Transcript
in San Francisco. I'm in the expo hall of RSA at the Forescout booth with Justin Foster, CTO of Forescout. Justin, how are you doing?

I'm doing great. How are you, Zeus?

Yeah, good, good. So first time on with me, really excited to have you. Any initial thoughts from the show here?

You know, every year we see trends. This year, agentic seems to be the big trend. And I'm glad that we're riding that wave, too, with the launch of Vistaro AI.

Yeah, I want to talk about that, though. Before we get into that, though, you know, a lot of security teams I talk to, they're getting a little sense of AI fatigue, right? They get all these chatbots telling them information, and it seems like they're doing more work doing prompt engineering than they were before. And so based on your view as CTO of Forescout, why is this current approach to AI not working?

When you look at things like large language models, they're fantastic. But if you use them as a prompt engineer, it becomes a very clunky interface. You're exposing people to hallucinations. You're exposing people to liability risks. So early on in our journey with AI, I made sure the teams were using large language models in a responsible way, in an automated way. So for instance, generative AI blades, where we take the data, we take the prompt engineering and then just summarize the results for the user. Or generative AI reporting, where we make sense of the numbers for non-security professionals. And the same thing applies for our new agentic AI. I don't like open prompts. I think it's clunky, and I don't think we should make our security engineers become prompt engineers.

Yeah, well, there certainly has been a lot of that, though. Yes. Yeah, and in fact, a lot of frustration managers I talk to now. I think I read something you wrote where you talked about AI hitting the peak of inflated expectations for AI, I guess to stay on an analyst term. And I know that was some of the thought process behind Vistaro AI. 
It wasn't to just add an AI interface into a legacy product, but to actually rebuild the security product with AI in mind. And so can you talk about that transition, and really what the difference is and what it brings to the security problem?

Yeah, I mean, a couple years ago I set a vision for our innovation team to be able to sit down at Forescout Cloud and take that wealth of information about assets, threats, risks, and control, and just ask it, what should I do today? Where could I spend my most valuable time? We have limited time, limited staff, limited budget. And so the team thought about it for a while and built this system where it takes your persona and it takes what's happened that day, new CVEs, new KEVs, changes in the environment. And before you even log in that day, it summarizes the most interesting things that you could possibly look at that given day based on your role. And I think that's the kind of direction we have to take AI. Not make it so open and make it so laborious, but use it behind the scenes to make life simpler and easier for our users.

Yeah, okay. So the thesis behind that is that agentic is supposed to do that, right? Now if I go walk around here, I'm going to see the term agentic at everyone's booth, right? And there is agentic, and then there's actually agentic. Can you talk about what makes Vistaro AI really kind of truly agentic versus some of the other solutions you see? And then as far as the human, how do you make sure the human can stay in the loop but not be a bottleneck?

Yeah. So the broad term of agentic means AI going and doing something on your behalf. In our case, what we did is we said, we want to know what your persona is and we want to use skills. So we actually codified over 30 skills, and these are from professional hunters or network analysts or GRC analysts, where we're saying, what would you do with this information? 
And we codify that in a way that instantly when you log in, you see the relevant information, you see the most interesting, but you can deep dive deeper. So you can ask it a question, you know, okay, I want to dig in why there are new assets with new risks on my network. It will think about it and it will pull in the relevant skills and it will present four simple options with a graph to show you where do you want to go next? Okay. You know, it turns out mostly on Windows. Well, I'd like to investigate why on Windows. And so it's almost like Who Wants to Be a Millionaire? Four simple clicks, no prompt engineering, no typing, no clunky interface. So we combine the skills with the persona, with the agentic part to create something that's more refined and innovative. And what you'll see here, you know, on the show floor is a lot of agentic where they're just applying automation to AI. It's not really, in my mind, a fully agentic AI.

Yeah. Yeah. I guess that's the difference in the automotive industry of like lane change alert and true autopilot. Right. Yeah. There's big differences there. Although there's agentic-ish, I suppose. Right. Yeah. So now you, as you mentioned, you've eliminated the need for prompt engineering, but that almost mandates the need for you to know what the engineer needs to know before they actually know it or know they need it. Right. So how do you do that?

