0:22

This is Sander . I'm at HP's

0:24

Amplify partner conference and

0:26

I'm here with Ian Pratt . He's Global

0:29

Head of Security for HP Personal

0:31

Systems . Welcome , ian . Hello

0:34

. I would like to start with a rather broad

0:36

approach . So what is the role of a company

0:38

like HP ? Or , more

0:42

broadly , of Endpoint in

0:44

the security stack for customers in general , more broadly , of endpoints

0:46

in the security ?

0:47

stack for customers in general . So at HP we

0:49

really see security as a key differentiator

0:52

for us . It's an area that we've invested in for

0:54

a long period of time . It was really 20 years

0:56

ago that we set up

0:58

the security research lab as part

1:00

of HP Labs , and there are so many

1:02

things which we take for granted for

1:04

as regards security in the PC world today

1:07

that that lab folks

1:09

in that lab saw the coming

1:12

threat , you know , created a solution

1:14

, worked with the product groups to get it into

1:16

HP products and

1:23

then beyond that sort of worked to try and drive it as an industry standard to raise

1:26

the bar for everyone . And we've had this leadership position

1:28

and a few years ago that got

1:30

broadened where , rather than just worrying

1:32

about securing the PC

1:34

platform , we now see it as

1:36

part of our role to help secure the operating

1:38

system , the applications and the user data

1:41

too . So that's really expanded

1:43

what we do . So we still have a lot

1:45

of focus on the hardware

1:47

, but also security

1:49

software and services which we offer

1:51

not just on our own PCs but on

1:54

PCs from other vendors , helping so we can

1:56

support the whole of the customer's estate

1:58

.

1:58

And I'm guessing there will be listeners now who say , well , okay

2:00

, but there are lots of existing

2:03

endpoint protection kind of software

2:06

stacks that are already on

2:08

the market . What

2:10

do you add , as HP

2:12

, to this layered security stack

2:14

?

2:15

Yeah , so there are a number of areas where

2:18

we have really differentiated capabilities

2:20

, some of which are enabled by the fact that

2:22

we're building the hardware , so we can

2:24

actually create custom silicon that

2:26

we build into the hardware , or where

2:29

we work with our silicon partners Intel

2:31

, amd and our Qualcomm to build

2:34

in capabilities to those CPUs

2:36

that we can then take advantage of with our

2:38

software . And so

2:40

that's a big part of what we do and

2:43

it means that we can take

2:45

a different approach from traditional

2:47

security software vendors . And

2:49

so what I would say is , in the SMB

2:53

world , we can offer

2:55

a complete solution for

2:57

customers' endpoint security needs . In

2:59

the enterprise world , it's more about

3:01

sort of augmenting what customers

3:04

have . All customers have antivirus

3:08

or EDR or MDR services

3:10

, but we have capabilities which are

3:12

, you know , differentiated and

3:14

unique , which add to what

3:16

they have and solve the problems

3:19

of , you know , security

3:21

of the hardware itself .

3:24

And yeah , like I assume you can send

3:27

that data or telemetry to other

3:30

solutions as well . Right , so you can

3:32

add that to the stack

3:34

. In general , absolutely .

3:35

I mean these days . You know customers expect

3:38

everything to be integrated . You know they want to have a

3:40

single pane of glass where all

3:42

of their security events are flowing through

3:44

to one place . And you know we absolutely work

3:47

with partners to provide that .

3:49

And do you see an impact of the shift

3:51

towards more platform approaches to security

3:54

rather than the old

3:56

not necessarily old-fashioned , but endpoint

4:00

focus right ? You hear lots of EDR vendors going to

4:02

XDR and going to lots of other platform plays , vendor going to XDR and going to

4:04

lots of other platform plays . Do

4:06

you see an impact on how customers

4:09

or how the market perceives endpoint

4:11

security ?

4:19

Yeah , I mean , it's certainly the case that you want to be able to follow events

4:21

across not just the single endpoint , multiple endpoints and perhaps

4:23

where that threat interacts with your active

4:26

directory or with things on the network

4:28

, and it's important to enable

4:30

all of that information to be pulled

4:32

together . And that's what everybody

4:35

is doing , either through buying

4:39

its XDR products or using

4:42

just the capability to pull

4:44

the information together , whether it's into a

4:47

SIM tool or Splunk .

4:49

Yeah , you still need all the endpoint information

4:51

and telemetry anyway

4:53

right . So that's never going to go away , even though

4:56

there's maybe not as much focus on it from

4:58

a pure security perspective .

