Episode Transcript
Transcripts are displayed as originally observed. Some content, including advertisements may have changed.
Use Ctrl + F to search
0:22
This is Sander . I'm at HP's
0:24
Amplify partner conference and
0:26
I'm here with Ian Pratt . He's Global
0:29
Head of Security for HP Personal
0:31
Systems . Welcome , ian . Hello
0:34
. I would like to start with a rather broad
0:36
approach . So what is the role of a company
0:38
like HP ? Or , more
0:42
broadly , of Endpoint in
0:44
the security stack for customers in general , more broadly , of endpoints
0:46
in the security ?
0:47
stack for customers in general . So at HP we
0:49
really see security as a key differentiator
0:52
for us . It's an area that we've invested in for
0:54
a long period of time . It was really 20 years
0:56
ago that we set up
0:58
the security research lab as part
1:00
of HP Labs , and there are so many
1:02
things which we take for granted for
1:04
as regards security in the PC world today
1:07
that that lab folks
1:09
in that lab saw the coming
1:12
threat , you know , created a solution
1:14
, worked with the product groups to get it into
1:16
HP products and
1:23
then beyond that sort of worked to try and drive it as an industry standard to raise
1:26
the bar for everyone . And we've had this leadership position
1:28
and a few years ago that got
1:30
broadened where , rather than just worrying
1:32
about securing the PC
1:34
platform , we now see it as
1:36
part of our role to help secure the operating
1:38
system , the applications and the user data
1:41
too . So that's really expanded
1:43
what we do . So we still have a lot
1:45
of focus on the hardware
1:47
, but also security
1:49
software and services which we offer
1:51
not just on our own PCs but on
1:54
PCs from other vendors , helping so we can
1:56
support the whole of the customer's estate
1:58
.
1:58
And I'm guessing there will be listeners now who say , well , okay
2:00
, but there are lots of existing
2:03
endpoint protection kind of software
2:06
stacks that are already on
2:08
the market . What
2:10
do you add , as HP
2:12
, to this layered security stack
2:14
?
2:15
Yeah , so there are a number of areas where
2:18
we have really differentiated capabilities
2:20
, some of which are enabled by the fact that
2:22
we're building the hardware , so we can
2:24
actually create custom silicon that
2:26
we build into the hardware , or where
2:29
we work with our silicon partners Intel
2:31
, amd and our Qualcomm to build
2:34
in capabilities to those CPUs
2:36
that we can then take advantage of with our
2:38
software . And so
2:40
that's a big part of what we do and
2:43
it means that we can take
2:45
a different approach from traditional
2:47
security software vendors . And
2:49
so what I would say is , in the SMB
2:53
world , we can offer
2:55
a complete solution for
2:57
customers' endpoint security needs . In
2:59
the enterprise world , it's more about
3:01
sort of augmenting what customers
3:04
have . All customers have antivirus
3:08
or EDR or MDR services
3:10
, but we have capabilities which are
3:12
, you know , differentiated and
3:14
unique , which add to what
3:16
they have and solve the problems
3:19
of , you know , security
3:21
of the hardware itself .
3:24
And yeah , like I assume you can send
3:27
that data or telemetry to other
3:30
solutions as well . Right , so you can
3:32
add that to the stack
3:34
. In general , absolutely .
3:35
I mean these days . You know customers expect
3:38
everything to be integrated . You know they want to have a
3:40
single pane of glass where all
3:42
of their security events are flowing through
3:44
to one place . And you know we absolutely work
3:47
with partners to provide that .
3:49
And do you see an impact of the shift
3:51
towards more platform approaches to security
3:54
rather than the old
3:56
not necessarily old-fashioned , but endpoint
4:00
focus right ? You hear lots of EDR vendors going to
4:02
XDR and going to lots of other platform plays , vendor going to XDR and going to
4:04
lots of other platform plays . Do
4:06
you see an impact on how customers
4:09
or how the market perceives endpoint
4:11
security ?
4:19
Yeah , I mean , it's certainly the case that you want to be able to follow events
4:21
across not just the single endpoint , multiple endpoints and perhaps
4:23
where that threat interacts with your active
4:26
directory or with things on the network
4:28
, and it's important to enable
4:30
all of that information to be pulled
4:32
together . And that's what everybody
4:35
is doing , either through buying
4:39
its XDR products or using
4:42
just the capability to pull
4:44
the information together , whether it's into a
4:47
SIM tool or Splunk .
4:49
Yeah , you still need all the endpoint information
4:51
and telemetry anyway
4:53
right . So that's never going to go away , even though
4:56
there's maybe not as much focus on it from
4:58
a pure security perspective .