So the key is we take the world information. So new KEVs, new CVEs, news, we scrape the newsfeeds. We take the environment information, new assets, new risks, configuration change, a device going out of compliance. And then we combine that with the persona. So we, you know, each individual has a different role. There might be a security engineer, a security analyst, a threat hunter, a GRC person. But we feed those three things together to process in the morning before their usual login time. What is most interesting to you based on your role? 
And I think that creates a really innovative result that nobody else is thinking about right now. Where if you take those three pieces of context, actually AI can do a lot with that information.

And can you give me an example of how that might change the day in the life for your customer, the security engineer or the network engineer in some cases?

Yeah. I think the key is, you know, we want to bubble up what is most relevant to take down organizational risk as fast as possible. So if, say, default router passwords is the easiest way for you to take down organizational risk, we'll highlight that. If it's a new CVE that just came out and you have it widespread across your network, and by the way, it's on the KEV list, it's being rapidly exploited in the wild, you should jump on that. You know, the next OpenSSL, you should be focused on that area. So we present the user, the moment they log in, the most relevant thing they should be spending that precious time on.

Yeah. And I think, when I think of security tools, especially SOC tools, right, there's a lot of signal. There's a lot of alerts. And in fact, I did a survey last year, and you probably won't find this data surprising. I asked, like, how many alerts do you not get to? And it was like almost 40%. And it's not that they don't want to, it's just that there's not enough physical manpower in companies to be able to do that. And so you're able to actually understand which signals matter and which ones don't matter. What's the secret sauce behind that? Because that doesn't seem like a trivial task.

So if you look at a traditional SIEM, they're just looking at log data, like time series data. If you think about what we're doing on the network, we're profiling devices, looking at the compliance status. That's more what I would say, state data. I think the key is combining stream data and state data together to extract relevancy, right? 
If that's encountering a threat, and it looks like it's Windows, but it's actually an MRI, that's way more important than some Linux device that's controlling my smart TV, for instance.

Yeah, and the Vistaro AI is actually built on the Forescout 4D platform. That's right. And can you actually talk about what that 4D platform is? I read a little bit about it with my watchers here. Describe what that is.

Yeah, so the first idea is we assess what you have in your network. You can't protect what you can't see. We look at identity and classification of all types of assets, IT, OT, IoT, and OT devices. We're looking across, classifying what it is, the vendor make and model. The second is we assess, both for risks proactively and for threats reactively. We're looking at time stream data. We're looking at configuration, open ports, vulnerabilities, its role in the organization, and then we help govern. We're historically known for access control, but that's a misnomer. There's really hundreds of ways you can automate. You can put something into an isolated segment. You can take it completely off the network. You can put a user into the guest network, or isolate them so that IT can access that device, but it can't laterally move. And yes, you can do that often with IT devices, with, say, an EDR, but what about the wealth of devices that can't have an agent, the unagentable, unmanageable devices? And in our data, we're seeing that more organizations have more unmanageable, unagentable devices than they do IT devices these days.

Yeah, and you actually integrate Vistaro with your threat intelligence as well, right? We do. Yeah. And then so that, the theory there is that becomes kind of the agentic brains, I guess if you will, the data foundation.

Yeah, we have an awesome research department led by Daniel dos Santos in the Netherlands where we especially focus on OT, biomedical devices, building automation, HVAC systems. 
Yeah, and that's been your sweet spot for a long time, right?

Yeah, because there's so many research organizations that do IT, right? We don't have to go spend extra cycles on that, but we take all the wealth of information from that, plus the public information that we're part of, you know, we're part of a lot of ISAC, ISAO organizations, and we feed that into the intelligence in our Forescout Cloud and the 4D platform.

Yeah, now if you've watched any of the teachings of Jensen Huang, I guess, he talks a lot about how the next wave of AI is going to be physical AI, right? And Forescout actually, maybe more than any of the security vendors, a long history of what one would think of as an OT device before, but what is that? That is physical AI, right? And as the world moves more to this world where everything is connected, do you feel like that really creates a defensible moat for Forescout?

