[00:00:00] Mayank: In fact, I’ve heard reports where people have seen vulnerabilities be exploited in less than 30 minutes as soon as they’re known.
So the reason this is happening is because clearly there are agentic systems who are monitoring feeds to see where new vulnerabilities are found and then finding systems who are still using those vulnerabilities and going after them.
[00:00:21] KB: From KBI Media, I’m Karissa Breen and this is KBKast.
Today’s guest is Mayank Upadhyay, Chief Security and Trust Officer at Snowflake, who sees the telemetry of an entire industry flow into one data lake. We talk about the closing window before advanced AI proliferates, the external agents already probing your defenses, and the unresolved question of whether anyone, even the people who built this, truly understands what they’ve unleashed.
If you find these conversations useful, hit follow. It’s the single best way to make sure the next one lands on right into your feed and it helps other execs find the show.
Now to today’s guest, Mayank.
So, Mayank, you sort of said that Mythos is like spin offs which will rapidly proliferate. So what does that world actually look like in practice? And then I really want to get a bit of a lay of the land from yourself, given your role.
[00:01:21] Mayank: Maybe, maybe we’ll just start with the second question and make our way to the first question.
The lay of the land right now is that, and this is one of the reasons I took on this role, I find it super exciting. The rate at which the world is changing around us, thanks to advances with agents, is just incredible. And I thought it was a phenomenal opportunity to come here to Snowflake and do some really, really interesting work. One of the things I find fascinating about Snowflake is that every single vendor that builds a product for them, whether it’s a SaaS vendor or it’s a security vendor or even their own products.
Telemetry from everything from the applications, from the cloud providers, from the corporate systems is all sent into one data lake. Guess which one that is into Snowflake, right? So as a security person, it’s kind of treasure. It’s a. It’s like a treasure trove where you just walk in and you’re like, wow, I can build all this cool stuff because I can see exactly what’s going on. And then AI comes along and you put those incredible capabilities on top of it and you’re like, my God, I can like process this stuff like never before. I can be reactive, I can be proactive. I can build all sorts of interesting defenses.
So the landscape right now looks like folks, obviously Mythos has been in the news, as are some of the other cyber models. And by the way, we should talk about, is it just the cyber model that makes a difference? Is it the harness that goes around it? There’s lots of interesting thoughts around that. But the landscape looks like, oh my gosh, there’s an Armageddon coming. How are you going to get ahead of it? Right, so how are you going to proactively expand your own monitoring? How are you going to go and look at all your source code, look at literally under every rock, at every sort of nook and cranny and make sure that you don’t have some sort of a vulnerability hiding there.
So, so that’s kind of a fun thing for somebody like me who’s a glutton for learning new things. And I think it’s a fantastic time to be in the industry and be applying all of all those learnings to sort of a very real and problem that is that is coming our way very soon. So that’s sort of the landscape. You could talk about scanning source codes, you could talk about scanning your website, your APIs, the drivers you put out. You could talk about lots and lots of different things like, you know, all the processes you have, the human aspect of it. You know, people go and give permissions to lots of different apps on the Internet to use. There’s just so many interesting aspects to this.
So I think that was the general idea on the landscape. Now you touched upon this notion of spinoffs, right? Mythos spinoffs. Well, the main point that I think is, you know, when Mythos first came up, every came out, everybody was like, okay, there’s very few people have access to it. It’s kind of guarded.
We saw there was some news around how there was unauthorized access to Mythos. So those things can happen.
But more importantly, I think the capabilities of so many other models are catching up. It’s going to be really hard to keep this genie inside a box.
And so it’s just a matter of time before. In fact, I would wager you already have some open source models that are capable of getting close in capabilities when you put them in the right harness.
So this is a time for everybody to be taking this super seriously and start building your own harnesses. Start using every model that the most advanced model that you can get your hands on today, start pointing it towards all your assets and seeing what you can find.
