Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming. All right. Well, Alastair, welcome to Unsupervised Learning.

Unsupervised Learning is a podcast about trends and ideas in cybersecurity, national security, AI, technology and society, and how best to upgrade ourselves to be ready for what's coming. All right. Well, Alastair, welcome to Unsupervised Learning.

Yeah, thanks for having me, Daniel. Long time fan of yourself in the show. So good to be on here.

Yeah, thanks for having me, Daniel. Long time fan of yourself in the show. So good to be on here.

Awesome. Yeah. So can you tell me about yourself and and, uh, harmonic security?

Awesome. Yeah. So can you tell me about yourself and and, uh, harmonic security?

Yeah. Quick bit of bit of background, as you can tell from the accent. Originally from the UK here. So my, my previous company to harmonic was Digital Shadows which I set up in London and the threat Intel space and we were we were really good at spotting all the sensitive data that had already leaked out of businesses across the open, deep and dark web. I did the series A in Silicon Valley, moved here in 2015, so I'm now ten years into the US in a dual national and so on. So pretty bedded into the the. Bay Area digital shadows was acquired in July of 22 and as you'll remember well November of 22 ChatGPT comes out and you know the world changes and I you know, I started just, you know, exploring that and talking to a lot of smart people in the space and seeing what I could learn. And, and actually, you were one of the first people who was writing a lot about it. I started, you know, picking up your, your newsletter, I think in, um, early 23 as you were really getting going on the topic. And so that's ultimately led to me founding Harmonic Security in August of 23. So about 18 months old now. Um, we are we're really building a new data protection technology. We're calling what we're doing zero touch data protection. And we're harnessing the power of generative AI to build this. It's it's it's our own set of specially trained small language models that we're using for data protection. That allows us to do some very different things that I'll talk about. But use case one for us is very much, ironically enough, it's generative AI adoption from the enterprise. Right. And the challenges, particularly in sensitive data leaking into these different AI applications and models. We see that as like the number one barrier to to adoption in the enterprise, and we're helping them with that. And so that's really what harmonics about today is we're building out a pretty unique approach here to data protection.

Yeah. Quick bit of bit of background, as you can tell from the accent. Originally from the UK here. So my, my previous company to harmonic was Digital Shadows which I set up in London and the threat Intel space and we were we were really good at spotting all the sensitive data that had already leaked out of businesses across the open, deep and dark web. I did the series A in Silicon Valley, moved here in 2015, so I'm now ten years into the US in a dual national and so on. So pretty bedded into the the. Bay Area digital shadows was acquired in July of 22 and as you'll remember well November of 22 ChatGPT comes out and you know the world changes and I you know, I started just, you know, exploring that and talking to a lot of smart people in the space and seeing what I could learn. And, and actually, you were one of the first people who was writing a lot about it. I started, you know, picking up your, your newsletter, I think in, um, early 23 as you were really getting going on the topic. And so that's ultimately led to me founding Harmonic Security in August of 23. So about 18 months old now. Um, we are we're really building a new data protection technology. We're calling what we're doing zero touch data protection. And we're harnessing the power of generative AI to build this. It's it's it's our own set of specially trained small language models that we're using for data protection. That allows us to do some very different things that I'll talk about. But use case one for us is very much, ironically enough, it's generative AI adoption from the enterprise. Right. And the challenges, particularly in sensitive data leaking into these different AI applications and models. We see that as like the number one barrier to to adoption in the enterprise, and we're helping them with that. And so that's really what harmonics about today is we're building out a pretty unique approach here to data protection.

Okay. Interesting. So there's like an old space I don't know if it's been renamed, but it used to be DLP. Yeah. For like for like outbound, you know, sensitive data going out. Um, it sounds like it's something like that. But at the same time it's like AI readiness. Um, and then like the leakage issue. So, like, how do you see those and differentiate them?

Okay. Interesting. So there's like an old space I don't know if it's been renamed, but it used to be DLP. Yeah. For like for like outbound, you know, sensitive data going out. Um, it sounds like it's something like that. But at the same time it's like AI readiness. Um, and then like the leakage issue. So, like, how do you see those and differentiate them?

Yeah. It's a great point. I think there's there's been as you mentioned, there's a few categories that we, we can collide with a little bit, and we're trying to not think so much about the existing categories, is just focusing on what the problem is that the enterprise is trying to solve today. And that naturally leads us to overlap into into some of these categories, for sure. I mean, I think if you think about, as I'm doing about the problem space today around AI, that's it's kind of a top three for everybody we talk to is, okay, you've got you're in a position of having to go and try and adopt this technology. Um, the business is pushing for it in most cases. Right. We don't want to be left behind. We need to go and get on this. Um, but the obviously, there's, uh, there's a bunch of people that are worrying about the risks attached to that. Principally, where does the sensitive data go? And the start of that journey is visibility, where you need to understand effectively what's going on today in the enterprise, because whether you like it or not, employees have already jumped in and have started using a bunch of these tools and technologies. And, and so, so you sort of look at what enterprises have have to deal with their and often the the approach has been, well, um, let's just sit, block and wait. Right. Try and block all this stuff. Pretend it's not happening. Put a policy in place. You know, maybe we'll start to build, you know, by one of the an enterprise version of something, right? It's co-pilot or it's it's ChatGPT. And we'll try to point everybody at that. Um, but inevitably, you know, there's this, this sort of Cambrian explosion of other AI applications and uses out of the core apps that often get blocked. And and you don't want to frustrate that either. You want you want to be adopting the majority of the the technology where you can. So the question comes back to, you know, how do you do that safely? And and I think getting getting visibility into it is the first part. And then the second part is, well what about the controls. And you mentioned DLP, I think that's kind of the classic one where where organizations start to look at their existing, uh, options, whether it's DLP or trying to label all the data in it in a company. Right. Those have been the two things we've tried to do for 20 years. Uh, hasn't really worked that well over the last 20 years. I mean, it's it's just such a challenge for most security teams, right?