5:00
Yeah , I think one of the things you have to you
5:03
know people sometimes forget
5:05
is that if you look at how breaches
5:07
play out in , in over 70
5:10
percent of the you know of breaches
5:12
it's the end point , is
5:14
the point of entry for the attacker . The end point
5:16
is where you've got the coming together
5:18
of vulnerable technology and
5:21
fallible users and you
5:23
know you vast majority
5:25
of these attacks . You lure
5:28
the attacker , lures a user into clicking on
5:30
something which exposes vulnerabilities
5:33
on the machine to attack and then , having compromised
5:35
that machine , it's then the launching
5:38
point for moving
5:41
across the enterprise and if
5:44
we can keep that initial
5:46
compromise from happening , then we
5:48
can keep the enterprise safe .
5:50
So there's a big role for
5:52
endpoint security still and just
5:54
shifting gears a little bit because
5:57
we have to move on , even though it is
5:59
very interesting what is
6:01
the biggest challenge at the moment around
6:03
endpoint security in general ?
6:05
So I think one of the
6:07
things we've seen , which is we're beginning to start
6:10
seeing have real impact , is that
6:12
the bad guys have been quick to adopt
6:14
generative AI technologies
6:16
and we're seeing a real surge
6:19
in phishing
6:22
email , the lure emails luring
6:24
people to click on things that have sort
6:26
of perfect English . In
6:29
fact , we're actually seeing Not even English , right
6:31
?
6:31
Yeah , other languages as well .
6:33
Indeed , and I think that's a particular problem for some of the
6:35
Nordics countries , where folk
6:38
you know have perhaps been conditioned
6:40
to think that if something comes through
6:42
written in you
6:45
know , in Danish or you know or their local
6:47
language , that it's
6:50
probably okay .
6:51
It's also much easier to put
6:54
the triggers in for people to actually click right
6:56
. So you can ask it please
6:58
make it relevant for someone from Copenhagen
7:01
or from Oslo .
7:02
Well , that's it . It used to be the case
7:04
that you might have to have a
7:07
human to actually research
7:09
a victim if you wanted to create
7:12
a targeted attack , whereas
7:14
now you can just have generative
7:17
AI , research someone on LinkedIn or
7:19
social media and then be able to
7:21
create a customized email
7:24
which they're more likely to click on . Also
7:26
, another area which we're seeing happen is
7:28
if , having compromised
7:31
one machine and having access to a user's
7:33
email inbox , look
7:35
at all of the people they're communicating with and
7:38
then take the context from those email
7:40
exchanges and then use that information
7:42
to then compromise
7:44
people on the other end of those
7:47
conversations , or even look
7:50
in the directory to find out
7:53
the next person to attack in that organization
7:56
. With emails appearing to come from the
7:58
user of the machine you've just compromised , it's extremely
8:00
hard to detect . I think it's
8:02
basically impossible as a
8:04
human to .
8:06
I know of some companies that have
8:09
some of the phishing
8:11
email kind of detection capabilities
8:14
.
8:14
Yeah , but it's getting increasingly
8:16
harder for them to do that .
8:19
Even though even Gen AI has some telltale signs
8:21
that it's probably it does right now .
8:24
But already we're seeing with each
8:26
new iteration
8:29
that the and
8:32
we're seeing the language become more natural . There
8:34
were certain phrases which are
8:36
a bit of a giveaway for ChatGPT , but
8:39
those same phrases don't crop up if
8:41
you're looking at output
8:43
from Lama or a Gemini
8:45
and so expecting that you
8:47
can detect generative
8:50
AI just by looking at an email
8:52
, I think it's not going
8:54
to hold for much longer .
8:55
No no , and as HP
8:58
, I've known
9:00
about your ESC
9:02
kind of component inside
9:06
laptops for a while . With
9:09
the new generation you've
9:14
also improved on
9:17
that chip as well , but
9:20
that's not used for those
9:23
purposes in general right To combat
9:26
, for example , the Gen AI generator kind of
9:28
stuff .
9:28
Yeah , so that's quite separate what we do with
9:30
that chip . It's our
9:33
fifth generation of security controller chip
9:35
that we've announced
9:37
and are building into our
9:40
commercial PCs from March , and
9:43
we released the first generation of that chip back in
9:45
2013 . We're
9:48
now up to our fifth generation . Over the last few
9:50
years we've seen Apple
9:52
come out with the T1 chip , google
9:55
come out with the T1 chip , google come out with the Titan security chip . So
9:57
you know other vendors
9:59
are now sort of you know , catching up and having
10:02
their own security chips , but you know we're up to a fifth generation
10:04
still in the PC world .
