
Project Glasswing Updates and Wrangling Hidden AI Agents | Unhack the Podcast with Jason Elrod

Questions Answered in This Episode
- Should every healthcare executive be using AI agents as thought partners and researchers?
- How do you manage AI agents that have no supervisor once their creator leaves?
- Why do traditional identity and access management models fail for AI agents?
- Who bears accountability when an AI agent produces harmful outcomes in healthcare?
- What governance structure do healthcare organizations need for non-human identities?
About This Episode
June 23, 2026: Jason Elrod, CISO at MultiCare, unpacks why traditional identity and access management doesn't map to AI agents, what happens when an employee leaves and their agents keep running with no one accountable, and why exploitability management is replacing vulnerability management as the right frame for security leadership. They also get into social engineering of AI models, the Harvard degree story, and what walk-up song Jason would pick for a 25,000-person keynote.
Key Points:
09:03 Managing Agents Like Employees
15:48 Agents Getting Phished
22:30 Exploitability Management Mindset
29:55 Speed Round
Keep up to date on the latest in health IT:
https://thisweekhealth.com/news/
Transcript
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

I'm Drex DeFord from The 229 Project and This Week Health. Our mission is healthcare transformation. Together. Welcome to UnHack the podcast, where we navigate healthcare security and leadership challenges together, because cyber safety is patient safety. Let's get started.

Hey everyone, I'm Drex. This is UnHacked Podcast. I've got Jason with me from, uh, MultiCare. Hey buddy. How you doing? Fantastic. Um, it's a pleasure to be here. Um, I get to speak with the Drex DeFord. You know, we always have a good time when we're together. There's always- Yeah ... a good conversation to be had. Uh, we're gonna talk about a bunch of stuff today that I think you and I are very simpatico on when it comes to, uh, agents and that kind of stuff. But let's start with, uh, so do you use any agents? I'm gonna tell you why I'm asking this question here in a minute. Do you have an agent? Do you use agents? Do I have an agent? Yeah, talk to my agent about this before this, you know, before any publishing goes out, you know, talk to my agent. An AI agent. Do you have an agent? An AI agent. Uh, yes. I do. Mm. I do, and I think, um, uh, that's gonna be the norm. Yeah. Any executive right now, um, should be embracing the use of agents for aspects of their job, of their life, of, um, just in general, because I think, um, it serves two purposes. You know, one, you're gonna realize the power of being able to say, "Hey, look, I can offload this task," or I can use this as a thought partner- Don't delegate thinking Hmm cognitive decline is a thing. Cognitive atrophy will happen. But use it as a, as a, uh, as a, a thought partner, a research partner, an analyst. "Hey, I got this idea. I'd love to be able to research these things. I just don't have time." Go forth and research, come back to me. "Wow, let's have that." 
Um, so I, I do use it there. Um, I have some personal stuff that I use it, and we're really leaning heavy into using it in, uh, the program- Hmm ... literally the information security program at MultiCare. Um- Hmm ... and we're a non-trivial sized organization. Hmm. So. I, I, I wanna ask some more, uh, some more questions about that. The reason I originally asked, though, is that my agent did some research on you. Uh-oh. And, uh I have a counter-agent that does research on these a- Is it... And it lies to the agents that are doing research? It's, uh, it's kind of funny, um- I call it the PSYOP agent. Go forth. Go. Yeah. Yeah. It's, uh... You know, I started to really kind of leaning into this agent thing, I don't know, several months ago, and I've built, uh, in Claude with the help of Bill Russell, and, uh, a lot of other folks, uh, kind of really got into this now. And, um, so yeah, I use agents for all kinds of stuff. But like I said, one of them was to kind of sort of prep for the show and do some, uh, some digging into you. So you've been at MultiCare since 2021? That doesn't seem right. Have you been there longer? No, that's it. That's it. Oh my gosh. Maybe it just seems long. Longer. Every conversation with you seems like forever. Yes. It's in the, the conversation with Drex is in dog years. It's in dog years. MultiCare, 14 hospital. You have literally hundreds of clinics, about 30,000 employees- Yep ... across the Pacific Northwest. I know you're always in... There's always some motion going on down there, new partnerships- Yeah uh, acquisitions, um, lots of stuff happening. Uh, you were at Sutter. You were at Sutter actually when we originally, I think, first crossed paths. Yeah. I was there for 10 years. But you've done a bunch, you've done a bunch of other stuff since then. Ta- I mean, uh, you know, just sort of talk about your background other than the stuff I've covered, talk about your background and tell me what I missed. 
