During the past few months, Microsoft Exchange servers have been like chum in a shark-feeding frenzy. Threat actors have attacked critical zero-day flaws in the email software: an unrelenting cyber campaign that the US government has described as “widespread domestic and international exploitation” that could affect hundreds of thousands of people worldwide. Gaining visibility into an issue like this requires a full understanding of all assets connected to a company’s network. This type of continuous tracking of inventory doesn’t scale with how humans work, but machines can handle it easily.
For business executives with multiple, post-pandemic priorities, the time is now to start prioritizing security. “It’s pretty much impossible these days to run almost any size company where if your IT goes down, your company is still able to run,” observes Matt Kraning, chief technology officer and co-founder of Cortex Xpanse, an attack surface management software vendor recently acquired by Palo Alto Networks.
You might ask why companies don’t simply patch their systems and make these problems disappear. If only it were that simple. Unless businesses have implemented a way to find and keep track of their assets, that supposedly simple question is a head-scratcher.
But businesses have a tough time answering what seems like a straightforward question: namely, how many routers, servers, or assets do they have? If cybersecurity executives don’t know the answer, it’s impossible to then convey an accurate level of vulnerability to the board of directors. And if the board doesn’t understand the risk—and is blindsided by something even worse than the Exchange Server and 2020 SolarWinds attacks—well, the story almost writes itself.
That’s why Kraning thinks it’s so important to create a minimum set of standards. And, he says, “Boards and senior executives need to be minimally conversant in some ways about cybersecurity risk and analysis of those metrics.” Because without that level of understanding, boards aren’t asking the right questions—and cybersecurity executives aren’t having the right conversations.
Kraning believes attack service management is a better way to secure companies with a continuous process of asset discovery, including the discovery of all assets exposed to the public internet—what he calls “unknown unknowns.” New assets can appear from anywhere at any time. “This is actually a solvable problem largely with a lot of technology that’s being developed,” Kraning says. “Once you know a problem exists, actually fixing it is actually rather straightforward.” And that’s better for not just companies, but for the entire corporate ecosystem.
Show notes and links:
“A leadership agenda to take on tomorrow,” Global CEO Survey survey, PwC
Laurel Ruma: From MIT Technology Review, I’m Laurel Ruma, and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.
Our topic today is attack surface management. Where will your next cybersecurity breach come from? Enterprises have more and more things attached to their internet, including ever-expanding networks and aging infrastructure. And as attackers become more creative, executives will have to as well.
Two words for you: unknown unknowns.
My guest is Matt Kraning, who is the chief technology officer and co-founder of Expanse, which was recently acquired by Palo Alto Networks. Matt is an expert in large-scale optimization, distributed sensing, and machine learning algorithms run on massively parallel systems. Prior to co-founding Expanse, Matt worked for DARPA, including a deployment to Afghanistan. Matt holds PhD and master’s degrees from Stanford University. This episode of Business Lab is produced in association with Palo Alto Networks. Welcome, Matt.
Matt Kraning: Thank you so much. Very happy to be here.
Laurel: From the very beginning, you’ve been an expert in large-scale distributed sensing and machine learning algorithms run on massively parallel systems. How did that expertise lead you to co-found a company in the field of attack surface management?
Matt: Well, I’ll say a few things. Attack surface management is what we wound up calling it, but it was actually a very long journey to that and we didn’t really set out knowing that that’s exactly what it would be called or what precisely we would be doing. So there’s not even a Gartner category, which is a certain way of validating the existence for a market segment. That is actually still coming out. So the field of attack surface management, we actually invented ourselves. And a lot of invention means that there’s a lot of discovery going into that.
Unlike a lot of enterprise security and IT companies where, in a lot of cases, most companies founded are usually going into an existing market—they’re doing usually an incremental or evolutionary advancement on top of what has already been invented—we actually took another approach and said, “We’re really, with fresh eyes, asking, ‘What is not being served in the market today?’” And came up with the idea of, “Is the internet, with all of its promise, actually going to be a strategic liability for organizations, no longer just a strategic asset?”
We developed a lot of techniques and technologies to basically look at all of the internet as a dataset: to gather, continuously, information about the internet, which is really where our backgrounds came in both from academia and then also from our work in the defense and intelligence communities, in places like DARPA, and at various places in the US intelligence agencies. And we said, actually, there seems to be a whole bunch of stuff broken on the internet, and surprisingly, a lot of it is actually associated with very large, very important companies. It was scratching on that question that actually led us to both founding Expanse and then also creating what would be the first and is the leading product in what is now known as attack surface management, which is really understanding all of the assets that you have, understanding the risks that they might pose and then also fixing problems.
