
Enhancing Cyber Defense with Adaptive Firewalls and Collective Intelligence with Philippe Humeau


About This Episode

In this episode, our hosts Rachael Lyon and Vince Spina welcome Philippe Humeau, CEO of CrowdSec, an expert in adaptive cybersecurity measures. Philippe brings to light the evolving challenges of managing IP reputations and the complexities cybercriminals face in influencing systems globally. 

He critiques the traditional use of honeypots and advocates for the richer insights gained from real-world data. Philippe delves into the use of data science and deep learning to detect and block malicious IPs, emphasizing adaptive and dynamic firewall systems over static rules. 


      Rachael Lyon:
      Welcome to To The Point cybersecurity podcast. Each week, join Vince Spina and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co host, Vince Spina. Vince, how are you doing with the jet lag?

      Vince Spina:
      I think you're doing well. I'm doing well for our listeners. Just got, in from Saudi Arabia, a 28 hour, trek, but very comfortable, very smooth. And, I'm sure to my team, they don't like it because I think I put out 2250 emails in the course of that time. So it's one huge blast.

      Rachael Lyon:
      Nice. Well, I didn't receive 1, so I feel a little left out now.

      Rachael Lyon:
      So I'll

      Rachael Lyon:
      put that on there.

      Vince Spina:
      We can fix that.

      Rachael Lyon:
      Maybe next time. Maybe next time. So I am so excited for today's guest. Can I tell you in our our 300 plus episodes, we've never never talked about this topic? So, without further ado, let's welcome to the podcast Philippe Humeau. He is the CEO of CrowdSec, which he describes as the ways of firewalls. How interesting is this? Philippe, welcome.

      Philippe Humeau:
      Thank you, Rachael. Thank you, Vince.

      Rachael Lyon:
      So could you please give us a little bit of, like, founder story on CrowdSec? Like, how did the idea for this come about? Because it is really unique.

      Philippe Humeau:
      Yeah. It comes from the, an Olympic, actually. You know, funny enough, after these these recent Olympics, come came from another Olympic, which was like 12 years ago, something like this. And we had a client, InterSport. It's a European fashion not fashion, a sport brand. Sorry. So they sell everything sport. And these guys, they were having, they had contracted with my previous company for a high security environment.

      Philippe Humeau:
      So they were all settled and everything. Everything was fine. And then at all of a sudden, we see a lot of IP addresses trying to scan the website, to scrub the surface, find vulnerabilities, and so on. I'm like, wow. That that's a massive attack. That's not, you know, background noise. It's not random. Someone is really, really trying.

      Philippe Humeau:
      And, those guys, they they tried hard, and they actually fell on a big boat because this system was extremely resilient. It had its problem. It was long to configure and somebody it was very efficient. So the guys crashed something like 6,000 IP addresses just trying to scan the surface of the website and failed miserably. And we were like, hey. First of all, beer popcorn. It's working. We worked on that for a while.

      Philippe Humeau:
      I'm glad it works. Now what's next? I mean, those IP addresses have value. Right? They they are the bread and butter of a cybercriminal entity. So So what what do we do with it? Can we share it with other peers, people over the Internet, other hosting companies? Are we even legally able to do this? How long is this information valid for? And so on and so forth. So we started to ask ourselves question around, you know, what we could could we do with it? And basically, nothing. And then we're, like, very frustrated because we thought we could do what we do with this high security environment, share all those IP addresses together, and be comfortable with this because it would be the core job of the company doing this. So people would trust us for that.

      Rachael Lyon:
      Nice.

      Vince Spina:
      Philippe, I I just wanna jump in there. So you you basically, you know the IP addresses at any given time, and I, I'd like to know, like, how fast does it change of of bad guys? What do you actually do with that? Would your consumers come to you and that's like a blacklist of IP addresses that get blocked in their environments? Or I just wanted to nerd out a little bit on how how once you know those IP addresses, what do you do with them? If I'm your customer, what what what do I get from you guys?

      Philippe Humeau:
      So yeah. So there is it's a twofold story. The first story is a free open source software, which is a security engine. It was it used to be called an IPS, IDS back in the days. Sure. But that that was before Gartner came in and say, hey. We need to rename everything into who's paying the most. Yeah.

