Unspoken Security

Stolen Credentials, Fake Hires, and the New Insider Threat

AJ Nash & Dan O'Day Season 1 Episode 58

In this episode of Unspoken Security, host AJ Nash sits down with Dan O'Day, Senior Consulting Director at Unit 42 by Palo Alto Networks. Dan shares key findings from the 2026 Global Incident Response Report, built from over 750 real-world cyber incidents, covering four major threat trends reshaping the security landscape.

Dan breaks down how AI is compressing attack timelines at a dramatic rate. The fastest incidents now move from access to full impact in just 72 minutes, down from 285 minutes the year prior. Attackers are no longer breaking in. They are logging in, using stolen credentials, tokens, and API keys to move laterally and avoid detection. Identity is now the dominant attack surface, playing a material role in nearly 90% of Unit 42's investigations.

The conversation closes on a note of cautious optimism. Dan argues that over 90% of breaches stem from preventable gaps, meaning security is solvable. He outlines three priorities for defenders: empowering the SOC to act at machine speed, treating identity as the new perimeter, and securing the entire software supply chain from the first line of code to cloud runtime.

Download the Unit 42 Global Incident Response Report 2026 here: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report?utm_source=linkedin&utm_medium=social&utm_campaign=na&utm_content=pa001134

Unspoken Security Episode 58: Stolen Credentials, Fake Hires, and the New Insider Threat

[00:00:00] Dan O'Day: Over 90% of breaches are enabled by preventable gaps. It's something we talk about in the report. And there's a flip side to that: despite the speed, despite the scale of these attacks, there's room for optimism. Because if 90% of them are preventable, that means security is solvable.

[00:01:01] AJ Nash: Hello, and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. Spent about 19 years in the intelligence community, mostly NSA. Been building and maturing intelligence programs in the private sector for 10, 11 years now. I'm passionate about intelligence, security, public speaking, mentoring, and teaching. I also have a master's degree in organizational leadership from Gonzaga University, and I continue to be deeply committed to servant leadership. So this podcast brings all of these elements together with some incredible guests to have authentic, unfiltered conversations on a wide range of challenging topics.

This is not your typical polished podcast. My dogs do make occasional appearances; just heard one outside the door. Let's hope we don't get one today. People argue and debate here. We even swear sometimes. That's all okay. I need you to think of this podcast as a conversation you'd hear at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually have when nobody's listening.

Now, today I have a really special guest. I'm joined by Dan O'Day. He's Senior Consulting Director with Unit 42 by Palo Alto Networks, specializing in digital forensics and incident response. If that sounds confusing for anybody, just think of Dan as a cyber firefighter and digital arson investigator. When he isn't uncovering the truth from a sea of ones and zeros, he's normally found with his head buried in one of his books, and I can assure you that closet behind him is full of them. Or he'll be sipping on a mug of coffee or tea, or maybe the occasional beer. Dan, anything you want to add to that bio before we get going?

[00:02:26] Dan O'Day: No, just that I have a background that includes public sector, most of that time between military and federal law enforcement. And I've spent over the last decade in the world of private sector consulting, so I have both vantage points as well.

[00:02:40] AJ Nash: Outstanding. I'm biased, I think that helps, obviously, because that's my background too. So listen, before we jump in, today we're going to talk about the new report from Unit 42 by Palo Alto, the Global Incident Response Report. But for those who don't know, we should probably set the stage a little bit. Who is Unit 42, and what is this Global Incident Response Report we're going to chat about today?

[00:02:59] Dan O'Day: Yeah, absolutely. So Unit 42 is the threat intelligence and cybersecurity services arm of Palo Alto Networks. We focus on four areas; threat intel is one of those, and it's really the underpinning layer of all of them. But it includes incident response, proactive services, and managed services, managed detection and response, things like that.