Yeah. It's a great point. I think there's there's been as you mentioned, there's a few categories that we, we can collide with a little bit, and we're trying to not think so much about the existing categories, is just focusing on what the problem is that the enterprise is trying to solve today. And that naturally leads us to overlap into into some of these categories, for sure. I mean, I think if you think about, as I'm doing about the problem space today around AI, that's it's kind of a top three for everybody we talk to is, okay, you've got you're in a position of having to go and try and adopt this technology. Um, the business is pushing for it in most cases. Right. We don't want to be left behind. We need to go and get on this. Um, but the obviously, there's, uh, there's a bunch of people that are worrying about the risks attached to that. Principally, where does the sensitive data go? And the start of that journey is visibility, where you need to understand effectively what's going on today in the enterprise, because whether you like it or not, employees have already jumped in and have started using a bunch of these tools and technologies. And, and so, so you sort of look at what enterprises have have to deal with their and often the the approach has been, well, um, let's just sit, block and wait. Right. Try and block all this stuff. Pretend it's not happening. Put a policy in place. You know, maybe we'll start to build, you know, by one of the an enterprise version of something, right? It's co-pilot or it's it's ChatGPT. And we'll try to point everybody at that. Um, but inevitably, you know, there's this, this sort of Cambrian explosion of other AI applications and uses out of the core apps that often get blocked. And and you don't want to frustrate that either. You want you want to be adopting the majority of the the technology where you can. So the question comes back to, you know, how do you do that safely? And and I think getting getting visibility into it is the first part. And then the second part is, well what about the controls. And you mentioned DLP, I think that's kind of the classic one where where organizations start to look at their existing, uh, options, whether it's DLP or trying to label all the data in it in a company. Right. Those have been the two things we've tried to do for 20 years. Uh, hasn't really worked that well over the last 20 years. I mean, it's it's just such a challenge for most security teams, right?

Yeah, it sounds great, but when you try to implement it, it turns to garbage really quickly.

Yeah, it sounds great, but when you try to implement it, it turns to garbage really quickly.

Yeah. I mean, it really does. I'm yet to find somebody who who loves their, their DLP or really enjoyed the process of trying to label all the data in the business. Um, you know, and usually it's, it's often just a compliance tick box. Right. It's kind of there if the regulator asks, but is it really doing anything very useful for you? Well, probably not right. It's right. It's like a yeah, yeah.

Yeah. I mean, it really does. I'm yet to find somebody who who loves their, their DLP or really enjoyed the process of trying to label all the data in the business. Um, you know, and usually it's, it's often just a compliance tick box. Right. It's kind of there if the regulator asks, but is it really doing anything very useful for you? Well, probably not right. It's right. It's like a yeah, yeah.

So so let me let's do this. This should be fun. So I'm just going to give you a scenario that I think is happening quite a bit. And then let's talk about where harmonic security would fit into this. So a big part of the use case is simply the business says, Holy crap, we need to have AI immediately, right? We need marketing to be moving on this. We need some sort of product that says something about AI. So we were thinking it would be something related to like, um, our CRM lookup. Uh, you can ask questions about your current account or whatever. So obviously we want to hit that API. Here's the API internally for that. Um, also we want to do some external lookups, uh, to combine it with some web search or whatever. So I guess we'll need that API. And then like the business kind of sends over this hunk of garbage over to like the product team which has like three or 4 or 10 internal APIs plus some other agent functionality or whatever. And then you have like this, uh, combiner, uh, sort of agent that actually formulates this stuff from the API's and hands it back to the user through this chatbot. And that's like 20 different nightmares combined. So where is harmonic security on this?

So so let me let's do this. This should be fun. So I'm just going to give you a scenario that I think is happening quite a bit. And then let's talk about where harmonic security would fit into this. So a big part of the use case is simply the business says, Holy crap, we need to have AI immediately, right? We need marketing to be moving on this. We need some sort of product that says something about AI. So we were thinking it would be something related to like, um, our CRM lookup. Uh, you can ask questions about your current account or whatever. So obviously we want to hit that API. Here's the API internally for that. Um, also we want to do some external lookups, uh, to combine it with some web search or whatever. So I guess we'll need that API. And then like the business kind of sends over this hunk of garbage over to like the product team which has like three or 4 or 10 internal APIs plus some other agent functionality or whatever. And then you have like this, uh, combiner, uh, sort of agent that actually formulates this stuff from the API's and hands it back to the user through this chatbot. And that's like 20 different nightmares combined. So where is harmonic security on this?

Yeah, I, I think for, for the reasons that you just outlined really we're not trying to solve that problem today. Uh, and I'll talk about why I think. I think the, uh. Yeah. November 22nd, ChatGPT comes out. I think 2023 and into 24 companies were were having to say that they were AI forward. And, you know, every CEO is talking about AI and telling the board and the market about it. And and what happened in reality was, I think a lot of people, you know, spun up some sandboxes in usually open AI related. They tested out some use cases, mostly around, as you say, you know, sales or customer success activities. Very few of those have entered production. And I think what's happened and continues to happen is that the the percentage of companies that are really trying to build out their own AI to solve these problems, particularly the common business problems, is just going away. It's diminishing to to be the really sophisticated orgs only. And what the vast majority of companies are doing is ending up adopting third party SaaS that has already thought about this. It's what they do as their bread and butter. So are you going to build a better CRM than Salesforce and and all the other players? Probably not. Right? Salesforce is busy spending all day long figuring that that scenario out. And I think that's true for most of the common business use cases right around stuff like customer success, technical support, the way you're going about your marketing, it's going to be more, you know, are you going to you're going to be using the latest tools, though, whether it's, let's say like gamma for writing presentations now or, you know, granola for your note taking and all these types of things. Right. And then some of those get built in ultimately to Microsoft and Google suites, like big announcements this week from Microsoft and Google. And so if you've got a bunch of employees, maybe you're on the Microsoft Suite. Sure. But your employees want to use notebook LM, right. They want to be there's that Project Mariner spinning up about how do you get agents in the browser through Google. But I think that that's really the direction that most enterprises end up in. And then there's a bunch that have failed projects around trying to build their own. There's a bunch that will have successful projects building their own. But I think that's for me, that's got a lot of the attention right now. And, you know, obviously this stuff like we talk about the, um, you've got the, um, the top ten, the OWASp top ten, and uh, which is smart. Like, I think it's a good set if you're building your own. But I don't see I don't see these types of, of issues as the ones that almost the majority of CSO that we talk to are struggling with. Right? It's it's more, hey, we need a business wants to use all these tools. We don't know what we're using today. Who knows what's going on in marketing right now? Because these people are adopting these tools. They're firing our corporate data in because they want to get productivity out. I think that's going to be step one for the vast majority of companies. And that's our immediate focus.