5:00

Yeah , I think one of the things you have to you

5:03

know people sometimes forget

5:05

is that if you look at how breaches

5:07

play out in , in over 70

5:10

percent of the you know of breaches

5:12

it's the end point , is

5:14

the point of entry for the attacker . The end point

5:16

is where you've got the coming together

5:18

of vulnerable technology and

5:21

fallible users and you

5:23

know you vast majority

5:25

of these attacks . You lure

5:28

the attacker , lures a user into clicking on

5:30

something which exposes vulnerabilities

5:33

on the machine to attack and then , having compromised

5:35

that machine , it's then the launching

5:38

point for moving

5:41

across the enterprise and if

5:44

we can keep that initial

5:46

compromise from happening , then we

5:48

can keep the enterprise safe .

5:50

So there's a big role for

5:52

endpoint security still and just

5:54

shifting gears a little bit because

5:57

we have to move on , even though it is

5:59

very interesting what is

6:01

the biggest challenge at the moment around

6:03

endpoint security in general ?

6:05

So I think one of the

6:07

things we've seen , which is we're beginning to start

6:10

seeing have real impact , is that

6:12

the bad guys have been quick to adopt

6:14

generative AI technologies

6:16

and we're seeing a real surge

6:19

in phishing

6:22

email , the lure emails luring

6:24

people to click on things that have sort

6:26

of perfect English . In

6:29

fact , we're actually seeing Not even English , right

6:31

?

6:31

Yeah , other languages as well .

6:33

Indeed , and I think that's a particular problem for some of the

6:35

Nordics countries , where folk

6:38

you know have perhaps been conditioned

6:40

to think that if something comes through

6:42

written in you

6:45

know , in Danish or you know or their local

6:47

language , that it's

6:50

probably okay .

6:51

It's also much easier to put

6:54

the triggers in for people to actually click right

6:56

. So you can ask it please

6:58

make it relevant for someone from Copenhagen

7:01

or from Oslo .

7:02

Well , that's it . It used to be the case

7:04

that you might have to have a

7:07

human to actually research

7:09

a victim if you wanted to create

7:12

a targeted attack , whereas

7:14

now you can just have generative

7:17

AI , research someone on LinkedIn or

7:19

social media and then be able to

7:21

create a customized email

7:24

which they're more likely to click on . Also

7:26

, another area which we're seeing happen is

7:28

if , having compromised

7:31

one machine and having access to a user's

7:33

email inbox , look

7:35

at all of the people they're communicating with and

7:38

then take the context from those email

7:40

exchanges and then use that information

7:42

to then compromise

7:44

people on the other end of those

7:47

conversations , or even look

7:50

in the directory to find out

7:53

the next person to attack in that organization

7:56

. With emails appearing to come from the

7:58

user of the machine you've just compromised , it's extremely

8:00

hard to detect . I think it's

8:02

basically impossible as a

8:04

human to .

8:06

I know of some companies that have

8:09

some of the phishing

8:11

email kind of detection capabilities

8:14

.

8:14

Yeah , but it's getting increasingly

8:16

harder for them to do that .

8:19

Even though even Gen AI has some telltale signs

8:21

that it's probably it does right now .

8:24

But already we're seeing with each

8:26

new iteration

8:29

that the and

8:32

we're seeing the language become more natural . There

8:34

were certain phrases which are

8:36

a bit of a giveaway for ChatGPT , but

8:39

those same phrases don't crop up if

8:41

you're looking at output

8:43

from Lama or a Gemini

8:45

and so expecting that you

8:47

can detect generative

8:50

AI just by looking at an email

8:52

, I think it's not going

8:54

to hold for much longer .

8:55

No no , and as HP

8:58

, I've known

9:00

about your ESC

9:02

kind of component inside

9:06

laptops for a while . With

9:09

the new generation you've

9:14

also improved on

9:17

that chip as well , but

9:20

that's not used for those

9:23

purposes in general right To combat

9:26

, for example , the Gen AI generator kind of

9:28

stuff .

9:28

Yeah , so that's quite separate what we do with

9:30

that chip . It's our

9:33

fifth generation of security controller chip

9:35

that we've announced

9:37

and are building into our

9:40

commercial PCs from March , and

9:43

we released the first generation of that chip back in

9:45

2013 . We're

9:48

now up to our fifth generation . Over the last few

9:50

years we've seen Apple

9:52

come out with the T1 chip , google

9:55

come out with the T1 chip , google come out with the Titan security chip . So

9:57

you know other vendors

9:59

are now sort of you know , catching up and having

10:02

their own security chips , but you know we're up to a fifth generation

10:04

still in the PC world .