[00:03:24] AJ Nash: Well, and I'm familiar with some of the work you guys have done. Unit 42 has a really cool website with great profiles on a lot of threat actors and groups. Anybody who's spent any time doing intel, we're all hoarders of that information. You go to every vendor you can find and pull all that stuff together, and maybe you're able to understand enough to try and protect yourself. It's obviously complicated and ever-changing, but you guys have always done a really good job. I'm a bit of a fanboy of some of the work Unit 42 puts out. Between you and me, and now everybody who's about to hear this, I once applied for a position at Unit 42 and wasn't good enough. I think that says a lot about the quality of the team. There were a lot of talented people in the world. You guys have a great team. If somebody told me 750 major cyber incidents a year is a big chunk of the work you do for this particular report, is that right?

[00:04:13] Dan O'Day: That's right. Seven hundred and fifty cases we looked at just from the past year for the report itself. We actually work more cases than that; it's just that we can't always use all of the data. Certain public sector cases, for contractual reasons, we might not be able to use. So there are over 750 we can talk about in aggregate and anonymized form, but we do work more than that. And that's just incident response. That doesn't include all the threat intel research, all the other initiatives, all the proactive stuff, trying to lay out that blueprint for cyber resilience for all of our customers. This is just the reactive IR piece where we derive a lot of this data from.

[00:04:58] AJ Nash: Obviously that tells us there's a lot of content that goes into this work, and being able to bring that down explains why these are annual reports and not monthly reports. So I think we should jump right in. I had a chance to read through this report; I had kind of an advanced read on it. It's a pretty good read, frankly. A lot of these annual reports are dry, but you guys have a pretty good read with some really interesting things. Based on the work over the last year, what are your key observations? What should people be looking at and taking away right now?

[00:05:26] Dan O'Day: Really four key observations that we highlight in the report. The first one was about AI becoming a force multiplier for threat actors. We talk a lot about speed, how fast things are getting, and just how much AI is compressing the attack life cycle from access to impact, and introducing new vectors as well. It's not really a buzzword anymore. AI is a real friction reducer for threat actors and takes a lot of that grunt work out that used to go into all that kind of stuff.

[00:06:10] AJ Nash: Yeah, I had seen attack velocity, how fast actors are getting from initial intrusion to exfiltration. It's accelerated massively. The report said it was down to 72 minutes, and that's just in one year; it was 285 minutes last year. I was impressed by that stat. And that's AI, that is what's causing that. So you've got a 75% reduction in time. That's remarkable. And it tells us we also have to be getting better at AI, because it is a force multiplier for adversaries, which means, like it or not, we have got to figure out a way to keep up with them.

Another big piece I had seen was identity, that identity is becoming a more reliable path for attackers to succeed. Is that right?

[00:07:12] Dan O'Day: That's the second main trend we talk about. Identity played a material role in almost 90% of our investigations, which makes sense, because you have to authenticate, generally speaking. Increasingly, we're just seeing attackers logging in with stolen credentials and tokens. They're exploiting these fragmented identity states to escalate privileges and move laterally. And it's no longer just usernames and passwords; we're talking API keys, access keys, stuff that enables cloud workloads and things that folks aren't always thinking about.

[00:07:52] AJ Nash: Yeah, it's much easier to get into a system if you have access than it is to hammer your way through. Why bother with brute forcing if you can just convince somebody, either through deception or because they made an error, to hand over their credentials? And I imagine it's less detectable too. If somebody comes in with valid credentials, it takes a while to realize something's off. Two-factor authentication should resolve some of that, but I'm going to gamble that people are getting around 2FA issues as well. What are some of the other big trends we should be watching for?

[00:08:31] Dan O'Day: Software supply chain risk is our third one. This has moved beyond just vulnerable code (not to minimize vulnerable code, because it's still a problem) but to the misuse of trusted connectivity overall. This includes SaaS integrations, vendor tools, application dependencies further up the chain. But also stuff in the CI/CD pipeline itself, tools within that, or exploiting the code repository itself, or features or bugs within those platforms. That really shifts the impact from isolated compromise to widespread operational disruption, where something could get baked into your product that shouldn't be there.

