Threat Vector 12.19.24
Ep 47 | 12.19.24

Why Big Data Will Rule Cybersecurity in 2025

Transcript

Nir Zuk: Personally, I think that quantum computing is one of Silicon Valley's biggest hoaxes. It's going to turn out to be a really, really expensive hoax, where any physicist that is not working on quantum computing believes it's not going to happen, and only those that work on quantum computing and will benefit from quantum computing think it's going to happen. [ Music ]

David Moulton: Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] Today, I'm speaking with Nir Zuk, Founder and Chief Technology Officer at Palo Alto Networks. Nir's journey began at the age of 16 when he developed some of the earliest computer viruses on his Dragon 64 computer. His passion for technology and innovation is evident. After serving in the military, he worked at Check Point, NetScreen Technologies, and then in 2005, Nir founded Palo Alto Networks with a vision to revolutionize network security. Today, we're going to talk about Palo Alto Networks' 2025 predictions. These seven predictions cover a wide range of topics and you can read them all on our website. For today, Nir and I are focusing on three. First, in 2025, organizations will shift toward unified data security platforms that integrate code development, cloud monitoring, and SOCs for seamless AI-driven threat analysis. The consolidation will enhance visibility, streamline operations, and dramatically reduce detection and response times, positioning organizations to better combat advanced threats. Second, established organizations with massive datasets will lead AI-driven innovation, using their data volume for continuous improvement; partnerships between incumbents and agile newcomers will drive collaborative breakthroughs. Finally, we'll talk about quantum attacks. While they're not imminent, "harvest now, decrypt later" tactics by nation states will target sensitive data. Organizations should act now by adopting quantum-resistant technologies and preparing with new cryptology standards to safeguard their systems as quantum capabilities evolve. Here's our conversation [music]. Nir, welcome to Threat Vector. It's exciting to have you here.

Nir Zuk: Thank you for having me.

David Moulton: Before we get started on our conversation about 2025 predictions, I want to ask you a few questions that I saw in an interview with you from 2010 in Computerworld. I won't hit the entire interview, but there are a few that I thought could be kind of fun to go back to. The first question was, "Ask me to do anything but..." How would you answer that today?

Nir Zuk: Ask me to do anything but...stop innovating.

David Moulton: What are you reading right now?

Nir Zuk: I'm reading a lot about quantum physics in order to better understand quantum computing.

David Moulton: And what is your favorite technology today?

Nir Zuk: My favorite technology today is YouTube. I know it's an old technology; however, I think there is some amazing content on YouTube and it's a great resource to learn whatever you want to learn to a certain depth, right? After that you get to start using things like Brilliant which I use in other ways to really go deep into learning a subject. There's just so many people out there that have so much to share and to teach. YouTube is my favorite technology today.

David Moulton: That's a great answer. I use it all the time whenever I'm trying to fix things here around the house, figure out how to cook something. So, for listeners, I'll put a link to the original interview on the show. I think it's really interesting to go back and you can see what was top-of-mind for Nir back in 2014. Today, we're going to be getting into a handful of the 2025 predictions from Palo Alto Networks. I'm really eager to hear your thoughts on these predictions. So, let's get right into it.

Nir Zuk: Let's do it.

David Moulton: Our first was a prediction about how the landscape will transform with the adoption of a unified data security platform that integrates code development, cloud environments, and SOCs. So, how do you think that the unified data platform will revolutionize cyber infrastructure in 2025?