Yeah, I, I think for, for the reasons that you just outlined really we're not trying to solve that problem today. Uh, and I'll talk about why I think. I think the, uh. Yeah. November 22nd, ChatGPT comes out. I think 2023 and into 24 companies were were having to say that they were AI forward. And, you know, every CEO is talking about AI and telling the board and the market about it. And and what happened in reality was, I think a lot of people, you know, spun up some sandboxes in usually open AI related. They tested out some use cases, mostly around, as you say, you know, sales or customer success activities. Very few of those have entered production. And I think what's happened and continues to happen is that the the percentage of companies that are really trying to build out their own AI to solve these problems, particularly the common business problems, is just going away. It's diminishing to to be the really sophisticated orgs only. And what the vast majority of companies are doing is ending up adopting third party SaaS that has already thought about this. It's what they do as their bread and butter. So are you going to build a better CRM than Salesforce and and all the other players? Probably not. Right? Salesforce is busy spending all day long figuring that that scenario out. And I think that's true for most of the common business use cases right around stuff like customer success, technical support, the way you're going about your marketing, it's going to be more, you know, are you going to you're going to be using the latest tools, though, whether it's, let's say like gamma for writing presentations now or, you know, granola for your note taking and all these types of things. Right. And then some of those get built in ultimately to Microsoft and Google suites, like big announcements this week from Microsoft and Google. And so if you've got a bunch of employees, maybe you're on the Microsoft Suite. Sure. But your employees want to use notebook LM, right. They want to be there's that Project Mariner spinning up about how do you get agents in the browser through Google. But I think that that's really the direction that most enterprises end up in. And then there's a bunch that have failed projects around trying to build their own. There's a bunch that will have successful projects building their own. But I think that's for me, that's got a lot of the attention right now. And, you know, obviously this stuff like we talk about the, um, you've got the, um, the top ten, the OWASp top ten, and uh, which is smart. Like, I think it's a good set if you're building your own. But I don't see I don't see these types of, of issues as the ones that almost the majority of CSO that we talk to are struggling with. Right? It's it's more, hey, we need a business wants to use all these tools. We don't know what we're using today. Who knows what's going on in marketing right now? Because these people are adopting these tools. They're firing our corporate data in because they want to get productivity out. I think that's going to be step one for the vast majority of companies. And that's our immediate focus.

You're right. You're right. And that started first. It started immediately. It started in basically November of 22. Yeah. Because people were like just dragging and dropping like everything into their um okay. So what does that look like? What does that look like in terms of like bringing over sensitive documentation? Um, PRD documents, like all sorts of stuff that's like, should not be shared. What does the interface look like for harmonic security to be able to see it. And is it monitoring. Is it monitoring and blocking or some combination thereof.

You're right. You're right. And that started first. It started immediately. It started in basically November of 22. Yeah. Because people were like just dragging and dropping like everything into their um okay. So what does that look like? What does that look like in terms of like bringing over sensitive documentation? Um, PRD documents, like all sorts of stuff that's like, should not be shared. What does the interface look like for harmonic security to be able to see it. And is it monitoring. Is it monitoring and blocking or some combination thereof.

Yeah. No. Great. Great question. So yeah harmonic. What we are at the core is a browser extension that we can roll out in 30 minutes across all of the enterprise browsers. At that point, within the 30 minutes, we're starting to get visibility into all of the AI adoption of all of these third party tools and services across the company. And we can start to show show businesses, right. These are the ones that you know, that shadow AI challenge effectively. But the sanction versus unsanctioned as well. So you may know that you've approved certain coding assistance, but it turns out your engineering team is pumping your IP into a bunch of others. It may be that you've approved an enterprise version of Copilot, and yes, your employees are adopting that, but they're also creating spreadsheets in, you know, CSV, for example. They're putting data into that, which is a, you know, a free tool that is not absolutely not covered by your enterprise agreements. And, you know, the question marks around where the data is hosted, how is it being stored and secured? Um, you know, maybe it's gamma, which is an awesome product, but you probably if your employees are firing your data and generating presentations in it, you probably want to know that you've got the enterprise plan right and you want to standardize on these things. So so I think that's the those are the challenges that we solve very quickly. We give you that visibility part one. But the visibility is kind of the the easy bit. And we give you the risk as well. So which ones are training on your data. Which ones are hosted in geographies you don't want your customer data going into. But the the bigger bit though. So that's the kind of the governance, the visibility and often the step one. But then we come to the controls. Right. Because it's it's great. We can see some of this stuff, but what do we do about it. And that's really our differentiator. So so harmonica at the core I mentioned my last company, Digital Shadows, was looking at sensitive data that had already leaked out with harmonic. We're using knowledge of that to build small language models that understand sensitive data really well. Much like a human would. And that means that instead of just doing PII and PCI badly, which is effectively what the rest of the industry does today, one, we could do those things really well. But more importantly, we can also spot things like architectural diagrams or legal correspondence, or employee financial information, or corporate spreadsheets, insurance claims data, things like that you could never spot before because the the technology was just doing a regex or some sort of basic rule based. Totally. It doesn't work. We know it doesn't work, but but we do it because it's all we've had and the regulator asks us to. But now there's a better way because we can, you know, we've got these smart models that have incredibly high accuracy rates, takes the load off the security team. So this is where the zero touch data protection comes in, because we're accurate enough that we're not noisy and annoying for the employees. so we can jump in with the employee and resolve issues straight away at the end. The end point with the end user. And then this load doesn't fall on the security team. Now we have the data, the audit. They can go and see what who's been doing what and what. We've been able to stop getting out. And they configure it and manage it. But ultimately we're solving the data protection challenge without the load on the security team. So why would you go about, you know, rolling out classic DLP technology or trying to label all the data or, you know, worry about the the types of casb style solutions that are that are giving you some sort of insight into what's going on, but not fixing the problem. Right. We can fix the problem. We can do it in 30 minutes with this browser based rollout.