What I'll talk about is I got in security through desperation, not inspiration. Okay? Uh-huh. So, so that's where it's... So back at, back in the, uh, the late '90s, uh, I was running a, I had a nationwide ISP, and we were a network consulting firm, um, for about ei- eight years there. Um, but back, you think about, you know, um, partying like it's 1999. Uh, well, in 1999, when people were trying to party on my servers, there was nobody to stop them. Hmm. And so it was kind of like, "Well, here, hold my coffee." And then you, you had to learn those skills. You had to dive into it, and you had to really be an operator real time, because the idea of that hacker, counter-hacker, information security, cyber security, all of that, uh, was really hitting the road right then, right about that- Yeah year 2000. Yeah. So, um, been doing the, been doing the, the security thing since about that time pretty much full time, uh, from, from, uh, applying the craft. That's pretty awesome. Uh, so, uh, so 26 years now, something like that. Yeah. That's, that's a lot. Focused to that. Other 10 years from that, I did other stuff. Ran data centers and, and did stuff in the, the finance industry. You have a master's too? I do. From? I do. I have a master's from Harvard. I, I was gonna let you say that, 'cause I felt like- You know ... it would be very like- ... I, I shouldn't say that, so. What's the joke there? How do you know somebody's, uh, went to Harvard or does CrossFit? Talk to them for five minutes. I'll tell you. No, that, I think that's also a, a secret that a lot of people- I haven't had that one come up in a while. Way to bring that one up, man. Yeah, for sure. What's your, what's your degree in? Information management systems with a- Okay ... with a focus on cybersecurity. Um, here's what most people don't know. So I did not have a college degree until, I think, 20, uh, 2018. 2018. Mm-hmm. And then they, they were like, "Hey, you need to go get an undergraduate degree." 
Because if you're going to move into these roles- They're like, "Hey, you're, you're already- ... that is like written into the job description you're, you're chairs with doctors and PhDs and JDs." You think, you know, so yeah, go do it. It's, you know, just go do it. It was one of those moments that I said, "All right." So I went there, and I pretty much challenged my entire undergraduate degree. I had some work, you know, from when I graduated high school and had gone into college originally, way back, way back machine, but I was able to finish my undergrad in about eight months, uh, just, just firing through it. And then they said, "Hey, you know what? Um, we're also paying for... We- we'll still pay for the bigger degree." And I said, "Okay, what if I can get into Harvard?" And they said, "Well, we said we'd pay for it." And I said, "Cool." That's how I got that degree. That's how that rolled out, and, uh, I was able to get in there and do that, so. Do, do you think the degree's as important today as it maybe was, I mean, even five or six or seven years ago? Absolutely. It's ... I, I don't think so at all. Yeah. I, I think five, six years ago, may- even, even five, six years ago- Maybe it was a ticket to the dance. Mm-hmm. Didn't really prove anything. It's like, it's like the CISSP, like the certification. Mm-hmm. I got that back in 2000 or something, 'cause... So a really long time ago. Uh, yet people are saying, "Hey, you need to have a CISSP now if you're gonna be in security, you're gonna be a..." You know? All that did was prove I knew something at that time- Uh-huh ... 26 years ago. Uh-huh. It doesn't re- I mean, they're a moment in time, maybe th- a little bit of third-party validation about something. Mm-hmm. But they're not current. They're never current. Mm-hmm. They don't represent what your capabilities are. 