But when we founded Expanse back in 2012, we didn’t know that it was going to be attack surface management. We didn’t even have the name attack surface management. Instead it was very problem-focused on, “We’re seeing a lot of weird and dangerous things on the internet and a lot of security vulnerabilities. Let’s double-click on that a lot and actually see if there’s a way to build a business around that.”
Laurel: And how much the internet has changed in these nine short years, right? When you talk about that data set and in trying to find information of where the biggest security risks are, how hard was it to find? Did you look around and see, “Oh, look, there are entire datasets, you could track back easily to these companies. They’re leaking.” Or, “Things aren’t secure.”
Matt: I love the phrase, “Everything is obvious once you know the answer.” I think initially one of the main challenges is that in order to even show how large this problem is, you actually need to gather the data. And gathering the data is not easy, especially on a continuous or regular basis, you actually have to have a lot of systems engineering background, a lot of distributed systems background to actually gather data on everything. I think what made our approach unique is that we actually said, “What if we gather data on every single system on the internet?” Which is actually enabled by a lot of both cost advantages enabled by things like cloud computing, but also software advantages both in open source and things that we would write ourselves. And then, rather than starting from things that you know about a company and trying to assess their risks, we said, “Why don’t we start with everything on the internet and then try to whittle it down to what is interesting?”
And a lot of very good insights came out of that where again, almost by accident, we started discovering that we would actually find many, many more security problems than organizations actually knew about themselves. When I’m talking to organizations, I’m not talking to small businesses. I’m talking military services. I am talking Fortune 500 companies, Fortune 100 companies, Fortune 10 companies. Even the largest, most complex, but also the best finance, most elite customers had problems for security. And what really our discovery and our journey in creating the category, in creating attack surface management as an idea was that we find all of these security vulnerabilities and all of these assets in far-flung places anywhere on the internet, and they will occur for a multitude of reasons.
But it was actually interesting because while the security challenges and security risks were very real, the real symptoms that we found, that we discovered, were actually that organizations did not have an effective means to track all of the assets that they had online and to simultaneously assess the security posture of those assets and to simultaneously fix and remediate and mitigate the risks of those opposed to the organization.
And I think that was one of the very interesting things was that looking back, we can now say, “Obviously, you want to do all of these activities.” But because we were actually doing something new that had never been done before, it was a new category, we had to discover all of that starting from the point of really, “There seems to be a lot of stuff broken on the internet. We don’t exactly know why, but let’s go investigate.”
Laurel: That’s a good way of thinking of it, starting with a different place and then working your way backwards. So Matt, according to a recent PwC survey of more than 5,000 CEOs around the world, 47% are extremely concerned about cybersecurity. Now, 47% doesn’t sound like a large number to me, shouldn’t it be closer to 100%?
Matt: I would say that every CEO I’ve talked to is concerned about it on some level. And I think a lot depends on where they are. Overall, what we’ve noticed is a very large uptick, especially in the last five years, of the attentiveness of the CEOs and boards of directors to cybersecurity issues. Where I think we’ve seen a lag, though I think there are a few exceptions in this area, is that a lot of both tools and presentations that go, especially for executive audiences, for cybersecurity risks do not effectively convey everything that those people need to make effective decisions. And I think this is challenging for a variety of reasons, especially that a lot of CEOs and boards do not necessarily have the full technical background in order to do so. But I think it’s also been a failure to date in industry to be able to provide those tools. And I think we’re going to see more and more changes there.
I equate it to really the state of finance before Sarbanes-Oxley that basically started to require CEOs to get training, and boards as well, to start to understand certain financial metrics, to actually have certain controls in place. I think at the high level, we are going to have to see something like that in the coming years be implemented in some way to say that there are a minimum set of standards and that boards and senior executives need to be minimally conversant in some ways about cybersecurity risk and analysis of those metrics. Right now, I’ve seen a lot of people say, “I am concerned about this, but then I also don’t really know where to go next” or, “I’m conversant. We got a report. We hired some firm. They had this presentation that had a whole bunch of PowerPoint slides with a lot of charts that would have Christmas tree lights that made my brain melt. And I could not really understand the concepts.”
I think people get it, but we’re still in the early days of, How do you have effective controls over this? And then how do you actually have programs that are robust around it? Again, we need to move in that direction because more and more boards need to see this as a foundational aspect of their company, especially as pretty much all companies today, I don’t care what industry you’re in, what size, your company actually runs on IT. It’s pretty much impossible these days to run almost any size company where if your IT goes down, your company is still able to run. And as a result of the understanding of cybersecurity at those levels, with attack surface being now a part of that, is very important for organizations to be able to understand, because otherwise you will put your organization at a very large amount of risk by not being able to properly assess things like that.
