Welcome back after the workshops and also after the breaks. I hope you had a good time on the workshops. Some of you are now even experienced hackers, I learned. There's another conference going on upstairs with the German army. They are now already concerned that you're going to hack them. I also do hope you have interesting discussions amongst each other and we can now continue for our next two hours with five high-profile speakers. The first one will talk about, obviously, the topic of the conference, AI in Cybersecurity.
He comes with over 20 years of experience in the IT industry and he worked with companies such as HP, AWS, before he joined Palo Alto Networks. Please join me and welcome Florian Hartwig on stage, who is the Managing Director of Germany.
So, hello everyone. As was said, Florian Hartwig, I run the German business of Palo Alto Networks in Germany. I joined a year ago and talked about AI in Cybersecurity today. What it does, what it doesn't do, certainly there's a lot of myths circulating the topic and I'll try to demystify a few of them today. Before I start, let's briefly talk about the macro environment in which we all operate. The world is changing, that is new.
What is new, though, is the pace at which change is happening, impacting businesses around the world and also cybersecurity states of our customers across the industries. So, there's geopolitical instabilities and we don't need to go as far as China or Taiwan. I wouldn't call Europe necessarily very stable nowadays if we look towards the East, if you look at what's going on in the Ukraine and the amount of really well-funded, state-funded actors that are emerging.
Also, companies need to reconsider where they actually store their data. So, that is all part of that pillar. The second pillar that we're seeing accelerating at a fast pace is third-party vulnerabilities. Given the supply chains that are growing in complexity, both in the physical but also in the digital world, the attack vectors are also exploding in CICD chains where some open source code might not be as professionally written as it should have been or also on the shop floor.
Think of the shop floor systems or the world of OT security that has often become a prominent inroad of hackers simply because it's the weakest part of the chain. If we think about regulatory compliance, and I'm sure many of you are getting their heads around this too, maybe some with DORA as well, those legal risks that are emerging from regulatory requirements are prevalent, but they're not only a risk, but they can also be a differentiator for companies to generate trust with their end customers.
Then, digital transformation, the whole notion of the move to the cloud. As was said, I spent the last eight years in Amazon, had the pleasure to build the business in Germany, so enjoyed a front row seat. What it means of helping customers adopt the cloud and generating towards digital at a fast pace.
Security, however, has often been an afterthought. I would say it is oftentimes not fully ingrained in the considerations at the get-go. We at Palo Alto Networks, we do see one and a half million new attacks every day. I'm going to share some more data right in a second.
AI, if we look at what happened to internet or mobility, it took 23 or 16 years respectively until the amount of 1 billion users got reached. When it comes to AI, and you might challenge the fact that we're already there, given the widespread of AI apps, that number might clearly be reached even faster. Research suggests that it takes seven years until 1 billion users get reached. I personally think it's too late. I think it's probably going to take much faster than that. We have to make sure that all this stuff gets secured right at the start.
Not fixing things when it's too late, but really think about the emergence of all the code that is being generated through the help of AI. Good. Coming back to the initial mandate and the theme of that presentation is around the myth and what role AIs really play in cybersecurity. There's quite a few. I'm going to touch on three key important ones that I believe are super important. The reason I'm doing that is, first of all, to drive some clarification, but I also like to create some optimism in an industry that is a bit centered around doom and gloom, if that makes sense.
Here to create some confidence. The first myth is AI is just a buzzword. It doesn't help the attackers, doesn't help the defenders. It's just another hype. Let's look into that. I'll start with a quick question. I'd like you to raise your hands. How long do you think it takes an hacker in the AI age to steal your data once he or she is in your network? Less than a month?
Hands up, please. Or less than a week? Less than a day? Or couldn't care less? Of course. It's less than a day. That's weird. There's numerous examples where it even takes less than a day. We're talking hours or minutes from the moment of entering the network and then exfiltrating the data. The number of bad actors out there using AI, this number is exploding. It's not growing linearly, it's exploding. That actually leads to the fact and leads to a couple of data points that I'd like to share here on that slide. Compromising to exfiltration down from days to minutes.