Nir Zuk: Sure. So, it's very clear that it needs to happen, and the reason it needs to happen is because cybersecurity is becoming more and more data-based, meaning more and more cybersecurity functions need a lot of data in order to do what they do, versus the past where we were strong with signatures or some basic rules on whatever it was, traffic, files and so on. And now that more and more cybersecurity functions need a lot of data, what we are observing is that there is a superset of that data that is, of course, shared across all of them, meaning, if you look at what the SOC, the Security Operations Center, needs in terms of data to perform its tasks of detecting and responding to attacks very quickly, that data contains pretty much everything that all the other cybersecurity functions need. And when I say other functions, I mean things like IoT and OT security, detection based on DNS, cloud security, and quite a few other functions. And then the question is, are we going to see ten different data lakes each containing tons of data, or are we going to see one data lake containing all the data? And I just don't see a good reason for the former, not a single good reason, and only good reasons why everything will be in the same data lake. It's, of course, cheaper; it is much more environmentally friendly, because you store once, you process once, so you need less resources. And more importantly, it works better. Probably if you have all of the data in one place, our very smart engineers and data scientists will be able to use some extra data that's in the data lake to make IoT security better in ways that we didn't think about before. Okay, so bringing all the data into one place just makes a whole lot of sense, running many different cybersecurity functions off that data lake makes a lot of sense, and that was our first prediction. In 2025, we're going to see it start happening.

David Moulton: I mean, what are some of the potential challenges in implementing, you know, this huge data lake in a platform across really diverse organizations?

Nir Zuk: First, I think the big challenge is going to be how do you do that in a multivendor environment, if there is one data lake? And the answer is, one, you're going to have fewer vendors, and two, there are going to be some strong partnerships in the industry between sets of vendors that will decide to work together. So, that's-I think that's going to be the main challenge. Other than that, you know, it's probably going to be a political challenge, meaning, convincing different parts of the organization that today maintain their data lake, and some of them like the data lake to run on top of "stack" technology like whatever, Elastic, and some of them prefer it to run over another technology like BigQuery or something, some other data lake technology. How do you convince all of them that, okay, we're taking it out of your hands and we're bringing it into one data lake, and that the one data lake is going to be actually chosen and run by your main vendor, which is probably your SOC AI vendor? Sorry, you're just going to use the data lake. It's not something that you're going to choose and maintain anymore, which is great. It makes everything much simpler for the organization, but it causes some political challenges.

David Moulton: Right, the front side of any change is always fraught with some anxiety, but once you start to see the benefits of those changes, you realize that it opens you up to being able to do other things simpler, because you have fewer tasks that you have to manage. Can you talk about some of the potential risks and benefits of centralizing cybersecurity into a single platform?

Nir Zuk: So, I often hear about concerns from customers when we talk about those things, and the main concern that they have is vendor lock-in. And my answer to that is, you know, "Sorry, that's the way the world is." Meaning, you have one CRM solution in your organization. So, if you picked Salesforce.com, you're kind of locked in with Salesforce.com, and switching from Salesforce.com to another vendor, as your main repository for all the data, is going to be very difficult, and the same is true for your ERP and other data-driven solutions that you have. So, there is going to be some vendor lock-in, of course. We need to look at vendors that have partners that use the same data lake for different functions, and we need to make sure that that vendor lock-in can be mitigated. So, that's probably the biggest risk that I'm hearing about from customers from their perspective. I think that many other risks are not as relevant. For example, customers say, "Hey, if I put everything in one place, what if you get hacked?" And my answer is, "Number one, it's much easier to guard one data lake than ten data lakes." And number two, "There is a smaller chance of one data lake getting hacked versus ten data lakes." If you spread your data with replication across ten different data lakes, you are at a higher risk. There is the risk of, what if I work with one vendor and that vendor misses an attack that another vendor would have found? The answer to that is usually, it's not about the vendor, it's about the data, meaning, machine learning or other types of AI differ from each other not by how good your algorithms are, because these algorithms are all known; they differ a little bit by how good your data models are, but that's only ten percent of the picture. Ninety percent of the difference between different AI-based solutions is the actual data, and it's really the quantity of the data.
So, this idea that if I work with one vendor versus if I work with five, I might miss something, is actually-it's actually the opposite: if you work with one vendor and you put all of the data in one place and you work off five times the amount of data, you have a much better chance of detecting things versus separating these [music] different data lakes.

David Moulton: Right, the ability to look across and correlate and stitch things together happens when you're not moving from lake to lake to lake; it happens when you're looking at one-one big repository of data so things come together. [ Music ] So, Nir, let's shift to our next prediction, and this one is about AI innovation and cybersecurity. Why do you think that the larger incumbent organizations are going to have more success in AI compared to startups in the cybersecurity field?

