Next in Tech | Ep. 267: Mythos and Security

View Full Transcript

Eric Hanselman   00:00:02

Welcome to Next In Tech, an S&P Global Podcast where the World of Emerging Tech lives. I'm your host, Eric Hanselman, Chief Analyst for Industry Research at S&P Global. And today, we're going to be getting into a cybersecurity topic that has been grabbing the headlines. If you haven't heard about it; the latest large AI model from Anthropic is being identified as having great capabilities to be able to identify vulnerabilities to open up the world to attackers and create yet more challenge in terms of how we secure IT environments. And with me to discuss it today are parts of our security team, Scott Crawford and Dan Kennedy. Welcome back to the podcast to you both.

Scott Crawford   00:00:47

Thank you, Eric. Always a pleasure, and looking forward to this one.

Dan Kennedy   00:00:50

Yes. Thanks, Eric. We'll try to keep it under 4 hours.

Eric Hanselman   00:00:53

Well, that really speaks to the enormity with which this announcement is being treated. And I guess maybe let's start with a little bit of background. Anthropic has made this announcement that their latest model has such tremendous capabilities in terms of finding new vulnerabilities, existing software that they're holding back from releasing it and have made limited releases and are in theory getting -- doing responsible notification for all those vulnerabilities they found. The challenge, though, is that in some cases, the scale, just the number of vulnerabilities they're identifying, they seem to be saying are going to be complex and maybe time consuming to remediate. What's your take on this? And I guess maybe you can fill in some of the blanks of what I haven't pulled together here.

Scott Crawford   00:01:43

Well, that was the main headline, of course, was the announcement and introduction of Project Methos. -- technically, Project Methos preview, as you noted, Anthropic has decided to withhold it from public availability, which no one's really tried that since OpenAI temporarily withheld GPT-2 in 2019 from the public because it was deemed too dangerous to release the public. So that kind of raises the question of, okay, what are we actually trying to achieve by doing that, given the benefit of the doubt as far as the capability that could be considered as fearsome in the wrong hands. Nevertheless, that's what they've decided to do and restricting access to 40-plus entities, companies in cybersecurity to help evaluate exposures and risks arising from what Methos can do. What Mthos can do is fairly significant. Some of the numbers released with the initial announcements were that not just to get produced. Yes, I mean, they said -- Anthropic said in its initial announcements on April 7 that it had been able to analyze thousands of vulnerabilities already. The popular press has drawn some comparisons between that and the number of vulnerabilities disclosed in a given period of time 1 year prior, but that's less significant than just the number itself.

Eric Hanselman   00:02:59

So a whole year's worth of vulnerability is just in the initial phase of announcement.

Scott Crawford   00:03:06

Yes, some significant percentage of that. But like I say, it's a popular press capitalizing on that, making that comparison, saying 2,000 or more what Anthropic said was thousands of, so maybe a bit of a stretch there, but still a pretty significant number. But in those numbers, when reputable organizations doing the assessment like the U.K. AI Security Institute, which is a U.K. government research organization focused on safety for advanced AI models, one of the interesting things is not just the sheer number and speed with which Methos can discover vulnerabilities, the fact that it can chain these together into a comprehensive, more impactful attack sequence. So the AISI, for example, reported on April 13 that Methos was able to succeed in 73% of expert level tests in capturing flag exercises in which AI models have to identify and exploit weaknesses in target systems to retrieve hidden artifacts. In other words, the flags, something which it claimed that no AI model could complete before April 2025. And it also found that and a simulated 32-step network attack simulation, Mthos completed an average of 22 of the steps with Cloud OPUS 4.6, the next best performer completing an average of 16 steps. So it's not just discovery of vulnerabilities, it's the ability to exploit them and not just exploit them, but to chain them together in more comprehensive attacks. These are the things that attracted attention. There's another aspect to that, but let me take a breath there because I know Dan has been watching this pretty closely as well.