      Philippe Humeau:
      XDR XDR. It's an everybody need an XDR who who hasn't got an XDR. So I'm supposed nowadays it's an XDR, whatever whatever is the name. But yeah, basically it's an IDS IP. So it's detecting attacks, it's blocking the attacks, and supporting the IP address that aggressed you. Whether it's an HTTP query that was crappy, whether it's trying to brute force your your credentials, whether it's trying to leverage a CVE, whatever. So we detect this, we block this, and all of this is entirely for free. Now we what we get paid back the way we get paid back is by signals.

      Philippe Humeau:
      So when an IP is addressing, say, Rachael, and Rachael is getting this, I don't know, brute force attack on our servers, Rachael's servers are reporting us the IP address that was aggressive, the time stamp, and the behavior. And with our network of 100 of thousands of machine across the the globe, we get real reports of who's getting aggressed, but what IP and so on. So this maintains a real time map of the IP addresses used by cybercriminals. And in return, because we need to make a living out of it, we sell the signals to companies that want to protect themselves. Another form of block list. Yeah.

      Vince Spina:
      Yeah. And that's, that's like real time dynamic always changing?

      Philippe Humeau:
      Yeah. So it's an it's a very interesting part of the story here, Vince. So the rotation rate is around 5% per day. At the scale of 12,000,000 IOCs daily we receive, we see the rotation rate of IP addresses used to carry attacks around 5% per day. So one could consider it's a lot. The other one would say, hey. That's marginally low actually compared to what I would have guessed. The second surprise we had by digging into our data lake is that only 5% of the attackers are using VPNs.

      Philippe Humeau:
      And I was like, if you would have asked me back in the days, Rachael, how much what would be the percentage on the back of your mind? I would say, like, I don't know, 30, 40%.

      Rachael Lyon:
      Right.

      Philippe Humeau:
      And, no, it's only 5%. And the reason why is that there are 2 kinds of VPNs. 1 is a crappy type, you know, underground type. We don't do KYC. We don't care what we're carrying. These ranges have extremely bad reputation. Everybody knows it's out the garbage of the Internet. And if you use those IP addresses, you already pre filtered a lot.

       

      [06:21] Attackers avoid VPNs; prefer pre-compromised servers.

      Philippe Humeau:
      So, basically, it's not really a comfortable position to be an attacker. But if you take the real good VPNs with good quality service, blah blah blah blah blah, they do the KYC. They don't accept to be paid in Monero or whatever, and they want you to have a credit card, an invoice, blah blah blah. And then you leave trace. And next thing you know, you have the FBI knocking at your door 3 AM in the morning. And as we all know, cyber criminals are not from the morning. Right? They are not morning people. So, globally, they don't use so many, VPNs, and they prefer to use pre compromised servers that that comes nearly for free nowadays.

      Philippe Humeau:
      Interesting.

      Rachael Lyon:
      Wow. That is interesting. So for the benefit of our our listeners, because we have never talked about multiplayer firewalls, can you break it down a little more on how it's constructed?

      Philippe Humeau:
      Yeah. Sure. So it's a friend of mine that that coined the term. A guy working at Google, he said, hey. Basically, you're doing a multiplayer firewall. He's like, that's a good banter. That's a good one, and I love it.

      Rachael Lyon:
      Yeah. Exactly.

      Philippe Humeau:
      2 words. If you can narrow it down to 2 words, it's it's extremely good. So why we consider it a multiplayer firewall? Because so first of all, the firewall part. Right? A firewall is accepting or refusing an IP based on a static rule set. A stupid rule set say a are good, b are bad. A should come in, and b should never come in. Now what is the history of a already? Is this guy with fancy sneaker and a Lambo, supposed to get into my nightclub because he has a lot of money? But what do I know? Maybe he's coming back from Syria and got a trending in bombing. And it's the same number, the same sneakers, and same fancy guy.

      Philippe Humeau:
      So just basing my decision on the look, on the static cool set is borderline stupid. What we want to do is to create a dynamic firewall. We want to react based on the history, on the reputation of the on the behavior of the IP addresses that are interacting with your workloads. So if they have bad behaviors, we'll refuse them. And if they have repeatedly had bad behaviors in the past in many different places, we'll build up a bad reputation for them. Until they redeem themselves and stop doing crap. And then they will be, you know, freed from the block list. But basically, what we do as a multiplayer, as a way of firewalls, we share those IOCs in real time, we curate them with a network effect, effect, and we distillate them into a block list that benefits everyone in return.

      Rachael Lyon:
      I like that.

      Philippe Humeau:
      It's obvious. Right? It's it's it's kind of logic. If you think about it like, mankind only solve problem when we're big problems when we are collaborating. We solved the COVID 19 problem in 1 year, in under a year, saving the global population 100 of thousands of deaths because we collaborated together, all the universities, all the doctors, all the virologists, all the labs.