Laurel: Yeah. And that gets back to the old adage, every company is a technology company. But maybe this is a more specific example of how it is. Could you briefly describe what attack surface management is, maybe perhaps for that executive audience?
Matt: The way that we describe attack surface management is it’s effectively a three-step process where all steps are done continuously in the form of cycle, but it is a process and procedure by which you, or really a vendor, in this case Expanse or Palo Alto Networks, continuously discover all assets that an organization has. In our case, from external attack surface, all assets that you have on the public internet. And that is a continuous process because at any given time, and I can go into this later, but at any given time, new assets could appear from anywhere on the internet. So you need to have a continuous discovery process that says, “At any given time, I might not know everything about my assets so I should have mechanisms to gather information about anywhere that they could be and try to associate them to my organization.”
At the same time as soon as an asset is discovered, you have to have means to evaluate it across a variety of different characteristics. In many cases, if I’ve discovered a new asset, is this asset actually truly new? And if it is not, then matching, normalizing, deduplicating that with other things. If it is a new asset, then in most cases, it’s actually going to be unmanaged. So how do I actually start a slew of activities to say, “This is an asset that exists with mine, but it usually exists outside of an intended set of security controls. So how do I start a process to both assess what controls need to be put in place and then bring it under management.” And the third part of evaluation is also understanding what is the risk that this poses immediately to my organization to help me prioritize activities.
The final step is what we call mitigation. Once you’ve evaluated everything that you’ve discovered, what do you actually do about it? What actions do you take and how do you do so in highly automated and effective ways. And for us, there are two primary steps that mitigation involves. I mentioned prioritization, but it’s one, bringing systems under management. In a lot of cases, what that also means is that for most systems associated with our large customers, it actually means taking them either off the internet directly, so we’re putting them behind a VPN or other sort of corporate device, or making sure that they are then known and then up-to-date because in a lot of cases, the real symptom of security problems that we find happens to be around the fact that an asset was just unmanaged for a very long time and may contain security vulnerabilities that were later discovered simply because you would have security patches that exist for known security issues that had not been applied.
In certain cases, such as zero-day attacks, it’s actually just much more important to know where all the assets are so you can patch them as soon as possible. But for the larger majority of assets that we discover for our customers and help manage their attack surface, the real problem is that the assets are just not known. And for executives, the real key is that the existing processes and tools that a lot of companies use can be very good from this certain side of security, but they assume that networks are effectively a lot more static.
Laurel: So what are the ramifications of an enterprise not knowing their actual attack surface?
Matt: The large, most obvious one is an increased risk of breach. I think it was an adage throughout a lot of the 2000s, helped on in no small part by vendors, that everything started from email phishing. And there’s very, very large email security vendors that still pumped this message that it’s every single security incident is effectively a phishing email and that humans are the weakest link when they’re clicking on things, and therefore buy more email security.
I don’t think that’s wrong. I think it’s actually correct that security is a big thing, you can buy it. But it’s also much easier to mitigate especially now with a lot of good tools, like you actually have full visibility over all emails being sent to employees because they have to go through a central mail server. It’s actually a question of just being able to detect bad things but not actually needing to find out that there were, say, emails being sent that you didn’t have visibility into.
I think in contrast, what we’ve seen, especially more recently over the last decade and really even the last five years, is some of the absolute worst breaches, the ones that cause hundreds of millions to billions of dollars damage, are not coming from phishing. They are actually coming from usually unknown and unmonitored assets and that in many cases, were actually on the public internet. So I think some of the largest examples of this are actually things like the WannaCry attack, which caused, it’s estimated over $10 billion worldwide in damage, shut down entire companies, putting most of the health-care system of the United Kingdom back on pen and paper for actual days.
And the real ramifications are, you have all these extra avenues to get in because there are so many more assets that are online that are not being tracked by organizations, and that is actually how attackers are getting in because it turns out that there are very efficient, automated ways for attackers to understand and probe for and exploit these attacks surfaces. And the ramifications are quite bold. You see most of the healthcare of a first-world country reduced to pen and paper for days. Very, very serious because it’s not just hacking someone’s email, it’s actually hacking the critical infrastructure of the network itself.