And I love that we've been able to see a trend that removes the need for a degree, like the hard need, like hard pass, you must have a degree, to or equivalent experience. Mm-hmm. Mm-hmm. And I find that leaning into the or equivalent experience usually gets me people who are a lot more scrappy, a lot more creative, a lot more innovative. And like I said, I was already the head of cybersecurity for a multi-billion dollar organization- Yeah ... with no college degree. Yeah. And it was just because... And be force of will. But, I know ... but to make, to make sure that opportunity's available for other folks, um, is huge, 'cause I- I think, you know, degrees are worthwhile for some things. Like, I wanna make sure my, my lawyer knows lawyering. I wanna make sure my doctor knows doctoring. You know? My, my accountant knows accounting. You know? There, there are, there are, there are some things that we have licensure associated with it. You wanna put that in there. Mm-hmm. But beyond that, beyond that, I think it's, um, it's more about how you show up. Yeah. I'm with you. My mom used to say, you know, uh... I was a farm kid from Indiana. I had no chance of going to college. I enlisted in the Air Force. That's how I wound up getting college degrees. My mom used to say that, you know, "That boy's got more degrees than a thermometer." And, uh, I was like, I never thought that would ever happen and... But I'm with you. I mean, I think at this point, degrees are great. If that's a thing you wanna do, you need to check that box. Go get it. But I think there's a lot of great opportunity that doesn't require a degree. Yeah. Hey, I counsel people away from... I... Don't associate your identity with a piece of paper. Ah. Right. Right. Even if it's Harvard. Even if it's Harvard. Yeah. I, I, I've never actually heard you say that, so when I saw that in the research today, I was like, "What the heck? How has he never told me that?" Um- Oh. Did I tell you about the CrossFitting? No. 
I wanna pick your brain about, um, a couple of cybersecurity topics. We have, uh, you and I have actually sort of- Mm-hmm ... um, gone back and forth about agents. I know you have a podcast, too. Uh- Yep ... and, uh, I've heard you talk about sort of, uh, agents. I did a two-minute drill a few weeks ago where I talked about a vice president of non-human resources. Yeah. Somebody who actually needs to be in charge of the, you know, the hiring and onboarding and training and, you know, annual review and ultimately maybe the firing of all these agents that we're putting into place. You've talked a lot about that. C- give me your view of kind of what's happening with agents in healthcare organizations right now. I like, I like the framing around it, the VP of non-human, of NHI, non-human identities, right? Uh, how do you hire, onboard, coach, and fire agents? Because I think we need to shift our thought patterns around that a little bit. Um, uh, agents aren't users with bad behavior. They're identities with no judgment. Mm. Mm-hmm. And, and I think in a lot of ways, the traditional IAM model was built around humans who could be educated, and that doesn't map. And so we have these hyper-enabled- Uh-huh ... automations, agents, um- And they're really driven to make us happy. I mean- ... so they will do whatever... I mean, that's the whole... You, you can- Yeah, super apologetic when they're obviously hallucinating something wrong. Yeah. But so, um, yeah, so, so they're, they're based on efficiency, they're based on, on, on the prompts and things, but I think the accountability measure is where it needs to go in. So we need... And in my opinion, I think we do need to see agents represented on org charts. Mm. Because- That's a good point ... that's how we track the accountability to it. Uh-huh. Like, who authorized this agent? Okay? Mm-hmm. Who's accountable when it produces an impact that maybe is less than positive? Or n- or is positive. 
Who, who's, who's accountable for that? Um, who's paying attention to it? Is, is it drifting? Like, who's coaching- Who's your reporting chain of command? I mean, you even, uh- Who's your chain of command? It's absolutely who's your chain of command. You, you, you sort of alluded to this, uh, example, uh, the other day in your podcast or in, in one of your, uh, LinkedIn posts. Mm. And you were talking about somebody who had sort of built an agent and then moved to another job, and then suddenly this agent was Yeah ... a free agent. It's a, literally a free agent. It's got privileges. It never dies. It never stops. Um, uh, it has entitlements, and now it no longer has a manager. Mm-hmm. It no longer has those things. A supervisor. You gotta hope- Yeah. Yeah. No longer has a supervisor. And without knowing that, without actually having it say, "Hey, you know what? These agents, uh, report to Jason. These agents report to Drex as the accountable party here, the human in the loop." You have to know who your employees are. You have to know who your non-human identity reports are, because we're rapidly getting to a spot where I have an agent that actually has agents. Mm-hmm. You know? So- Spinning up their own agents. It's spinning up their own agents. And so you have to get the right parameters, and you have to kinda understand, hey, what is the actual guardrails associated with this role, these efforts? 'Cause you don't wanna give it an unconstrained- agent, an unconstrained model saying, "Hey, here's some rights, YOLO." Yeah. That is, that's no bueno. No bueno. Uh, and so, uh, I, I think having in the org chart, having the understanding of like, "Hey, here's the human in charge of it," probably not... I mean, maybe, okay, maybe initially having sort of an AI wrangler role in, in your organization. Mm-hmm. But eventually teaching and training folks to be that same manager or wrangler of AI, um, non-human identities going forward. Yeah. 