      Rachael Lyon:
      That's true.

      Philippe Humeau:
      And top one priority, kill the COVID. And they did because collaboration. When you guys send people to the moon, you tackled a hugely complex problem with tens of thousands of people collaborating together. Could a smart guy alone in his garden do it? No, definitely not. No matter how smart he is. There's only when we collaborate altogether then we can picture a black hole, raise 264,000 time funds for projects in Kickstarter, learn 43 language using lingo, whatever. You know? Do we do a lingo? Sorry. So collaboration is the most powerful of human interaction, I find.

       

      Multiplayer involves crowdsourcing; vetting accuracy is crucial.

      Vince Spina:
      So, yeah, I mean, ultimately, the multiplayer because, when Rachael and I were prepping for this, Philippe, I've been in my background is in networking, and, I know I know I look 29, but I'm not. And, I've been in the industry a long time, and I go, I've never heard that term. But essentially, it's it the multiplayer is the crowdsource component of that. Right? And, now the thing is is, how do you vet that, what you're getting from your constituency is actually accurate so that, you know, when it comes together or do you care? I mean, I I guess the promise is just like analogous to, like, distributed denial of service. You don't wanna block something that's actually a good IP address. Right? I mean, I could see where maliciously somebody could come in and do the exact opposite of what, you know, your your core desire is to do.

      Philippe Humeau:
      Absolutely. So it's called the Byzantine general problem, and we have the same problem on the blockchain like Bitcoin or Ethereum. Are all the participant good intended, Or is someone trying to poison the consensus and spread false information? So let's pretend for a while that Rachael is trying to kill Vince's, business. Right? So Rachael is gonna send me send me a ton of reports on Vince's IP so that basically the consensus is crashed and, Vince's IP end up in the block place and we cripple Vince's business. Congratulations, Rachael. You failed because, first of all, we don't trust you for 6 months. So even though you enrolled yourself in the program, there's a quarantine time of 6 months. So you have to be very patient and you have to collaborate and report real signals for 6 months before you can eventually attempt your no t attack against Vince business.

       

      Need diversified reports to confirm malevolent activity

      Philippe Humeau:
      Right? Second thing is we don't only trust, Rachael. We need many Rachaels. We need a lot of reports against Vince's IP to be sure that it's really malevolent. And not only a lot of them, but very diversified, coming from different places in the world, different autonomous system as we know them, which means, like, basically, if you're a cybercriminal, it's really hard for you to deploy so many machines in so many different environment. It's gonna cost you a ton of money and time to eventually pull out this heist. Let's say finally, you injected, Vince IP into our consensus and we broadcast it and Vince is having real issues with this, at scale. And and also we have a problem as CrowdSec because we are decrimitablized. We are not as, you know, as trustworthy as we used to be because we broadcast it to false positive, which never happened in 4 years, by the way.

      Philippe Humeau:
      Well, then you would lose entirely the whole reputation you build it for all those machines you deployed instantly because we would look into this. We would put human into the loop. Say, okay. Congratulations. You did it. We'll burn the whole network. And you're basically stage 0. So for 6 months, you helped us with tons of machines.

      Philippe Humeau:
      And for an hour, you were right and you blocked Vince and it's easy blocked and and you you fried the whole network. So, basically, we make it so that it's not worth it. Interesting.

      Vince Spina:
      Rachael, I man, I'll keep asking questions. So

      Rachael Lyon:
      No. Keep going. Keep going. Yeah. My my brain is just sucking it all

      Philippe Humeau:
      out. Yeah.

      Vince Spina:
      Yeah. So I I mean, it's almost I wanna try to match metaphors because, Philippe, some of your, work

      Philippe Humeau:
      good.

      Vince Spina:
      Fill you know, pictures have been great. But, I liken it to maybe joining a game, you know, negative connotation there, but takes a while. You gotta, you know, you gotta kinda hang around the clubhouse a little bit. They gotta trust you. They'll give you some activities, things like that, but eventually, they let you in. So I I I get that, and I also get the part where you say, hey. It's not worth it. Not time and money.

      Vince Spina:
      I mean, they're both of those resources. You'd have to spend a lot. But let's say somebody, starts out really good, and they have all the right intentions, and they get through those gates. There was no malicious behavior. But now on the back end, somebody's a trusted source. They're part of that team now. And, you know, now, you know, people that, wanna be a little bit more malicious, you know, through some sort of, you know, whatever, monetary bribe or whatever, starts using the power of 1. I I I assume we're talking I don't know what the scale of your your crowd is.