Laurel: Speaking of critical infrastructure, another recent attack is the water treatment plant in Florida, where an attacker was able to remotely change the chemical makeup of the water to add lye to it, which could have poisoned an entire community. So then, infrastructure is an enormous issue for very large companies, like water treatment plants or oil and gas companies, etc.?
Matt: Absolutely. In that case, to the best of my understanding, the attack vector there was actually a remote access server that someone at that plant left open, was on the internet, and allowed someone to go in. What our tech services are about is we’re finding ways in that are effectively tools of IT convenience but that are able to be subverted by attackers because the tools of IT convenience are not hardened to the same degree as other things that are meant to be on the internet and are left out as a matter of course. We have this line that we like to view the internet in most ways as what most of us experienced through our web browsers or on our phone. It’s this really nice setup consumer experience and all of the webpages we view looks very nice and pleasing and we go there.
And it’s a good analogy to the physical world like I guess, soon after we’re all vaccinated from covid-19, we’ll be back shopping outside. You might go to a Starbucks and the store is really nice, you have this great experience, you get your latte, you go out, but then if you look beneath all of the glitz on the streets, you actually have much older infrastructure. You have things like no sewer pipes and other things that are greasy and cracking. And that’s the infrastructure that supports the more beautiful world on top.
A lot of what we see as part of attack surface is an IT analogy that most people view the internet really as just, “What’s in their web browser? What’s on the phone, these nice consumer websites?” But there’s entire backend IT infrastructure that supports that. And it’s somewhat creaky and it’s not always well-configured. Without something like ASM, you have problems that you don’t actually know the state of your network because it’s so large, distributed, and complex. And as in the case with Florida, which by the way was a smaller organization, it goes to the heart of how do you know that something is not going on? Under any IT security policy, having a remote access service on the internet should not be allowed. But it’s very hard even for smaller organizations to get that continuous visibility of, what do I actually look like from the outside? What do I look like to an attacker with legacy tools?
Laurel: And that’s a good example of an attack that’s not a phishing attack. It has nothing to do with the email. While we’re on the discussion of attacks, most memorably this year again, SolarWinds and Exchange, how would implementing ASM have changed those outcomes for organizations? Or how about those lucky organizations that actually understood their attack surface management options and were able to find this and thwart the attack?
Matt: I’ll speak to both because a number of our customers had both of those kinds of systems and we helped them respond. I think the Microsoft Exchange hacks, and for your listeners, a bit of background: there was actually a set of zero-days announced for the sets of versions of the Microsoft Exchange email services earlier in February and March of this year. Very, very dangerous because in effect, these are the mail servers of an organization and if you followed this XY chain, what it basically allowed you to do was send a message to a mail server to grant you effectively unfettered administrative access to the entire mail server. And there were actually hundreds of thousands of these that we detected online. And effectively, if you think about it, having an attacker being able to download all or most of the corporate mail server and with all of these sensitive information that’s stored there, is a very serious attack.
So what we noticed were actually two things, which was, for large organizations, they were very aware of this and they were patching very, very rapidly. But there were a number of customers that we were able to help where they’re so large that they actually don’t even have one central set of mail servers. So without Expanse, they wouldn’t have been able to find even all of their mail servers and be able to patch them in time because they are so distributed, they actually needed an inventory of even their mail servers. And it’s very hard to aggregate that in one central way unless you’re using an ASM tool like Expanse. Because instead, in a lot of cases, you’re usually using Microsoft Outlook and Microsoft Excel. You’re going to be sending emails to different business units. You’re going to be asking IT leaders in those different business units. If they’re patched, they will be sending emails and spreadsheets back. It’s a very, very manual process.
So able to actually identify that and really help them in a very short order of, like, a day, find and be able to fix every single server they had on their estate, which we think really, really changed the outcome, because they could have been vulnerable for weeks in certain cases. For SolarWinds as well, I think the details are a bit different because not all SolarWinds assets are necessarily exposed to the internet. And also in a lot of cases, they’d been there for months. As part of broader Palo Alto, we had other products that were able to stop SolarWinds: the SolarWinds attack in particular, our endpoint framework called XDR. But even there for SolarWinds, once the attack was known, customers still have the problem of, they didn’t even know where all of their SolarWinds servers were, which again goes back to this inventory problem and choosing capabilities, both like Expanse and other capabilities we now have as part of Palo Alto, we were able to actually help customers very rapidly understand everywhere they had a SolarWinds exposure so that they could mitigate that very quickly. So there was effectively a two-step process. At Palo Alto, we were able to prevent the attack on our customers even without knowing that the supply chain had been breached. And then once it was more public, we were actually able to then also help everyone identify all of the servers that they had and make sure that they were all up to date and not infected with the supply-chain Trojan.