Nir Zuk: The main difference between AI-based systems from different vendors is the data that they have. The algorithms are well-known. They've been around forever, especially the machine learning algorithms. The data science is important, but is a small part of the picture in terms of the differentiation. It's all about the data. It's about the quality of the data and it's about the quantity of the data. So, in terms of quality of the data, you need to bring the right data from the network, from endpoints, from the cloud, from cloud logs, from workloads in the cloud, from applications in the cloud, including SaaS applications, not from identity, not just management systems and so on, and of course that data will be better if the vendor has full control of the data source. So, if you're buying from a large vendor that's providing you also the network data sources, which we call firewalls, or the endpoint data sources, which we call EDR, or your cloud security and so on, you'll have much higher quality data versus if you buy your AI from one vendor and the different parts of the infrastructure that collect that data from other vendors. It still works if you do that, the latter, but it's lower quality data from the perspective of AI. And in terms of quantity, that's really where the big vendor versus small vendor comes into play, because as I said, the more data you have, the better your AI will be running. If you're a large vendor and you already have a lot of data, like, you know, we have x bytes of data, then your AI will work better, and that creates a snowball, because your AI works better, customers will be more inclined to buy your product, because when they test your products versus a small vendor's product, they will just work better because, again, ninety percent of why they work-the AI works is the amount of data, and because your products work better, customers will more likely choose you than the larger vendor as their provider, which will provide you even more data.

David Moulton: Yeah.

Nir Zuk: So, this snowball effect really shifts the advantage in AI, you know, Bing will never be as good as Google Search. Why? Because Google has the data and Microsoft doesn't, because Google started earlier, so they have much more data about, when you search for X which link do you click? And that's really what makes their search results much better, is knowing the correlation between what you search for and what you ended up clicking. So, Google is better, more people use Google. It becomes even better and Microsoft has no chance.

David Moulton: So, speaking of some of those smaller startups, how do they compete or collaborate with larger organizations?

Nir Zuk: I think that the larger vendors like us will need to create an ecosystem where those smaller startups have access to the data so that they can make their AI good, because without access to the data, their machine learning models or whatever AI they're using-type of AI they're using, is not going to be as good and they won't be able to succeed, and in order not to run into a chicken-egg problem of-to build startups you need the data, but to have the data you need to be beyond the startup stage. We need to find a way to collaborate with them and to provide them access to the data so that they can become successful.

David Moulton: Can you talk to me about how the success of larger organizations and AI affect the innovation in and around the cybersecurity industry?

Nir Zuk: We're still certainly seeing a lot of innovation in the cybersecurity industry. I think that we're not seeing enough innovation around using AI in cybersecurity. Meaning, the most successful and by far the most successful AI-based solutions are coming from the larger vendors, because of that chicken-egg challenge I discussed. So, there have been a few attempts by extremely sharp AI experts, cybersecurity experts to build startups around them and they have great ideas; almost all of them failed and almost all of them failed because of the challenge in accessing the data, in having access to data.

David Moulton: Is the startup landscape now no longer just how much funding you can get? And I go back to when you started Palo Alto, I think you collected nearly ten million, but I don't know that somebody also gave you access to data at that time; that wasn't the thing that maybe was needed. Is part of the startup landscape in cybersecurity a combination of capital and data such that you can run those number experiments and innovate quickly?

Nir Zuk: I think so. I think that money is important, and if what you want to do as a startup is to use any type of AI as part of your solution and, specifically, I'm talking about the AI whose data comes from your customers. You know, if you want to run some LLM, whatever-based AI in your startup, then you're not going to get the data that fits the LLM from your customers; initially you're going to get a base model from some of the larger providers and then improve it. I'm talking about traditional real precision AI that needs customers' data in order to operate, meaning, it takes data from the customer environment and finds bad things in it, or finds what's wrong with it, or is working to improve something with the data. Their funding is not enough and you need the access to data, and in the current architectures that we see, it's extremely hard to get access to that data, and we as a large vendor have the responsibility to improve that, to change that.