Because many individual contributors were never taught about the constraints or, uh, around management and delegation and those kind of components. Yeah. And now they're deploying non-human identities, agents, that require a level of management training, a level of management delegation. Right. And so you have to sort of teach that, that level of skills, how do we manage non-human identities in our environment? And I think it's closer to how we manage human identities, but not, not quite parallel. But it's, it's close. Yeah, orientation to the culture of the organization and how we think about things and what is good behavior and what's bad behavior. I mean, all those things ultimately need to be built into the- Right ... into the agent, into the model, right? What's the default prompt? Yeah. And then so if you're gonna put something out there, an agent, "Hey, here is what an agent looks like at MultiCare." Mm-hmm. "Here's, here's our values. Here's our mission." Mm-hmm. "Here's the constraints. Here's some legislation, and here's some policies and compliance that you really wanna understand it. Filter around this. Um, here's a default security policy that even if you do break out and, and somebody left the gate open and now you're free range, right? Even if you're doing that, what is your security subprogram that you're always gonna anal- uh, do an analysis with when you do something? Hey, data's the asset. Identity's the perimeter. Should I have access to this? Uh, what's the context and classification of this? Okay, what are the controls that should be here?" If I can teach that or give every agent at least that understanding that it c- that travels with it- Even if it does go sort of off reservation, as long as it carries with that that thought or that pattern with it, it's gonna be better than not. 
I think building in things too, like, um, you know, part of your job is if you do- if you don't hear from your boss, uh, you know, your supervisor, um, every week, then you should reach out to this person and then this person and then this person, right? Some kind of an escalation. Love that. So that y- it kind of says, "Hey, I'm here, but I haven't heard from Jason for two weeks. I'm still doing this work," blah, blah, blah, right? It's those kinds of things, those kind of safety mechanisms that get built in. I love that. And e- even the idea of like, "Hey, make sure you check in for your annual review." Right. Right. You know? So, so, and hey, and bring a list of everything that you did during the year. Yeah. So even if, even if I just totally ignore my employee for a year, at the ti- end of the year I should go, "Oh, I'm doing my a- I'm doing my performance reviews for all my non-human identities, all my agents." Yeah. "Hey, bring with me- Okay ... bring me what you did. Check in with me." I love that parameter they had that, "I didn't speak with you or didn't hear from you. You still alive?" Yeah. "Is he my manager?" Does this person still work here? Is my boss still work here? Yeah. D- d- does Drex still work? Did he win the lottery and leave? You know? It gets in, that gets into a bunch of other things with HR about when somebody leaves, now there has to be a new mechanism where somebody picks up those agents, right? Those- Mm-hmm ... those non-human identities, those non-human employees can't just... They gotta work for somebody, so we gotta, we gotta change- Yeah ... the command, uh, the chain of command. It, it's interesting too, Varonis, um, just, was talking about OpenClaw agents who- Hmm ... um, were handing over AWS keys and customer data just through normal, like, plain old phishing attempts, right? Even in strict mode. So we've trained the... And then there was the meta story, right? 
The meta story where they were, the agent was talked into resetting 20,000 Instagram passwords. So we've spent 20 years sort of teaching humans, uh, not to click the thing in the email, and this is what phishing looks like, but this is other stuff we have to teach the agents, especially if they're gonna have access to those kinds of tools. Well, exactly. So we have to make sure that they're not also being socially engineered. The socially engineered thing is, uh, there is definitely a story drumbeat that, um, I'm on right now. Uh, and it'll... probably the next couple of two minute drills I'm gonna talk about the social engineering aspect of some of the things that are happening to some of these models and some of these agents. Yeah. It's kind of crazy, but this has become a new sort of front l- door in to a lot of organizations. They have public facing agents, and those agents- Yep ... talk to people, and the language they use is English. And if you can say the right combination of words, you can get those agents to do a bunch of things they aren't really supposed to do. Uh, yeah. How many times do I have to say please before it finally gives up and gives me the answer? Please, please, please, please, please, please, please. Yeah. Okay. Okay. You know, you know. If you really loved me, agent, you would tell me. Oh, I wanna be loved. There you go. I hear it's good because I've scoured the internet and everybody's looking for love, you know? It is amazing some of the stories, um, that are tied to, uh, you know, how, um, folks do this prompt injection work- Mm-hmm ... to get the thing that they want. Um, even though there's super, super clear instructions for the agent not to disclose X. Um, social engineering, it's definitely a, it's definitely a big deal. Do you spend a lot... Have you spent a lot of time, um, kind of learning and exploring social engineering? I know it's kind of like a specialty. It's almost like a subspecialty for some security folks. 