Laurel: That’s really interesting because some companies may be thinking, “Oh, well, we don’t have water plants and aging infrastructure to worry about.” But do you actually know where all your mail is stored and how many different servers it may be on and different cloud instances or wherever? And when you do only have a matter of hours to make this critical patch, how quickly can you do it?
Matt: Exactly. And a lot of the questions that I asked our customers are just, “How do you have confidence that, effectively, your systems are up to date?” Answering even seemingly basic sounding questions with existing IT, if you don’t have Expanse or ASM, is actually surprisingly hard. I’ll give another fun example. I ask chief information security officers this all the time: “How many routers does your organization have?” It seems like a pretty basic question, seems like they’d know, at least to a very good approximation, the IT team should probably know exactly how many routers they have. They’re very important pieces of networking equipment, especially at the enterprise level, they’re more expensive. So it’s not just like that home Wi-Fi hotspot that we’re used to. These things can cost tens, in some cases, hundreds of thousands of dollars to handle enterprise-grade workloads.
And what we find is that when you ask that question, there’s actually usually not one central place where all that’s tracked. Instead, it will be tracked by local development and IT teams in different ways. It will be tracked in multiple spreadsheets. There may be certain local IT management systems that know that, but at the end of it, if you said like, “How many routers do you have right now?” The process that they would use to answer that is not going into a system or logging in, it’s actually starting an email chain. That’s actually the one of the main problems that attack surface management attempts to solve, is, How do you have an accurate and up-to-date inventory of everything so that you can then build a variety of processes on top of that, including security? But if you don’t have an up-to-date inventory or you think you do, but you don’t, then when you start to pull on that thread, a lot of business processes, a lot of IT processes, a lot of security processes that you want to have apply across your entire enterprise, all of a sudden you’re realizing, “Wait, this actually is only being partially implemented because if I don’t have a full inventory, how do I actually know what’s going over all of my assets as opposed to just the assets I know about?” And that’s what we talk about when we say “unknown unknowns.” As you mentioned at the top, it’s, “I know some degree of my systems, but do I know all of them?” That delta can be everything for organizations because most of their risk is in the parts of their network they did not even know to investigate.
Laurel: What other data-driven decisions can be made from this sort of focus on actually knowing where all your assets are. How else can this help the business?
Matt: Two areas that this really helps organizations with is actually cloud governance and M&A. Particularly, these are very sprawling enterprises. So for a lot of our customers, they might actually have hundreds of different cloud accounts in the public cloud providers, so AWS, Azure, Oracle, Google, Alibaba in a lot of cases, and they had no way to actually rationalize this because they would have a whole bunch of different development teams and they couldn’t get something. And so, when they say that they are moving to the cloud, a typical refrain from our customers will be like, “Yes, we are. We have deals with Amazon and we’re hedging our bets a little bit. We’re also exploring Azure so we’re not solely locked into one cloud.” What we find is that the average customer for Expanse is in 11 different infrastructure providers.
I’m not talking SaaS, I’m talking in places that you actually get like renting a server, putting data on yourself. It’s amazing and astronomical and we could say, “Well, yeah, you are on Azure. You’re also on AWS. Did you know that you’re also in DigitalOcean? You’re also in Linode. Your general manager in Europe probably put you in OVH or Orange hosting. You have something else in the Malaysian data center. I’m not exactly sure what that is.” And that’s typical. One customer for us was actually in over a hundred different providers because they’re a very large multinational. I think that’s when we see that people’s cloud governance plans versus cloud reality are dramatically different. And helping them with that will enable them to move both securely and quickly to the cloud.
Second one is mergers and acquisitions. I think this is something that is increasingly happening. As a lot of industries are consolidating, there’s a lot of M&A activity more recently. But when you think about it, an M&A is one of the largest IT change events an organization can have, especially if it’s a large acquisition. So I know a little bit about this, having recently gone through this process with Palo Alto Networks on ourselves on the other side of the table, but the number of things you have to integrate is quite large. And in the case of Expanse, we’re integrated with a top security company in the world and also we are relatively small. So the integration headaches have been almost nonexistent, and it’s been a really great process.
But for larger organizations where you might, an organization with 50,000 people is acquiring an organization with 10,000 people, the number of different steps you have to go through, the amount of IT that you have to transfer, the amount of legacy that you have to understand is gigantic. And in a lot of ways, these are in many cases only partially implemented because as an acquirer, you might not even know where all the assets you’re acquiring are. As an example, for an airline, there was a series of mergers and we’re actually able to find assets of the merged airline that no longer exists, but were still on the internet more than a decade after the merger.