      Vince Spina:
      I gotta believe it's probably in the 1,000. Is that is that a fair statement? Or even higher. Okay.

      Philippe Humeau:
      So Probably 100 of 1000. Yeah.

      Vince Spina:
      So I I guess what I'm trying to dig into, can one bad actor who finds their way in through what used to be a trusted source, you know, you brought up cryptocurrency, things like that. Can the crowd be able to kind of see that and then mitigate it, quickly? Or is there a backdoor in just through, you

      Philippe Humeau:
      know Yeah. No. Not really because of the diversity we impose to any decision. So let me give you an example. Let's say all of the IP addresses of, say, Microsoft, all of a sudden become rogue and they report bad things. They only have one vote in the network because they don't offer enough diversity. They all come from the same IP range under the custody of the same actor. So meaning for us, it's just one vote saying, hey.

      Philippe Humeau:
      Vince's IP is bad. Okay. Fine. We have one vote against you. It's not enough for us to exclude you from the Internet. So we would have to have if enough different reports and if not different, offering enough diversity so that we consider it. So it would be extremely complicated for 1 managed sector to invade, say, 6 60, 70 different places in the world all of a sudden to just, you know, try to ditch one IP into, a block list. I'm not saying it's impossible.

      Philippe Humeau:
      I'm saying it's unrealistic or extremely costly, which is usually enough for a cybercriminal group to just keep on this option because your time and money well, let's say money is just a human function of time. So it's one is the other exactly. So they would not, you know, spend this time for nothing.

      Vince Spina:
      If Philippe writes a Philippe philosopher book, I'm buying it because I there are couple of those couple of statements are good. I'm I'm sold, Philippe. I I love the concept. And,

       

      [15:41] Previous honeypots collected useless Internet background noise.

      Philippe Humeau:
      You want some more of this because how we did how we did this in the past. You know, what was missing in the market before is, like, people were using, straw balls. They were calling these honeypots. So they would spawn machines on, Google, Amazon, different places, DigitalOcean, OVH, and so on, and they would pretend those machines were vulnerable. And they say, attack me, attack me, attack me, and then I'm collecting the attacks, and I'm saying, hey. This IP is attacking me. Yeah. But what do you get out of this? You get the random background noise of the Internet.

      Philippe Humeau:
      You know, people that are using, gatling guns to spray bullets and pray that eventually someone catches 1. But it's not showing you the real picture here, or it's showing you what's what's kind of obvious. Our our users are real users. They are real businesses defending real value, with real website, real transactions, real users behind it, you know. So would you invest, for example, you took the example of a DDoS, Vince. Would you send a DDoS against a a honeypot system? No. No. What what's the point? You know, it's it's pointless.

      Philippe Humeau:
      Would you try to credit stuff, cards, credit cards, onto a payment gateway on a honeypot? No. Because they have no payment gateway. They are just dummies, struggles, you know, getting hit by what I'm looking for

      Vince Spina:
      And the educated hacker, I mean, it's they're still beyond. Yeah. I mean, it's still beyond that.

      Philippe Humeau:
      But here, since it's real people, we can tell you, oh, those IP addresses are specifically aggressive against, I don't know, Lebanon, Korea, Australia, US. Ever since a month or 2 months or forever, we can also tell you, hey, this IP address is particularly interested in health care industry or retail or real estate or banking Because those clients are your clients, so they declare what they are. I'm banking industry. Okay. So this IP is attacking only banks. Well, I'm guessing it has, you know, a specific behavior. Or this IP is only doing DDoS. So we can create on the fly cohorts of IP address exhibiting the same behavior either against the same target or same group or the same vulnerabilities.

      Vince Spina:
      I'm assuming you there's large language models built into this in some form. You're using some level of AI to

       

      Careful approach to AI using deep learning.

      Philippe Humeau:
      So I'm very careful with AI because there is so much buzzword in that, you know, we are doing data science a lot, and we are training models. They are not LLMs because LLMs for us are are not adapted, but what we do is, like, deep learning and, we are keeping and they are creating these on the fly cohorts. So let me give you an example of this. So if in your logbooks, you see passing, someone scanned my portal at 12:30 on this machine. And then at 12:32, someone tried CVE x y z on my website. And then at 12:45, someone, tried to inject passwords. Those are 3 three different events coming at 3 different time from 3 different IP addresses. Basically, anchor you cannot correlate them into anything.