Dan Kennedy   00:04:32

I would just react to 2 things you said. I mean, yes, it executed 22 steps out of 32. And so the UKI Security Institute is -- the average run doesn't complete everything. So they're comparing Mythos to other models and saying, yes, this one is a step change better. I think it's interesting you mentioned the marketing for OpenAI GPT-2. It's the same too dangerous to release type marketing. And it's key to remember the CEO of Anthropic came from OpenAI. And then we were all there in November of that year when the world ended, right? So we remember that. So I think we have to be very careful with some of this stuff. A lot of sort of bud in the announcement, but the models are getting noticeably better at vulnerability discovery and reasoning to some level. And so there's some real effects there. It will likely compress the time scale needed for certain offensive tasks. They're not yet autonomous operators beyond the testing you just mentioned, Scott, and defenders get access to similar capabilities, sort of complicates the offense side winning based on this, but there's patching is still hard, and I'm sure we'll get into that as we talk further. It can read on familiar code basis fairly quickly and your numbers suggest that. It can suggest attack services and test cases. And therefore, it compresses both time and skill. -- the skill for operators. We've seen things like that before. And made exploit was a good example earlier cleaning up vulnerabilities that saw in the wild and then letting people do push button attacks. So we've seen versions of this before, and this could be nonlinear scaling if it actually works.

Eric Hanselman   00:06:10

I guess that raises the question there. Is this a step function? Or is this incremental? And it sounds like, at least what we know, it seems to be a significant increase. And it's both sides of it. It's both finding and identifying vulnerabilities to exploit and then actually building an exploit chain to actually do the compromise itself.

Dan Kennedy   00:06:33

Yes. And we're in a demo phase. This is not a scientifically verified phase. And the U.K. AI Institute effort is probably the first thing I've seen that's a sober look at the fact that these tests are operating -- these ETF tests are in a very controlled environment without defendndors acting against them. And so this specific thing feels incremental from where we're sitting right now, which goes against the media narrative.

Eric Hanselman   00:06:58

I would agree. just yet.

Dan Kennedy   00:07:02

The path we're on is more of what you were saying in your first example. The path that's going on is one that we should recognize. These models will continually get better.

Scott Crawford   00:07:11

Yes, I would agree with that. In fact, even in the data points that were released about Methos, the data points themselves speak to both the incremental improvement in models and their ability to perform these what would be seen as offensive security tasks from a security practitioners point of view. But even in the initial data points about the preview release, Methos was able to achieve an 83.1% success rate in reproducing vulnerabilities and developing exploits, but that's compared to 66.6% for OPUS 4.6. So step function, yes, but incremental at the same time. These models are improving in their capability. The headline notes, not just the sheer volume, but also the fact that more than 99% of the vulnerabilities that Metosa discovered, which acclaimed had not yet been patched, including a 27-year-old bug and hoping BSD, which also captured a lot of headlines. That does tend to overshadow the incremental nature of this and the fact that step function in terms of sheer volume and efficacy in changing attack together, but the models have been improving in this direction, and they will continue to improve. But this definitely got the public's attention. And that's, I think, very much needed in terms of addressing where security processes are today versus where they're going to have to go in light of this kind of progression.

Dan Kennedy   00:08:28

That's the interesting part. Anthropic is a better marketing organization than some of their contemporaries. Even some of you, the BSD 20-year-old bug, that is getting repeated constantly. Old bugs are found all the time. open source reviews are mostly opportunistic. You don't make money buying bugs in open source, bug. They don't pay bug bounties and so on and so forth. You're using free scanners. They're typically not turned on. They're typically not run regularly, close attention, not paid to results. Unit tests are very big in that world. Security testing is not as systematic. I mean mature projects have security policies and coordinated disclosure and sometimes continuous fuzzing, dependency scanning, but old bugs get found all the time. So I find what the general media is getting impressed with is stuff we see fairly often. And I don't know, too much ank is being spilled on some of this stuff.

Eric Hanselman   00:09:18

Because we are in a world in which there are various organizations that actually are doing open source scans. So the Linux Foundation is funding scans and more comprehensive testing as part of open source initiatives. There's a lot that's going on there. But I guess I wanted to touch, Scott, on where you were heading, which was operational changes. what -- from the defender perspective, what do we need to be doing better and differently. I mean the problem is we're discovering more vulnerabilities, the rate at which we're discovering more vulnerabilities is increasing. And in a world in which we seem to be doing maybe a little better at patching things, but not necessarily. And certainly not enough, not improvements enough to be able to keep up with this sort of scale.