[00:09:25] AJ Nash: Yeah, and supply chain, people have been talking about supply chain for years. Third-party risk, supply chain risk, they're interrelated. They're not quite synonymous, but they can be pretty close. And we've been talking about it for years. It's a difficult nut to crack because everybody has dozens of vendors. You can't keep track of all of them. That's how business gets done: software as a service, platforms. We're all absorbing some of these risks whether we like it or not. It's not surprising that adversaries would go after that. Is that the kind of thing you're talking about when it comes to supply chain risk?

[00:10:29] Dan O'Day: Yeah, stuff like that. And even recently, there's been a lot of activity with the Node Package Manager, NPM. There have been a few prominent ones lately. And it could be small stuff. One of my favorite examples from several years ago, the package name was Kik, K-I-K. The maintainer of that package had some other package that was far less consequential, a left-pad or some kind of visual hack. It turns out it ended up being a dependency of most major websites on the internet. A company asserted that was its trademark and acquired that package. As a result, the maintainer rage-quit and pulled all their packages, and then broke a good chunk of the internet: Twitter, major news networks, major social media sites all depended on it. And that wasn't even a security issue. It just goes to show the interconnected world. I'm sure many viewers have seen the XKCD comic, the one with one guy in Nebraska supporting this open source project thanklessly that everything depends on.

[00:11:56] AJ Nash: And everybody's got stories like that. People don't always think about it when we talk about third-party risk or supply chain risk. You've got the malicious, which people focus on: somebody impersonating a third party or manipulating trusted data downloads. But you've also got a third party's insider risk being your problem. A third party's corporate culture is your problem. A third party's layoffs can be your problem. We've seen stories where companies do massive layoffs and find out the only person who knows how to do a critical function was just let go.

It can be somebody who maintains code, like you said. The XKCD cartoon you mentioned is very valid. There are a lot of vital, important systems that people don't realize just how few people are actually managing. The wrong person doesn't show up on the right day or rage-quits and takes their toys home, and you realize a whole bunch of stuff doesn't work anymore.

It would be nice to know enough about your vendors to ask: what are your contingency plans? What redundancies do you have? How many people are actually maintaining this piece of equipment I've built my business on top of?

[00:13:34] Dan O'Day: Yeah, absolutely. And just being aware of those dependencies is really step one. The foundation of security (it's been true for decades) is asset inventory. That doesn't change when it becomes a software bill of materials. Understanding configuration management is really important, and that includes SaaS apps, understanding their ownership and their scope. Having a good inventory of all those integrations and where OAuth tokens are floating around.

The same things apply: a departed user from the organization was using something, and making sure any integrations that are no longer needed are severed. There have got to be ways to revoke tokens, to rapidly disable those connectors and isolate vendor agents without improvising during upstream incidents. Kind of like a break-glass approach, severing that connection as needed. And of course you have got to log everything. You have got to have good auditing of usage to know when something abnormal is happening, like an OAuth token being used to pull everything from a third-party application integration.

[00:15:25] AJ Nash: You make good points. Having playbooks, I've worked for a few companies over the years, and usually when you leave, your stuff doesn't work. But I have worked for some companies where, out of curiosity, I checked and my platform credentials still worked. I don't abuse that; I tell somebody and shut it off. But it does happen where companies just don't have the right documented practices, or there's no automation, or somebody misses something.

[00:15:49] Dan O'Day: With developers, that's where it's probably most problematic. With a standard employee where everything's integrated into SSO, you revoke that and you're fine. But how many temporary AWS access keys did a developer create over their lifetime? How many are still floating around in an IAM user they created as a test for an app that isn't actually associated with their main identity? That's the kind of stuff we often see: some dev account or test thing, or some long-lived access key, where a just-in-time credential would have done fine. It was developed that way and then ended up in production with a long-lived credential. And sometimes you see the same credential being used in both dev and production environments, and dev usually doesn't have the same security requirements as prod.