      Philippe Humeau:
      But at the scale of my network, I see the same IP addresses exhibiting the same behavior in different places, and I can tell you, oh, those same IP those IP addresses are under the custody of the same cybercriminal body. I don't know if there are fancy bears with pink stripes and red spots. I don't care. They are the same cybercriminal group. So if IP a is knocking at your door at all and IP b is knocking at your door, you can practically block IPC because it's coming in 3, 2, 1, now. Wow. And the accuracy of this model is beyond beyond belief. Another thing that we can do, which is really cool, is saying, hey, those IP addresses are very likely to be residential proxies or VPNs.

      Philippe Humeau:
      And how we do this? So first of all, residential proxies are a pest because people are renting their landline connection at home for, say, $10 a month just to offset the cost on their own, spurtings. And, they're empty to they don't know who, actually. And those don't know who people are carrying attacks through, residential proxies, and it's a very a very classical thing. So for example, during the attacks of the of October in Israel, a lot of the attacks that were carried were carried through residential proxies. So basically, Israelis so Israelis attacking them. And we're like, but it cannot be. We are a very nationalistic country. People are are caring about the security of Israel.

      Philippe Humeau:
      Why would Israelis attack Israel? There were not Israelis attacking Israel. There were Iranians, Russians, or whatever who rented Israeli's IPs to carry their attack. So if you can identify this cohort as being a residential proxy cohort, then you can tell everyone, hey. It's up to you. You want to accept or you don't want to accept residential proxy, but just know that we have a list of them. It's up to you whether you decide to block them or not. Very interesting. Rachael?

      Rachael Lyon:
      Yeah. I know. I know. It's like I'm trying to, like, wrap my head around all this. Well, I imagine with all of this information, though, you've got really valuable information, Philippe. I mean, I I can imagine, you know, there's there's probably big criminal gangs that you guys have uncovered, and what do you do with all that information?

       

      Attribution in cybersecurity is unreliable and unpredictable.

      Philippe Humeau:
      So we come back to a problem that is called attribution, and we don't do attribution because to me, attribution is like, you know, you try to guess, the number of the lottery. Why that? Because if we take these fancy bear or pink stripes and red dots, whatever the name is, and, you know, those are just made to to to give you plush toys, black hat and whatever. The reality behind it is that those groups, they are recomposing constantly. They are subcontracting each other. People are moving from one to another. So if you say, this is a signature of the code of blah, well, maybe Yuri changed, to another group. And Dimitri is working there. And John decided that he has allegiance with, the spider whatever bait, plush toy.

      Philippe Humeau:
      And indeed, it doesn't mean anything. You cannot possibly tell where an attack is coming from. This is, you know, daydreaming, but it's not realistic. So we don't care about that. We don't care at all. And by the way, would you act differently if I tell you it's like spider bear 2? Oh, oh, it's spider bear 2. So let them in. It's not a problem.

      Philippe Humeau:
      No. You want to block them, whatever their fancy name is. Right? So Right. We decided not to play that game at all. What we can tell you though is that we can detect if there are more activities against specific country, a specific industry, and if you need to be more careful compared, to some IP addresses or others. Which are the people doing good job, for example, at cleaning their systems quickly? We can tell you with a high degree of conf of confidence that AWS is doing an extremely good job at cleaning IPs that are compromised. As soon as an IP is compromised at their place, within 2 days, they make a takedown. And we see it in the figures.

      Philippe Humeau:
      We see the instantly, they are taken down. If you do if you look at DigitalOcean, there are machines that are compromised for years. And if you ask somebody, hey, guys, we have the list of your machines that are compromised and used by cybercriminals, like, yeah, cool. Are you gonna do something right? No. Someone is paying for them, so

      Rachael Lyon:
      Right.

      Philippe Humeau:
      We don't care. Mhmm. Okay. Okay. That's a philosophy. That's another philosophy. So, yeah, it's more in this direction.

      Rachael Lyon:
      That makes sense. That's fair. So so what's next? I mean, where do you take it from here? I mean, when this is pretty awesome stuff. Like, where does it go from here?

      Philippe Humeau:
      Yeah. Two angles. I I look back to a question of Vince, if you if you allow me, on the the delay, the timing. Mhmm. Vince was asking, and it's exactly where we're heading, how much how fast can the network detect this kind of attack? So it all depends on the scale and on the loudness of the cybercriminal group using those IP addresses. So you just scan to the whole Internet, in 4 minutes, we'll know about them in 2 minutes. Right? Obviously. Now if they are doing slow brute force of credentials or scanning your VoIP range and so on, But, you know, sneakily over a month, it will take us days before they end up in the consensus.