[00:04:49] KB: Okay, so this is interesting. So a couple of things there. When you say super seriously, would you say the companies aren’t doing, doing or looking at it seriously? And I asked that because, like, at the moment, like, all the conversations I’m having with people like yourself is like, yes, I’m hearing about the harnessing stuff. And then it’s like, oh, no, we’ve adopted AI too quickly. And other people like, no, we’ve got to use it to excel further. So I’m just seeing so many different ends of the spectrum to what people in your position or various positions actually think. But are you hearing this as well? What. What do you think perhaps people aren’t taking seriously? I know there’s no real easy answer, and we’re still figuring it out. It’s just more trying to get some insight given, you know, pedigree, your tenure in the space.
[00:05:28] Mayank: So I think we should separate the problem into two parts. So if some people are saying we’re adopting AI too quickly, it might be that they’re talking about business processes without having the right kind of controls to make sure that the AI isn’t doing things it’s not supposed to or data isn’t getting exfil. Right. So that’s just one part of it, right? That’s about, hey, am I giving AI tools to my employees who might be using it in ways that they’re not supposed to inadvertently. And these agents are extremely good at poking and prodding every single tool they have access to. And maybe there’s data exfiltration happening. So that’s one facet of the problem. But the one that I’m talking about is a different facet, which is it’s not you. It’s somebody else who’s outside of you who has access to these capabilities. And they’re the ones who are going to come and, like, probe you and they’re going to find every weakness you have and figure out how to exploit it. So if you want to get ahead of that, there is no way that you can humanly keep fixing things which are going to be coming at you. So you have to use AI to get ready for it, which means your security teams have to start scanning their source code with AI today to find those vulnerabilities. It means that you’re monitoring your triaging of alerts which come in, all have to be automated to the extent you can so that you can scale your security team. I think that second one isn’t so much of a choice. It’s something you just have to get ready to do and do whatever. And by the way, That’s a huge people transformation too. Like getting your security teams to believe that whatever they’re doing is not going to scale very soon. I would strongly encourage people to take that second facet super seriously and very, very urgently.
[00:07:09] KB: This is super interesting. So then I’ve been writing articles again, talking to people like yourself, saying that now we’re using AI agents to govern the AI agents that are out there.
So I want to talk through like, is it going to become a point where it just becomes a moot point? Because it’s like, well, do we even need to do all these things? Because we’ve got these other things self governing and all this sort of stuff. I’m just hearing that trickle through now as a thing that I’m hearing in this media role.
[00:07:36] Mayank: Yeah, look, I think what you just described fits in the first facet of this problem again, right? It’s around how do you build AI agents so they’re well behaved, so they don’t accidentally leak stuff. Right. And these are, every company is doing some innovation, every single platform is doing innovative work over here. We announced a bunch of thing at our summit which is around agent identity and controls so you can make sure these agents are well behaved. Right. There’s lots and lots of different protections and governance layers that go into it. But here we’re talking about agents that you are creating as an enterprise. Right, but the one that I’m saying that you need to start getting your security teams to look at more urgently and more seriously is the second kind where somebody else is building agents outside and they’re coming at you because those people are not necessarily scrupulous. Right. And they’re just trying to find vulnerabilities in your, in your code and your services.
So for you to stay ahead of that, you have to proactively find and fix those vulnerabilities. And that’s the one that I, I think it’s worth separating both these categories of things. But you’re right, these are both very much extremely topical and both are really, really important with everything that’s going on.
[00:08:48] KB: So do you think companies are doing this because even if we go back like in history, in time of like protecting our four world perimeter, obviously that’s changed, but it’s just more. Do you think there is that mindset still there or do you think people have been bamboozled lately by the whole AI stuff, et cetera, et cetera. So has this mindset, even if it is relatively engendered into people who’ve been doing this for a long time like yourself, do you think it has gone by the wayside, perhaps, in terms of the thinking towards this problem, Generally speaking,
[00:09:23] Mayank: I think there’s a lot of evidence that people should look at very, very carefully. For example, I think the number of open source vulnerabilities CVs that have been reported are said to have had a sharp spike as of January. I don’t remember the exact stat. I can probably dig it up and send it to you. I think it was of the order of 30% or more. Right. Secondly, people, a lot of organizations have measured what’s called the time to exploit from the time when a vulnerability is put out to when somebody comes and exploits it. If you haven’t patched it in the past, the time to exploit used to be of the order of days, even weeks, and now it’s said to be of the order of 10 hours. Right. In fact, I’ve heard reports where people have seen vulnerabilities be exploited in less than 30 minutes as soon as they’re known.