And it's not just developers. Nowadays you have salespeople integrating third-party apps into Slack or their CRM. Do those always get terminated through the downstream system? Depends.

[00:17:11] AJ Nash: No, there's lots of ghost architecture, lots of phantom architecture. And with AI, everybody's a developer now. Companies are mandating, "You will use AI, you will do these things." AI is great, a lot of amazing technology there. But it's amazing how quickly companies are mandating that people use a tool they don't understand how to use. Most people using AI don't understand how it works, and many don't even understand how to use it well. I use it a lot, and I think I use it relatively well. I'm probably making all sorts of mistakes because this is a massive technology that was thrust on us really quickly, and has gone from "Oh, this is really cool" to actually a mandated thing. So yeah, we're all developers now. I'm sure we're creating all sorts of problems for enterprises that are going to keep adversaries very happy.

Speaking of adversaries, you guys had a fourth pillar. If I remember correctly, it was about nation-state actors specifically.

[00:18:13] Dan O'Day: That fourth trend is about how nation-state actors are really adapting their persistence and stealth tactics to enterprise operating environments. Examples include persona-driven infiltration using fake employment, which we've seen a ton of, with deepfakes being used in job interviews and day-to-day interactions. Creating synthetic identities, and then achieving deeper compromise once they're inside as an insider threat. We're also seeing them try to compromise core infrastructure and virtualization platforms: deploy their own VM or compute resource in the cloud. You thought you had 100% coverage, but you didn't know about the VM the threat actor deployed. It doesn't have your EDR tool on it. That's why you have got to have control plane visibility too, not just the endpoint. And there are early signs of AI-enabled tradecraft being used to reinforce those footholds.

[00:19:24] AJ Nash: When you talk about the nation states, one thing I saw not long ago that was pretty interesting was North Koreans specifically. The last number I think I saw was 100,000, in dozens of countries, where North Koreans have actually acquired legitimate positions through illegitimate ways. False personas. They've gone through interview processes and been hired, and some have actually been quite productive from what I understand. Getting good reviews. Being good employees. Meanwhile clearly operating as insider threats.

I've been doing intel for decades. I don't root for the adversaries, but I do like smart bad guys. That's a pretty smart scheme. It's been going on for a long time and it's fooled a lot of Fortune 500s. People who have had this happen to them aren't bad people or immature organizations. This is a very novel and interesting scheme that has really picked up steam.

Are you like me, do you find this one the most interesting of the four pillars?

[00:20:55] Dan O'Day: The insider threat from nation-state activity is definitely very interesting, and it's increased quite a bit from our perspective. It's jumped up to around seven or eight percent of our overall caseload for insider threat in general, the bulk being malicious insiders, which could be North Koreans or others, but often with North Korean involvement. And what they can do, if they have a team of people working on something, their productivity can actually be quite good. We've had examples where we've joined a call with legal and HR to break it to the manager about an approach we're going to take to sever access, and they're like, "Oh, that's my best employee."

We've got a blog post about it; I think it's called North Korean Synthetic Identities or Deepfakes. You can Google it. It has specific mitigations and recommendations for HR folks, for security folks, not just the technical side, but business process stuff too.

[00:22:15] AJ Nash: I think I'm more concerned that they're going to be such good employees that companies start deciding the risk is acceptable. "Hey, this person is really producing a lot for us, we'll manage that risk." I hope that's not the plan.

[00:22:32] Dan O'Day: And eventually they hold your company hostage.

[00:22:34] AJ Nash: "But not this quarter. In this quarter our numbers are going to be good and I get my bonus, so I can't really worry about what happens two quarters from now."