      Philippe Humeau:
      But now, here's the point. Most of my network is redundancy. I mean, and that's the point of it. Like a lot of information is redundant and this is what gives us, you know, the credibility to assess that this IP is dangerous because it's been reported by a lot of different people. Now it's not noise. Why that? Because the more the merrier. The more we are, the faster we can decide that this IP should be blocked. So in the very inception, the early days of CrowdSec, when the famous Log4j CVE struck the Internet, we were 6 months old.

      Philippe Humeau:
      We had 3,000 people in the network, and we could spot roughly 3 to 4000 IPs that were the most aggressive against those, CVEs in 4 hours. Nowadays, a Log4j would be detected in under 5 minutes. What's the next frontier? Seconds. If we can spot IP addresses in seconds, we would not only I mean, we would eventually deal with the payload, but we would disable all the rockets in the first place. The carrier of the attack, which is smarter than actually trying to dodge a bullet or or soak them into your love your love face, your your kevlar.

      Rachael Lyon:
      You know? Right.

      Philippe Humeau:
      So this is the first frontier. The second frontier I see, and it's probably the most important one, is what I call Moais. Moais are multimodal offensive AIs. What does it look like and what are they doing? Well, basically, look at it this way. You know about CTF competition. Right? So it's capture the flags, so white hat hackers are competing in order to gain points by compromising servers, and so on. What do we have out of it? A lot of logs, right, of real humans sending attacks and compromising machines. That's extremely, extremely interesting information to train in AI.

      Philippe Humeau:
      Right?

      Rachael Lyon:
      Right.

       

      [25:37] AI accelerates vulnerability detection, creating unprecedented challenges.

      Philippe Humeau:
      And what we have is CVE database that describe basically how vulnerabilities are working. What if we use an LLM on other deep learning machines or machine learning systems to actually train an AI in doing the same thing and academical papers, and so on and so forth. And then all of a sudden you have an AI knocking at your door that instead of taking minutes to actually find a vulnerability, takes milliseconds. And it's a whole new dimension. It's a whole new game you're a whole new problem you're facing. So it's not only that they can craft perfect, accurate, you know, document to send you to make us believe Vince was in Saudi Arabia. Actually, we know he he was not. He was in Japan.

      Philippe Humeau:
      I know he's in Japan. So, you know, we can have credible pictures of Vince in Saudi Arabia sending Rachael, pictures saying, hey, I'm hostage or whatever. I have a problem. Send me money or unlock my account, whatever. That's obvious. That's already, you know, industrialized. That's part of the background noise now. You guys are dealing with this, and thank you for that.

      Philippe Humeau:
      But what we see as our next frontier are more eyes that we do this on the attacking machines, not human, but attacking machines. And that's where, you know, disabling this fleet of rockets will allow us not to get the payload reaching the workload so fast that we cannot, counteract on it.

      Vince Spina:
      Phil, for our listeners, I just used the term MOAI, MOAI. For the listeners, MOAI, multimodal multimodal offensive

      Rachael Lyon:
      Easy

      Vince Spina:
      for you

      Rachael Lyon:
      to say. Yeah.

      Vince Spina:
      It's easy for me to say. But just in case somebody wanted to refer it, I wanted to go back kind of you you touched on ethical hacking and and all of that. You know, there are people, associated with companies that, you know, wear white hats. You know, they're actually trying to find these vulnerabilities. How does your product like, when when you're watching, you have a list of, bad IPs, but if somebody's out there, you know, just poking around, doing pen testing, things like that, how do you separate the white hats from the black hats? Like, do white hats get caught up in, you know, the security? Okay. They do. Okay.

      Philippe Humeau:
      I figured that. Yeah. That you know, this fancy red spider stuff. It's the same thing. So we've called this some days ago, and the guy were like, hey. We have a problem because, clients of yours and that we have in common, they are blocking our IPs right away at the gate. And I'm like, and so what? You're exhibiting an offensive behavior, and the system is made to detect offensive behavior. Your IPs are always the same.

      Philippe Humeau:
It's blocked. It's blocked. What do you want me to do? What we can do for you guys, if you want, is I have a whitelist saying those are the IPs of Qualys, and you can whitelist them if you want to disable our system and see if other systems are resisting Qualys or not. But no, I'm not gonna, you know, tell my client to disable CrowdSec so that you can pen test them. It's up to them. I mean, you're in a real-life configuration, guys. And they were like, yeah, but we don't wanna share our IP addresses.