Scott Crawford   00:10:06

Yes. It's pretty obvious that the pace of remediation is going to accelerate. We're going out to invoke automation in ways that we haven't before. But what that actually looks like is still largely a TBD. Wiz made much of its announcement at the RSAC conference of the introduction, not just of red and blue agents, red agents representing the efforts of red teams, which in security are the offensive teams that try to exploit and penetrate defenses. Blue teams representing the defender's point of view, identifying areas where defense could be shored up. But also green agents, which are focused on remediation, what we might think of in the commercial off-the-shelf software realm as patching for bespoke applications, vulnerability remediation, code fixes, et cetera, which is a great concept, and it's high time we saw that. But the reality as far as what that looks like in practice is going to be much more diffuse, much more complex and has to be worked out across the entire scope of applications that are going to be subjected to this type of approach to automation. It's going to take considerable time to embrace CO software, bespoke software, web applications, cloud native applications, there's a spectrum of feasibility across which we can actually reach. But we've even seen some of the cost providers beginning to take some steps in this direction. Microsoft, for example, talking about the tools that it can marshal to help accelerate processes. But getting to the point where we will have to make significant strides in closing the window between discovery and remediation. And that's probably one of the biggest demands on the table. And same for how we assess the risk and identify the exposure. going with scoring that's generally applicable to any environment like CVSS or even the Xloit prediction scoring system, which correlates vulnerabilities with are they actually being exploited in the wild. Those are good things -- good places to start, but you're going to have to correlate it to your own environment to know exactly how a significant issue requires being addressed because just the sheer volume of what you're going to receive from now on is going to be significantly higher than it has been.

Eric Hanselman   00:12:11

I will point out that there is one other thing that we're starting to see in the attacker community, which is that as the rate of patching goes up, we're now starting to see attackers go after the patch supply chain. And this is NPM attacks, the package manager attacks for a whole set of distribution -- software distributions. You're now seeing attackers go after that supply chain and compromise the updates to a particular well known well-leveraged package. And really, what's happened is we got good at patching more quickly. And then the attackers basically said, we said, great, we're going to roll out those patches the moment we get them, we're going to be fast and quick. And the attackers have said, "Oh, hey, great, we're going to compromise systems by compromising those patches really fast and really quickly. And it's now -- again, once again, there's nothing like a good attacker strategy that turns what should be a useful strategy on its head and weaponizes it in ways that now it can be leveraged because now there's a need to at least be, I guess, more assured of what the quality of those updates are before you actually apply them. And even in some of these environments where they realized that the update has been compromised if a bad patch that was going out. This was something that even in the 3 or 4 hours before it took somebody to actually take a look at it, there were still a lot of systems that got compromised and a lot of data that was absconded with before people really realize this. So we're now getting into a world in which we've got to think more about our software supply chain. Who do we get patches from? Where does that fit? There's as you're saying, the world has gotten a lot more complicated because of this.

Dan Kennedy   00:14:11

Some of our skill sets though are regressing in that regard. I mean we've understood for 20 years we need to test patches. This is not a new idea. And we've known that just based on even well-intentioned patches. So you're right about supply chain compromise being a new element to this. But we've had the patches that are well intentioned for security tools to take down airlines and Microsoft OS patches that crash everything and AB patches that crash everything. So we've been dealing with this for decades. And our muscles around knowing to test these things in limited environments or in test cases of atrophy over time given the speed that's expected out of modern IT organizations.

Scott Crawford   00:14:50

Yes, it's not just that. There's also -- we were discussing that earlier this morning, the economic factors involved in the pragmatic practical side of that. And an example I like to cite often is that if you're building a commercial minimum viable product or MVP, you are raising against time to include a certain number of features. And for that matter, you're often doing that with incremental updates as well, too. You're rushing those to market, trying to get ahead of your competition. There's revenue and potentially profitability at stake when you have to do that. And the rush to get those into production, it's long been assumed we can fix bugs after we get it out into production, get it in the hands of paying customers. I think that approach is going to have to undergo some revision to put it mildly, that approaches to more secure code and development are going to necessarily not only have to be integrated, but have to be automated in ways analogous to what we've been seeing with respect to vulnerability discovery and for that matter, remediation as well, too. So it's a lot to take on pretty much all aspects of the life cycle. And by the way, it's not just open source. that's being exploited when the patches and updates are being targeted. We've also seen this with commercial off-the-shelf software as well, too. The SolarWinds Orion attack probably being one of the most noteworthy examples and adversary actually infiltrated a commercial product. And updates were pushed and the exploit proliferated as a result thereof. So it's not just in the open source realm, we have to deal with this. It's commercial software as well.