[00:22:43] Dan O'Day: I know we're being facetious, but we've seen them partner with ransomware operators on a few occasions; there's some public reporting on that. Or just straight-up blowing away all the source code repos, permanently deleting stuff, wiping out resource locks, removing everything, and then holding the business hostage and demanding an exorbitant amount of money to restore it. So the risk obviously outweighs the benefit. But it is interesting how in the short term they sometimes do a good job to get more entrenched in the organization.

[00:23:22] AJ Nash: You have got to do good work early on so you build that trust, and then people are like, "That's my best hire. They won an award last month." Meanwhile they're planning your destruction. It's not a good time to be in HR. It's a tough job market, somebody shows up who is really talented and willing to work cheap, that's what companies want.

[00:23:44] Dan O'Day: And sometimes companies do a good job with their hiring processes, but they partner with vendors or a temp agency, and that ends up being the vector. We've seen that happen before too.

[00:23:59] AJ Nash: That makes sense. That's metrics-driven. A vendor is hired to fill roles. I'm not saying they would intentionally place a North Korean into a role, of course not. But you're in a hurry. There are a lot of roles to fill. It's metrics-driven. And if you're not prepared, if you haven't read a report like the one you guys put out and don't understand that this is a real threat, which you can't expect recruiters to know, it's hard to keep track of every new possible attack vector. So they move quickly with a candidate that seems good and passes all the checks. That person passes interviews. The company still bears responsibility for having hired them. And then that person is productive, until eventually they can destroy your business.

That kind of gets into my next question. As we dig deeper into the paper, what are you seeing as the most concerning or novel discoveries in the past few years overall?

[00:25:04] Dan O'Day: At a high level, I think we're moving away from isolated one-off incidents. Mature organizations that have good zero-trust implementations in place are still able to stop things before they get too far. Good conditional access policies, host integrity checks, all that kind of stuff. But when folks don't have all that in place, or playbooks that take automated action, especially around identity compromise, we're seeing a lot more widespread operational disruption. It can take down entire ecosystems at once. And they're just moving so fast. We used to measure things in days and hours, and now we're measuring in minutes.

You brought up the 72-minute figure. We've even seen examples where new CVE proofs of concept drop and folks are scanning for that in about 15 minutes. And if we take all incidents overall, not just the fastest quarter, more than one in five see exfiltration in the first hour. That's 22% in the data set we looked at. And we certainly think AI is a huge driver of that.

Sometimes we can demonstrate that clearly: you start seeing emojis and well-commented code in an attack, and you think, "Okay, I have a good sense of what's going on here." But you also see examples where it's more speculative: threat actors discussing prompting tricks in underground forums. So we know it's happening. You mentioned stories; one example, not good for the organization that was unfortunately victimized.

[00:27:01] AJ Nash: We won't name names, so it's okay.

[00:27:02] Dan O'Day: Muddled Libra, which is a term we use for a grouping of tactics more than a specific actor, is part of a group often tracked as "the Com," this larger group of largely teenagers. Muddled Libra is more commonly known as Scattered Spider in the media. We had an incident where a call came in on a weekend to the help desk. This person was pretending to be a C-level executive, requesting a password and MFA reset. The help desk followed policy; they asked for the person's name, title, and manager's name. But for an executive, that's really all public information.

[00:27:49] AJ Nash: Yeah, LinkedIn. Or even if you're a public company, the public filings. There are a lot of ways to get org charts.

[00:27:54] Dan O'Day: Exactly. You can zoom in. People sell lists. And so the agent ended up resetting the credentials. The actor got in, then went into Microsoft 365, accessed some IT-related documents, looked at the corporate directory, and then about an hour later, called the help desk back. This time they pretended to be IT. Because they had access to the corporate directory, they could pass the identity check that was in place for that organization. And then things got worse. A lot of times these organizations have recordings of these phone conversations. The help desk agent asked one fateful question: "Do you want to reset your user account or your admin account?"

[00:28:41] AJ Nash: Oh my goodness. Yes, I do. Absolutely, I do. What a great idea. Thank you for being so helpful.