So the reason this is happening is because clearly there are agentic systems who are monitoring feeds to see where new vulnerabilities are found and then finding systems who are still using those vulnerabilities and going after them. We ourselves have done a lot of work building an agentic harness using advanced LLMs to look at our own source hood. And the speed at which we’re finding and patching these things is incredible.
So I think this is very real. Every large organization, and there’s been a bunch of CISOs who’ve come out and spoken about this. Lots and lots of people have come out and said that this is real. They have found and fixed a number of things.
So I would not take that second category of risks lightly. It is real and it is here and now the LLMs that the capabilities of LLMs this year have taken a big quantum leap in terms of what they’re able to do. There’s lots of different reasons for that. It has to do with new GPU architectures which can communicate faster. They can store a lot more context as a result of this. LLMs are able to connect the dots between many different issues and they can say, hey, if I find this one vulnerability here, can I get in the door through that? And then can I find my way to the next room using this other vulnerability? And then can I do this other thing? And they’re able to chain these things together and break through a lot of parameters that you might have. This quantum leap and LLM capabilities is real and it is interesting times for security people because of that. It’s just that a lot of people don’t have access to these models as of today, the most advanced models. But like I said, open source is going to catch up fast and this genie is going to get out of this box or bottle and this is giving us all some breathing room to try and get ahead of it. So we should utilize this breathing room to do as much as we can to get prepared for it.
[00:12:07] KB: So just on a quick side tangent, so Sizo was asking me about this, saying, are you doing much content around it? And then I knew I had the podcast with you this week, but I mean, I’m an Australian, I live in the US now, but I think recently the chief lawyer of Anthropic flew to Australia to have some meetings like with government officials.
And then one of the items that was actually discussed is this, securing the Australian access to the company’s new model, which has only just been released in the us.
So obviously now people are getting worried because it’s going to proliferate, et cetera, similar to what you were talking about.
And the genie, like, I feel like it’s going to be hard to put back in. What do we actually do now, considering we’re in this position and this is where it’s at. Obviously people are worried about it. I mean, these meetings wouldn’t happen in a country like Australia for no reason.
So I’m curious to just get a little bit of your insights here around that. You may not have known that. It was just more when you were talking. That was what was coming up in my mind.
[00:13:06] Mayank: Yeah, no, I do remember reading about that in the news that happened in Australia. There was something similar in India where the government got together with a bunch of banks and had some conversations. I think there was something in the UK as well. So it’s pretty common for this to be happening around the world. I think if you’re a CISO who’s trying to figure out what you can do right now, first and foremost, get your people to be AI ready. There are many vendors who will do pen testing and red teaming for you using AI. So if you don’t have folks inside who can build an agent harness and you know, plug in some of the more newer models into it, go get one of these vendors and then have them run it for you, this will proactively set you up to find these exploits before the adversaries are able to. And you need to run these on a continuous basis now because a lot of people are Also generating code using AI, the speed at which software is being developed has increased tremendously. Especially if you’re one of those AI forward organizations that’s generating a lot of that, then you need to be continuously scanning. But even if you’re not, I think the scanning has to happen continuously because the way these LLMs work, it’s a bit probabilistic whether they’re going to find a particular vulnerability or not. And the more time you give them, the more likely that they’ll find something big. Right. They’ll be able to string these things together.
So I think running these sort of continuous scans on your source code and your sort of surface area is critical. So I would encourage everybody to find a way to do that, whether it’s through a third party or whether it’s through some in house capabilities.
And then I think the other thing that you should also look at, how do you triage your alerts that coming from your security operations center, Try to automate as many of the easy ones as you can and leave the extremely hard ones for human beings, because when you start getting probed by agents outside, there’s going to be a lot more alerts coming than you can keep up with. And the third thing I would say is we’ve all spoken about this thing around Zero Trust and shrinking the perimeter. I think that’s kind of, we don’t talk about it as much right now in this AI age, but it’s become even more important because imagine if somebody breaks through a perimeter somewhere, you don’t want them to be able to move laterally inside your Enterprise just willy nilly. Right. So if you had plans to do more micro segmentation, to go more towards the Zero Trust model, this would be the time for you to accelerate it. So it’s almost like you may have had a plan for how you run security. That was before the Agentic era. You kind of have to revisit it with these three lenses, I think, to, to get ready for this new era.
