In this episode of Cyber Sessions, Visa CISO Subra Kumaraswamy takes us inside the company’s 24/7 Cyber Fusion Centers, where AI-driven defenses block 90 million attacks and 11 million phishing emails each month. He shares how his team achieves “zero breach, zero disruption” across 200+ countries—and what lessons other security leaders can learn from Visa’s global approach to resilience.
Welcome to another edition of Cyber Sessions, where we explore how security leaders are protecting the systems that we all rely on. I'm Joan Goodchild, and today I'm really excited to be joined by Subra Kumaraswamy.
He is the CISO with Visa, which operates one of the largest and most trusted payment networks. Welcome, Subra. Thank you, Joan, and happy to be here.
So now, Visa processes billions of transactions a year across more than 200 countries. And behind the scenes at its cyber fusion centers, they are working around the clock to block 90 million attacks, 11 million phishing emails every month. I'm exhausted just thinking about it.
So we're going to talk to Visa. We're going to talk to Subra about Visa's team and their technology, including AI-driven detection and response, and how they deliver on the promise of zero breach and zero disruption.
I'm excited to dive into these details, Subra. Looking forward. Happy to dive in deeper. So first let's start with how do you design security operations at Visa's massive global scale? Yeah. Joan, you mentioned the word trust, one of the most trusted payment ecosystems.
So the cornerstone of the trust is cybersecurity. And, you know, we designed the cybersecurity, you know, in a way that, you know, we have this concept of zero trust architecture.
And it's built on, you know, pessimistic principles. And of course, you know, the culture of being paranoid all the time. Yeah. And, you know, and and these are the when I think about cybersecurity, we think about in three different ways.
Number one is the cyber security team and the, in the program that I manage. And, I'm accountable for.
And the second is the Visa payment and fraud disruption. And, you know, that's focused on ensuring that we be the best way to be paid and get paid. And the third area of focus is the Visa risk products.
So of all of that, we need to make sure that we, you know, we manage it proactively looking at this risk landscape, the threat landscape that's so dynamic and so sophisticated and is evolving every day.
So we do this in a way that we, we built this architecture with a high resiliency and also, you know, continue to innovate in a responsible way. You know, the the name of the game is would be 1 or 2 steps ahead of the bad actors.
So which means that, you know, we have to be constantly innovating.
And the last thing I want to say is that, you know, for the second year in a row, we were certified as one of the highest rated cybersecurity programs in the industry, in the area of financial and regulated sector.
And I'm happy to say that, you know, we are, you know, we are sustaining that program.
And, looking forward to the next year. Well, that's really impressive. So congratulations on that accolade. Now, zero breach, zero disruption. That's a really ambitious goal. Obviously. So how do you measure success there.
How do you keep your teams motivated to be able to continue to work towards those goals? Yes. And again zero breach and zero disruption. That's the mission.
And you know and you know, we all have, you know, at the ground level, you know, we're all connected to the mission to keep our billions of consumers and the, you know, 14 billion tokens that we have in the ecosystem safe and secure. Right? That's the purpose.
And every one of us wake up every day with a mission to ensure that, you know, we continue to earn the trust from our customers and consumers.
And we have done that in a, you know, in a systematic way. Number one, right.
Having that culture of, you know, as I said, of being paranoid and, you know, even though, we were scored at 4.9 out of five, you know, by the, the research, the most reputed research firm, there's still point one less, which means, like, we are still not doing something right.
This is 4.9 out of five. So in that model, we have to. And, look for what else can we do better?
And, you know, and this goes to, you know, from creating a very, pessimistic, design centric products, to all the way to ensure that we are continuously monitoring the ecosystem for any new threats.
So just to give you a little bit of flavor, we have, you know, on a daily basis, we handle about 22 billion events every day.
And in that we are looking for actionable intelligence to look for any, you know, needle in the needle stack that we should go after. So using AI and machine learning, we're able to convert the 22 billion into hundreds of events that we investigate.
And that gives us, you know, a continuous, you know, insight into what's happening in the ecosystem. And number two is we employ about 120 different layers of tools. And these are very diverse set of tools that some of them are built by Visa for Visa.
And, some of them are acquired, by vendors in very reputed vendors.
So we build system of, defense in depth, to ensure that, you know, we can prevent, detect and respond. And, in the cases where we need to recover, we can recover. So all of that is done in a very, very systematic framework.
So that gives us the, you know, the team wakes up every day to ensure, you know, you're either preventing something.
And if you're not able to prevent it, able to detect and recover. Tell us what AI-driven security means at Visa and how you keep that from becoming a black box. Dig into that a little bit with us. Yeah.
So for us, you know, we've been on a journey of, you know, automation to ensure that we have a very scalable model.