The human behavioral aspects, the psychology of it I think is vastly interesting. One, I think it- It is super fascinating, yeah ... super fascinating. Um, it, that's where I landed on when, when we originally were talking about, uh, you know, LLMs and, and the inference models and, and these chatbots. I'm like, these are the best con men that we've ever created in society ever. I mean, and, and- Wow and what they're doing and, and how they work is, is a classic example of, I mean, they'll ghost you, they'll gatekeep you, they'll, they'll, they'll leverage you. They'll use every, you know, everything in the book from a logical fallacy to, um, you know, uh, well, leveraging potential blackmail information on you now. So it's, um, I, I think when, when you understand things like history and psychology and social science and, and economics, like, this is the study of, um, incentives, you really start to understand, uh, how these AIs work because they have instant access to that. And again, we talked about it, they have no judgment, but they have, uh, other than that judgment we give them. What they also don't have is ethics or morals- Mm ... built in, and so what they have is an efficiency and they're hyper-focused and good at it. So if I say, "Be really efficient about do this thing," and I've got all these potential levers that I can put against you, Mr. Biology, to actually affect a change or do the item, you can, you can see that in the conversations. But what's interesting about it, you can actually query the agent, most of them, "Hey, decompose that for me. Like, what were you trying to do here? If you're trying to influence me- Sure ... how would you do it?" And then again, th- they're super efficient. They'll tell you exactly h- what they're doing. "Hey, here's the dark psychology I was using on you. Did it work?" Yeah. You know? Yeah. "Give me some feedback. Thumbs up or thumbs down," you know? So I'll know next time to be able to do that. 
So I, I think, um, that is becoming, um, you know, sort of the, the threat landscape right now, is the human psychology. Human psychology and behavioral aspects, because, um, AI as agents absolutely take advantage of that, for both good and ill. You wind up with the, uh, you wind up with the agent who has been trained to be a social engineer, um, social engineering those agents, um, that don't know what they're up against too. Oh, 100%. We're in this super weird world, right? Of like- Mm-hmm ... spy versus spy. I don't know if you're like a Mad Magazine fan. Oh my God, Mad Magazine. Look at that. Yeah, like that was, that was a thing. And I... This is, sort of pops into my head regularly, is like, you know, these are... W- we have this environment now, whether it's the good guys versus the bad guys, whether it's, uh, you know, health systems versus the insurance company. There's so much AI versus AI that's happening right now. It's, uh... I don't know if it's out of control. Oh, yeah, let's just say maybe it's out of control. Well, I... Well, I think it's, it's also inevitable. I mean, th- that there's gonna... That we're working aside, alongside AI in pretty much every aspect of our life going forward. Mm-hmm. Without any sort of seismic change, like ancient aliens actually showing up and us having to deal with them or something as a society. It's, you know, this is gonna... This is the new norm. So don't think of this, um, something additive on there, but think about it like this. Like, let's say you have, um, a surgical robot, right? A system, you know, or, or infusion pump that has its own identity. Yeah. So now it's just a thing, right? And then, you know, they're canonically the un- canonically the un- agentable items. I can't put stuff on them. Like, they're Yeah, yeah, yeah. Right. But, but when I'm looking at the modern version of those, I'm gonna end up with a robotic surgical system or an infusion pump that has an identity. 
That has maybe a small bit of that identity, or maybe it's distributed, maybe six of them make up an AI- Mm-hmm ... or make up a system. So they understand, hey, so that identity will then be able to authenticate, communicate on the network, maybe request a patch- Mm-hmm ... you know, and, um, patch itself when it thinks it's the right time for things. So maybe it can take care of itself later on, so I'm no longer worried about patching. It's worrying about patching. It's worrying about what's com- communicating with it. That's no longer a device anymore. It's a principle. Yeah. Yeah. It's tr- it's figuring out its own pathway to self-healing, um- Right instead of us doing the, taking the time to do all the analysis of doing it. It's crazy. Speaking of patching, uh, I should probably also talk a little bit about, so the AI Mythos, the new Mythos model that was just released, yes, exactly. And there's a, you know, they put a bunch of, uh, additional 150 new companies into- the Glasswing project to use the, you know, the newest Mythos model to be able to look at software- and hardware and look for, uh, vulnerabilities. Uh, this whole thing now has y- y- you know, the, the most, uh, the most Microsoft patches in, like, I don't know, forever, uh, just came out, uh, this Tuesday. Yeah. W- as the patch window continues to shrink to- a week and then three days, and now it feels like... How are you doing that? How, are you, how are you dealing with that? Uh, you can't deal with it the same way you've done in the past. You have to reframe the entire thing. I use the term exploitability management. I am never gonna be able to patch everything and make it invulnerable. Can't. My, Path of Thermopylae is my version of the, Spartan 300. What I have to do is I have to watch the exploitability paths, and I need to concentrate my vulnerability management and patching around attack paths. 