10:05

And just to be clear for listeners

10:08

thinking what is

10:10

this chip ? What does it do ? It

10:12

is the chip behind things like Sure Start

10:15

and Sure Run , all that stuff

10:17

that keeps your firmware uncompromised

10:21

, and all that .

10:22

Yeah , it's a chip which is

10:24

powered on even when the machine appears to be

10:26

off , and it's what enables

10:28

the PC , to say , be managed

10:31

. If you

10:33

leave your PC in the

10:35

back of a taxi and you want to

10:37

contact it

10:39

over an IoT

10:42

wide area network to be able to

10:45

lock the device or to wipe it or turn

10:47

the GPS on and find out where it is

10:49

, one

10:54

of the things it does is to validate

10:57

that the firmware hasn't been compromised

10:59

, that it hasn't been tampered with and that it's

11:01

running genuine firmware . And , crucially , if

11:03

it does detect a problem , it can always get

11:05

a pristine version

11:08

of the firmware put back onto

11:10

the CPU . So that's one of our

11:12

promises is that the machine always gets

11:15

back to a clean state .

11:16

But that's been in the ESC

11:19

chip for I mean probably since

11:21

the inception .

11:22

Yeah , what's

11:24

new is , I think , from what I understand , is that you're

11:27

actually adding some more

11:29

features , or maybe I'll just

11:31

call them features , but more capabilities of the

11:33

chip , maybe also towards cryptography

11:36

and and things like that right , yeah

11:38

, so that chip one of the things that chips

11:40

always been responsible for is is

11:43

checking the firmware hasn't been tampered

11:45

with , and one of the the capabilities

11:47

we announced as part of that fifth

11:49

generation security controller chip is

11:52

support for quantum resistant

11:55

cryptography . So so the

11:57

reason that's important is obviously , you

11:59

know , right now there are a lot of organizations

12:01

across the world racing to build

12:03

a quantum computer , and some of them making

12:06

quite good progress , and one

12:08

of the things that you can do with a quantum computer

12:10

is implement something called Shor's algorithm

12:13

that enables you to factor

12:16

very large numbers in

12:19

a relatively short amount of time , which is something

12:21

which has not been possible before . All

12:24

of the cryptography we use today for

12:26

checking signatures

12:28

on documents

12:30

, on transactions

12:33

, on signatures on software

12:35

, also for checking that the website is

12:37

the website you think it is it's all built

12:39

on the fact that factoring prime

12:42

numbers , or factoring large numbers , is

12:45

very hard . If that's suddenly

12:47

not the case , all of that cryptography fails

12:50

.

12:50

But isn't it the case correct me if I'm wrong that

12:52

AES-256 is still

12:54

quantum proof ?

12:56

Yeah , so AES . That6 is still quantum proof

12:58

. Yeah , so

13:02

AES . That's an example of a symmetric key

13:05

algorithm . But before you can use an algorithm

13:07

like AES , we have to agree on what the key is . And

13:09

the way that that is done today

13:12

is using what's called public key

13:14

cryptography or asymmetric key cryptography

13:16

, and it's those algorithms that

13:18

rely on that factorization

13:21

problem and if

13:24

that suddenly becomes possible for

13:26

people to break , all of those schemes cannot

13:28

be relied upon . And

13:31

that's where we're

13:35

seeing the new

13:37

cryptographic algorithms being

13:39

developed right now which are quantum

13:41

resistant , that even if you had a quantum

13:44

computer because they use

13:46

a different mathematical property then

13:49

they're going to still be secure

13:52

even in the presence of a quantum

13:54

computer . And the

13:56

reason why it's important

13:58

for things like PCs is

14:01

some of the PCs that we're selling today

14:03

are going to be in use for many years . Maybe

14:05

not the desktops and laptops , which perhaps have a

14:08

three or five year lifespan , but

14:10

increasingly with circularity that

14:13

is going to be longer . But

14:15

some of these systems end up getting used in retail

14:17

which might have a 10-year lifespan , or end

14:19

up in doing

14:23

OT control

14:25

functions in factories and

14:29

critical infrastructure and

14:31

they may have very long lifespans . And

14:33

if somebody comes up with a quantum computer

14:36

. One

14:39

of the things they're likely to do with it fairly early on is to break the signature

14:42

used to sign

14:44

firmware updates .

14:47

And just to get this straight , what does ESC

14:49

do now , in this fifth generation

14:51

, to prepare yourself for

14:53

that ?