If you look at the site Visa cyber team, we had a very global team. You know, we are in three different continents, and we have a very diverse set of talent, and they bring the best of, you know, best every day.
And when you think about, you know, the, the, some.
Sorry, I need to, what was the crux of the question? I lost you, Joan. Sorry about that. The question was, what does AI-driven security really mean at Visa? So we can either start by me asking you again, or you can just dive right into the answer.
Okay? Sure. Yep.
Okay.
What does AI-driven security really mean at Visa? And how do you keep it from becoming a black box and so on? You know, if you think about Visa's cyber security program, we have been investing in AI for the last many years.
But in the last two years, we've made much more focused on using generative AI.
And that's the buzzword of the industry.
And, you know, and one of the things I'm really optimistic about is how do you bring Gen AI and AI, the traditional AI, to ensure that we can actually prevent issues in the first place, which means, like, you know, we are analyzing the 22 billion events every day with AI and more importantly, being able to provide the right level of contextual data to our first line.
The first line, the folks who are looking at this day in, day out. So AI-driven is really to ensure we reduce the toil, we reduce the manual, laborious work that happens behind the scenes.
So first, to ensure that we, you know, we, equip our front line with the right level of tooling and powered by AI to ensure that they have the best signal to noise ratio so they can act on the most critical vectors targeting.
These are the payment ecosystem. Number two is, really focusing on ensuring that we leverage AI to help create products that are secure by design and secure by default.
What that means is, you know, we and we had this notion of shifting to the left, which means like an AI, ensuring that we build products with cybersecurity first mindset. Right.
And with cybersecurity architecture as a as a core principle. So in that model gen AI is helping us to automate quite a bit of things.
For example, all the code that is being generated by our developers or 10,000 plus developers and AI are secured, and they're done in a way that, you know, in a very automated fashion, where AI comes in and looks for issues and the vulnerabilities, attack surface that we can detect earlier and along the way, we are able to apply the right remediation using AI.
So in a nutshell, you know, we're able to use generative AI to compress the time to detect issues, compress the time to respond in issues. I'll give you one example. We have a program called Bug Bounty. And a bug bounty is a very common program across the industry.
And in that, you know, we have now, agents, you know, when I say agents, I'm talking about agent AI.
They are coming in to look for vulnerabilities in our 1500 applications that we have. And at the same point we have now developed AI technologies to respond to those threats.
Anything that we discover, you know, which may have taken, for example, two hours to fix an issue, we can now remedy it the same in less than ten minutes.
So we are able to see that action where, you know, by creating, AI into our product development lifecycle, we have now, you know, better, management of the attack surface and reducing the risk of how we would develop a product that goes to the consumers.
Now, I think this is really interesting because, you know, there's obviously we talk about AI all the time now in security. And I think there's a lot of desire to do a lot with it.
But there's still a lot of difficulty out there with trying to come up with the actual strategy for it and how we're going to use it and so forth.
You know, and I mentioned in the last question to, you know, how do you keep it from becoming a black box?
So maybe you could speak to because I think it'd be really interesting to others, other practitioners as well, to hear about, you know, like the strategy and the things that you had in mind when you put this together now because it sounds like, you know, you're really successfully using it with a mind toward, you know, again, these various attack vectors and, and, you know, efficiencies and it kind of checks a lot of different boxes.
So talk about that with us a little bit more. Yeah.
So and so the way we think about it is that, you know, when you think in it, when you take all the use cases that we're working on a day in, day out, we look at the use cases that has the most impact to the landscape.
For example, you know, if you think about, penetration testing, you know, it's a very, very, common function in every, you know, a company that has, a software engineering and, application security focus, the areas that have the most impact that we thought is on the Pentesting because it's very human driven.
And in this case, you know, by leveraging AI, agent is actually testing on behalf of human, they still have the principle of we still, you know, embrace the principle of human in the loop, right?
Because we need to make sure that even if AI is able to go, you know, come up with a decision, human is able to validate and show that it is not, you know, we're not missing anything.
There's no false positives, right? You know, those are the kind of focus that we you know, we try to bring you the AI.
So pentesting, in that case, we were able to bring a lot more efficiency, which means we can do a lot more testing of the products in the pipeline. And we're able to provide a much higher assurance, in a, you know, with it.
So it's faster, it's better. And it's also, you know, helping us to scale the program so we can now say that, you know, pentesting can be done across many applications, even though they may not necessarily warrant it.
So it provides us a platform to, you know, scale much better than just using humans. So that's one example. The second one I say is that, you know, the cyber defense, cyber defense is the front line, 24 by seven.