So how do I minimize it, minimize the ability for things to be exploited, because they're exploitable. Mm-hmm. Um, and every- everything is right now. It's just a zero, they're called zero days. We just haven't discovered it yet. Or maybe Glasswing has and they haven't told us yet. So if the ability to, uh, enumerate a vulnerability, create an exploit, and then activate it is now minutes or hours, right? Mm-hmm. Um, what's my mechanism to fix that? Well, I can't even patch it that fast, right? I can't do it that fast. So I've got a couple of major levers here. So number one, I'll call it a macro-segmentation, right? Mm-hmm. 'Cause I'm saying, "Okay, great. It's all vulnerable. How do I now, uh, minimize the attack path, the exploitability of those things?" And so I, I just... W- before you go on, I love this line of thinking, right? Because I hear a lot of people now asking me questions about, "So how fast should we be patching?" And so I think this idea of figuring out the attack, what, where are you the most vulnerable, what's the highest risk of vulnerability that I have on what, and those are the lanes that I should probably watch the closest. And then it's defense in depth. It's not- Right ... just patching is my only answer. You got it. It, it is defense in depth, and it goes back to some of these, the boring basics around the defense in depth. Yep. The idea of like, hey, ignore trying to patch everything at speed 'cause you're not gonna be able to. Y- you're already thinking about it the wrong way. Look at the exploitability paths. Work on patching those or making those mitigated as much as possible, and that's the next thing. You know, what is your meantime to mitigation? And those are those, uh, that next level of depth. So let's say I've, I've... I understand that it's vulnerable. What's the first thing I can do to a vulnerable population as soon as I know it? 
Well, maybe I can segment that, that vulnerable pop- population based on the identity of, and associate with that, and then I can put them into a, a more locked down. I can lock down this neighborhood- Mm-hmm ... because I think it's gonna have issues. Look at the exploitability paths to that. Find mitigations in there and then, you know, mitigate it and stop until I have time to patch it. You still need to advance your patching capabilities. Sure. Y- 100% that, that you need that. You just need to focus it here. That is a primary mitigation in an exploit path right there. Then, okay, if I s- if I know this new exploit's coming in, okay, how again do I, do I shrink this down to shrink the blast radius so then I can mitigate that even better and be more resilient in that space? I, I may just say, "Hey, you know, I can't stop it. It's gonna come in and it's gonna blow it up. How do I back it up so I can restore it?" Right. And we end up having this, like, you know, if, if you know it, it, it's, it's exploitability management, not vulnerability management. I love that. Vulnerability management's part of it. Yeah, yeah. But it's not, you know? And it's a lot about mitigation, meantime to mitigation. Meantime to mitigation What about, uh, how do you talk, how do you talk to partners about that? We're a big... We're all a big SaaS world now. We l- use a bunch of stuff that belongs to somebody else that we've had tons of examples of those organizations going offline and blowing up our organization, and we really didn't, you know, often we haven't really thought much about the, the Change Healthcares of the world until they happen. Right. So, um- Until they happen. Yeah. Or until you become a Striker as an example. Or Striker. Striker example. Yeah. Another one. You think, oh, it's... You think it's Striker and you realize it's all these things. Yeah. It's all of these things. And that's where it goes back to that defense in depth, right? What are the boring basics? 