Yeah. No. Great. Great question. So yeah harmonic. What we are at the core is a browser extension that we can roll out in 30 minutes across all of the enterprise browsers. At that point, within the 30 minutes, we're starting to get visibility into all of the AI adoption of all of these third party tools and services across the company. And we can start to show show businesses, right. These are the ones that you know, that shadow AI challenge effectively. But the sanction versus unsanctioned as well. So you may know that you've approved certain coding assistance, but it turns out your engineering team is pumping your IP into a bunch of others. It may be that you've approved an enterprise version of Copilot, and yes, your employees are adopting that, but they're also creating spreadsheets in, you know, CSV, for example. They're putting data into that, which is a, you know, a free tool that is not absolutely not covered by your enterprise agreements. And, you know, the question marks around where the data is hosted, how is it being stored and secured? Um, you know, maybe it's gamma, which is an awesome product, but you probably if your employees are firing your data and generating presentations in it, you probably want to know that you've got the enterprise plan right and you want to standardize on these things. So so I think that's the those are the challenges that we solve very quickly. We give you that visibility part one. But the visibility is kind of the the easy bit. And we give you the risk as well. So which ones are training on your data. Which ones are hosted in geographies you don't want your customer data going into. But the the bigger bit though. So that's the kind of the governance, the visibility and often the step one. But then we come to the controls. Right. Because it's it's great. We can see some of this stuff, but what do we do about it. And that's really our differentiator. So so harmonica at the core I mentioned my last company, Digital Shadows, was looking at sensitive data that had already leaked out with harmonic. We're using knowledge of that to build small language models that understand sensitive data really well. Much like a human would. And that means that instead of just doing PII and PCI badly, which is effectively what the rest of the industry does today, one, we could do those things really well. But more importantly, we can also spot things like architectural diagrams or legal correspondence, or employee financial information, or corporate spreadsheets, insurance claims data, things like that you could never spot before because the the technology was just doing a regex or some sort of basic rule based. Totally. It doesn't work. We know it doesn't work, but but we do it because it's all we've had and the regulator asks us to. But now there's a better way because we can, you know, we've got these smart models that have incredibly high accuracy rates, takes the load off the security team. So this is where the zero touch data protection comes in, because we're accurate enough that we're not noisy and annoying for the employees. so we can jump in with the employee and resolve issues straight away at the end. The end point with the end user. And then this load doesn't fall on the security team. Now we have the data, the audit. They can go and see what who's been doing what and what. We've been able to stop getting out. And they configure it and manage it. But ultimately we're solving the data protection challenge without the load on the security team. So why would you go about, you know, rolling out classic DLP technology or trying to label all the data or, you know, worry about the the types of casb style solutions that are that are giving you some sort of insight into what's going on, but not fixing the problem. Right. We can fix the problem. We can do it in 30 minutes with this browser based rollout.

Interesting. And this data could actually be used to power a labeling project because you'd be seeing the real stuff.

Interesting. And this data could actually be used to power a labeling project because you'd be seeing the real stuff.

That's right. You actually get a real insight into what's going on. We released a report earlier this week that you can you can download and and so on to look at what what is leaking out. And because we've gone we've obviously got great visibility now into this, this type of data across our client base. And the the interesting thing is it's it's 8.5% of the prompt data that we see has some sort of sensitive information in and of that sensitive information, about half of it is customer data related. But there's a significant minority. It's I think it's about 15% that is things like legal and financial information. And then you have obviously IP and employee data and all kinds of things like that. But it's not really been possible to have that visibility before. We sort of kidded ourselves by putting some sort of DLP that was tuned to spot PII. We've got data protections covered and things like that, or the labeling, like the sort of myth of labeling all the data when when we know the reality is that most, most of that is inaccurate and you don't find all the data anyway. So, so this we've been able to show what's really happening and then put controls around it.

That's right. You actually get a real insight into what's going on. We released a report earlier this week that you can you can download and and so on to look at what what is leaking out. And because we've gone we've obviously got great visibility now into this, this type of data across our client base. And the the interesting thing is it's it's 8.5% of the prompt data that we see has some sort of sensitive information in and of that sensitive information, about half of it is customer data related. But there's a significant minority. It's I think it's about 15% that is things like legal and financial information. And then you have obviously IP and employee data and all kinds of things like that. But it's not really been possible to have that visibility before. We sort of kidded ourselves by putting some sort of DLP that was tuned to spot PII. We've got data protections covered and things like that, or the labeling, like the sort of myth of labeling all the data when when we know the reality is that most, most of that is inaccurate and you don't find all the data anyway. So, so this we've been able to show what's really happening and then put controls around it.

So do you have um, is there any way you can pull up the interface. Do you want to show any part of part of it, or do you want to just talk through it?

So do you have um, is there any way you can pull up the interface. Do you want to show any part of part of it, or do you want to just talk through it?