Yeah, if you look at, you know, increasingly this world is connected. You've got tractors driving themselves, fertilizing based on weather patterns and rain patterns. You've got power distribution and production that is fully automated and use AI to know when to extract power versus retain power, solar farms, you name it. The amount of connected physical devices that power our critical infrastructure is unreal. And people are applying more and more advanced technology. You know, robotics is coming fast and furious. If you saw the recent, you know, the demos, the Kung Fu demos in China, right? And these are all interconnected devices that need to speak to each other, but need to do so securely. So I think that's an important role for us in the security space, to ensure that we're looking after the security of all these devices, especially as they start to operate autonomously. You know, and one of the complexities is that, and people don't appreciate this, is how different the protocols are. 
In fact, I was talking with the CTO of an oil and gas company, and he said, forget IT-OT convergence, I want OT-OT convergence. Because we have so many in our organization, they don't, there's no, the security of them is all separate because they're so different.

Yeah, it's true. I mean, we speak over 200 different non-IP protocols. So imagine most of the world's systems run on things like Modbus or Step 7. These are not secure protocols, and they're not even encrypted in most cases, right? So if you look at something like the gates in the Netherlands that control the flow of water in and out of the country, right? Because the country is mostly largely underwater. These are PLCs and sensors that are speaking non-IP protocols. And so we look at both security vulnerabilities as well as operational risk for those. Is that sensor not responding? You should go replace it before that gate has to shut close. And you call for it to close, and it just doesn't close, that would be a bad thing, right?

Yeah. Now, you sit at a pretty important junction between AI and the users and keeping companies safe. I think this year we're going to see the EU's AI Act and NIST, some of the guidelines be enforced. So how are you thinking about responsible AI from your perspective?

Yeah, I think ethical use of AI is incredibly important, and that's why I didn't want prompt engineering in our product, right? You don't want people in the security product asking how to cook an egg, or worse, right? We've all seen the examples where, you know, write me a contract to sell me that truck for a dollar, and it was legally binding, right? The dealership had to sell it. So we've stayed away from prompt engineering. I missed that, by the way, getting a truck for a dollar. Yeah, you didn't get to buy one for a dollar. So we've stayed away from that. That's the first tenet for ethical use. The other part is human in the loop. 
So we don't do anything automated based on the AI results, because for most of our organizations, you know, if you think of the CIA triad, availability is extremely important, especially, say, in the OT space. You don't want to automatically take a device out of line that might be a blood pump serving a patient at a hospital or a vital piece of the energy infrastructure that all of a sudden causes a blackout for a city. Like, we believe that AI has its role, but human in the loop is still a very important part, especially in cybersecurity.

And then when you think about, you know, most processes that we work with in a company, and people, in fact, we're very deterministic in nature, right? The one thing about agentic is, because of the reasoning aspect, it's no longer deterministic, right? And, you know, you're a CTO of this company, it's got to be something, balancing those two seems like a big challenge.

Our big breakthrough was the skills part. You can have agentic AI, you can have AI that operates by itself, but if it doesn't know what to do, if it doesn't have expert level system advice, then it's not going to produce anything relevant. So our big breakthrough, about six months ago, was the use of skills AI, and now you're hearing that, you know, Microsoft, a couple weeks after us, launched a skills system, but that's really like a cookbook or an instruction manual for that AI, how to act like an expert, and that was huge for us to unlock the power of agentic AI.

And if there was a sub-theme of the show, I'd say it's PQC, post-quantum, right? And when you think about, like, so first of all, nobody knows when Q-Day is actually coming, right? But it's fair to say it's coming down the road and people are prepping for it now. How are you helping your customers actually prepare for it in a way that they can be sure that they can go about their normal business operations, but whenever Q-Day comes, it's safe? 
So I was lucky enough to spend part of the weekend with two quantum physicists, and not only did they give me a migraine, they said, to factor RSA, we're likely going to be at that point with the amount of qubits by 2030 or 2035 at the very latest. So you know, harvest now, decrypt later is a real thing. We actually were the first to patent detection of non-quantum-safe in an environment, and now we provide a beautiful dashboard that shows you your quantum readiness and how you're increasing. But it's incumbent upon all of us right now to be upgrading our SSL ciphers, be choosing the right PQC ciphers now, because if you think about it, like, how often do you change your banking password? And whatever they make me. Yeah. Well, think about a router or think about a switch and its administrative password. Even less. Those are probably still relevant five years from now, or even 10 years from now. So the more harvested traffic we have now, the bigger the risk surface, the more we can help organizations move to quantum safe algorithms, the easier it will be to protect organizations.