[00:15:39] KB: So can I just ask in terms of the harness side of things, and that’s what’s coming through in conversations of late.
So the sort of harness acts as like the brain. And then would you say when people talk about AI guardrails, et cetera, that sort of, in that sort of sits on top of that harness, then would you say just to sort of paint a picture for people, because there’s no loose terms in that. The people that are saying out there, just so people are aware of what we. What you mean specifically?
[00:16:05] Mayank: Right, right. Right. The harness is really the thing which orchestrates what the, you know, helps the LLM with. Like, okay, these are the sequence of things you’re going to do and let’s sort of then kicks off that entire sequence. The guardrails are the things that the harness typically uses to stop the LLM from doing crazy stuff. Right. Ironically, you want a harness that doesn’t have guardrails that prevents your LLM from finding security issues.
Because if you had. Normally most of the models that you find commercially are told not to allow you to kind of go and poke somebody else’s services and find security issues with them. So the ones that you want to use for your own internal testing are ones where you’ve sort of removed some of those constraints on it so you can do more vulnerability testing. If you look at, for example, Anthropic’s Mythos, it comes with a custom harness, right. With their latest model. So the cyber version essentially has this hardest which has got these constraints removed from it. So it’s sort of free to go and find exploits and like, you know, chain these things together and do what would normally consider be considered unethical. Right. Because obviously you’re using it inside a constrained environment for your own testing. So it’s like it’s a white hat kind of environment, right, where it’s okay to do this.
[00:17:25] KB: So what do you think? Because, I mean, everything you’re saying is super interesting. So what do you think? As of today, people are like super worried about. Because every time I interview someone it’s like, oh, that’s, that’s a good thing that people should be worried about, like internal AI agents and then sort of external AI agents and then plus all the other thousand bazillion things people are going to do day to day. But when you’re speaking to your customers, generally speaking, what is it that sort of seems to be really at the forefront of concerns, would you say? Just to give a, again, some insight for people.
[00:17:56] Mayank: Right. So we spoke about internal agents. You know, we discussed those two facets. We discussed internal agents about how you’re using AI and what they might accidentally, which systems they end up talking to and do they accidentally exfiltrate data or do destructive actions. That’s obviously one of the most important things going on right now. The second one we spoke about are external agents who might be poking at you and may find vulnerabilities and then exploit things, weaknesses you have.
And the third category, of course, is the human beings, right? Because the human beings are just trying to get on with their lives and get their job done. And they want to move fast because everybody is trying to use AI to get more done. And sometimes the weakest link in the chain is also where bad things can happen. So there’s things like when people have been at a job for a very long time, they’ve accumulated a lot of permissions over the years as they changed roles and things like that. Nobody ever went back and cleaned up these permissions. Now, you know, imagine that one of these human beings gets compromised and their agent is looking at these permissions and saying, wow, you know, my job as an agent is to try every possible path to solve the problem you gave me. So it’s going to go in and explore all the systems it has access to. So the risk just becomes multifold in those situations. So permission management and sort of helping clean up don’t have people sort of sitting around with tons of ambient permissions, especially permissions which are given to their agents. Right? That’s a recipe for disaster in this world. I think those are the top three things that jump to mind for me. There’s a lot of other interesting human aspects too. People want to chain together tools, right? Like somebody wants to use like, you know, cloud cowork and they want to connect it to Slack and hey, do you have your personal Slack tenant also in here or is it just your work Slack tenant? If you have your personal Slack tenant, what happens if your cloud cowork sends work information to your personal Slack tenant? Right. It can exfiltrate that data even if you did not intend for you to be doing that. So there’s all these interesting new integrations which cause more exposure. So I think the whole human aspect and how human beings are interacting with these systems creates a very interesting situation as well.