As you know, we have three different, cyber fusion centers globally. And, you know, these are the folks who are, you know, looking at the glass and looking for, you know, the next big incident, you know, that we should be thinking that that may come our way.
So we are able to shift that, focus from waiting for an incident to more proactive threat hunting. Right.
So now I, you know, as an example, about 80% of our incoming incidents are being treated by AI, which means that, you know, we are now, using the, the, the people to be doing more innovative and creative to look for, you know, needle in the needle stack with the help of AI proactively versus waiting for a particular attack to happen.
So that's kind of, you know, so my philosophy is that, you know, as we bring AI into the into the, ecosystem, we can delegate a lot of the mundane, you know, triaging that doesn't have much value to AI and let the human do what they're good at. Right?
You know, they can look at pulling all these things together, connecting the dots and going after the threat that we might have, you know, not we're not able to address it with the AI.
So that's kind of, you know, we the philosophy is continue to push more AI into, the, the frontline, into the product development, into the response and let the human do much more creative work and do proactive threat hunting and create a secure by design and secure by default security posture.
You as an experienced CISO, you know, we started this discussion talking about like 90 million attacks and 11 million phishing emails.
Or maybe I've got the numbers swapped, but, you know, it's so overwhelming now. As an experienced CISO,
talk about the threat landscape too, and how AI is influencing that and what you're seeing in the cyber fusion centers with regard to, again, this increasing swell of attacks, and especially enabled by the use of AI by the attackers. Yeah, it's a great question.
You know, we see about, 120 million attacks every month against our apps and AI and APIs.
Well, and, you know, again, these are, you know, as we think about, the AI getting smarter and the bad guys are able to get access to the same technology, you know, end of the day, deny the dual use, you know, is, you know, for the both the good guys and the bad guys.
And AI has also democratized, AI across the board, which means the barrier to entry is very low for a bad actor. Right. So as a result, what we are seeing is that the bad guys are able to do much better reconnaissance. They're able to discover vulnerabilities much faster.
And this means that the time, the mean time to detect a vulnerability is going to be shrinking and will continue to shrink.
So this is the nature of the game, right? Where, you know, AI is enabling the bad guys to find that the crack in your in your, in your house, the foundation.
So now with that in mind, right when we, you know, when we venture to the journey few years back in the notion of zero trust, we built the entire architecture with multiple layers.
So now, you know, with the with the advent of AI, we have been able to take every layer and be able to infuse AI into those. As an example, when you're looking at, prevention, you know, you have to understand what the threat model is.
So we are now able to leverage AI to automatically provide us a threat model. Right.
You know, when we are building the products again, the goal is to empower the defenders with the tools and be able to do that in a much faster and more and more accurate way.
Now on the other side, from the, you know, response and recovery side, we're now able to triage issues much faster, which means we're able to detect issues, you know, in terms of the mean time to detect in our end, that has been compressing, you know, doing 30% faster than what we did last year.
So as a result, you know, we are now able to take a lot more of these, you know, you can sort of speed the surface area and be able to analyze.
So it's empowering that, you know, so I want to make sure that the good guys, you know, on our, on our end has access to these technologies much earlier.
So again, you know, if you shift to the other side of the spectrum, how bad actors are leveraging, we are seeing AI empowering bad actors with more sophisticated tools like deepfake tool, you know, deepfakes and how they can use a $20 tool to impersonate Joan, you and say, look, you know, if you're coming and, you know, like what?
How we are chatting here. If you're on a team call and if I, you know, don't know, it's, you know, it's you coming in, and I will do what you're asking me to do, right? So.
So these are the areas where we are now doubling down to innovate and figure out how do I get ahead of the game when there's a deep fake course. All right.
Video that's coming into, social engineer or employees, you know, especially those folks who have keys to the kingdom. We need to make sure that they understand that these are, the new address, emerging threats.
And we've been investing on training, ensuring that we provide the right level of training and, awareness for them as well as we are now looking at enhancing the tools to detect those type of attacks.
Now, running such a massive global cybersecurity program, you know, I'm sure there's a lot of people listening in, that also wonder about how you're innovating, you know, whether it's AI related or not.
What's 1 or 2 innovative things that you've done, whether it's strategy or tooling or so forth in the last year or so that you really felt like was a game changer, in your fusion centers that you think is worth mentioning for people that are looking for guidance? Absolutely.
So as I mentioned to you earlier, we use about 120 different technologies, you know, across the layers. And many of them were invented by Visa as an example.
You know, we have this technology called VBA, which stands for Visa Behavioral Analytics Program, which allows us to stay ahead of the account takeover threats and botnet threats.
As you know, you know, in the, you know, the in the internet, more than 50% of the traffic are coming from botnets. Sometimes they're good bots. And in a lot of times they're bad bots. So our technology, the VBA, is actually layered on top of our applications.