I do find, too, that people's attitudes on harvest now and decrypt later tend to be mixed, and some are worried, some aren't. But I always tell people that, look, not all your data is worth decrypting five years from now, but some is, right? And so at a base level, you've got to figure out what that is to protect at least that data. And there might be a lot of stuff at the margin that'll surprise you that actually does matter down the road that maybe you think it doesn't now.

Yeah. My biggest worry is those long-living secrets, those passwords for network devices or things that you could get into and do really bad things.

Yeah. No, that's a good point, because those actually never change, right? 
So now for CISOs and the IT practitioners out there, when they're out there evaluating tools to help them with their AI strategies, what's the biggest mistake you see them making, and what are a couple of things they should be looking for, but maybe sometimes you think they're not?

So I'm seeing CISOs confuse AI and security for securing AI. They're going to have both problems. Yeah. Within their organization, people are using AI, perhaps in unsafe manners. Their products may be using AI. We've got prompt injection attacks already happening. We have people doing deep fakes for job interviews. So there's a whole class of where AI can be used maliciously against the organization. And then there are products like ours, using AI to benefit the time, to speed up acceleration or productivity of a security developer. I think business leaders need to be thinking about both. They need to be thinking about, how do I guard against the AI used as a sword, and how do I use AI as a shield?

That makes sense. Yeah. And going back to Vistaro AI here, when I talk to a lot of the practitioners here, one word that keeps coming up is outcomes. People want to understand the outcomes they get. So if you think about the innovation you've driven into the product, what are the outcomes you're hoping your customers get or that you've seen them get from the deployment of it?

My biggest hope is to spend as much time on proactive so you're not doing reactive stuff. The more time you spend patching and reducing that attack surface, the less chance you'll have of being breached and then having your hair on fire catching up. I just looked at one organization, for instance, they had 122 versions of OneDrive within their estate. Yeah. Why? Why would you have two or three patch management strategies, right? So patching, making sure your vulnerability management, making sure that you're hardening your attack surface, closing ports, good secrets, good SSL. 
My biggest wish is to help organizations reduce their attack surface before they get into any trouble.

Yeah. And then just one last question. With all the talk about claws here, right, these are multi-agentic workflows that span different organizations. What kind of monkey wrench does that throw in? It seems like we've taken the concept of agentic, which for the most part, for a lot of companies, we'll live in a walled garden. They say, as far as agentic, that might be right. But now we're actually asking that to cross enterprises, cross application, to be able to complete this entire workflow. There's a reason in between, and it just seems like we may be opening up a can of worms. We have no idea the impact of it.

You know, we kind of have to rethink everything. I guess that's what you've done, right? We have personal AIs that can shop for us now, but there's CAPTCHAs that are in the way. Well, now there's actually a legitimate reason to remove CAPTCHAs. One thing exists within the enterprise space, like MCP servers are going to become the reality of the new way of systems interacting. They're not actually all that secure right now. So we need standards to make sure MCP is as secure as RESTful APIs and using authentication. I think we're just starting to scratch the surface with what AI means for organizations and for cybersecurity in general.

All right, Justin, a fantastic interview. Anything else you want to add?

No, that's great. Great to meet you.

Congratulations on the launch and the booth traffic looks fantastic here, so congratulations on that as well. Sounds good. Yeah, so on behalf of Justin Foster, CTO of Forescout, I'm Zeus Kerravala from ZK Research, and thanks for watching. Make sure you hit the subscribe button and give us a like as well. See you next time on my next episode of ZKast.