14:55

situation . So it implements

14:57

one of these new quantum-resistant

14:59

algorithms such that all

15:02

of our firmware updates will be signed with

15:05

signatures using this quantum-resistant

15:07

algorithm , so that even if somebody

15:09

breaks a

15:11

traditional RSA or elliptic

15:13

curve signature , then the security

15:16

is still going to be assured because they won't

15:19

be able to use the quantum computer to break

15:21

this new signature .

15:22

Okay , and so what

15:25

does this mean for end users

15:27

or for organizations looking

15:29

to protect

15:32

themselves against this future threat

15:34

, which isn't necessarily there yet ? Can

15:37

you give us , just to close this off this

15:40

conversation can you give us some

15:42

first steps that you can take as an organization

15:44

just to prepare yourself for this eventuality

15:48

? Because I think somewhere in 2035

15:51

, we expect , or 33 , we expect

15:53

quantum computers to actually be able to

15:55

break traditional cryptography

15:58

in a substantial way .

16:00

Yeah , I don't think you know . No one knows what the real

16:02

timeline is going to be . There's a lot of uncertainty

16:05

around it Could happen sooner , could happen later .

16:08

Like you mentioned , they're making quite big strides

16:10

nowadays towards ?

16:11

Yeah , and I

16:14

certainly meet organizations at Global 2000

16:16

companies where they now have

16:18

somebody assigned who is responsible for

16:21

their transition

16:23

to post-quantum

16:25

crypto , quantum-resistant

16:28

crypto and part of

16:30

that is looking at their own use of cryptography

16:32

within the organization and looking

16:34

at how they would migrate to

16:36

quantum-resistant cryptography , but

16:39

also looking at all

16:41

of the infrastructure they use , all of the various

16:44

suppliers they have and all of their dependencies

16:46

on cryptography . And

16:48

we are now seeing how

16:51

a number of governments are beginning to

16:53

give direction on that . We're expecting

16:55

the US government in 2025

16:59

to start requiring procurement

17:01

to consider quantum-resistant

17:04

algorithms for some of these key

17:06

long-lived capabilities , Like if you're

17:09

buying hardware that has got the

17:13

cryptography built into the hardware , you don't

17:15

want to have to replace that hardware because

17:17

someone's built a quantum reuse .

17:18

You want to be ready for that . Is this something that

17:21

you need governments to

17:23

actually take action on before it

17:25

actually gets interesting enough or

17:28

crucial enough for organizations

17:30

to do something about it , or do

17:33

you expect some sort of a natural ?

17:35

I think we're seeing a mixture . I think the , as

17:37

I say , security , mature , global 2000

17:39

companies you know many of them already beginning

17:41

to worry about this , building plans

17:43

for how they're going to make that transition . And

17:46

then governments themselves are saying

17:48

you know , for their own equipment

17:51

purchases . You know they want to

17:53

see this quantum resistance and

17:55

of course , you course , organizations

17:58

will do the work for selling to government . That's going

18:00

to enable the raise

18:03

the bar for all organizations

18:06

.

18:06

So it's a mixture . Yeah , and just to close off

18:08

, because obviously we talked a little bit about Gen

18:11

AI but we didn't really touch on AI itself

18:13

with the AI-based PCs , because these

18:15

new chips are going to be part of the

18:17

new lineup of AI PCs . Does

18:20

the AI that's in the new lineup

18:23

in any way augment or

18:25

help the

18:27

goals of the ESC chip in general ?

18:29

You know I would say it's

18:32

kind of orthogonal to what we're doing on

18:34

the ESC , but obviously we are using

18:36

those NPUs for

18:39

security purposes . You know we've got a

18:41

lot of our security capabilities use

18:44

machine learning . Today , if

18:46

we're taking advantage of the NPU , we

18:48

get to run bigger ML

18:50

models than we could have done on the CPU

18:53

, which gives us more capability . But

18:55

also we're seeing how there

18:59

are lots of software vendors that are wanting

19:01

to take advantage of the NPU , perhaps to save

19:04

compute costs in the cloud

19:06

, but also because

19:08

customers are wanting not

19:10

to send that sensitive data to the cloud

19:13

and be able to take advantage of

19:16

inference on the endpoint . And

19:19

I think there's a lot of potential

19:22

there for us to make

19:24

AI more private

19:26

and more secure and

19:29

trustworthy , taking advantage of that local

19:31

compute .

19:32

Okay , that sounds interesting . I'm really

19:34

curious to see where this goes from here , I mean , what

19:37

the sixth generation of the chip is going to bring and

19:40

we're going to progress and eventually

19:42

get there , hopefully towards a secure

19:45

future . Thank you very much

19:47

, Ian , for this insightful conversation

19:49

.

19:50

Well , thanks Anna .

19:50

Thanks for inviting me . Thank you .