      Philippe Humeau:
Well, you know what? Your problem, not mine, actually.

      Vince Spina:
      Very good.

      Rachael Lyon:
That's fantastic. So we like to get a little personal with our guests, Philippe. And, you know, as founder of CrowdSec, not that you have a crystal ball, but you've been in cybersecurity for a really long time. And I'd be really curious to know, like, what are you excited about that's happening in the industry right now and as we look to 2025? I mean, I know we talked a little bit about AI. It's a little sensationalist. I think there are, you know, a lot of questions on what it is, what it isn't. But what gets you excited about what's ahead for cyber?

       

      Electricity revolution impacts society and cybersecurity multifacetedly.

      Philippe Humeau:
Well, and sadly, it will come back to us because I'm not a fanboy kind of guy. I'm not, you know, like, the BFF or for Panay, whatever. But I think there is something at stake here that is bigger than we think. It's the electricity revolution for what we're doing. I mean, it will impact society at different levels in different ways, obviously. Now in cybersecurity, it covers a different aspect. Because, for example, specifically in your line of work where you are dealing with these problems on a daily basis already back in the day, now you probably have a view of a surge of those attacks by a 10x factor. And we're not anymore in the era of attacks with, like, typos and mistakes and horrible grammar all over the place.

      Philippe Humeau:
It's extremely incredible. I can scan the entire surface of a company and craft specific messages targeting specific people, detecting their intention. Are you upset at your company? Are you broke and financially in distress? Well, you can then be targeted with an attack where I bribe you, sending you half a Bitcoin if you give me your credentials. Right? How do I deal with that? I mean, the betrayal is an extremely complicated part to deal with. Arguably, with behavioral detection, we can do this, but it's still very, very complex. So you guys have a lot on your platter. I have a lot on mine as well. But there is light at the end of the tunnel because, actually, AIs are pretty good at spotting AIs.

      Philippe Humeau:
That's the funny part of it. And we can use different models to counteract them. So I think this game of cat and mouse is just gonna accelerate in a very exponential way. For now, I think MOAIs are only in the hands of governments and states. I haven't seen them. I know one private company that has something very similar in the making, but it's not yet ripe enough to be considered operational. Probably 3 to 6 months from now, one would have. What is very scary to me is the following, and it's actually your team, when we prepared this interview, that connected the dots. She said, and I quote, but do you think it will be commoditized at some point like ransomware was? I'm like, oh, damn it.

      Philippe Humeau:
You're so right. The day there is a real MOAI out there, what will people do? Rent it? Obviously.

      Rachael Lyon:
      Yeah.

      Philippe Humeau:
      They will rent it. And this is where the payload is defend. We will have a lot on our platter then because we will face groups that are probably average at what they're doing using exclusively efficient weapons.

      Rachael Lyon:
      Mhmm. And

      Philippe Humeau:
that's what keeps me up at night, actually.

      Rachael Lyon:
Yeah. That's a good point. Yeah. You know, kind of the ransomware of the month club. Yeah. That's exactly where it's gonna go.

      Vince Spina:
Phil, this is where you're supposed to make us and our listeners feel good that you're working on that. Yeah. And Yeah. Yeah.

      Philippe Humeau:
Okay. So for the feel-good part. The thing is, we know, let's say, MOAIs have 2 working modes. 1 is be discreet, be undercover, don't ring all the alarms on the target because we have time. I want to compromise, I don't know, a large company in the US. I don't care about doing it in one day. If 6 months is your timeline, you can be very, very sneaky and discreet. Well, it's not because you're discreet that you do not leave traces in the logs.

       

      Hackers show efficiency, rapid targeting, unlike humans.

      Philippe Humeau:
And besides, from what we have seen so far, there are some kinds of signatures we can see. Actually, they don't behave like humans, like white hats and so on. They are behaving very, very differently. If I take, for example, just a SQL injection, they will narrow down on what's exactly the most likely to be efficient in a matter of 10 requests instead of 40. They're like, how come you narrowed that so quickly on your target? You are the trace of a MOAI, and I need to keep a specific eye on you. Another thing that we're pretty positive about, let's say this, if you put them in a very active mode, like, hey, compromise this company as fast as you can because, I don't know, we are CIA and we need an access now now now now now. Right? Oh, NSA. Yeah.

       

      [33:27] Teamwork is essential for defending against attacks.