Which gives you an idea of just how long some of these things take. That’s the other side of, how we really help with our customers, is actually understanding, “When you actually acquire an asset, how do you actually complete that process? How do you measure it? How do you monitor it and how do you do that at the scale of the internet rather than with a lot of consultants, Excel spreadsheets, pieces of paper and emails?”
Laurel: So from our conversation today, I feel like this is the, “If you don’t know what you don’t know, you should really figure it out” warning, if you haven’t heard it before. But there are glimmers of hope in this, right? Because if the asset exists, you can at least find it, track it and assess what you’re going to do with it, mediate any changes you need to make or assess it to bring it back to full cybersecurity compliance. What gives you hope about what’s possible after seeing the first three months of this year and what’s happened with attacks, the ongoing issues that we’re going to have? But there is opportunity there, right? There is hope. What are you seeing that makes you optimistic about cybersecurity and what we’re looking forward to in the next five years?
Matt: Yeah, I’m actually quite optimistic in not even the long-term but even in the medium term I think, even three, four years out. Near-term, definitely there’s going to be some rough seas ahead, but here’s what makes me most optimistic. One, I think that this is actually a solvable problem largely with a lot of technology that’s being developed. And by that, it is clear that once you know a problem exists, actually fixing it is actually rather straightforward. There’s a lot of mechanistic steps to get better at that. There’s a lot of automations that can be put on that. And there’s a lot of things coming to bear. But in many cases, the actual hard part is seeing what you actually need to fix and knowing all of the set of problems and then being able to prioritize them effectively and then start working on them.
And I think in particular, the things that I’ve seen are within the industry, I think there are a lot of technologies in the few years that are going to meet the marketing hype that has been around for years. I talk a lot with industry partners. We use substantial amounts of data. With my background where I have a PhD from Stanford in operations research and machine learning, we actually do use some real actual machine learning in our products. We also use a lot of heuristics as well. I joke that we sometimes have machine learning classifiers to solve a problem. Other times we have SQL queries that solve the problem.
We have some really well-written SQL queries. I’m very proud of those. But I think that the industry itself, especially in marketing material, you would think that everything in cybersecurity is this automated AI, ML-enabled everything. In most cases, but not all, but in a lot across the industry, and this is especially true in startups, it’s just a line to pitch. And what companies really call AI are just standard software rules and there’s really nothing special going on.
Or there’s an old joke that, “Oh, I have this great AI thing. What is it? Well, we have a bunch of analysts that are former intelligence officers, usually in Maryland or outside of Tel Aviv and they’re the ones doing everything. But we have a system that efficiently routes work to them and that’s our AI.” And they’re like, “Wait, that’s people.” I think what I’ve seen is that one, automation broadly defined is a real thing. But automation actually means on the ground, is you take something that previously took hours and days and 10 people. And then with software right now, it’s more so how do you take that down to 15 minutes and two or three people?
I think that we’re going to see even larger gains or even start to take humans out of the loop entirely in certain business processes. And I think what we’re seeing and this is a lot of what we’re working on and I’m working on now is that over the next months and years, actual large-scale machine learning capability is actually being deployed in production. I think there are some that are out there in piecemeal. There’s a lot more rules than anyone wants to talk about, but we are now seeing there’s enough assemblage of data, there’s enough normalization of data in that, especially at the larger companies, and that enterprises are more willing to share information with vendors if it demonstrably improves the security service that they are getting, that we are actually going to be able to deploy increasingly sophisticated capabilities along those lines and have the product/reality match. I think that’s what at least the broader industry marketing zeitgeist had been.
I’ve seen a lot of them, they are very, very real and they’re very much coming. And they’re coming at an industrial scale for defenders. And I think that’s what I’m most excited about because despite the fact that there’s the old adage of, attackers need to be right once, defenders need to be right all the time, increasingly, it is now more scalable for defenders to be right much of the time and to actually set up very vast monitoring networks so that if the attackers slip up once, the defenders can completely wipe them out in that attack. And that both asymmetrically affects cost and also I think will help tilt the field back to defense.
Matt: I think when you had partial AI solutions and ML solutions and partial automation, it helped attackers much more because they could duct-tape together a few different parts, scale up certain things very highly and then just see what came back to them in a great way. I think defenders are going to be able to have similar capabilities that are effective because they actually cover everything going on in an enterprise. And that’s going to allow us to turn the tide.