Same for exploitation of vulnerabilities down from weeks to a week today, maybe minutes in the foreseeable future. And then ransomware. If people can build ransomware in 15 minutes and we've seen that happening and it takes them only hours to get into the system and steal data, that outlines the big, big dissonance that we're facing because the median time for a large enterprise in the Western world to detect an incident ranges between four to seven days. Ransomware 15 minutes, data exfiltration in the minutes, but it takes four to seven days until something gets detected.
This is based on our own research paired with some independent data. That's crazy. The second myth is centred around the imbalance of power in the AI age. Some might say, well, the attackers dominate the defenders. There are so many out there, they're so smart, AI will just kill us basically. And if you look at that rather busy slide, you might argue it could be true. It could be true because especially Gen AI is uplifting all kinds of, if I were to categorise the hackers out there, they all benefit from the use of AI.
Both the state-owned, state-funded actors, the cyber criminals, the professional orgs benefit. But it's worth noting that the biggest, biggest impact we're seeing is on the hacktivist side. They like to think of a student in a garage trying to earn some extra money becoming a hacker, write a ransomware. So this group disproportionately benefits from the use of AI, which leads to, first of all, a tonne of more attacks, but certainly the level of sophistication of the attacks we're seeing, even from those rather less skilled groups, is quite amazing.
I'm sure if you've also received those phishing emails that look pretty damn good. And it's not all really great professionals that are behind these oftentimes.
However, and here I am in the, you know, switching to more like creating some confidence here. What actually differentiates good AI from not so good AI?
Well, it's the data, isn't it? We at Palo Alto Networks, we're in the business for quite some time, building, deploying firewalls for 15 plus years. We have collected a lot of data, good data, which makes us confident. And this is what we realise every day, that the AI we leverage to protect our customers is pretty efficient. And it's not only us, I'm talking about the industry as a whole.
So, for example, as you can see on the slides here, each day we analyse around one and a half billion objects. And out of these objects, we identify, and that's quite an amazing amount, almost 20 million net new attacks. And this number is probably outdated every month I talk about it, 20 million net new attacks, zero days that haven't been there the day before. And in addition to that, and that's certainly enabled by artificial intelligence, is to block 12 or more billion attacks every day. That's never possible with human force only.
I mean, you ask yourself how many cybersecurity professionals, how many data scientists you actually want to hire? I mean, where would you find them to get on top of all the attacks that are happening? This can only happen through AI.
So, what we are preaching is you need to combat AI with AI, otherwise this battle is already lost. Third one is scamming. And that's not new either. It's on the rise, it's growing fast.
But again, the level of sophistication, what's going on in this bucket of scamming attacks, you've probably, as we said, realized yourself, have been a victim of a pretty good phone call, WhatsApp, email, whatever kind of text message. So, what's now possible through the use of AI is quite phenomenal. And I'm going to talk about a real daunting example. Who of you have heard of this poor finance worker in Hong Kong?
Yeah, a few of you have. So, here's this poor guy working in the finance department, receiving a fairly random notification asked to wire 25 million USD to an unknown bank account. And this guy is obviously smart and realized probably something going on here and would reject the request. What happened then is this individual got invited to a Teams call or a Zoom call or whatever it was. And there he found himself in a group of fairly well-known people. Some of his peers, his boss was there. And they would all talk about this planned investment and planned money transfer.
And eventually this team concluded that it's the right thing to do. And everyone was aligned.
So, this chap would then go and wire 25 million USD because the people who he thought would be in that meeting, these avatars were created based on publicly available data, footage, video material that existed out there in the web and created that quite phenomenal illusion. And it doesn't stop there.
We're seeing a lot of, there's a lot of examples where identity cards are being stolen, where then the facial recognition tests when loans are being requested or bank accounts are being registered, where with pretty strong deep fake technology, those facial recognition and these hurdles that are being built are just eliminated like that. So, yeah. A new area of scamming is no myth. It's a bloody hard reality.