      Philippe Humeau:
Sure. But you're gonna be extremely loud by doing so because you are, yes, fast. But on the other end, on the receiving end, I will see a lot of traces in the logs that go insanely fast, and I will block you right away. And not only this, I will block all the IP addresses related to you across my network, which means actually the only way of really defending against the AI from the technical standpoint, the ones that are attacking the servers, not the ones attacking the humans. I leave you to the humans. I'm gonna take care of the servers. But the ones attacking the servers, the only way of efficiently defending against them is to team together.

      Philippe Humeau:
      Again, the crowdsourcing part would be, I think, crucial in this.

      Vince Spina:
And build context through that teaming. Right? Yes. It's all about contextual analysis of that crowdsource. Boy, super intriguing.

      Rachael Lyon:
Yeah. Philippe, I'm conscious of time, but I just wanna thank you for educating us. I mean, you know, Vince and I, we're new to this topic, and I'm excited for what you're doing and what's ahead. So thank you. Thank you for sharing your insights with our audience. This has been wonderful.

      Philippe Humeau:
It's my pleasure. And on top of that, I shall remind your listeners that it's free. Okay? So use it. Defend yourself. Defend your hospital, your small business, because no plumber is above being scratched by a ransomware attack. Because you know what? This type of mob, like Vince talked about earlier, it's a mob system. You start with small fishes that don't cost you a lot of money. So if I spend $100 compromising your $20,000 business or $200,000 business, and I can stop you.

      Philippe Humeau:
I can claim a $10,000 blackmail from you. Is it worth it? Right? So there's no fish too small to fry in this environment. That's why it's important that we all have a free path, that we help everyone, and that the large companies that can pay for it defend themselves using the premium product. That's why the free open source software is a means to an end. The means is helping everyone to get the signal, and the end is sending the signal to the companies that can pay for it. So if it's free, it's not because you're the product. If it's free, it's because cyber criminals are the product. Mhmm.

      Rachael Lyon:
Yeah. I know. The only way we're gonna get there is working together because, yep, they're moving so fast. We have to organize. Otherwise, we're never gonna beat it.

      Philippe Humeau:
      We're gonna beat them.

      Rachael Lyon:
      We're gonna beat them. That's right, Philippe. We're gonna beat them.

      Vince Spina:
Our AI is better than your AI.

      Philippe Humeau:
      Not exactly. It's more distributed. More distributed. There you go.

      Vince Spina:
      There you go.

      Rachael Lyon:
      Awesome. Well, thanks again, Philippe. And to all of our listeners out there, thanks for joining us this week. We really enjoyed it. And, again, you know, don't forget, Vince. Every week, what do we like to ask them to do? Smash that subscription. Smash the,

      Vince Spina:
      the subscription and the like button. Yeah.

      Rachael Lyon:
      That's right. And we have a fresh episode every Tuesday.

      Vince Spina:
      I'm not sure if you Rachael. I'm a little tired

      Rachael Lyon:
      from,

      Vince Spina:
      from my

      Philippe Humeau:
      jet lag, but

      Rachael Lyon:
      Every week, I give you

      Vince Spina:
      a jet lag.

      Philippe Humeau:
      That's right.

      Vince Spina:
      You're right.

      Rachael Lyon:
      You love me hanging.

      Vince Spina:
Yeah. I apologize. The brain didn't catch up there.

      Philippe Humeau:
      So yeah.

      Vince Spina:
      Philippe, our absolute pleasure. Thank you very much.

      Philippe Humeau:
      And,

      Rachael Lyon:
      Thank you.

      Philippe Humeau:
      My pleasure as well.

Vince Spina:
And love the alpacas in the background. You gotta, you need a plush toy. You know? If the bad guys have plush toys, we gotta have a

      Rachael Lyon:
      That's right.

      Vince Spina:
      The traffic cops of this cybersecurity world. I want one of those.

      Philippe Humeau:
With pleasure.

      Rachael Lyon:
      Awesome. Thanks everyone for joining us, and until next time, stay safe. Thanks for joining us on the To the Point cybersecurity podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit www.forcepoint.com/podcast. And don't forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.

       

      About our Guest


      Philippe Humeau, CEO, CrowdSec

Philippe graduated as an IT security engineer in 1999. He then created his first company, dedicated to red team penetration testing and high-security hosting. After selling that company, his enduring passion for cybersecurity led him to create CrowdSec in 2020. This open-source software vendor builds a participative IPS that generates global, crowd-powered CTI.