The AI growth is amplifying dangers throughout enterprise knowledge estates and cloud environments, in accordance with cybersecurity skilled Liat Hayun.
In an interview with TechRepublic, Hayun, VP of product administration and analysis for cloud safety at Tenable, suggested organisations to prioritise understanding their danger publicity and tolerance, whereas prioritising tackling key issues like cloud misconfigurations and defending delicate knowledge.
She famous that whereas enterprises stay cautious, AI’s accessibility is accentuating sure dangers. Nevertheless, she defined that CISOs in the present day are evolving into enterprise enablers — and AI might finally function a robust device for bolstering safety.
How AI is affecting cybersecurity, knowledge storage
TechRepublic: What’s altering within the cybersecurity atmosphere as a consequence of AI?
Liat: To start with, AI has change into far more accessible to organisations. Should you look again 10 years in the past, the one organisations creating AI needed to have this specialised knowledge science crew that had PhDs in knowledge science and statistics to have the ability to create machine studying and AI algorithms. AI has change into a lot simpler for organisations to create; it’s nearly identical to introducing a brand new programming language or new library into their atmosphere. So many extra organisations — not simply massive organisations like Tenable and others — but additionally any start-ups can now leverage AI and introduce that into their merchandise.
SEE: Gartner Tells Australian IT Leaders To Undertake AI At Their Personal Tempo
The second factor: AI requires lots of knowledge. So many extra organisations want to gather and retailer greater volumes of information, which additionally generally has greater ranges of sensitivity. Earlier than, my streaming service would have solely saved only a few particulars on me. Now, possibly my geography issues, as a result of they will create extra particular suggestions based mostly on that, or my age and my gender, and so forth. As a result of they will now use this knowledge for his or her enterprise functions — to generate extra enterprise — they’re now far more motivated to retailer that knowledge in greater volumes and with rising ranges of sensitivity.
TechRepublic: Is that feeding into rising utilization of the cloud?
Liat: If you wish to retailer lots of knowledge, it’s a lot simpler to do this within the cloud. Each time you determine to retailer a brand new sort of information, it will increase the amount of information you’re storing. You don’t should go inside your knowledge heart and order new volumes of information to put in. You simply click on, and bam, you’ve got a brand new knowledge retailer location. So the cloud has made it a lot simpler to retailer knowledge.
These three elements kind a type of circle that feeds itself. As a result of if it’s simpler to retailer knowledge, you may improve extra AI capabilities, and then you definitely’re motivated to retailer much more knowledge, and so forth. In order that’s what occurred on the planet in the previous couple of years — since LLMs have change into a way more accessible, frequent functionality for organisations — introducing challenges throughout all these three verticals.
Understanding the safety dangers of AI
TechRepublic: Are you seeing particular cybersecurity dangers rise with AI?
Liat: The usage of AI in organisations, in contrast to using AI by particular person individuals internationally, continues to be in its early phases. Organisations wish to guarantee that they’re introducing it in a method that, I might say, doesn’t create any pointless danger or any excessive danger. So by way of statistics, we nonetheless solely have a number of examples, and they aren’t essentially a great illustration as a result of they’re extra experimental.
One instance of a danger is AI being educated on delicate knowledge. That’s one thing we’re seeing. It’s not as a result of organisations will not be being cautious; it’s as a result of it’s very tough to separate delicate knowledge from non-sensitive knowledge and nonetheless have an efficient AI mechanism that’s educated on the best knowledge set.
The second factor we’re seeing is what we name knowledge poisoning. So, even if in case you have an AI agent that’s being educated on non-sensitive knowledge, if that non-sensitive knowledge is publicly uncovered, as an adversary, as an attacker, I can insert my very own knowledge into that publicly uncovered, publicly accessible knowledge storage and have your AI say issues that you simply didn’t intend it to say. It’s not this all-knowing entity. It is aware of what it’s seen.
TechRepublic: How ought to organisations weigh the safety dangers of AI?
Liat: First, I might ask how organisations can perceive the extent of publicity they’ve, which incorporates the cloud, AI, and knowledge … and the whole lot associated to how they use third-party distributors, and the way they leverage completely different software program of their organisation, and so forth.
SEE: Australia Proposes Necessary Guardrails for AI
The second half is, how do you determine the crucial exposures? So if we all know it’s a publicly accessible asset with a high-severity vulnerability to it, that’s one thing that you simply most likely wish to deal with first. But it surely’s additionally a mixture of the affect, proper? In case you have two points which can be very related, and one can compromise delicate knowledge and one can’t, you wish to deal with that first [issue] first.
You additionally should know which steps to take to deal with these exposures with minimal enterprise affect.
TechRepublic: What are some large cloud safety dangers you warn in opposition to?
Liat: There are three issues we normally advise our prospects.
The primary one is on misconfigurations. Simply due to the complexity of the infrastructure, complexity of the cloud, and all of the applied sciences it gives, even in case you’re in a single cloud atmosphere — however particularly in case you’re going multi-cloud — the possibilities of one thing changing into a problem simply because it wasn’t configured accurately continues to be very excessive. In order that’s positively one factor I might give attention to, particularly when introducing new applied sciences like AI.
The second is over-privileged entry. Many individuals suppose their organisation is tremendous safe. But when your own home is a fort, and also you’re giving your keys out to everybody round you, that’s nonetheless a problem. So extreme entry to delicate knowledge, to crucial infrastructure, is one other space of focus. Even when the whole lot is configured completely and also you don’t have any hackers in your atmosphere, it introduces further danger.
The side individuals take into consideration probably the most is to determine malicious or suspicious exercise as early because it occurs. That is the place AI may be taken benefit of; as a result of if we leverage AI instruments inside our safety instruments inside our infrastructure, we will use the truth that they will have a look at lots of knowledge, and so they can do that basically quick, to have the ability to additionally determine suspicious or malicious behaviors in an atmosphere. So we will deal with these behaviors, these actions, as early as attainable earlier than something crucial is compromised.
Implementing AI ‘too good of a chance to overlook out on’
TechRepublic: How are CISOs approaching the dangers you’re seeing with AI?
Liat: I’ve been within the cybersecurity business for 15 years now. What I like seeing is most safety specialists, most CISOs, are in contrast to what they was like a decade in the past. Versus being a gatekeeper, versus saying, “No, we will’t use this as a result of it’s dangerous,” they’re asking themselves, “How can we use this and make it much less dangerous?” Which is an superior pattern to see. They’re changing into extra of an enabler.
TechRepublic: Are you seeing the nice aspect of AI, in addition to the dangers?
Liat: Organisations have to suppose extra about how they’re going to introduce AI, relatively than considering “AI is simply too dangerous proper now”. You may’t try this.
Organisations that don’t introduce AI within the subsequent couple of years will simply keep behind. It’s a tremendous device that may profit so many enterprise use circumstances, internally for collaboration and evaluation and insights, and externally, for the instruments we will present our prospects. There’s simply too good of a chance to overlook out on. If I may help organisations obtain that mindset the place they are saying, “OK, we will use AI, however we simply have to take these dangers under consideration,” I’ve carried out my job.”