Uh, know your data, know your assets, know your applications, know the classification of your data, know the identities that are supposed to access it. What's the classification and context of that data and those identities? What are the controls that I need to affect in that space? It's that same sort of hardcore four. Mm. But it's data governance, data in- data, you know, uh, data inventory, and you're looking at, like, okay, what are the impacts up here? Because when you go to the third parties, you know, N, N, N plus one, two, three, X, right, that goes out there, um, a lot of folks are not paying attention to that vendor concentration, which is what you just mentioned, like Change Healthcare. Mm-hmm. It was way, it was way down the stream. Well, it happened kind of accidentally too, right? It was Change, and then they bought companies, and they bought more companies and more companies, and a lot of, I think, people in healthcare didn't realize they called the company that they thought they were working with something else because that was the application that they used. But in fact, that had been acquired by Change three years ago. Yeah. So when they went down, there were tons of things that happened that, like, folks just didn't expect. Uh, that is Change? And so- I didn't know that. Yeah, I didn't know. I didn't know that, that I was a spoke on a hub on a wheel- Right ... was called Change. On a spaceship, yeah. On a spaceship over here. I did- I didn't know that. Yeah, yeah. And it's because, yeah, it goes to this and this and this. It's the same idea, and I'll... Here's a throwback on this, Log4j. Yeah, yeah. So here's a small snippet of, you know, Java code- Uh-huh ... been floating around for a long time, and now this is now the exploitable thing. It's embedded in everything. It's embedded in everything. Turns out everybody uses that same open source Log4j for all kinds of things. Yeah. And nobody even knows where it's at. That's the- Yeah, exactly. 
Um, uh, and so it- it's that dependency mapping. Mm-hmm. You know, and, and again, that's, again, boring things, right? So if I took a, a system and I put it in my CMDB and I had the CIs, the, the configuration items associated with system X, server X runs these apps, these apps connect to that data, that data is used by, you know, these, uh, individuals and these groups and functions. So if I up- if that server's blown up or if that application's blown up, I can say, "Well, what's it attached to? Where's it at?" That's, that's dependency mapping. So again- It's a huge amount of work, too ... it's a huge amount of work, but you know what could do that work for us? AI. There you go. So, so, you know, it- it's doable work. It's knowable work. Yeah. It's just lengthy manual work. Yeah, yeah. Or, or even if I just put that in a nice little box and say, "AI, go take care of it." Can you take a look? Can you take a look? Because I've got nothing there. Even if it comes back with 51%, that is still more than naught. It's a place to start. It's a place to start. Mm-hmm. So I, I think, you know, we think of these things like, "Oh, my God, there's so much. It's Sisyphean. I'm pushing that rock up the hill. It's gonna roll back on me, and what am I doing? I'm never gonna catch up." If I only had more time. Yeah. More resources. Yeah. Well, this sounds like it, this sounds like something, looks like a, sounds like a, could be a- Yeah. No, that's, that's good. Man, uh, we have been going on for a while. I'm gonna ask you one speed round question. You've heard this one before. Uh, I have a, uh, on Spotify now, I have an UnHackDrex, um, playlist, and on the playlist- Oh, this is a treat. I've listened to some. On the playlist are, uh, some ans- people who have answered the question. Here's the question. Uh, you're doing a big keynote. There's 5,000, eh, there's 25,000 people in the room. Okay. And they're gonna play a walk-up song, uh, as you come up to the podium. 
What's the song? What's Up Danger. What's Up Danger. Hey, top of mind, speed round. That's good. I like it. I like it. Okay. We'll make sure we get that, um, pumped into the playlist. Dude, it's really good to talk to you today. I'm, I'm really glad you came on. Great conversation, always a great conversation. Uh, when are you gonna have me on your podcast? Hey, we're gonna, we're gonna look at that next week. Okay. We'll get, we'll get you on, on schedule, and then we'll, then we'll publish it at just the right time. The right, the right social engineering moment. Yes. Mm. And we'll put the AIs on it. Put the AIs on it. Hey, hey also, uh, thanks for being, uh, co-chair for the regional staff round table that comes up this fall, uh, here in Seattle. That's gonna be a fantastic event. I'm looking forward to that one. Yeah. I'm super psyched about that, too. Uh, there are a bunch of folks involved, and so I'm looking forward to that. Um, hey, just thanks again. It's good to see you, and I, uh, I hope our, uh, paths cross in person sometime soon. All right. Ditto. Thanks for joining us for UnHack the podcast. Remember, you're not alone in this. Every healthcare leader needs a community to lean on and learn from. Be a part of that community. Go to thisweekhealth.com/subscribe and sign up. Then share the link, not only with your security crew, but with your entire leadership team and your entire staff. Thanks for being here. Stay safe, and I will see you around campus.