David Moulton: And do you see an ecosystem coming where larger orgs get lock-in on data lakes and then startups have to make deals to build on top of that?

Nir Zuk: I certainly do. We tried to do it in the past. As Palo Alto Networks, we called it "Application Framework" and it didn't work out very well. I think it was too early. Data was not as important back then as it is today. I think that it will have to happen right now, [music] or the entire responsibility of detecting bad things will fall on the shoulders of the large vendors, and we don't have a unique lock on the talent in the industry. So, in order to be able to use talent that's not working for large vendors, we will need to find a way to give them access to the data. [ Music ]

David Moulton: Nir, let's shift gears to the last prediction that we're going to talk about today. This one is around quantum security and for years now I've been hearing these discussions that, you know, quantum computing is right around the corner. It's going to break traditional encryption. It's going to lead to significant risks in our digital world, and you know one of the topics that is coming up right now is this idea of "harvest now, decrypt later," and for our listeners, can you describe or explain what harvest now, decrypt later is?

Nir Zuk: Yeah, so some people are worried that quantum computers will be able one day to decrypt traffic that we encrypt today and decrypt the files that we encrypt today and so on. We can discuss later whether that's going to happen and, if it's going to happen, when. But the worry is, one day in the future, and that day could be five days from now or ten days from now or whenever, it will be possible. And you can say, well, when that happens I'm going to worry about it and I'm going to upgrade my equipment to be using, or my equipment myself to be using, algorithms that aren't susceptible to being broken right off quickly by quantum computers. So, that's one camp. One camp is, I'm going to worry about it when it happens. The other camp is saying, if someone is willing to spend enough money and energy recording my information today, keeping a copy of it, and then ten years from now decrypting it, then they'll have my data ten years from now. And now the question is, do you need to worry about it? So, I'm sure that if you're a government and you have some secrets that you don't want leaking out in the next thirty years, then you should worry right now about changing your encryption algorithms to be quantum-resistant, or to not be able to be broken by quantum computers. And actually, the U.S. Government has mandated that across federal agencies, because they're worried about it. If you are a civilian agency or if you are a company and you don't worry that much about someone ten years from now being able to read your data, then you should not be worried about it right now. On the other hand, it's not a huge deal. Companies like Palo Alto Networks offer software upgrades for their products so that the encryption algorithms that are being used become quantum-resistant.
So, that's even if ten years from now someone will be able to decrypt the traffic, and even if they bothered right now to record it, and even if you don't think so, but they think that there's something sensitive in it, you're protected because you upgraded to post-quantum algorithms. There is a downside to these algorithms, so it's not that usually, but they don't-but things will be slower, okay? So, that's something that-that's a downside of upgrading today to these new algorithms; things might be a little bit less scalable.

David Moulton: Right, so potentially slower and safer if it matters, and let's get into that. I'm curious, what gives you confidence that you don't think that Q-day is around the corner or even ten-fifteen years off?