Laurel:Matt, thank you so much for joining us today in what has been a fantastic conversation on the Business Lab.
That was Matt Kraning, the chief technology officer and co-founder of Expanse, who I spoke with from Cambridge, Massachusetts, the home of MIT and MIT Technology Review, overlooking the Charles River.
That’s it for this episode of Business Lab. I’m your host, Laurel Ruma. I’m the director of Insights, the custom publishing division of MIT Technology Review. We were founded in 1899 at the Massachusetts Institute of Technology. And you can also find us in print, on the web, and at events each year around the world.
For more information about us and the show, please check out our website at technologyreview.com.
This show is available wherever you get your podcasts. If you enjoyed this episode, we hope you’ll take a moment to rate and review us. Business Lab is a production of MIT Technology Review. This episode was produced by Collective Next. Thanks for listening.
This podcast episode was produced by Insights, the custom content arm of MIT Technology Review. It was not produced by MIT Technology Review’s editorial staff.
The quest to show that biological sex matters in the immune system
She ultimately found a postdoctoral position in the lab of one of her thesis committee members. And in the years since, as she has established a lab of her own at the university’s Bloomberg School of Public Health, she has painstakingly made the case that sex—defined by biological attributes such as our sex chromosomes, sex hormones, and reproductive tissues—really does influence immune responses.
Through research in animal models and humans, Klein and others have shown how and why male and female immune systems respond differently to the flu virus, HIV, and certain cancer therapies, and why most women receive greater protection from vaccines but are also more likely to get severe asthma and autoimmune disorders (something that had been known but not attributed specifically to immune differences). “Work from her laboratory has been instrumental in advancing our understanding of vaccine responses and immune function on males and females,” says immunologist Dawn Newcomb of the Vanderbilt University Medical Center in Nashville, Tennessee. (When referring to people in this article, “male” is used as a shorthand for people with XY chromosomes, a penis, and testicles, and who go through a testosterone-dominated puberty, and “female” is used as a shorthand for people with XX chromosomes and a vulva, and who go through an estrogen-dominated puberty.)
Through her research, as well as the unglamorous labor of arranging symposia and meetings, Klein has helped spearhead a shift in immunology, a field that long thought sex differences didn’t matter. Historically, most trials enrolled only males, resulting in uncounted—and likely uncountable—consequences for public health and medicine. The practice has, for example, caused women to be denied a potentially lifesaving HIV therapy and left them likely to endure worse side effects from drugs and vaccines when given the same dose as men.
Men and women don’t experience infectious or autoimmune diseases in the same way. Women are nine times more likely to get lupus than men, and they have been hospitalized at higher rates for some flu strains. Meanwhile, men are significantly more likely to get tuberculosis and to die of covid-19 than women.
In the 1990s, scientists often attributed such differences to gender rather than sex—to norms, roles, relationships, behaviors, and other sociocultural factors as opposed to biological differences in the immune system.
For example, even though three times as many women have multiple sclerosis as men, immunologists in the 1990s ignored the idea that this difference could have a biological basis, says Rhonda Voskuhl, a neuroimmunologist at the University of California, Los Angeles. “People would say, ‘Oh, the women just complain more—they’re kind of hysterical,’” Voskuhl says. “You had to convince people that it wasn’t just all subjective or environmental, that it was basic biology. So it was an uphill battle.”
Despite a historical practice of “bikini medicine”—the notion that there are no major differences between the sexes outside the parts that fit under a bikini—we now know that whether you’re looking at your metabolism, heart, or immune system, both biological sex differences and sociocultural gender differences exist. And they both play a role in susceptibility to diseases. For instance, men’s greater propensity to tuberculosis—they are almost twice as likely to get it as women—may be attributed partly to differences in their immune responses and partly to the fact that men are more likely to smoke and to work in mining or construction jobs that expose them to toxic substances, which can impair the lungs’ immune defenses.
How to tease apart the effects of sex and gender? That’s where animal models come in. “Gender is a social construct that we associate with humans, so animals do not have a gender,” says Chyren Hunter, associate director for basic and translational research at the US National Institutes of Health Office of Research on Women’s Health. Seeing the same effect in both animal models and humans is a good starting point for finding out whether an immune response is modulated by sex.
Why can’t tech fix its gender problem?
Not competing in this Olympics, but still contributing to the industry’s success, were the thousands of women who worked in the Valley’s microchip fabrication plants and other manufacturing facilities from the 1960s to the early 1980s. Some were working-class Asian- and Mexican-Americans whose mothers and grandmothers had worked in the orchards and fruit canneries of the prewar Valley. Others were recent migrants from the East and Midwest, white and often college educated, needing income and interested in technical work.