10:05
And just to be clear for listeners
10:08
thinking what is
10:10
this chip ? What does it do ? It
10:12
is the chip behind things like Sure Start
10:15
and Sure Run , all that stuff
10:17
that keeps your firmware uncompromised
10:21
, and all that .
10:22
Yeah , it's a chip which is
10:24
powered on even when the machine appears to be
10:26
off , and it's what enables
10:28
the PC , to say , be managed
10:31
. If you
10:33
leave your PC in the
10:35
back of a taxi and you want to
10:37
contact it
10:39
over an IoT
10:42
wide area network to be able to
10:45
lock the device or to wipe it or turn
10:47
the GPS on and find out where it is
10:49
, one
10:54
of the things it does is to validate
10:57
that the firmware hasn't been compromised
10:59
, that it hasn't been tampered with and that it's
11:01
running genuine firmware . And , crucially , if
11:03
it does detect a problem , it can always get
11:05
a pristine version
11:08
of the firmware put back onto
11:10
the CPU . So that's one of our
11:12
promises is that the machine always gets
11:15
back to a clean state .
11:16
But that's been in the ESC
11:19
chip for I mean probably since
11:21
the inception .
11:22
Yeah , what's
11:24
new is , I think , from what I understand , is that you're
11:27
actually adding some more
11:29
features , or maybe I'll just
11:31
call them features , but more capabilities of the
11:33
chip , maybe also towards cryptography
11:36
and and things like that right , yeah
11:38
, so that chip one of the things that chips
11:40
always been responsible for is is
11:43
checking the firmware hasn't been tampered
11:45
with , and one of the the capabilities
11:47
we announced as part of that fifth
11:49
generation security controller chip is
11:52
support for quantum resistant
11:55
cryptography . So so the
11:57
reason that's important is obviously , you
11:59
know , right now there are a lot of organizations
12:01
across the world racing to build
12:03
a quantum computer , and some of them making
12:06
quite good progress , and one
12:08
of the things that you can do with a quantum computer
12:10
is implement something called Shor's algorithm
12:13
that enables you to factor
12:16
very large numbers in
12:19
a relatively short amount of time , which is something
12:21
which has not been possible before . All
12:24
of the cryptography we use today for
12:26
checking signatures
12:28
on documents
12:30
, on transactions
12:33
, on signatures on software
12:35
, also for checking that the website is
12:37
the website you think it is it's all built
12:39
on the fact that factoring prime
12:42
numbers , or factoring large numbers , is
12:45
very hard . If that's suddenly
12:47
not the case , all of that cryptography fails
12:50
.
12:50
But isn't it the case correct me if I'm wrong that
12:52
AES-256 is still
12:54
quantum proof ?
12:56
Yeah , so AES . That6 is still quantum proof
12:58
. Yeah , so
13:02
AES . That's an example of a symmetric key
13:05
algorithm . But before you can use an algorithm
13:07
like AES , we have to agree on what the key is . And
13:09
the way that that is done today
13:12
is using what's called public key
13:14
cryptography or asymmetric key cryptography
13:16
, and it's those algorithms that
13:18
rely on that factorization
13:21
problem and if
13:24
that suddenly becomes possible for
13:26
people to break , all of those schemes cannot
13:28
be relied upon . And
13:31
that's where we're
13:35
seeing the new
13:37
cryptographic algorithms being
13:39
developed right now which are quantum
13:41
resistant , that even if you had a quantum
13:44
computer because they use
13:46
a different mathematical property then
13:49
they're going to still be secure
13:52
even in the presence of a quantum
13:54
computer . And the
13:56
reason why it's important
13:58
for things like PCs is
14:01
some of the PCs that we're selling today
14:03
are going to be in use for many years . Maybe
14:05
not the desktops and laptops , which perhaps have a
14:08
three or five year lifespan , but
14:10
increasingly with circularity that
14:13
is going to be longer . But
14:15
some of these systems end up getting used in retail
14:17
which might have a 10-year lifespan , or end
14:19
up in doing
14:23
OT control
14:25
functions in factories and
14:29
critical infrastructure and
14:31
they may have very long lifespans . And
14:33
if somebody comes up with a quantum computer
14:36
. One
14:39
of the things they're likely to do with it fairly early on is to break the signature
14:42
used to sign
14:44
firmware updates .
14:47
And just to get this straight , what does ESC
14:49
do now , in this fifth generation
14:51
, to prepare yourself for
14:53
that ?
14:55
situation . So it implements
14:57
one of these new quantum-resistant
14:59
algorithms such that all
15:02
of our firmware updates will be signed with
15:05
signatures using this quantum-resistant
15:07
algorithm , so that even if somebody
15:09
breaks a
15:11
traditional RSA or elliptic
15:13
curve signature , then the security
15:16
is still going to be assured because they won't
15:19
be able to use the quantum computer to break
15:21
this new signature .