So, therefore, we, you, all collectively need to be on our toes even more. So, the good news is that there's a couple of things that we can and should do to protect ourselves. And I would categorize them in four buckets. On the first hand side, there's modern technology that is becoming more and more standard. Think of watermarking.
So, think of visible or invisible marks in digital assets to verify and protect data from unauthorized assets. These things are becoming gradually, but they're becoming a new normal. The second thing is detections. And we talked about detections that are technology enabled that are part of the solutions that we provide as a cybersecurity vendor.
But also, think of the big platforms out there. Think of the Metas, the Apples, the Googles. First of all, they have a ton of people working on those subjects.
So, there's a sheer mass of talent addressing those threats. And secondly, they also have quite good data.
So, there's patterns that have been recognized over the past. So, I personally believe and hope you would agree that some of those defense mechanisms from the larger platforms that most of us work with as end users have been working pretty well. Third thing is, and that's a super important one in my view, it's about the mindset. Security has to be a mindset. And if it's not a mindset, it has to be created.
So, talking a little bit about what we do, and I think we as a cybersecurity vendor do have that cybersecurity mindset. But still, we get tested. We get tested on a regular basis. We receive those phishing emails to stay with that example. Pretty good stuff. And if you click on one and it was a phishing email, then you're forced into a 30-minute training and enablement session that you rarely have time and appetite for. It's certainly not in that given moment.
So, creating those mindsets, I think it's more difficult with the elder generation. But on a positive note, what we're seeing the more younger generations, they are quite vigilant, they're quite agile, and they are embracing that security mindset quite nicely. And then the fourth point is around collaboration and partnerships. And what I mean by that is, first of all, collaboration across companies in the industry.
So, we should not, and we do not hold back, but we share those insights with the broader industry, you know, cybersecurity vendors, but also thinking about partnerships between the private and the public sector, you know, the BSI in Germany. I think this collective power of intelligence of people and technologies can actually move the needle quite dramatically. Last thing I'd like to mention is the importance of independent validation of controls and architectures.
So, this is more important than ever, not only because some of the regulators are actually enforcing that, you know, think of PCI in the financial services space, but I'm not sure how many of you know the MITRE ATT&CK framework. This is pretty good. This is an independent organisation that actually assesses the solutions out there that exist and their potential and they are mapping them to, against the most prominent threats that are out there. In the AI age, having this, you know, independent check and validation is super, super critical.
So, in short, there clearly is a trend that AI is, you know, changing or accelerating the game in cybersecurity, both on the good side, but certainly also on the side of the bad actors. And that's point number two, it still doesn't fundamentally change the game, at least not in the midterm, right? What we have shared is the headstarts that, you know, the good guys and the good companies have when it comes to talent, when it comes to data, is quite, is helpful and will lead to an edge, presents an edge, at least today's.
Whether it will be on the long run, I'm not here to discuss today, but so far so good. And then there's obviously companies like Palo Alto Networks who, you know, differentiate with the solutions that we offer the customers based on the data we have accumulated over time, based on, you know, the complexity that we're helping our customers to reduce based on platformization.
So, that's about it. I thank you very much for listening. And I think there's no more time for questions, really. I think we... I have one. You have one?
Okay, that's good. Thanks, Florian, for that.
Yeah, one question. You talked about the usage of AI. This morning, I presented survey results with it.
So, still two-thirds of the people said they are just exploring it or not using it at all. The usage of AI for us defenders, is it an option or a must?
Well, based on what I've just shared and based on my fundamental belief, I think the punchline is you need to combat AI with AI. You cannot hire as many people, you cannot act as fast as you need to be. You need to, you know, sort of upgrade your line of defense as the attackers also upgrade their line of attack.
So, I think that's not an option. I think it's clearly a must. Okay.
Thanks, Florian. Thank you very much.
