In Episode S7E5, host Steven Bowcut speaks with Ian Amit, CEO and Founder of Gomboc AI. The conversation covers various aspects of Gomboc AI and its approach to computer science and cybersecurity. Ian shares his practical problem-solving philosophy and insights into the evolving landscape of cybersecurity, highlighting the impact of generative AI and the inefficiencies in traditional cloud security and DevOps processes. They discuss the complexities of cloud security, including risks from misconfigurations and shadow IT, and outline Gomboc AI’s deterministic approach to AI, which relies on provider documentation to deliver precise solutions while maintaining human oversight. Finally, Ian emphasizes the future direction of Gomboc AI, advocating for improved DevSecOps practices and the integration of infrastructure as code and GitOps methodologies.
Summary
The conversation begins with a discussion of the word Gomboc, a mathematical object that rights itself. Steven asks about Ian’s background in computer science, programming, and security, which has led him to his current role as CEO and co-founder of Gomboc AI. Ian emphasizes his practical approach to problem-solving and his understanding of various roles in the cybersecurity industry. The conversation concludes with Ian sharing his perspective on current trends in cybersecurity and what he sees coming in the future.
AI in Computer Science and Security
Ian and Steven discuss the evolution of computer science problems, focusing on the core elements of inputs and outputs from a security perspective. They discuss the implications of generative AI, which is a reiteration of classic problems in computer science. They also explore the potential of AI in automating tasks, from data privacy to web application security. Steven raises the question of how threat actors are using AI, to which Ian responds that AI is used in reconnaissance, gathering information, and identifying patterns. They agree that AI is used to shorten the time to gather information and to automate tasks. The discussion lays the groundwork for a deeper exploration of AI and its applications in the security industry.
Breaking Cloud Security and DevOps Bottlenecks
Steven and Ian discuss the inefficiencies in the traditional approach to cloud security. Security teams identify issues but lack the technical expertise to fix them, leading to a bottleneck in the DevOps process. They propose a radical change to break this cycle, aiming to eliminate the manual work and bottlenecks in both security and DevOps. The goal is to streamline the process, allowing security to focus on finding issues and DevOps to fix them without the need for extensive research and configuration.
Generative AI’s Limitations and Alternatives
Ian and Steven discuss the application of generative AI in cybersecurity, with Ian explaining that they had to move away from it due to its probabilistic nature, which doesn’t meet their specific engineering needs. Instead, they opt for a deterministic approach, utilizing deterministic algorithms that are based on facts and are repeatable. This decision is made to minimize toil and build trust with engineers. Ian also mentions that they are continuously researching and reading about specific services to find the right way to configure them in their architecture.
Navigating Cloud Security Complexity
Steven and Ian discuss the challenges organizations face in cloud security. Ian highlights the complexity of cloud services, with numerous options and configurations, which can lead to misconfigurations and vulnerabilities. He emphasizes the need for organizations to navigate this complexity to build secure environments. Ian also points out the issue of shadow IT and third-party components, which can introduce unknown risks.
AI Implementation and Human Oversight
Steven and Ian discuss the use of AI in their respective organizations. Ian explains that his company uses a deterministic approach to AI, which means they don’t learn from other people’s configurations or mistakes. Instead, they build a knowledge graph based on provider documentation and apply it to each customer’s environment. This approach allows them to provide very specific and accurate fixes for issues they encounter. Steven asks about human oversight in the AI process, and Ian confirms that while they automate a lot of the menial work, they never fully automate the deployment of fixes. They provide a code-level fix that is reviewed and approved by the human team. This approach ensures that the security teams remain in control.
Gomboc AI: Security and DevOps Future
In the interview, Ian and Steven discuss the future of Gomboc AI, focusing on its current security aspects and potential future applications. Ian emphasizes that Gomboc AI is not just for security but also for DevOps, aiming to simplify the process of defining and achieving desired cloud environments.
He also highlights the importance of maturing DevSecOps practices and accelerating their maturity, suggesting the adoption of infrastructure as code and GitOps approaches.
About our Guest
Ian Amit is the Co-Founder and CEO of Gomboc.ai, a company that provides cloud infrastructure security solutions. Prior to his role at Gomboc.ai, Ian held senior leadership positions at Rapid7, Cimpress, Amazon, ZeroFOX, and IOActive. With over 25 years of experience in the security industry, he has a strong background as a practitioner. Additionally, Ian is a co-founder of the Tel Aviv DEFCON group and serves on the board of BSides Las Vegas. He is also the creator and co-CEO of The CISO Track, a series of curated events focused on Chief Information Security Officers (CISOs).
This episode is a must-listen for anyone in cloud security.
Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.