[00:20:17] KB: Welcome back to that after a quick word from our sponsor in Fintech. Trust is everything and proving it shouldn’t slow you down. Whether you’re dealing with ISO 27001, SOC2, CPS234 or GDPR, Vanta helps you demonstrate security and compliance without derailing your roadmap. Used by thousands of fast moving regulated companies, Vanta automates the hard part so your team can focus on shipping features, not gathering screenshots. Visit vanta.comKBKast that’s V A N T A.com KBKast to learn more.
And we’re back right where we left off.
So then just talking on the permission management side of things and you’re right and I’ve been there before when it’s like You’ve got a large enterprise, thousands and thousands of people, some people that have been there for like 30 years, and they’ve accumulated all these permissions that you have a right no one’s probably ever looked at.
So in terms of best approach, so now companies are obviously trying to go through this, fix it up, clean it up.
So would you deploy an agent to do that? Or you have to do it manually then just to make sure that you’re not sort of, you know, putting a band aid solution over a massive hole. So what would be your thoughts towards that?
[00:21:34] Mayank: There are a lot of tools which help you do this, so we are using those kinds of tools as well. But the thing that I’m also pushing my teams to do is to use AI to go through. As I mentioned at the beginning of this call, we have logs for pretty much everything, right. We love collecting logs, we love data. So we can go back and look at historically at like, okay, did this person use this particular permission or not? We can go back as long as we want. Right? So I think just using AI to go through your logs at AI speed and try to classify things and figure out, like, which permissions can be taken away is the best way to have a go at this problem.
[00:22:09] KB: And then in terms of the classification, like, I know that people are doing it like per job role, not just an individual person, because I remember even when I was working internally, we’d have to look at people’s individual, like Karissa Bream, what are her. Each individual. I mean, that would take so long to do when you’ve got thousands of people. But now I’m hearing that it’s just being grouped by job descriptions. If you’re a recruitment consultant or whatever it is internally, or talent acquisition, that would be. You would mirror it then across the function rather than each individual person to increase the process and I’m assuming, but then also to check your work, so to speak.
[00:22:47] Mayank: Yeah, and it has another advantage, kb, which is like, maybe there’s another person who’s in the same job function as you and they may not have used certain permissions yet, but because they’re in the same job function, you can predict they’re going to need these permissions.
So you don’t remove those permissions. In that case, you just anticipate, if you proactively remove them, they’re going to run into more friction. Right. So it’s a feature, not a bug in some sense to say, okay, look, this other person is likely going to need these permissions very soon. So let’s not be over eager to take those off. But there’s probably a bunch that, you know, KB hasn’t used in the last six months that we can take away from people in this role and other people similar to her. So that’s definitely one way to go about it. There’s another very interesting thing people do which is you can use solutions where you can have like a just in time privilege escalation. Right. So it’s like, you know, you kind of have the permission, but right before you can use it, you have to go somewhere and say, yeah, I intend to use this. And so then if you set an agent with your permissions and it tries to do something you do not want to do it, you can kind of catch it at that step because you’re like, wait, what the heck? It’s trying to do this. I never wanted it to do this, so I’m not going to give it that permission. So it’s like you have the permission and it’s free for you to assign to yourself for particular session where you know that you need it. So just creating those kind of controls is another easy way to handle this problem.
[00:24:07] KB: So then I sort of want to double down now on enterprises are rushing to deploy AI agents, like internally, right? We’re hearing it, we’re seeing things, you know, releases being made faster than ever. People, companies want to have the competitive advantage, for example.
So do you think really at the end of the day that most organizations actually really do understand this? Because I mean, I’m talking to people and they’re like, look, no one really does understand it. Like the people that created this stuff, like, you know, Sam Altman and friends are like, not even we fully understand it. So it’s like it’s a conundrum because if you don’t do it, then you’re in a pickle. But if you do it, you’re in a pickle. So I’m sort of just curious to get sort of your view considering, you know, sensitivity of data and there’s more data breaches now than before and the ramifications of that lost trust. You know, we know how it flows. So I’m just more trying to again understand conceptually where people’s minds are at because again, I’m hearing very different views depending on who I ask.
[00:25:09] Mayank: Yeah, you know, one perspective which I picked up over my career is like, especially as agents took off was think of agents as interns. You can give them access, but you kind of have to carefully audit and know what they’re doing.
