InTechnology Podcast

#106 – Intel® Threat Detection Technology and Cybersecurity

In this episode of Cyber Security Inside, Camille and Tom learn about Intel Threat Detection Technology with Mike Nordquist, VP and GM of Commercial Client Planning and Architecture. The conversation covers:

  • How software and hardware both need to be a part of threat detection technology.
  • How to plan for a future of changing trends, threats, and attacks.
  • The flexibility of threat detection technologies and how it takes the load off of IT professionals.
  • How AI and the IoT play a role in threat detection technologies.

And more. Don’t miss it!

 

To find more episodes of Cyber Security Inside, visit our homepage at https://intechnology.intel.com. To read more about cybersecurity topics, visit our blog at https://intechnology.intel.com/blog/

 

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

 

Here are some key takeaways:

  • Software and hardware are coming together on threat detection. Mike describes how product planning works at Intel: it starts with the pain points CIOs and CISOs describe, then asks what hardware hooks and partner integrations (Microsoft and Google on the OS side, OEMs such as Dell, HP and Lenovo) could address them.
  • Much of this work has to be planned years in advance, because building specific hardware hooks into a platform can take four or five years. Research into customer problems has to start early to feed that cycle.
  • Some security trends are predictable and evolutionary (staying ahead on the level of encryption needed, for example), while new attack variants are often a surprise. Claiming that a design three or four years out will address everything is naive, so the goal is flexibility: behavioural detection rather than signatures alone, and programmability left in whatever is designed.
  • Software-only protection has not given customers the results they wanted. Memory scanning is the concrete case: AV vendors could do it, but the CPU cost slowed machines and generated user complaints, so many of them turned it off.
  • Intel Threat Detection Technology (TDT) offloads that memory scanning to the integrated GPU, which is lightly used on most business machines, so scanning can be ratcheted up without a noticeable hit to the user experience.
  • Memory scanning was the first capability a couple of years ago. Since then further detectors have been built on the same foundation, using telemetry from below the OS, such as performance monitoring unit (PMU) signals, with machine learning. The aim is a higher detection rate and fewer false positives for the AV product, without a performance impact.
  • The detection workload can run on the CPU, on the GPU, or, on future platforms, on an AI accelerator (VPU/NPU). Intel intends to hide that choice from the software: vendors write to one layer and Intel arbitrates which engine runs it best.
  • Machine learning trains the detectors. Samples from national and world malware databases are used to train on signatures and behaviours, including traces of older malware reused in new samples; the trained models are deployed through the AV vendors, run in real time on the endpoint, and can be updated over time.
  • Detectors so far: memory scanning, basic PMU-based behavioural signals, a cryptojacking detector, ransomware detection, and anomalous-behaviour detection still to come. Mike sees the field moving from ML models the vendor updates toward more automated AI that adapts at the endpoint.
  • The value is early warning. Mike cites a statistic that, once an attack hits, it takes on average about an hour and a half to move to a second machine, so detecting as close to minute zero as possible gives the defender time to quarantine a system before the attack spreads or encrypts the drive.
  • TDT does not take action itself. It surfaces signals to the AV, EDR or XDR product, which decides what to do under its own policies. This is deliberate: CISOs and IT decision makers said they do not want another tool; they want the tools they already have to work better.
  • Integration is no-touch for IT: on a 12th gen system with an up-to-date AV product that supports TDT (CrowdStrike and Defender are mentioned), the capability is recognised and used automatically.
  • The hardware capability exists wherever there is a CPU core or a GPU, so extending beyond client to IoT (typically Linux, with different security vendors) and then to servers is plausible. Servers differ in that they usually run one workload and are not exposed to end users clicking links in email.
  • TDT's flexibility is the point: it is not tuned for one particular threat, and new detectors can be added and updated without users having to do anything.
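The behavioural approach in the takeaways above, surfacing sub-OS telemetry and flagging intervals that deviate from a learned baseline, as an added illustration. This is not Intel TDT code and does not reproduce any of the detectors mentioned in the episode: the counter fields, the derived features, the z-score threshold and the "sustained deviation" rule are assumptions chosen for the example, and every counter sample is constructed. What it shows is the two things a practitioner cares about in such a detector: normalising raw counts to rates so that a busier interval is not by itself an anomaly, and requiring several consecutive deviant intervals before alerting so that a one-off spike does not become a false positive.

```python
"""Baseline-and-deviation detector over per-interval hardware counter samples.

Added illustration, not Intel TDT code. Counter fields, features, thresholds
and the sustained-deviation rule are assumptions; all samples are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CounterSample:
    """One sampling interval of PMU-style counters (assumed field set)."""
    cycles: int
    instructions: int
    cache_misses: int
    branch_misses: int


def features(s: CounterSample) -> Dict[str, float]:
    """Turn raw counts into rates: load changes alone then look normal,
    and only a change in the workload's shape moves these values."""
    kilo_instr = s.instructions / 1000.0
    return {
        "ipc": s.instructions / s.cycles,       # instructions per cycle
        "mpki": s.cache_misses / kilo_instr,    # cache misses per 1000 instructions
        "bmpki": s.branch_misses / kilo_instr,  # branch misses per 1000 instructions
    }


class BaselineDetector:
    """Learns per-feature mean/std from known-good intervals and scores new
    intervals by z-score. An alert fires only after min_consecutive deviant
    intervals in a row, which suppresses one-off noise."""

    def __init__(self, z_threshold: float = 4.0, min_consecutive: int = 3) -> None:
        self.z_threshold = z_threshold
        self.min_consecutive = min_consecutive
        self.mean: Dict[str, float] = {}
        self.std: Dict[str, float] = {}
        self._streak = 0

    def fit(self, normal: Iterable[CounterSample]) -> None:
        rows = [features(s) for s in normal]
        if len(rows) < 2:
            raise ValueError("need at least two baseline samples")
        for name in rows[0]:
            vals = [r[name] for r in rows]
            mean = sum(vals) / len(vals)
            var = sum((v - mean) ** 2 for v in vals) / (len(vals) - 1)
            self.mean[name] = mean
            self.std[name] = max(math.sqrt(var), 1e-9)  # floor avoids divide-by-zero

    def zscores(self, s: CounterSample) -> Dict[str, float]:
        f = features(s)
        return {k: (f[k] - self.mean[k]) / self.std[k] for k in f}

    def observe(self, s: CounterSample) -> Tuple[bool, Dict[str, float]]:
        """Feed one interval; returns (alert fired, per-feature z-scores)."""
        z = self.zscores(s)
        deviant = any(abs(v) > self.z_threshold for v in z.values())
        self._streak = self._streak + 1 if deviant else 0
        return self._streak >= self.min_consecutive, z


def normal_sample(i: int) -> CounterSample:
    """Constructed 'office workload' interval with small deterministic jitter."""
    cycles = 1_000_000 + (i % 5) * 20_000
    instructions = cycles * (120 + 2 * (i % 3)) // 100  # IPC 1.20 / 1.22 / 1.24
    return CounterSample(
        cycles=cycles,
        instructions=instructions,
        cache_misses=instructions // 200 + i % 7,    # about 5 per 1000 instructions
        branch_misses=instructions // 100 + i % 11,  # about 10 per 1000 instructions
    )


# Constructed interval whose cache-miss rate is ten times the baseline.
HEAVY_MISS_INTERVAL = CounterSample(1_000_000, 1_200_000, 60_000, 12_000)


def run_demo() -> List[int]:
    """Train on 30 normal intervals, then stream 6 normal, 1 one-off spike,
    4 normal and 4 sustained heavy-miss intervals. Returns indices that alerted."""
    det = BaselineDetector()
    det.fit(normal_sample(i) for i in range(30))
    stream = [normal_sample(i) for i in range(30, 36)]
    stream.append(HEAVY_MISS_INTERVAL)                # index 6: single spike, no alert
    stream += [normal_sample(i) for i in range(36, 40)]
    stream += [HEAVY_MISS_INTERVAL] * 4               # indices 11-14: sustained
    alerts: List[int] = []
    for idx, sample in enumerate(stream):
        fired, _ = det.observe(sample)
        if fired:
            alerts.append(idx)
    return alerts


if __name__ == "__main__":
    print("alerting intervals:", run_demo())
```

Running it alerts on intervals 13 and 14 only: the single spike at index 6 is swallowed by the consecutive-interval rule, and the sustained deviation is reported from its third interval. In a real deployment the z-score model would be replaced by a trained classifier and the alert would be handed to the AV or EDR product, as the episode describes, rather than acted on here.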

 

Some interesting quotes from today’s episode:

“It really starts with the end customers, and talking to CIOs, talking to CISOs in this space about what their pain points are. What are their challenges? What are the things they’re trying to overcome in this space? And then trying to figure out, hey, does Intel have something they can do to help that? Can we make security better? Can we make manageability better in this space?” – Mike Nordquist

“Just trying to solve a problem, especially if you’re three or four years out, saying that you’re going to address everything is probably a little bit naive, right? So you have to look at it and say, how do I offer flexibility in this space?” – Mike Nordquist

“When you talk to any of these vendors now, it’s really just about, how do I use cloud? How do I use data, right? That’s how I protect. I’m looking at behavioral types of things in this space. And it turned out, there’s a lot of different telemetry that’s below the OS that might not normally be surfaced in that area that we can actually look at.” – Mike Nordquist

“When we started it out, we were just doing that memory scanning kind of capability. Then we did some PMU basic stuff. It was just helping a little bit on behavioral. Then we moved into cryptojacking and we did a detector specifically for cryptojacking. And recently we went and we did some ransomware capability. And then we have anomaly behavior detection that’s coming as well. And so we’re building more detectors to look at specific areas, and it just depends on how we want to train those different detectors.” – Mike Nordquist

“It’s just using the power of machine learning and AI to actually just see some weird behavior, or things that might be happening to your system that shouldn’t be happening, right? We want to raise a flag and say, hey, that’s a huge problem. Let’s go do something about that.” – Mike Nordquist

“There’s some stats out there that we just showed that said, hey, once an attack actually hits, on average it takes like an hour and a half to move to the second machine. So take a day, you take two days, this could get into your system and infect a bunch of systems around you really quick. So you’re always looking for that edge that says, if this system has been attacked, how does it notify me as soon as possible so I can take some action on it?” – Mike Nordquist

“I think servers are a little bit different in many cases, because a lot of them are set up to run one workload in that space. They don’t have as much of a wide open Windows ecosystem, with maybe hundreds of programs that are actually running on that system. And then the favorite way for these folks to get attacked, is they don’t have emails with links in them that end users are clicking, right? That’s a lot of cases, how some of that bad malware actually gets let into the system.” – Mike Nordquist


[00:00:35] Tom Garrison: Hi, and welcome to the Cyber Security Inside podcast. I’m your host, Tom Garrison. And with me as always, as my co-host, Camille Morhardt. How are you doing Camille?

[00:00:45] Camille Morhardt: I’m always better as it gets sunnier out. So, I’m doing even better than usual.

[00:00:50] Tom Garrison: We have a really interesting conversation to talk about, threat detection and what does that mean? And how is a sort of transition on the hardware side of capabilities within platforms, now come together with the software and the software industry, and what’s possible there? And we have a really good guest who’s got a unique perspective, given his role running planning.

[00:01:17] Camille Morhardt: Yeah, I think it’s really interesting how software and hardware are coming together. It seems that that is the future and it will never go back apart anymore. Once you start to integrate things like that and take advantage of the various capabilities, it’s so much more optimized, that it’s really a transformational thing.

But something that I find really interesting about the conversation might not be something that you look at or notice quite as much, because I know you’ve done that role before. But to me, it’s very interesting just to even hear from somebody, how you go about product planning. I mean, you’re talking to customers, but that really can’t be all, right? I mean, sometimes you never know where the future’s going to turn, and even the very people who are using the technology the most might not know either. So, I thought it was really interesting to find out how you accommodate sort of future trends and changes, and risks and unexpected entrants, and all sorts of things like that.

[00:02:19] Tom Garrison: Yeah. There’s a lot of really, really interesting aspects to this podcast. So what do you say we get right to it?

[00:02:25] Camille Morhardt: Let’s go.

[00:02:31] Tom Garrison: Our guest today is Mike Nordquist. Mike is the VP and GM of Commercial Client Planning and Architecture. He has overall product planning and architecture responsibility for Intel’s Business Client platforms, including Intel vPro brand, across both desktop and mobile platforms. So welcome to the podcast, Mike.

[00:02:54] Mike Nordquist: Thanks, Tom. Awesome to be here.

[00:02:55] Tom Garrison:  I mentioned obviously in the introduction that you do product planning and architecture. What does that mean? What kind of things do you do, in order to know what to build into the latest products?

[00:03:07] Mike Nordquist: Yeah, well, it really starts with the end customers, and talking to CIOs, talking to CISOs in this space about what their pain points are. What are their challenges? What are the things they’re trying to overcome in this space? And then trying to figure out, “Hey, does Intel have something they can do to help that, right? Can we make security better? Can we make manageability better in this space? What types of tweaks can we make into our products?”

And we have to really get going on that early because in a lot of cases, it could take us four or five years to build some specific hardware hooks into our platforms. And so, we got to think about that early on. We’ve got to do a lot of research in that space to try to figure out what those are. And then we take that information. We also work with a lot of partners, right? So we’re trying to figure out whether it’s Microsoft or Google on the OSV side of the house. Or, some OEMs like Dell or HP and Lenovo, hey, how do we work together with them to try to actually solve those problems that customers have?

[00:04:01] Camille Morhardt: How often do you feel like trends in security emerge along a path that’s somewhat predictable, and it’s evolutionary. And you figure, “okay, the next thing that everybody’s going to need is obviously going to be C, because we saw a B before that, and we started with A.” Or, how often is it that you and maybe the customer too, I don’t know, are completely surprised? Like there’s some use case that people end up applying that no one thought of, and all of a sudden, the whole industry kind of has to revamp the underlying security architecture.

[00:04:37] Mike Nordquist: Yeah. I mean, I think there’s just a mix of that. There’s some things that you plan out, how am I improving encryption over time in this space? How do I stay ahead of what level of encryption that I need? But then there’s things that will just get thrown out there that you don’t anticipate, you don’t see coming. And I think, a lot of how you see people attack, you see kind of new variants kind of coming in. And so, just trying to solve a problem, especially if you’re three or four years out, saying you’re going to address everything, is probably a little bit naive, right? So you have to look at it and say, “How do I offer flexibility in this space? How do I do things like looking at behavior, versus just looking at a signature of something?” And leave some kind of programmability or adaptability in, in whatever you’re designing.

[00:05:20] Tom Garrison: Yeah. Well, one of the things that I know, what we talked about while we were preparing for today’s podcast, was sort of evolution of how the technologies evolve both on the hardware side, how do you make encryption faster or better? And then also on the software side within the security world, and how those two sort of come together. And I think one of those areas, obviously, that we wanted to talk about today is threat detection. And I wonder if you could just spend a minute and sort of talk about those two trends, and then how do they come together with threat detection?

[00:05:55] Mike Nordquist: There’s a lot of work that we do just down at the hardware level of securing boot and doing things with the OS that’s great. But there’s a whole other security ecosystem that when you go talk to a CSO or an IT decision maker, a lot of times they’ll say, “What’s your security strategy?” And they’ll immediately jump to a software vendor, right? An AV provider, whether it be CrowdStrike, whether it be Defender, that’s kind of been their strategy. And they start with a software only solution. But as we’ve kind of looked at some of the challenges, just doing software alone was not having the success that they probably wanted. So it was, “Hey, what could you do next from a hardware perspective?”

And we started with just a basic thing that was around memory scanning. And memory scanning was something that a lot of the AV providers had capability to do, but they didn’t do it because it had a performance impact. They would turn on memory scanning to try to look at some of the memory and see if anything was going on there. And then they’d get complaints from their end users that say, “Man, my computer, for whatever reason, it’s really lagging. It kind of feels slowed. It’s something happened.” So it was generating calls. And so as a result, a lot of those AV vendors just turned it off.

We looked at that and said, “You know what? That would be a great capability that instead of just running on the CPU, we could actually go and move it into our GPU that’s sitting there, right? And it’s maybe not as heavily utilized, especially in the business workspace. Let’s go ahead and run the memory scanning over there. And that will have a very minimal impact on a highly parallelized XPU, like a graphics engine. And we can actually go ratchet that up.” So they get better security without impacting that user experience. And that was kind of our first foray that we did a couple years ago. And for us, it really opened the door to, what else could we do?

And, when you talk to any of these vendors now, it’s really just about, “How do I use cloud, how do I use data, right? That’s how I protect. I’m looking at behavioral types of things in this space.” And it turned out, there’s a lot of different telemetry that’s below the OS that might not normally be surfaced in that area, that we can actually look at, start to see, are weird things happening? Or, there’s some behavioral things that are happening.

And, we have these PMUs that were built into our processors in this space, that have some signals coming out of them. And, we could start training those things with machine learning to say, “Hey, there’s some weird behavior in this area.” And we could actually provide that up to those AV vendors and say, “Hey, there might be something different going on here.” Right. We can help your detection rate, is there something there, is there efficacy in improving their products, as well as reducing any false positives that you might see? Right. And we could do all that without having an impact on performance. And so, that’s kind of the journey that we started off with that memory scanning, and we’ve actually been building more and more detectors and capabilities on top of that foundation over the last couple years.

[00:08:46] Tom Garrison: And you’ve used a few acronyms that I just want to make sure the audience can understand. So, you’ve said PMU?

[00:08:53] Mike Nordquist: It’s performance monitoring unit.

[00:08:56] Tom Garrison: That’s just basically a way for the CPU to be able to track its performance?

[00:09:01] Mike Nordquist: Yep, exactly.

[00:09:03] Tom Garrison: You also used XPU and GPU. Can you tell us what those are?

[00:09:09] Mike Nordquist: Yeah. So GPU is just graphics processing unit, right? So it’s just your graphics engine you have integrated into most modern chips that you see today. XPU is just, X is just supposed to be generic. It’s just saying, “We can bring in other accelerators.” And so as we look to our future roadmap, and if you go to some of our architecture days and things like that, you’ll hear us talk about VPUs or NPUs in this space, which are just those artificial intelligence engines that were designed more for AI in that space.

And so as we kind of look forward into, “Hey, Intel, that’s great.” Of course, you always ran stuff in your CPU. Okay. What you just told me now is with TDT, you can now run it on your GPU. So you have a choice depending on what’s going to run better. And you’ll hear us talk about XPU that says, “Hey, if I bring in an AI accelerator, that’s actually on that platform processing unit, that’s specific for AI, I can run on that as well.” And what we want to do is we want to kind of hide that, even from the software, right. We just want to go ahead and be the arbitrator. And they’re saying, “Where’s it going to run best? Where am I going to get the most performance with the least user experience possible, and actually run that?” And then they don’t have to do anything special. They just write to one layer and they can take advantage of it. And we’ll work behind the scenes to decide, what’s the optimal engine to run this particular thing.

[00:10:28] Camille Morhardt: Mike, is there a specific kind of threat that TDT, threat detection technology is looking for? Or, is it just looking for anomalies for somebody else to investigate, if that could be a problem or a vulnerability?

[00:10:40] Mike Nordquist: Yeah, the cool thing about it is it’s really programmable in the space. And so when we started it out, we were just doing that memory scanning kind of capability. Then we did some PMU basic stuff. It was just helping a little bit on behavioral. Then we moved into cryptojacking and we did a detector specifically for cryptojacking. And recently we went and we did some of the ransomware capability. And then we have anomaly behavior detection that’s coming as well.

And so we’re building more detectors to look at specific areas, and it just depends on how we want to train those different detectors that we have in this space. And we’re building in more capability to support more detectors. So you can start mixing those things together, as we move forward under newer platforms.

[00:11:23] Tom Garrison: How does AI play into this, or machine learning play into our ability to come up with these detectors?

[00:11:31] Mike Nordquist: There’s a couple different databases that you can actually use to look at a lot of the different malware that’s out there in the marketplace right now. And so there’s national and world malware databases that you can get samples to. And then we can actually take that information in, and we can actually train our detectors to look for those different signatures, to look at the different behaviors.

And in a lot of cases, they’ll take malware and cut chunks of it out of that, and then they’ll write some new malware, but there’ll still be some traces of it in there. And so, what we do is we actually train it for those various things, and they’re actually able to deploy it through those AV vendors that are all in the marketplace, and actually have, use machine learning with TDT on those systems to be running real time at that endpoint, and actually detect these things as they come through.

And then we can actually update them over time as well. So it’s not a static thing, that you set it once and forget it. You can actually update the machine learning in that space on those end units. And then as we go over time, we actually move into more AI, which actually gets really automated in that space. It’s not just machine learning. It is, how do we get the thing to think for itself, and advance on itself at that endpoint? And that’s where we really think the future of this is going.

[00:12:47] Camille Morhardt: I’d like to hear more about that. I think what you just said is that threat detection technology is maybe even a relatively early implementation, you can correct me if I’m wrong, in industry. It is using AI to protect workloads that are occurring. And I’m wondering if you see a future trend to actually protecting AI, and how you see that evolving?

[00:13:12] Mike Nordquist: We actually have some technology that’s coming in the future that will actually help us protect those AI models. Right? So if you want to put it on a virtual container, you want to make sure that’s encrypted, that’s protected, because that might be your IP in this space that you don’t want shared. There’s technologies that we’re working on that will actually protect.

I think what we’re talking about here, though, is not necessarily that. It’s just using the power of machine learning and AI to actually just see some weird behavior, or things that might be happening to your system, that shouldn’t be happening. Right? We want to raise a flag and say, “Hey, that’s a huge problem. Let’s go do something about it.” So it’s getting more information into whatever AV or EDR, or XDR vendor that you have, to just detect that earlier, right?

There’s some stats that are out there that we just showed that said, “Hey, once an attack actually hits, on average it takes like an hour and a half to move to the second machine.” So take a day, you take two days, this could get into your system and infect a bunch of systems around you really quick. So, you’re always looking for that edge that says, “Hey, if this system has been attacked, how does it notify me as soon as possible so I can take some action on it, so I can quarantine that system, so it doesn’t move somewhere else, so it’s not actually encrypting all my drive?” And so really that’s what TDT does right now is, it’s just trying to move up to that day zero, hour zero, minute zero as close as we can. Give that edge, so I detect it, actually right away and I could decide what to do next. We’re not trying to do it on our own. We’re trying to integrate into systems that people already have, with ISVs that they already have, that just make it more effective when it runs on those Intel systems.

[00:14:44] Camille Morhardt: Is TDT or threat detection technology actually taking action in quarantining, or is that something that a software partner would make the decision about how to handle?

[00:14:56] Mike Nordquist: No, we would work with a software partner to decide what the decision is. So we’re just serving that information up to that software provider, and then they could decide what action they want to take based on that. Right? So we’re not, again, we’re not trying to replace the AV EDR or XDR vendor in this space. We’re trying to make their product better. And then they have standard mechanisms for what they want to do in this space and policies. 

And it’s not that we couldn’t try to do some of that if we wanted. As we actually went and talked to end customers, so I started this whole conversation about, “Hey, what do end customers want? What do we hear from IT decision makers, what do we hear from CISOs?” They’re like, “Don’t give me another tool, right? I don’t want another tool. Can’t you just work with the existing tools that I have?” That would be their ideal situation.

If you can go in, this is what we can do with TDTs. We can say, “Hey, are you using a CrowdStrike, are you using Defender in this space? Awesome. Did you know that if you have a 12th gen system, it will automatically recognize that, if you have the latest and greatest updated AV?” And we’ll just take advantage of it. You as an IT person have to do nothing; you can just take advantage of that goodness, just based by a choice of what you’re choosing for an end system.

And so, when we’ve talked to end customers, they’re like, “That’s great. I like no-touch for me. I like that. I just buy this. And if it’s already integrated with my AV provider, I can just take advantage and get benefits of it. That’s great.” They love it.

[00:16:16] Camille Morhardt: A lot of systems are integrated, or I think at least we’re starting to have an integration across IOT devices and also possibly that’s connecting back into server side. Is there any kind of coordination across multiple kinds of devices for seeking out threats?

[00:16:35] Mike Nordquist: Yeah. Well, I think there’s a lot of stuff in the works. I think things shift pretty quick as you look forward. The cool part for us is in most cases, if you have like a GPU, for example, or even that CPU core, you’re going to have the capability to do that. So the hardware is capable. Now, you have to look at who are the ecosystem providers in this space, right? So, who is the OS vendor of choice? Hey, for client, it’s Windows in a lot of cases, or could be Chrome in this space. As we look over to IoT, there’s a good shot that’s Linux in this space. Okay. So now I have Linux. Who’s the security vendor that’s sitting on top of that Linux version that they have? Okay, that’s probably going to be different in a lot of cases than what it is for the Windows world. So, we have the capability to actually go do that. I think the anchor right now that we’ve got going the last year and a half has been client, but there’s no reason for us to be able to extend, probably to IoT first and then also, look at servers in that area.

I think servers are a little bit different in many cases, because a lot of them are set up to run one workload in that space. They don’t have as much of a wide open Windows ecosystem, with maybe hundreds of programs that are actually running on that system. And then the favorite way for these folks to get attacked is, they don’t have emails with links in them that end users are clicking, right? That’s a lot of cases, how some of that bad malware actually gets let into the system.

[00:17:57] Tom Garrison: Mike, I think it’s really exciting. I personally think TDT is cool because of its inherent flexibility. It’s not tuned just for one particular threat or designed for one particular threat, but by its very nature, it can evolve over time to add whatever the threat of the day is, without the users having to do anything. It just can update.

Before we let you go, we have a segment on every podcast that we like to end with, called Fun Facts. And, I know that you’ve got one planned for us and I’m dying to see it. This is a visual Fun Facts. So those of you watching on YouTube, you can see it this way, or I’m sure Mike will describe for the audio listeners what he’s about to share. So, Mike take it away.

[00:18:51] Mike Nordquist: So in Oregon we have Willamette Valley, that’s not too far from us. They’re really known for Pinot Noirs. So much so that Riedel, who’s a glass manufacturer, had a special glass that’s got this special lip on the top, that’s an Oregon Pinot glass. And you’re like, “Hey, this is great.” And a lot of times, if you would go there, they would give you as part of your tasting at special events, they would give you a logoed glass with this Oregon Pinot glass. And you think, “It’s great. Wow, it’s got this open air. It really allows the wine to breathe,” and I’ll, didn’t get into all the specifics on that.

That wasn’t what was cool to me. The cool part to me was, I was sitting there one time and one of the people that was working the wine counter was like, “You know that will hold a whole bottle of wine,” but I was adamant there’s no possible way because I was looking right at this thing. And so, and I just want to do like a little bit of a demonstration, because you look at this glass, you’re like, “It probably looks big because I’m holding it there, but it’s really not that big of a glass.” And if you actually just go ahead and pour this in, I hope I don’t spill it all over my keyboard, that would be really bad.

You can see it goes all the way to the top. So, if you have people questioning you, “Gosh, don’t you think you’re maybe drinking too much wine?” You can say, “I just had one glass.”

[00:20:23] Tom Garrison: There you go.

[00:20:23] Mike Nordquist: Right?

[00:20:24] Tom Garrison: I think it’s cool because it’s an optical illusion, because you would swear there’s no way that entire bottle could fit in there, but it sure does. So, very cool. Good job, Mike. All right, Camille, what’s your Fun Fact for today?

[00:20:38] Camille Morhardt: Okay. So the Atlas moth, when it emerges from the chrysalis and I think it’s one of the biggest moths by wingspan, 27 centimeters across or something. But when it emerges from the chrysalis, it has no mouth. So, it only lives for about five days, long enough to procreate, and then it dies.

[00:21:00] Tom Garrison: Dang.

[00:21:01] Mike Nordquist: That was terrible. I didn’t even get caught up in the five days. I’m just like, no mouth to eat or drink anything?

[00:21:07] Tom Garrison: Wow. All right. So mine is different. This is courtesy of my son, Zach. It is physically impossible to exceed the 70-pound domestic weight limit for a small flat rate box from the postal service. So the dimensions, when you do the calculations, the interior dimensions are 75 and a third cubic inches inside a small flat rate box. If you filled that box with pure Osmium, which I’d never even heard of before, but the Osmium is actually the densest substance known to man. It would weigh 61.48 pounds. So, pack away whatever you want in a small flat rate box, you cannot hit the weight limit. So there you go.

So Mike, hey, thanks so much for joining us today. I know we wanted to have you on the podcast for some time. I’m sure there’s going to be other topics in the future, given your role, that we’re going to want you to come in as well. But, you’ve been a great guest and thanks for joining us.

[00:22:06] Mike Nordquist: Awesome. Thanks so much.