Dan Kennedy   00:16:19

You got into our advice, Eric. Our advice is terrible. -- thing about reading -- making the mistake I read the New York Times right before this, but I was kind of reading about the Treasury Secretary and the Head of the Federal Reserve calling all the banks to a Mythos meeting and Thomas Friedman article and another article. And the third article thing was your password is finished, use MFA as a reaction to AI-related vulnerability identification. And we just keep saying that stuff. use MFA, use AI to combat AI. Scott and I just go back and see RSA Security Conference, -- what do you think we talked about for 99% of the time People are pushing touch points for nondeterministic LLMs into their security products everywhere they can. So like that is being done. And we're just like just patch. And we just got to done discussing why it's never just patch. It's testing and this and that. I have to expect people to then say, wear a warm coat, bring a towel like something that's new and novel with this -- yes, take your vitamins. This tried and true old-fashioned advice, it's getting to a point across the board with this, with phishing, advanced business e-mail compromise where the old advice doesn't stand up to this kind of situation or a step change.

Eric Hanselman   00:17:42

I wonder -- I don't know. I think you're raising what is a really important point here, which is that if the expectation is that compromise becomes easy, isn't this getting back to a lot of the, I don't know, broadly the Zero Trust principles. I tread into Zero Trust territory with caution just as a general concept. But the idea that if you can compromise a single machine easily, why is it that you compromise complete environments? Are the other controls that we should have in place sufficient to be able to at least limit the extent of the damage that can get caused?

Dan Kennedy   00:18:21

There are a lot of arguments to make for security hygiene. I think you're absolutely right. And I think for environments that don't have that in place that have just open reversal or near open reversal, very valid to go after those things first. But at the same time, I don't entirely understand having a discussion about exactly what this is, how is this going to work? And then immediately jumping into things like make sure you have MFA enabled. And it's like, all right, if you can draw a straight line between those things, I'll listen. I've been at this for decades. And I think we have to kind of raise the level of sophistication of the discussion. And I will again say I read the New York Times before I walked into this. So a lot of these opinions are based on the last hour, but we'll get to an anti-raadioactivity shower here shortly. Thank you.

Scott Crawford   00:19:05

But Eric, you bring up something we really haven't touched on yet, and that's the defense and threat detection aspect of this. There's been a lot of discussion of vulnerability discovery and handling. There's been a lot of discussion of remediation and what that implies. Not as much. I've seen some, but frankly, not as much discussion of what does this mean for the impact of threat detection and defense -- some of the more interesting points to me, at least anyway about that is, okay, how does this change? Detections are going to have to get a lot quicker and a lot more effective to have -- to be able to respond quickly enough to mitigate attacks before they have an impact, particularly with the scale of automation. And I've seen some speculation that's frankly intriguing to me. Does this portend a new opportunity for technologies such as deception technologies where you have honey tokens and deception artifacts deployed in your network to detect malicious activity in items that aren't actually functional, but do serve a purpose of giving you telemetry when an adversary is actually going after your environment. Does this create a new opportunity for them? Does this create a new opportunity for something more dynamic in the nature of defense where when an attack is detected, is it feasible to look forward to the future? This is not a near-term view. But if we look beyond the near term, what does that mean for defense that can effectively recompose elements of itself in a defense and depth strategy to for the intelligence that a model can gain about scanning the attack surface and understanding where exposures live. We haven't seen much about that yet because that's really very much a futuristic view of where defense could go. But these are some of the things I think we're going to see more of just in the coming months.

Eric Hanselman   00:20:48

So AI fly paper is in our future for defenders. -- something to entangle those attackers who are heading towards this, make them at least slow them down a little bit, maybe buzz a little longer, but we'll see.

Scott Crawford   00:21:04

Hold on. I'm registering the domain right now. Give me just a second.

Dan Kennedy   00:21:08

AI fly paper.

Eric Hanselman   00:21:10

Got it. I think it's a defensive strategy that we need to promote more specifically. So...

Scott Crawford   00:21:16

But yes, I mean, in the practical short run, detection, what does this mean for detection and mitigation. And that's something I think will be interesting just in the next few months.

Eric Hanselman   00:21:23

So we've already got AI tooling, and I don't know, depending upon how you slice it, we've had AI in defensive capabilities within the security realm for what, I don't know, 7, 8, maybe 10 years, things that were labeled AI, whether or not they were sophisticated machine learning or not. We now are starting to get to a point at which we've got AI capabilities that can now help us dig through these massive telemetry that we're generating, and we're certainly making some progress there. more needles are being found and more haystacks.