[00:28:49] Dan O'Day: Exactly. So of course, the threat actor responded, "Both, please." They had to call back a third time to get instructions on how to use the VPN. And then they were off to the races. They signed in with legitimate credentials, moved laterally from the VPN directly to a bunch of systems, got onto file servers and a domain controller, created a virtual machine in the environment to hide in plain sight, exfiltrated hundreds of gigabytes to Mega, and then encrypted a bunch of the virtual infrastructure. The next day, they sent a ransom note from a new email account they created. And all of this happened in about half a day; within hours, they had domain admin. These sorts of attacks are unfortunately becoming the norm. Vishing, calling employees pretending to be IT, is still really popular, especially for groups that have established playbooks. Why change what works?

[00:29:55] AJ Nash: Yeah. And vishing gets better with AI; you can do very convincing vishing now. A couple of years ago, at a BSides event, somebody asked my permission before doing this, they did a live demonstration using vishing as their example. They used my voice. It was a physical security scenario, played through the PA system so everybody could hear it. It took a while for people to realize I was waving my hand in the back of the room saying, "Hey, I'm right here. That's not me." And that was already two years ago. The technology has gotten considerably better since then.

But that story, the customer service aspect of it, we've spent so many years telling IT people they're a pain to work with, and everybody just wants them to help. Now you find somebody who's like, "Can I supersize that for you?" And that's bold. Muddled Libra, those are teenagers. A very bold strategy.

Where's the fault in that scenario? And how do you improve your playbooks? Because if it truly is a C-level executive, they're not likely to tolerate being interrogated for very long. So where is that line?

[00:32:37] Dan O'Day: Even if the playbook was followed, around domain admin credentials especially, having some additional policies. Even just a ping on Slack or Teams saying, "Hey, just confirming this is you." Or calling the number on file. And making sure if this is being outsourced to a BPO, that they're following your policies for these things as well.

[00:33:07] AJ Nash: 100%. It's multifaceted. There's never just one place to point the fault. That's what makes security difficult. And the adversaries are good. I don't root for adversaries, but I do enjoy seeing smart ones. You've got to tip your hat a little bit to smart criminals.

[00:33:29] Dan O'Day: Yeah, and they're using large language models even more. Like, speaking of smart criminals, everything from negotiating in a ransomware or extortion context, to when we get a ransom note. It used to be that ransom notes were very canned. But we're starting to see, and we don't know 100% if this is what's happening, it looks like somebody took the file listing of data they exfiltrated, fed that into an LLM, and said, "Summarize the most sensitive items." And so it's very detailed sometimes, "We have this and this", and it's so well written. That's a pretty compelling ransom note.

[00:34:09] AJ Nash: Yeah. That's smart. Why not? You've got all the stuff. "Hey AI, give me an inventory of what I've acquired." And then you take that and push it back in and say, "Here's everything we have." The ransoms used to be this bland generic thing. Now they can give you a whole page that shows exactly what they got. And it probably took them less time to write it, and it puts more pressure on somebody to pay the ransom.

Listen, we've talked about a lot of bad things here. But we should talk a little about the other side. With all the scary developments, what recommendations do you have for defenders trying to protect against all of this?

[00:34:58] Dan O'Day: One of the most frustrating things is that over 90% of breaches are enabled by preventable gaps. It's something we talk about in the report. And there's a flip side to that: despite the speed, despite the scale of these attacks, there's room for optimism. Because if 90% of them are preventable, that means security is solvable. As our colleague likes to say, security is solvable.

So to move from reactive defense to proactive resilience, there are really three questions we focus on in the report. First, are you empowering your SOC to move at machine speed? You have got to have consolidated telemetry, a unified view that's not just spitting out alerts but able to make decisions in seconds, not hours. You have to move past alerting into acting.

