going to tell me of their signal and noise? And so the things that I'm loving probably the most right now is that it's not calling technology out. It's just holding technology accountable and saying, "Well, I need an outcome." Like, what's the purpose of all this data, if I can't make a decision based on it? Like one of the simplest things that blow me away is, think of your old school antivirus. Right? Nothing special about it. But you need to know is it turned on? Is it up to date? And if you had, for instance, an incident, was that incident - that was quarantined? Was it really quarantined because it did its job? Or was it because there's a threat actor doing something multiple times. And what blows me away is asking about that accountable results, we're starting to talk to more and more like, whether it's CISOs, or even just IT directors that are like, I have this, I don't have the cycles to manage it. And so if you think about that combination of automation, it's like, Whoa, I can actually now manage this technology, have somebody be able to take care of the heavy lifting, deliver me exactly what I need to do with it. And then again, have those more senior people take the next heavy steps of like, there is a threat actor, I need to respond to that. So it's just a really novel time for us to be more accountable and say, "Well, we're not going to let it slide that we just have technology for the sake of technology."
And for those that are reporting to board members, or for the outsourcers that report to like, you know, their own customers, they're having to answer that question of what have I done for you lately, and this is what I spent the budget on. So that's kind of a cool moment for a geek like me to all of a sudden be able to say like, oh, the geeky nerdy stuff that we're doing is actually delivering value to business folks, not just the CFO and CIO, but actually the CEO and the board, understanding what have we done for them lately.
Novinson: Absolutely. Kyle, thank you so much for the time.
Hanslovan: You've been awesome. Thank you again.
Novinson: Thank you. We've been speaking with Kyle Hanslovan. He is the co-founder and CEO at Huntress. For Information Security Media Group, this is Michael Novinson. Have a nice day.