15:22
Okay , and so what
15:25
does this mean for end users
15:27
or for organizations looking
15:29
to protect
15:32
themselves against this future threat
15:34
, which isn't necessarily there yet ? Can
15:37
you give us , just to close this off this
15:40
conversation can you give us some
15:42
first steps that you can take as an organization
15:44
just to prepare yourself for this eventuality
15:48
? Because I think somewhere in 2035
15:51
, we expect , or 33 , we expect
15:53
quantum computers to actually be able to
15:55
break traditional cryptography
15:58
in a substantial way .
16:00
Yeah , I don't think you know . No one knows what the real
16:02
timeline is going to be . There's a lot of uncertainty
16:05
around it Could happen sooner , could happen later .
16:08
Like you mentioned , they're making quite big strides
16:10
nowadays towards ?
16:11
Yeah , and I
16:14
certainly meet organizations at Global 2000
16:16
companies where they now have
16:18
somebody assigned who is responsible for
16:21
their transition
16:23
to post-quantum
16:25
crypto , quantum-resistant
16:28
crypto and part of
16:30
that is looking at their own use of cryptography
16:32
within the organization and looking
16:34
at how they would migrate to
16:36
quantum-resistant cryptography , but
16:39
also looking at all
16:41
of the infrastructure they use , all of the various
16:44
suppliers they have and all of their dependencies
16:46
on cryptography . And
16:48
we are now seeing how
16:51
a number of governments are beginning to
16:53
give direction on that . We're expecting
16:55
the US government in 2025
16:59
to start requiring procurement
17:01
to consider quantum-resistant
17:04
algorithms for some of these key
17:06
long-lived capabilities , Like if you're
17:09
buying hardware that has got the
17:13
cryptography built into the hardware , you don't
17:15
want to have to replace that hardware because
17:17
someone's built a quantum reuse .
17:18
You want to be ready for that . Is this something that
17:21
you need governments to
17:23
actually take action on before it
17:25
actually gets interesting enough or
17:28
crucial enough for organizations
17:30
to do something about it , or do
17:33
you expect some sort of a natural ?
17:35
I think we're seeing a mixture . I think the , as
17:37
I say , security , mature , global 2000
17:39
companies you know many of them already beginning
17:41
to worry about this , building plans
17:43
for how they're going to make that transition . And
17:46
then governments themselves are saying
17:48
you know , for their own equipment
17:51
purchases . You know they want to
17:53
see this quantum resistance and
17:55
of course , you course , organizations
17:58
will do the work for selling to government . That's going
18:00
to enable the raise
18:03
the bar for all organizations
18:06
.
18:06
So it's a mixture . Yeah , and just to close off
18:08
, because obviously we talked a little bit about Gen
18:11
AI but we didn't really touch on AI itself
18:13
with the AI-based PCs , because these
18:15
new chips are going to be part of the
18:17
new lineup of AI PCs . Does
18:20
the AI that's in the new lineup
18:23
in any way augment or
18:25
help the
18:27
goals of the ESC chip in general ?
18:29
You know I would say it's
18:32
kind of orthogonal to what we're doing on
18:34
the ESC , but obviously we are using
18:36
those NPUs for
18:39
security purposes . You know we've got a
18:41
lot of our security capabilities use
18:44
machine learning . Today , if
18:46
we're taking advantage of the NPU , we
18:48
get to run bigger ML
18:50
models than we could have done on the CPU
18:53
, which gives us more capability . But
18:55
also we're seeing how there
18:59
are lots of software vendors that are wanting
19:01
to take advantage of the NPU , perhaps to save
19:04
compute costs in the cloud
19:06
, but also because
19:08
customers are wanting not
19:10
to send that sensitive data to the cloud
19:13
and be able to take advantage of
19:16
inference on the endpoint . And
19:19
I think there's a lot of potential
19:22
there for us to make
19:24
AI more private
19:26
and more secure and
19:29
trustworthy , taking advantage of that local
19:31
compute .
19:32
Okay , that sounds interesting . I'm really
19:34
curious to see where this goes from here , I mean , what
19:37
the sixth generation of the chip is going to bring and
19:40
we're going to progress and eventually
19:42
get there , hopefully towards a secure
19:45
future . Thank you very much
19:47
, Ian , for this insightful conversation
19:49
.
19:50
Well , thanks Anna .
19:50
Thanks for inviting me . Thank you .
Podchaser is the ultimate destination for podcast data, search, and discovery. Learn More