Second, are you treating identity as a new perimeter? We've been talking about zero trust for years, and that's still very important. Tightening up identity access management to remove excessive privilege, using strict segmentation and robust identity controls. Segmentation of users, not just of systems, can stop lateral movement before it starts. Using phishing-resistant MFA (passkeys, FIDO2 hardware keys), not just standard MFA. And don't pit vulnerability management against identity. A leaked credential gives you the exact same exposure as an unpatched internet-facing system; the attacker still gets in the house.

Third, are you securing the entire software supply chain? Embedding security in the ecosystem itself, from the first line of code all the way to the cloud runtime. Start shrinking the attack surface. Does the dev environment need to be on the public internet, or can it be behind SASE? And consider the browser itself as part of the attack surface, because a lot of intrusions begin there these days.

[00:37:34] AJ Nash: And it's interesting, you talked about stronger identity management, moving past MFA and getting into FIDO2 and just-in-time access. All really good. Meanwhile, most people haven't even done MFA yet. We've spent years telling people the number one thing you can do to secure yourself is simply have MFA. You can have terrible passwords if you have MFA.

Just in the past couple of weeks, I've suddenly been getting notifications: somebody's trying to get into one of my email accounts. Somebody from the Philippines trying to get in, somebody from Turkey. Well, it's not me. MFA was all I needed and it took care of it. Now it was annoying, I had to go change my password, but it was a simple solution. And people haven't done that. Now we're going to tell them they need FIDO2 and hardware keys. It's the right answer, but I worry about how hard it's going to be to get people to adopt it when we haven't even been able to get them to adopt MFA.

And when you talk about secure coding, we just talked about how everybody's being pushed into AI and vibe coding. People who aren't coders are now writing code. I'm sure I'm creating all sorts of messes. On one hand we're telling people to work on a more secure app lifecycle, and on the other hand we're mandating AI involvement in coding for people who don't really understand it. Are we just going to spend the next decade telling people about FIDO2 and secure code while they ignore us?

[00:39:58] Dan O'Day: I hope it's not the latter. I think it's solvable. Having this baked into the build cycles themselves, baked into the tooling itself; you have got to have the right scaffolding in place. You have got to have all the telemetry feeding in. You have got to have the data lake. Because if you want to take automated actions, you have got to have the visibility to know and the authority for something to act. And we have to prevent governance drift, having that continuous lifecycle management. Centralizing identity. Using tools that can keep everything in one place and monitor those, not allowing people to just create temporary IAM users and access keys galore. Even in dev environments, you should be using just-in-time credentials, because then you don't have to rewrite the code when you go into production anyway.

Service accounts, getting those onboarded into proper solutions, that's huge. And then around AI and vibe coding, we do look at agentic security. An incredible amount of permissions are being granted to AI models on people's machines. Yes, it can increase productivity, but it can also wipe every file in the system.

[00:41:48] AJ Nash: That's right. AI could be your biggest insider threat, and we're giving it access intentionally. Administrative-level access. "Yeah, you do everything you need to do, just go make things better." AI is going to be a huge insider threat for a lot of organizations who don't yet realize that.

[00:42:05] Dan O'Day: That's where agentic security is really important. You're doing integrity validation of the steps being taken by these agents and asking,do we really want to wipe everything? Is that the intent here? And limiting what it has access to in the first place.

[00:42:25] AJ Nash: And it's so easy to fall into that trap. I'm guilty. I'm a career intelligence professional, a career security professional. I had an AI assistant just yesterday rewriting registry entries on my computer. "Okay, yeah, just go ahead. Do that thing." I've had it completely reshuffle all my file layout. That's really... Even I know, as I'm doing it, I'm thinking, "Let's hope this doesn't end poorly." But there is this much productivity. It's like that North Korean you hire: you know there's a risk, but they're your most productive person. These AI tools are our most productive tools right now. It's hard not to overlook the risk.