Yeah. I mean, we absolutely can. Actually, let me just check if I can log in. Totally. So. So I've just got an example here of, um, we're running Gemini. And so you've got an employee coming along. We're imagining in this instance we're an insurance company because we're working with a few of these. So these are things that that we've seen before. Um, I'm putting in some, some data here that in this instance is is something we don't the company doesn't want getting into something like Gemini. Right. It's actual customer claims data that's going in. We have seen this. I think it's probably pretty tempting if you work in claims right now to be getting something like a ChatGPT or Gemini to start automating aspects of your job. So we've got an employee saying, hey, you know, can you review the following claim, propose next steps to determine if it's legitimate or not. And they've punched.

Yeah. I mean, we absolutely can. Actually, let me just check if I can log in. Totally. So. So I've just got an example here of, um, we're running Gemini. And so you've got an employee coming along. We're imagining in this instance we're an insurance company because we're working with a few of these. So these are things that that we've seen before. Um, I'm putting in some, some data here that in this instance is is something we don't the company doesn't want getting into something like Gemini. Right. It's actual customer claims data that's going in. We have seen this. I think it's probably pretty tempting if you work in claims right now to be getting something like a ChatGPT or Gemini to start automating aspects of your job. So we've got an employee saying, hey, you know, can you review the following claim, propose next steps to determine if it's legitimate or not. And they've punched.

All this data in. This is worth calling out. You are on the actual Gemini site. You are actually connected directly to Google and they're just doing their normal thing with whatever endpoint. And as long as they're using the approved enterprise browser because you're an extension, you can see.

All this data in. This is worth calling out. You are on the actual Gemini site. You are actually connected directly to Google and they're just doing their normal thing with whatever endpoint. And as long as they're using the approved enterprise browser because you're an extension, you can see.

Exactly, exactly. And we can. We work with all the browser types we can install in, in, you know, very secure ways such that we appear everywhere and see, see everything that's going on, you know, no matter what browser is being used, even if the employees are installing their own. Um, so so that's that's the start point for us, is you've got an employee that's doing something like this. How would you spot this with existing technology? You probably wouldn't. You could argue you can match on the policy number. So I'll even take that out. Right. But from context, you and I can see that this is still customer insurance claims data. Right. Um, but historically, we'd never be able to stop this if I try to submit this and I'm running harmonic. We do know that this is sensitive data. So we've come up, we see we can see this is insurance claims data here. And the reason is that this has bounced off our language models. where we have a small language model that's been trained just to look at insurance claims data, understands it very well, doesn't matter to us if it's data from Chubb or Beazley or Hiscox or whoever, right. Because because the model understands generically what insurance claim data is, just like you do and I do. Right. We could recognize claims from all those companies because we know what one is. Right. So you don't need to do the old world of exact matching rejecting on on things goes away. And instead we can have these, you know, much more higher order approaches to stopping our sensitive data leaking out. So this this is completely.

Exactly, exactly. And we can. We work with all the browser types we can install in, in, you know, very secure ways such that we appear everywhere and see, see everything that's going on, you know, no matter what browser is being used, even if the employees are installing their own. Um, so so that's that's the start point for us, is you've got an employee that's doing something like this. How would you spot this with existing technology? You probably wouldn't. You could argue you can match on the policy number. So I'll even take that out. Right. But from context, you and I can see that this is still customer insurance claims data. Right. Um, but historically, we'd never be able to stop this if I try to submit this and I'm running harmonic. We do know that this is sensitive data. So we've come up, we see we can see this is insurance claims data here. And the reason is that this has bounced off our language models. where we have a small language model that's been trained just to look at insurance claims data, understands it very well, doesn't matter to us if it's data from Chubb or Beazley or Hiscox or whoever, right. Because because the model understands generically what insurance claim data is, just like you do and I do. Right. We could recognize claims from all those companies because we know what one is. Right. So you don't need to do the old world of exact matching rejecting on on things goes away. And instead we can have these, you know, much more higher order approaches to stopping our sensitive data leaking out. So this this is completely.

This this is the real experience here. This is not like a demo. Like you actually press enter and then this popped up.

This this is the real experience here. This is not like a demo. Like you actually press enter and then this popped up.

Yeah. And so right now this has not gone to Google. This data is is still with us in the browser. But I've given in our example here we have the option to ignore harmonics. I'm going to ignore. And now the data is gone. Right. We've let it go out of the door and it's it's sat with Google. Gemini is going to do its thing and start to start to give us a response here. But if I come to the harmonic portal now, and we'll walk through a little bit more of this in a minute, but we have logged and audited this. So you can see that, you know, just a minute ago this was me into Gemini, which we consider a high risk the public edition. And I ignored the intervention. And you can go and see the actual prompt data that was put in in this case. And there's a lot more we can we can dig into. But that that's like the if you want to like the flow is, is is that is the core flow. But as I mentioned, the kind of the starting point for most organizations, even before they get to that is really just trying to understand, you know, what is going on in the business today because most of them don't have that visibility. And so we start with that. And so you've got usage and adoption here where we can start to show, you know, the number of apps and the categories that they exist in.

Yeah. And so right now this has not gone to Google. This data is is still with us in the browser. But I've given in our example here we have the option to ignore harmonics. I'm going to ignore. And now the data is gone. Right. We've let it go out of the door and it's it's sat with Google. Gemini is going to do its thing and start to start to give us a response here. But if I come to the harmonic portal now, and we'll walk through a little bit more of this in a minute, but we have logged and audited this. So you can see that, you know, just a minute ago this was me into Gemini, which we consider a high risk the public edition. And I ignored the intervention. And you can go and see the actual prompt data that was put in in this case. And there's a lot more we can we can dig into. But that that's like the if you want to like the flow is, is is that is the core flow. But as I mentioned, the kind of the starting point for most organizations, even before they get to that is really just trying to understand, you know, what is going on in the business today because most of them don't have that visibility. And so we start with that. And so you've got usage and adoption here where we can start to show, you know, the number of apps and the categories that they exist in.

And the apps would be things like Gemini, ChatGPT anthropic or what? How do you differentiate an app?

And the apps would be things like Gemini, ChatGPT anthropic or what? How do you differentiate an app?