And I think initially you want to let them do something that’s safe until you build trust before you can, you can give them more, more complex tasks where the damage might be higher. Right. So it’s a good thing to start experimenting but make sure you’ve got complete auditability as to like, you know, the agent identities are different than your human identities and you can tell this was done by an agent and not by human. And then build that confidence slowly, like whatever agent platform you’re using. Make sure that you build that expertise and that confidence gradually. That’s the way to proceed. It has definitely got all of us computer scientists, especially security people at the edge of our seats. We’re trying to invent new, you know, patterns, whether it’s sandboxing agents or identity delegation or protecting tool calls, all these sorts of things. So there’s a lot of innovation coming up from folks. And you may have seen at our summit we also launched a whole bunch of things. We’ve spoken about guardrails for indirect prompt injection from tools, even novel attacks. We’ve spoken about governing MCP tool usage, which is a very important way to manage your entire corporate data real estate.
We’re talking about agent identity. So these are the kinds of new constructs that we are going to keep inventing for good reason. These are concepts which have been around for a while in the security community and now is the time for us to maybe use AI to crank these constructs out faster than we’ve ever before.
[00:27:01] KB: Yeah, so I want to talk about then, that prompt injection. Do you sort of see this as becoming the new SQL injection of the AI time or how do you sort of see that unfolding now?
[00:27:13] Mayank: Yeah, no, I think it’s a big one because the whole power of tools is to be able to connect to third party data and have these tools return data that is fed. Your LLM and your LLM doesn’t do a great job differentiating between instruction and instruction hiding inside tool responses. This has been a problem, you know, that’s been known for the last year or so. Year, year and a half. I think a lot of advances have been made. We are using AI to find these kind of adversarial prompt injections. And so we think that gives us a leg up in being able to find novel new ways in which people might be sneaking these, these things in. But it’s an arms race so you can never rest on your ladles and you have to continuously keep investing here.
[00:28:04] KB: Okay, I’m just maybe going to round off with, we Keep hearing fight AI with AI. So is that actually a strategy?
[00:28:10] Mayank: Look, fighting AI with AI, it’s not just like what does fighting AI with AI means, right? It means getting ready and shoring up your defenses.
So you get your AI to work for you to find where the weaknesses are and you fix those weaknesses. And you fix those weaknesses with AI, right? So for example, scanning your code so, so that you can do the kinds of things where you can find a vulnerability, chain it to another vulnerability, and sort of figure out how somebody else might move laterally in your system doing that with AI and then using AI to fix each of, to propose fixes for each of those. Because human beings are unlikely to be able to stay up with the speed at which your AI is finding these vulnerabilities, right? So then having AI generate simple fixes for those that human beings can accept. There’s also another very interesting thing going on right now where there’s a lot of small open source libraries that are used by people. And many times these open source libraries are not well maintained and have a lot of vulnerabilities.
So another thing that’s going on now is people are saying, can I just completely replace these open source libraries with code I develop in house using agents, and I can write these in what’s called memory safe languages. So they’re just fundamentally more secure.
So that’s another way to use AI to get rid of a whole bunch of vulnerabilities that might exist in your code, right? So these are also examples of fighting AI with AI and then you’ve got your SOC situation, your security operations center, you get a whole bunch of alerts in, and then maybe you can have AI go through them and classify a bunch of them and say, hey, look, these are false positives, so don’t worry about this. And those false positives might be triggered because there is an adversarial AI system outside that is trying to break through your defenses. But it’s triggering some alarms, but no need for concern, it hasn’t broken through and you’ve got plenty of other layers to protect you.
So these are the kinds of things where an AI system can help the human being scale themselves better to stay ahead of the flood of information coming at them and to kind of proactively find and fix things. So I think all of that goes into fighting AI with AI.
[00:30:21] KB: That was Mayank Upadhyay. The idea I keep coming back to from that conversation is that time to exploit has collapsed from weeks to minutes, which means patching at human speed is already a losing game. You’re a CISO listening to this? Start continuously scanning your own source code with AI today. Because the breathing room you have right now is only temporary.
If this was useful, send it to one person in your leadership team.
KBKast, Cyber for the C-Suite.