Dan Kennedy   00:21:56

I mean that raised a great point, right? When we talk about AI from the last decade or multi-decades ago, we're talking about machine learning and as you said, identification of needles in telemetry haystacks, which are a detective control at the end of the day. So what Scott is framing is more of a real-time response. And AI is very good at knowing what code is trying to do, and it's good at evaluating runtime requests. You use a lot of tokens, it can take time. We're not anywhere near there yet. If you would imagine a future, though, the trajectory we're on is identifying runtime activity with the code is attempting to instantiate and then get back to a maintainer of that code and all these other elements. You can imagine a world where AI can evaluate a request in real time, knows what it's trying to do with the code and access to and can make an evaluation as to whether this is dangerous activity or not. So we're not there yet, but you can see what Scott was talking about, a detection and response framework that's much more powerful than we have now based on these capabilities.

Scott Crawford   00:22:55

That framework concept is something worth keeping the finger on as well, too, because one of the things about the -- not just the evolution of the models themselves, but the structure, the scaffolding, if you will, the frameworks that are being developed to guide agentic activity, not just in security, but more broadly, Melissa and Sarah and Justin Lamb jointly wrote a paper around the evolution of this and other aspects of technology that we see coming to the fore in 2026. And my personal view on that is if in 2024, the watchword was generative in '25, it was agentic. In 2026, scaffolding frameworks harnesses to give some structure to agentic activity and direct it so that it's not proceeding, willy,y, but without sufficient direction and framing to guide what it does and guide it more effectively. I think that's going to be one of the top stories this year. So with respect to attack capability or adversarial capability, yes, the models are improving, but so will the harnesses for applying them to that functionality. And I would expect similarly with vulnerability and exposure mitigation as well as, frankly, defense. So these are some of the things that I expect to be watching. The analog that I have for this is 20-plus years ago at the early days of the web, the fundamental functionality was just an exchange of bits between a web server and a web client browser with no state whatsoever from one exchange to the next. We had to invent ways to impute state to those transactions for the sake of everything from commercial transactions to advertising. And that whole structure evolved to the point where we began to see frameworks like rails making that possible. And I expect to see a similar evolution, not just in security -- aggentic security technology, but more broadly across the Agentic landscape as well, too. So all things, I think, are going to affect where we go with this.

Dan Kennedy   00:24:40

That's right. We spent an enormous amount of time undoing the primary purpose of that network, which was surviving an atomic blast.

Scott Crawford   00:24:48

Well done. peripher.

Eric Hanselman   00:24:51

Well, I guess the answer is we're maybe not quite at another atomic blast in terms of what's happening with Mthos and this next stage models. But I guess, much more to do in terms of building Defender capabilities. But this has been great. I appreciate both your perspectives. Unfortunately, though, we are at time. I know so much more that we could be discussing. We'll have to follow up as we get more details and Methos actually gets fully revealed in all of its glory and see whether or not it lives up to all of the doom and gloom that's been projected around it.

Dan Kennedy   00:25:26

It can, right? It's the thing we talked about in the last podcast. As someone looking at the market, you're immediately on your heels because everyone has released the same take the same day of just pure and utter doom and gloom nonsense without access to the thing. And then all your time and inquiry spent rolling that back, not discussing, oh, hey, there is something here. Mozillow says it's helping them find vulnerabilities. There's credible signal here. Let's talk about that. But instead, it's not that, it's the end of security, it's the end of this, the end of that.

Scott Crawford   00:25:59

We didn't really touch a whole lot on Glass wing, not to extend our farewell here, Eric, but there are some implications of limiting access to securities haves in the top companies and cybersecurity implications for -- as our friend and colleague, Wendy Nather has so eloquently put it, those living below the security powering line. But I guess we'll have to wait until May when the -- when the Glasswing findings are published in July to see what we really do.

Eric Hanselman   00:26:27

All right. We'll leave it to that point, but thank you for all the insights.

Scott Crawford   00:26:31

Likewise, thank you for having us.

Eric Hanselman   00:26:34

And that's it for this episode of tech. But thanks to our audience for staying with us, and thanks to our production team, including Sophie Carr, Feranmi Adeoshun and Kyra Smith on the marketing and events teams. If you like this episode, please subscribe or like us. I hope you'll join us for our next episode where we'll be talking about the latest and greatest and a whole set of different technologies, because there is always something next in tech!