Yeah. So so we started out at harmonic just looking at JNI specific apps, right. Like ChatGPT and Gemini. I think very quickly that distinction goes away. Right. Because pretty much all SaaS is wrapping JNI features into itself at the moment.

Yeah. So so we started out at harmonic just looking at JNI specific apps, right. Like ChatGPT and Gemini. I think very quickly that distinction goes away. Right. Because pretty much all SaaS is wrapping JNI features into itself at the moment.

Yes.

Yes.

So we're essentially expanding and have expanded harmonic to look across the whole stack of your enterprise apps because and so all of these are AI enabled apps. On the right hand side that we see is is being active here. And then you've got newly discovered, we can start to show outliers, break it out by the category of application that we're seeing. So this is broader than just the core apps.

So we're essentially expanding and have expanded harmonic to look across the whole stack of your enterprise apps because and so all of these are AI enabled apps. On the right hand side that we see is is being active here. And then you've got newly discovered, we can start to show outliers, break it out by the category of application that we're seeing. So this is broader than just the core apps.

That makes more sense right. Like you said AI is just an instance. Yeah. It's like it's like saying, hey, um, are you a database company? Right. Um, and it's like, uh, what do you mean? We use a database? It doesn't mean doesn't mean we are a database company. So I just blends into everything it does. So at that point it's not it's it's protection from I if you're using an AI app specifically, but really it's all the same stuff. You're pasting something that shouldn't be going into a form.

That makes more sense right. Like you said AI is just an instance. Yeah. It's like it's like saying, hey, um, are you a database company? Right. Um, and it's like, uh, what do you mean? We use a database? It doesn't mean doesn't mean we are a database company. So I just blends into everything it does. So at that point it's not it's it's protection from I if you're using an AI app specifically, but really it's all the same stuff. You're pasting something that shouldn't be going into a form.

Yes. Exactly. Right. And so for us, ultimately, the difference between this data going into a Dropbox public folder or going into Gemini is like, what's the difference really? There is, there is I think there is a little bit of a difference because some of these there's something a little, little insidious about how some of them are collecting and training on the data that's going in. And there's obviously this explosion in AI apps that wasn't like no one was campaigning to get workday installed as an employee. But but they are campaigning to jump into tools that automate bits of their job. Right. So I think I think there is a distinction in kind of in one aspect, but but for the most part, it's all the same, right? It's data leaking out of the business and whether it's going into AI or elsewhere, then harmonics going to help. But our focus for use case one has been all about AI adoption. And and so it's sort of giving that visibility and then allowing you to put the right controls in place. And and just to show you one more kind of cool thing that, you know, we have this whole detection catalog, we're continuing to expand, but you can see the types of things we can spot, right. M&A data is obviously absolutely critical. How would you spot that leaking out historically really difficult. But we've got models that understand what that looks like. And so instead of it being a rules based approach, we have these human readable data definitions that explain to the model like what is what is that right? What is M&A data? Why is it important. So we can interact with the end user and coach them and nudge them appropriately.

Yes. Exactly. Right. And so for us, ultimately, the difference between this data going into a Dropbox public folder or going into Gemini is like, what's the difference really? There is, there is I think there is a little bit of a difference because some of these there's something a little, little insidious about how some of them are collecting and training on the data that's going in. And there's obviously this explosion in AI apps that wasn't like no one was campaigning to get workday installed as an employee. But but they are campaigning to jump into tools that automate bits of their job. Right. So I think I think there is a distinction in kind of in one aspect, but but for the most part, it's all the same, right? It's data leaking out of the business and whether it's going into AI or elsewhere, then harmonics going to help. But our focus for use case one has been all about AI adoption. And and so it's sort of giving that visibility and then allowing you to put the right controls in place. And and just to show you one more kind of cool thing that, you know, we have this whole detection catalog, we're continuing to expand, but you can see the types of things we can spot, right. M&A data is obviously absolutely critical. How would you spot that leaking out historically really difficult. But we've got models that understand what that looks like. And so instead of it being a rules based approach, we have these human readable data definitions that explain to the model like what is what is that right? What is M&A data? Why is it important. So we can interact with the end user and coach them and nudge them appropriately.

That makes sense. Prompts rule the world. I mean ultimately those are prompts. And prompts are the intelligence.

That makes sense. Prompts rule the world. I mean ultimately those are prompts. And prompts are the intelligence.

That's right. And then but then to back it up, you need a model that's got the right set of training data and is fast enough to sit in line. Right. And that's kind of the core of our tech is is having built that, that data set, train these specific models and made them really fast. Um, so yeah, that's um, that's what harmonics doing essentially. So, so the goal with, with this of course, is you can, you can much more safely adopt generative AI. You've got some nice reporting that you can show your AI committee about who's doing what with the data, the fact that we're able to protect and intervene and coach the, the employees. Um, but but then, of course, the beauty is that we don't need to load up the security team with a bunch more work here because we're handling this automatically with the end users.

That's right. And then but then to back it up, you need a model that's got the right set of training data and is fast enough to sit in line. Right. And that's kind of the core of our tech is is having built that, that data set, train these specific models and made them really fast. Um, so yeah, that's um, that's what harmonics doing essentially. So, so the goal with, with this of course, is you can, you can much more safely adopt generative AI. You've got some nice reporting that you can show your AI committee about who's doing what with the data, the fact that we're able to protect and intervene and coach the, the employees. Um, but but then, of course, the beauty is that we don't need to load up the security team with a bunch more work here because we're handling this automatically with the end users.

Yeah, it's being outsourced to the user directly.

Yeah, it's being outsourced to the user directly.

Yeah, but at low enough volume and friction that they don't they don't feel it, which is. Yeah. You know, we only get in the way when they're going to expose the company to real risk. It's not just pinging on a, on a regex match. That's innocuous because they're doing something. That's fine. Right.