[00:43:28] Dan O'Day: And hopefully next year we'll be talking about defender use of AI too. Because it's our tool as well. If folks can get the right foundation in place (sensors, data lakes, all of that), AI can also be very useful for us as defenders. We can fight AI-speed attacks with AI. We can't keep doing this manually. We have to fight AI with AI. But also, building out traditional playbooks, even just writing a playbook, to deal with not just resetting a password but also revoking a token. And moving past treating identity only for humans, but also for machines and for AI agents. If we move towards that, I really think it's very doable to move from always being reactive to being proactive and resilient.

[00:44:44] AJ Nash: We all hope so. That's always been the goal: to get left of boom, be more proactive. You make a good point: AI can write those playbooks for us, which is nice. It'll be interesting to see what the next year brings in terms of the stats you guys have tracked, and the speed of the actors, but also how we're going to use AI as defenders to improve.

That's what makes this all interesting every year. There's always something new that comes out and the data tells us what's really happening. Again, it's a really interesting report. For anybody who hasn't seen it, I highly recommend checking it out. We'll have links to that in the show notes, and I think we may have a QR code to download it at the end of this episode as well.

With that said, I've got to wrap up the show. The name of the show is Unspoken Security. Everybody gets the same closer question; you don't get a pass just because you're smart and well-read. With that in mind, can you tell me something you've never told anybody before? Something in your life so far that's gone unspoken.

[00:45:39] Dan O'Day: I did not finish, but I was briefly in a PhD program focused on computational linguistics, kind of with a cybersecurity interdisciplinary bent, at Purdue. My wife and I had been trying to have kids for several years at that point. She got pregnant and we decided to change life directions. But the real reason I pursued that PhD, even though I was working in cybersecurity my whole career, is that I'm a bit of a history enthusiast. I love ancient history and the textual criticism of ancient historical and religious texts. I saw computational linguistics as the most adjacent thing I could use to play with those skills outside of the cybersecurity context. I didn't end up finishing, but I've still been able to explore that on my own.

[00:46:34] AJ Nash: That's really interesting. I assume you didn't put that in your application at Purdue. And I imagine if you were getting any company tuition assistance, you probably didn't mention it there either, because a lot of us try to get an education that ties to our role. But I think it's actually really interesting that that was your thought process. Good news is, having a kid will cost about as much as a PhD, so the money will be well spent either way.

Do you think you'll go back and do the PhD at some point? Or just keep exploring it as a hobby without trying to formalize it?

[00:47:22] Dan O'Day: I'll never say never, but at this stage, I'd rather get on all fours and play with my kids. So it might be a while before that ambition returns.

[00:47:32] AJ Nash: Well, it sounds like you made a really good choice. There's not much better than hanging out with the little ones. But it's a great story, and now we all know a little bit more about you and what your passions are outside of chasing bad guys and writing cool reports.

Listen, I really appreciate you taking the time, Dan, to share this and go through it with me and with the audience. I found it fascinating. Like I said, I had a chance to read the paper in advance, and I thought there were some really good things. We only covered a portion of it, a pretty important portion, but there's a lot more in this that's worth checking out. I thought it was one of the better annual reads out there. It's not dry compared to some, it has good graphics, and it's easy to understand.

With that, I'm going to wrap up for today. Do you have any last thoughts before we close out?

[00:48:17] Dan O'Day: No, it's been a great experience. Thanks for having me on.

[00:48:19] AJ Nash: Well, thank you for being here. And listen, everybody who's listening and watching, thank you for taking the time. I know we're all really busy and you could be doing other things. I always appreciate you coming on. If you like the show, please like it, subscribe, and tell others. If you don't like the show, let me know and we'll see what we can do to improve it. Because I really like having the opportunity to have guests like Dan on here, some of the brilliant people in our industry. The goal is to make sure they are represented well and that people who are listening and watching are getting something valuable for their time. It's not about me, it's about all of you.

The show notes should have what you'll need as far as getting the report and reaching out to Dan and the team. We may also have a QR code at the end of this to download it. So I'm going to go ahead and close out for today. Thanks again, everybody. With that, this has been another episode of Unspoken Security.