Nir Zuk: So, personally I think that quantum computing is one of Silicon Valley's biggest hoaxes. It's going to turn out to be a really, really expensive hoax, where any physicist that is not working on quantum computing believes that it's not going to happen, and only those that work from-on quantum computing and will benefit from quantum computing think it's going to happen. But let's look at the facts. The algorithm for factorizing large numbers, which is the basis for breaking the RSA key exchange, which is the basis for constructing the keys to be used for decrypting the symmetric encryption. That algorithm, called the Shor algorithm, S-h-o-r, was developed thirty years ago in 1994. The first quantum computer was built four years later in 1998, so twenty-six years ago. And in 2012; 2012 was the last time that a quantum computer was able to use Shor's algorithm to factor a number that's never been factored before on a quantum computer. You want to guess which number that was? So, in 2012 quantum computers were able to finally factor the number twenty-one and figure out that twenty-one is three times seven. And they had to use a modified version of the Shor algorithm, because they couldn't implement Shor's algorithm to figure out that it's three times seven. So, they hard-coded-the actual hard-coded things that relate to knowing the answer, twenty-one equals three times seven, you know, for the quantum computer to figure out that twenty-one equals three times seven, and any attempt since then to factor the number thirty-five, which is five times seven, has failed. So, really the only algorithm that we know about, which is the Shor algorithm, with some modifications of it, and over time optimizations that reduce the amount of resources that are required, we're still stuck with twenty-one equals three times seven twelve years later, so what I extrapolate from that, I think we're very far from being able to factor it out.
Another interesting fact about quantum computers, if you care to guess: what's the most interesting, really useful real-world application that a quantum computer was able to demonstrate? You guessed right, none. None of the quantum computer companies, and there are more than a hundred of those funded with billions of dollars, have been able to show one, just one, useful use of a quantum computer for something that's not at least as efficient with traditional computers, not a single one. And then in 2019, when you start seeing some of the large quantum computing vendors like Google and IBM and so on start coming up with claims like "We now have quantum supremacy and we now finally were able to run something that would take a traditional computer ten thousand years to run," and then when you read into it and you figure out that what they have done is they have generated quantum random numbers, yeah, of course, when you try to generate quantum random numbers on a computer that doesn't have quantum qubits, yeah, it might take you a lot of time, but there are many other ways to do it on a computer that take a second. So, when they start promoting these claims, you understand that, at least I understand, that there's nothing behind that industry.

David Moulton: So, not the top priority for you to worry about as a visionary in cybersecurity right now?

Nir Zuk: No, not at all. I think nevertheless, because post-quantum algorithms are available today, and since the only downside to using them is a slight decrease in the scalability, not of the encryption. So, if you have a product that's capable of doing ten gigabit per second encryption, it will continue to do that. It's just that the key exchange is less scalable, so you can exchange fewer keys per second, which means that the number of new entities you can talk to every second is lower; the downside is very small, so why not do it? Maybe.

David Moulton: Sure.

Nir Zuk: I'm wrong and maybe everyone else is wrong, and maybe those that have the interest in getting billions of dollars in funding are correct and maybe it will happen. So, why not do it? I would say another thing: there's actually no proof that those quantum encryption algorithms are really post-quantum, meaning that there is no quantum algorithm that can encrypt them, because all these-this entire set of public key cryptography algorithms, starting with RSA and DCL, which we know that theoretically quantum computers can break, this entire set is based on very hard math problems. Okay, so the RSA algorithm is based on the fact that multiplying two very large prime numbers is easy, but taking the product of two prime numbers and figuring out what the two prime numbers are is extremely difficult. Okay, so all these new post-quantum encryption or public key cryptography algorithms that are being suggested are based on different, very hard to solve math problems.

David Moulton: Yep.

Nir Zuk: There's no proof that there are no quantum algorithms that can solve those in a reasonable time. So, but that's the best we have as an industry and that's what we'll do.

David Moulton: So, Nir, I like to ask everyone this question at the end of the podcast; what's the most important thing that a listener should take away from this conversation?

Nir Zuk: Probably the most important takeaway from this conversation is what we started with, which is that cybersecurity is becoming more data-based. Our ability to detect bad things and to deal with bad things is moving away from knowing about those bad things in advance and looking for them, towards just taking this huge amount of data and looking for the needle in the haystack. And the implications of that are very important. The first implication is, it's going to be very wasteful and not as productive to try to do it with multiple data lakes versus one. So, we believe cybersecurity is going to consolidate around [music] data lakes, single data lakes. And then, the second implication of it is that your cybersecurity will come from large vendors that either work or don't work, you know, with innovative startups to provide additional functionality. [ Music ]

David Moulton: Nir, thanks for this great conversation today. I really appreciate you sharing your thoughts on Palo Alto Networks' predictions for 2025, and your deep dive into how cybersecurity is becoming more data-driven, about where things are going with AI, and just a touch of the conversation on quantum computing and your thoughts there.

Nir Zuk: Thank you very much for having me.

David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. And if you want to reach out to me directly about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman mixes the show and edits the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]