Yeah, but at low enough volume and friction that they don't they don't feel it, which is. Yeah. You know, we only get in the way when they're going to expose the company to real risk. It's not just pinging on a, on a regex match. That's innocuous because they're doing something. That's fine. Right.

This is really wonderful. I wonder, um, you're probably already thinking of this, but in the insights tab, do you have anything around known providers that they've just clearly said that they train on the data? So it's like an even higher risk.

This is really wonderful. I wonder, um, you're probably already thinking of this, but in the insights tab, do you have anything around known providers that they've just clearly said that they train on the data? So it's like an even higher risk.

Absolutely. Yeah. I mean, and we can do the breakdown here between the public editions, the free editions and the ones you have an enterprise license for. So just because you have an enterprise license from ChatGPT doesn't mean that people are using that versus their home edition. Right. And they're logging in with their personal account. So we have a, you know, we consider the free edition higher risk precisely because of the training declaration that it that it has. And we can we can start.

Absolutely. Yeah. I mean, and we can do the breakdown here between the public editions, the free editions and the ones you have an enterprise license for. So just because you have an enterprise license from ChatGPT doesn't mean that people are using that versus their home edition. Right. And they're logging in with their personal account. So we have a, you know, we consider the free edition higher risk precisely because of the training declaration that it that it has. And we can we can start.

There you go. Training declaration. Hi.

There you go. Training declaration. Hi.

Yeah. So if we want to drill into that, uh, you know, here's where we've picked it up from. Um, and yeah, so, so OpenAI state that, uh, they may use your data to train and improve their models in that free edition. So, yeah, that's the visibility that we're giving the enterprise. And then you can put appropriate controls around it.

Yeah. So if we want to drill into that, uh, you know, here's where we've picked it up from. Um, and yeah, so, so OpenAI state that, uh, they may use your data to train and improve their models in that free edition. So, yeah, that's the visibility that we're giving the enterprise. And then you can put appropriate controls around it.

Yeah. That's wonderful. And then you define a policy somewhere I imagine. Um, and that's what gets implemented.

Yeah. That's wonderful. And then you define a policy somewhere I imagine. Um, and that's what gets implemented.

Yeah, exactly. There's a ton of, um, a ton of things that you can do to configure this, but we have a have a whole config designer we've taken instead of just having these these horrendously complex screens with 1000 controls, we've taken a more visual approach to building the config out and inspired by some of the great work that companies like Tynes and others have done recently, to make things much more user friendly in how you set this stuff up. And so there's there's a range of ways you can set up and configure it. And beyond that, you can also do a massive amount of customization around the intervention itself. So maybe you want your own logo and color scheme. You want to put your own security policy here. You've got an AI policy. You can link to it in in here and apply, you know, different controls to redirect employees to secure secure options and things like that. So depending on how you want to set it up, some some companies are much more draconian than others, of course, because they, you know, they're dealing with very sensitive data or they're highly regulated. Others are a little more, hey, we want to want to just trust the employees, but we are auditing and logging this stuff, so if they're really starting to push our data places, it shouldn't go. We can we can see that.

Yeah, exactly. There's a ton of, um, a ton of things that you can do to configure this, but we have a have a whole config designer we've taken instead of just having these these horrendously complex screens with 1000 controls, we've taken a more visual approach to building the config out and inspired by some of the great work that companies like Tynes and others have done recently, to make things much more user friendly in how you set this stuff up. And so there's there's a range of ways you can set up and configure it. And beyond that, you can also do a massive amount of customization around the intervention itself. So maybe you want your own logo and color scheme. You want to put your own security policy here. You've got an AI policy. You can link to it in in here and apply, you know, different controls to redirect employees to secure secure options and things like that. So depending on how you want to set it up, some some companies are much more draconian than others, of course, because they, you know, they're dealing with very sensitive data or they're highly regulated. Others are a little more, hey, we want to want to just trust the employees, but we are auditing and logging this stuff, so if they're really starting to push our data places, it shouldn't go. We can we can see that.

Sure. And it allows for both of those situations. It's more strict or more open.

Sure. And it allows for both of those situations. It's more strict or more open.

Yeah that's right. Yeah.

Yeah that's right. Yeah.

Yeah. This is really great. Um, what what are you working on next that you can talk about? Like, what are you excited about? Uh, new threats or new situations you're trying to address?

Yeah. This is really great. Um, what what are you working on next that you can talk about? Like, what are you excited about? Uh, new threats or new situations you're trying to address?

Yeah, we're continuing to build out our coverage to, you know, cover. You know, as I mentioned, beyond the kind of core gen AI sites and gen AI enabled SAS, we're going to build harmonic out over time to cover essentially everything going through the browser. Uh, so it's, you know, you can see the movement of the enterprise towards browser based access to most of their services and applications, and we want to be the essentially the data protection layer for everything that goes through there. Uh, so that's that's kind of directionally where we're headed and we're busy building out a out a bunch of integrations as well at the moment. We. Next week we're rolling out Okta Integrations. We have entra ID as standard at the moment, so we're continuing to add to things like that and building out more insights is kind of next so that you can start to see, well, what are the types of prompts that are getting used by different teams in the company? You know what, what are our use cases as a business here and and where are the risks within that. But but the goal is that this is really more of an enablement tool for, for gen AI than, than just a data protection tool, because companies obviously want to be adopting this technology and we can let them do it safely instead of just blocking everything where a lot of them sit today.

Yeah, we're continuing to build out our coverage to, you know, cover. You know, as I mentioned, beyond the kind of core gen AI sites and gen AI enabled SAS, we're going to build harmonic out over time to cover essentially everything going through the browser. Uh, so it's, you know, you can see the movement of the enterprise towards browser based access to most of their services and applications, and we want to be the essentially the data protection layer for everything that goes through there. Uh, so that's that's kind of directionally where we're headed and we're busy building out a out a bunch of integrations as well at the moment. We. Next week we're rolling out Okta Integrations. We have entra ID as standard at the moment, so we're continuing to add to things like that and building out more insights is kind of next so that you can start to see, well, what are the types of prompts that are getting used by different teams in the company? You know what, what are our use cases as a business here and and where are the risks within that. But but the goal is that this is really more of an enablement tool for, for gen AI than, than just a data protection tool, because companies obviously want to be adopting this technology and we can let them do it safely instead of just blocking everything where a lot of them sit today.

