It seems like there is a genuine communication breakdown between management and engineering. Engineers know that there are vulnerabilities all over the place, that there have been for ages, and that where the rubber hits the road, not every vulnerability represents a successful exploit by some nefarious actor.
Management can often treat cybersecurity like a black box that represents millions upon millions in liability. If Mythos represents an opportunity to bring management's understanding of the amount of "security vulnerability debt" everyone carries into the real world, it might be a good thing.
To be fair though, models might be changing the calculus for what constitutes a vulnerability that is too small / too obscure to care about.
If AI is reducing the cost of using the long tail of small vulnerabilities, or is making it possible to chain them together into something more profound, then those small, less-concerning issues might require addressing in a way that was previously not required.
The problem is that it won't bring understanding, though. You get situations like the parent, where the execs don't have the knowledge, time, or care to learn beyond "vulnerability bad, must patch now".
Execs/Management types getting extra visibility into the technical side, in my experience, has only ever resulted in additional but meaningless work, like just checking boxes on a compliance/audit checklist without actually considering the impacts of those changes, or whether a company is actually vulnerable to the disclosed CVE.
It's along the same lines of the BS I deal with day to day from upper management arguing back with "But ChatGPT said..." meanwhile pasting some hallucinated crap that doesn't even apply to our environment.
LLMs are basically a Dunning-Kruger machine for management. Engineering is best left alone and trusted to do what they are being paid to do.
Yeah, I’m getting the sense that Mythos is for cybersecurity what blockchain was for back-end finance. A bit useful. But mostly good for bringing attention to upgrading neglected systems.
I recommend "How to measure anything in cybersecurity risk". Really interesting read about putting actual value on security.
I had a genuinely surreal conversation with the security team this past week. It went like:
'Hi, we are reaching out to you because our tool flagged a large data transfer between such and such services'
'Wait, the source endpoint is an internal service, the target endpoint is an internal S3 bucket (I was doing a routine DB backup). Neither is reachable from the internet. How is it a security issue?'
'Our tool has flagged it'