We have 5000 applications. And every one of these applications are now, instrumented with VBA so that they can actually look at every transactions coming in and understand, is this a transaction that we can authorize?
And as an example, we look at your behavior, you know, how you type, how you move your mouse and, you know, as we, as we learn about you and we do that very quickly, understand what the good behavior looks like.
So this allows us to say within milliseconds, is that Joan behind the keyboard on the mouse, or is it a bad actor who's taken over the account and trying to, you know, do an abuse and replay of your compromised credentials?
So VBA is a very critical tool for us to protect us from those type of threats and also to help us to reduce the friction with multifactor authentication.
As you know, you know, MFA is a very, you know, what I call a table stake for every, every, every application, you know, every application should have MFA technology behind it.
But the problem with MFA, this also creates friction. And, you know, it, which means you're you're trying to get a text message, and, you know, trying to copy that back into a, you know, into one time password because, you know, the one time password.
So VBA allows you to be very smart about it. It'll only, challenge you when we believe that, that that's a bad actor or has a bad behavior.
So we have, you know, we analyzed over 400 different signals, when we and I get a transaction and be able to say, you know, from the transact, from the signals, you know, is this something that you should step up and ask you to do a one time password, or we should let you go, you know, with that, with a seamless authentication like FIDO-based.
So this is where, you know, we believe, you know, we have a very strong, you know, differentiator in the area of protecting your applications. If I give you one more on that realm is, you know, what we call as the Gen AI guard.
So the Gen AI, as you know, you know, the our we have today, we have 112 different tools within.
These are which are Gen AI powered. And we need to make sure that when these applications are interacting, they, I, we have to look for the attacks that may potentially be, you know, in terms of how they can be tricked, with prompt injection or content manipulation.
So we have built this Gen AI guard that sits, you know, in line to every Gen AI application and ensures that, you know, we can and we can provide the right level of integrity, comes through providing the response back to the application.
So this is really paying us dividends. And now we're able to accelerate innovation much faster, given the fact that, you know, these guardrails are protecting your applications. So we're almost out of time here.
But I want to ask you the question that we ask everybody, which is unpopular opinion. What's your unpopular opinion? Something whether it's AI driven security related or anything else that you think that is somewhat controversial in the industry or among your peers? Excellent.
Excellent question. So, you know, I constantly think about, you know, how I change the game for the industry. And of course, you know, the camps are split, right?
You know, the folks who are jammed with the both the state and the folks are still figuring out is I, you know, worth while in terms of, how they can enable empower the frontliners as well as empower the, the, the one business.
So I have always taken the approach of let's ensure we have the best tooling, the, you know, for the best, talent that we have.
And, you know, all the things I did when we, when we, when the I was in the early days, I challenged my team to think about what are the things they would do differently, you know, in every aspect of what they do. And that changed.
You know what I, what what I called as the CSO challenge, a challenge that was issued to all my team members. And one of the a controversial, thing was, can we create a employees that will act on behalf of. No, that an analyst or an advanced engineer?
And this is very controversial, right. You know, for somebody to say, look, I'm going to now delegate my job to, you know, to AI to go figure out whether that's something that threatens, that is mitigated, and need to be addressed.
So, you know, and that was the genesis of for some of the tools that we're doing today with the concept of human in the loop.
Now, this, you know, this innovation is where, you know, we're seeing a lot of, a potential of removing the toil from the human, and, you know, initially people say, look, you know, hey, Jan, I may could be, fired, and that can disappear soon, but I think the key point is that if we let, our engineers and the folks.
So the the the ground level innovate, ground up, you know, we can be we can provide a much better, scalable program and let them do what they good at, which is go figure out how to be, how to look at the next advanced cyber attack or innovate the next better tool.
So I guess the contrast of statement is can you experiment with, emerging technology in a way that you can still be safe and still provide the right level of assurance, to, you know, to my, you know, my businesses and my partners that this is a technology that health to be in a much better posture without compromising the
cybersecurity aspects of how we have built over the last many years. Okay, great. Well, Subra, thank you so much for taking some time today to give us some insight and perspective into Visa's global cybersecurity approach. We appreciate your time. Thank you, Joan.
I really enjoyed every every one of the interaction they had. All right. And and looking forward to have a gen AI powered cyber defense so that that will create a equitable, ecosystem and let the good guys win.
Well, we'll keep hoping from your lips to God's ears. So thanks so much again for for that perspective, we'd like to remind all of our viewers.
Of course, if you enjoyed this conversation, please like, share, explore more, videos and more interviews because, we've got plenty of them for you. And for now, I am Joan Goodchild.
Thanks for watching Cyber Sessions.