Yeah. Interesting. You mentioned about the use cases like that could be a really cool, like you said, a business insight. It's like everyone's trying to get help with these architecture diagrams or whatever. It's like, okay, well let's go solve that.

Yeah. Interesting. You mentioned about the use cases like that could be a really cool, like you said, a business insight. It's like everyone's trying to get help with these architecture diagrams or whatever. It's like, okay, well let's go solve that.

Exactly.

Exactly.

That's pressure that needs to be relieved.

That's pressure that needs to be relieved.

What we found in a couple of instances is the, you know, the CSO is part of the AI committee, and they get given kind of the the tools, responsibility to implement some controls around this, and we give them the ability to come back to the business and say, hey, did you know, here's the set of things that we're using today. What do we think about this? It's a good starting point for the conversation of which, you know, we've got obviously teams that want to use these types of tools in these use cases. Are we going to standardize on some of them. Are we going to block like what's our policy. Right. And and I think it's, it's I think where the security teams often go wrong historically has been, you know, we get seen as the Department of No. And it's it's kind of a blocker. And I think this is an opportunity to say, well, hey, look we understand you need to do A, B and C because we can see it. Here's a secure way to do that. Right. And you go and talk to your colleagues, talk to the departments and enable them to be successful. And I think those conversations go pretty well.

What we found in a couple of instances is the, you know, the CSO is part of the AI committee, and they get given kind of the the tools, responsibility to implement some controls around this, and we give them the ability to come back to the business and say, hey, did you know, here's the set of things that we're using today. What do we think about this? It's a good starting point for the conversation of which, you know, we've got obviously teams that want to use these types of tools in these use cases. Are we going to standardize on some of them. Are we going to block like what's our policy. Right. And and I think it's, it's I think where the security teams often go wrong historically has been, you know, we get seen as the Department of No. And it's it's kind of a blocker. And I think this is an opportunity to say, well, hey, look we understand you need to do A, B and C because we can see it. Here's a secure way to do that. Right. And you go and talk to your colleagues, talk to the departments and enable them to be successful. And I think those conversations go pretty well.

Yeah. Well absolutely love it. It's the best implementation I've seen. I feel like you're really, really in touch with the problem. And, um. Yeah, I think your history with the previous company, uh, gives you a lot of, uh, advantage there.

Yeah. Well absolutely love it. It's the best implementation I've seen. I feel like you're really, really in touch with the problem. And, um. Yeah, I think your history with the previous company, uh, gives you a lot of, uh, advantage there.

Yeah, yeah. No, it's. I learned a lot of lessons on that journey. And this time around, being based in the Bay area always helps when you get. You get started as well. It's just such a great place.

Yeah, yeah. No, it's. I learned a lot of lessons on that journey. And this time around, being based in the Bay area always helps when you get. You get started as well. It's just such a great place.

Ground zero. When? When everything is blowing up. Right?

Ground zero. When? When everything is blowing up. Right?

Yeah. Yeah. Yeah. It does feel like a kind of a new industrial revolution. And this is the heart of it. So great to be here for it.

Yeah. Yeah. Yeah. It does feel like a kind of a new industrial revolution. And this is the heart of it. So great to be here for it.

Well, awesome. Well, how can people find more about the company?

Well, awesome. Well, how can people find more about the company?

Yeah. I mean, harmonic security is is the starting point on the web.

Yeah. I mean, harmonic security is is the starting point on the web.

Great domain.

Great domain.

Domain? Yeah. It's, uh, pretty pretty good for that. Um, but, yeah, I would say we we love jumping into demos straight away. Uh, we can roll out, as I said, in 30 minutes. So a pack is really easy for us to spin up, and we start to give you those insights in the pack, which then helps to inform what happens next. So if you've got companies that are starting to think about that as their step one inventorying what's happening with Gen I in the business and thoughts about UI act and things like that coming down the line. Right. We're a great first step for that. But then we also have the controls that come next. So if anyone's interested in that, we'd love to speak to them. Happy. Happy to jump on a call personally with anyone that's excited about what we're doing.

Domain? Yeah. It's, uh, pretty pretty good for that. Um, but, yeah, I would say we we love jumping into demos straight away. Uh, we can roll out, as I said, in 30 minutes. So a pack is really easy for us to spin up, and we start to give you those insights in the pack, which then helps to inform what happens next. So if you've got companies that are starting to think about that as their step one inventorying what's happening with Gen I in the business and thoughts about UI act and things like that coming down the line. Right. We're a great first step for that. But then we also have the controls that come next. So if anyone's interested in that, we'd love to speak to them. Happy. Happy to jump on a call personally with anyone that's excited about what we're doing.

Very cool. Well, thanks for the conversation. I really enjoyed it. And, um, yeah, I'm sure you're going to get some interest from this.

Very cool. Well, thanks for the conversation. I really enjoyed it. And, um, yeah, I'm sure you're going to get some interest from this.

Yeah. Thanks, Daniel. Been a been a pleasure, as always.

Yeah. Thanks, Daniel. Been a been a pleasure, as always.

All right. Take care. Thank you. Unsupervised learning is produced on Hindenburg Pro using an SM seven B microphone. A video version of the podcast is available on the Unsupervised Learning YouTube channel, and the text version with full links and notes is available at Daniel Miessler newsletter. We'll see you next time.

All right. Take care. Thank you. Unsupervised learning is produced on Hindenburg Pro using an SM seven B microphone. A video version of the podcast is available on the Unsupervised Learning YouTube channel, and the text version with full links and notes is available at Daniel Miessler newsletter. We'll see you next time.