With few other technical jobs available to them in the Valley, women would work for less. The preponderance of women on the lines helped keep the region’s factory wages among the lowest in the country. Women continue to dominate high-tech assembly lines, though now most of the factories are located thousands of miles away. In 1970, one early American-owned Mexican production line employed 600 workers, nearly 90% of whom were female. Half a century later the pattern continued: in 2019, women made up 90% of the workforce in one enormous iPhone assembly plant in India. Female production workers make up 80% of the entire tech workforce of Vietnam.
Venture: “The Boys Club”
Chipmaking’s fiercely competitive and unusually demanding managerial culture proved to be highly influential, filtering down through the millionaires of the first semiconductor generation as they deployed their wealth and managerial experience in other companies. But venture capital was where semiconductor culture cast its longest shadow.
The Valley’s original venture capitalists were a tight-knit bunch, mostly young men managing older, much richer men’s money. At first there were so few of them that they’d book a table at a San Francisco restaurant, summoning founders to pitch everyone at once. So many opportunities were flowing it didn’t much matter if a deal went to someone else. Charter members like Silicon Valley venture capitalist Reid Dennis called it “The Group.” Other observers, like journalist John W. Wilson, called it “The Boys Club.”
The venture business was expanding by the early 1970s, even though down markets made it a terrible time to raise money. But the firms founded and led by semiconductor veterans during this period became industry-defining ones. Gene Kleiner left Fairchild Semiconductor to cofound Kleiner Perkins, whose long list of hits included Genentech, Sun Microsystems, AOL, Google, and Amazon. Master intimidator Don Valentine founded Sequoia Capital, making early-stage investments in Atari and Apple, and later in Cisco, Google, Instagram, Airbnb, and many others.
Generations: “Pattern recognition”
Silicon Valley venture capitalists left their mark not only by choosing whom to invest in, but by advising and shaping the business sensibility of those they funded. They were more than bankers. They were mentors, professors, and father figures to young, inexperienced men who often knew a lot about technology and nothing about how to start and grow a business.
“This model of one generation succeeding and then turning around to offer the next generation of entrepreneurs financial support and managerial expertise,” Silicon Valley historian Leslie Berlin writes, “is one of the most important and under-recognized secrets to Silicon Valley’s ongoing success.” Tech leaders agree with Berlin’s assessment. Apple cofounder Steve Jobs—who learned most of what he knew about business from the men of the semiconductor industry—likened it to passing a baton in a relay race.
Predicting the climate bill’s effects is harder than you might think
Human decision-making can also cause models and reality to misalign. “People don’t necessarily always do what is, on paper, the most economic,” says Robbie Orvis, who leads the energy policy solutions program at Energy Innovation.
This is a common issue for consumer tax credits, like those for electric vehicles or home energy efficiency upgrades. Often people don’t have the information or funds needed to take advantage of tax credits.
Likewise, there are no assurances that credits in the power sectors will have the impact that modelers expect. Finding sites for new power projects and getting permits for them can be challenging, potentially derailing progress. Some of this friction is factored into the models, Orvis says. But there’s still potential for more challenges than modelers expect.
Putting too much stock in results from models can be problematic, says James Bushnell, an economist at the University of California, Davis. For one thing, models could overestimate how much behavior change is because of tax credits. Some of the projects that are claiming tax credits would probably have been built anyway, Bushnell says, especially solar and wind installations, which are already becoming more widespread and cheaper to build.
Still, whether or not the bill meets the expectations of the modelers, it’s a step forward in providing climate-friendly incentives, since it replaces solar- and wind-specific credits with broader clean-energy credits that will be more flexible for developers in choosing which technologies to deploy.
Another positive of the legislation is all its long-term investments, whose potential impacts aren’t fully captured in the economic models. The bill includes money for research and development of new technologies like direct air capture and clean hydrogen, which are still unproven but could have major impacts on emissions in the coming decades if they prove to be efficient and practical.
Whatever the effectiveness of the Inflation Reduction Act, however, it’s clear that more climate action is still needed to meet emissions goals in 2030 and beyond. Indeed, even if the predictions of the modelers are correct, the bill is still not sufficient for the US to meet its stated goals under the Paris agreement of cutting emissions to half of 2005 levels by 2030.
The path ahead for US climate action isn’t as certain as some might wish it were. But with the Inflation Reduction Act, the country has taken a big step. Exactly how big is still an open question.