Black Hat USA: Cybersecurity Concerns Amid Big Tech's AI, ChatGPT 'Race'
Corporate races are not driven by a concern for safety and security.
![Maria Markstedter at Black Hat USA 2023](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltec8c885e7a312075/6523eb311fb1af141e7957c1/Maria-Markstedter-at-Black-Hat-USA-2023.jpg?width=700&auto=webp&quality=80&disable=upscale)
The biggest problem for the cybersecurity community isn’t the existence of new challenges associated with AI, said Azeria Labs’ Maria Markstedter.
“Our biggest problem is we don’t actually have enough people with the skills and knowledge to assess these systems and build the guardrails,” she said. “So there are already new job flavors emerging out of these new challenges.”
AI isn’t going to replace cybersecurity professionals, but skill requirements will change, and cybersecurity professionals with AI skills could replace those who lack those skills.
Also at Black Hat, the Defense Advanced Research Projects Agency (DARPA) issued a call to top computer scientists, AI experts, software developers and more to participate in the AI Cyber Challenge (AIxCC). It’s a two-year competition aimed at driving innovation at the nexus of AI and cybersecurity to create a new generation of cybersecurity tools.
“AIxCC represents a first-of-its-kind collaboration between top AI companies, led by DARPA, to create AI-driven systems to help address one of society’s greatest challenges – cybersecurity,” said Perri Adams, DARPA’s AIxCC program manager. “In the past decade, we’ve seen the development of promising new AI-enabled capabilities. When used responsibly, we see significant potential for this technology to be applied to key cybersecurity issues. By automatically defending critical software at scale, we can have the greatest impact for cybersecurity across the country and the world.”
AIxCC will allow two tracks for participation, the funded track and the open track. Funded track competitors will be selected from proposals submitted to a small business innovation research solicitation. Up to seven small businesses will receive funding to participate. Open track competitors will register with DARPA via the competition website and will proceed without DARPA funding.
Teams on all tracks will participate in a qualifying event during the semifinal phase, where the top scoring teams (up to 20) will be invited to participate in the semifinal competition. Of these, the top scoring teams (up to five) will receive monetary prizes and continue to the final phase and competition. The top three scoring competitors in the final competition will receive additional monetary prizes.
Anthropic, Google, Microsoft and OpenAI will collaborate with DARPA to enable competitors to develop state-of-the-art cybersecurity systems.
AIxCC competitions will be held at Def Con with additional events at Black Hat USA. The semifinal competition and the final competition will be held at Def Con in 2024 and 2025.
“If successful, AIxCC will not only produce the next generation of cybersecurity tools, but will show how AI can be used to better society by defending its critical underpinnings,” Adams said.
This week, Qualys launched its go-to-market strategy for SMB business on the AWS Marketplace.
Karun Malik, Qualys’ director of strategic alliances, said his company is a platform story.
“Our story of a platform is you can have the same agent do a number of different risk mitigation structures for you,” he said. “The same agent can discover vulnerabilities, discover inventory and also do patching, which is response. And the same agent can also look at external attack surface management using some external scanners. So being a cloud and having a cloud platform, we are now proving to customers that, ‘Hey, we’re Qualys.’ Not only can you consolidate technology, but you can also consolidate optimization, including getting a better TCO from the investments you make.
“Our goal as a company is to move toward a risk-based platform and with all the nuances we are making on true risk, which is our new risk rating score, we amalgamate all the data, we’re bringing more value, more innovation, we’re seeking feedback from customers and we’re improving the platform to be more and more partner-friendly so it gets adopted more by partners. So that’s what brings us to Black Hat.”
In addition to resellers, cloud partners and MSSPs, Qualys is now working with cyber insurance partners, “where now we’re tying up with cyber insurance vendors, where the value of our data is how they underwrite and they provide risk insurance premiums back to their customers,” he said.
“We’re also partnering with OEM partners where now a lot of our technology partners are leveraging our data to prepackage back into their product,” Malik said. “Microsoft Azure is one of our biggest technology partners globally today where they use our data across containers and non-container instances.”
Also at Black Hat, Critical Start debuted its Managed Cyber Risk Reduction (MCRR), a new approach to security designed to reshape the way businesses combat cyber risk. MCRR, the next evolution of managed detection and response (MDR), provides a comprehensive managed solution to address risks, vulnerabilities and threats. It’s designed to go beyond threat-based detect and response to support organizational security programs across the five functions of the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). Those are identify, protect, detect, respond and recover.
Also this week, Critical Start announced its new risk-based Vulnerability Prioritization offering, designed to address many of the challenges security leaders face with their vulnerability management programs. Leveraging a blend of platform-based analysis and human expertise, the new offering combines risk-reducing recommendations and exploit-aware threat intelligence with existing vulnerability scanning results to enable more effective and efficient patching efforts.
Randy Watkins, Critical Start’s CTO, said his company pioneered the MDR space eight years ago before anybody else was doing it.
“And we’ve always focused on how we reduce a customer’s risk,” he said. “But in looking at detection and response, those are reactive controls. So a breach has to happen for us to be able to detect and respond to it. But how do we go a step further and actually improve customer security posture to be more resilient to some of these attacks? That’s what MCRR is. It’s that expansion of MDR beyond reactive controls to more of the proactive side to help customers increase their security posture to become more resilient.”
Some of the capabilities that Critical Start is baking into MCRR both help partners set up the customer security posture and make its detection and response more effective, Watkins said.
With Vulnerability Prioritization, Critical Start is looking at the potential that an attacker is going to “target that exploit that’s on your machine or target that vulnerability on your machine with an exploit to breach your organization,” he said.
“We’re looking at, is it weaponized? Are advanced persistent threats (APTs) using it against which verticals, and are different ransomware groups using it?” Watkins said. “And then we’re going to prioritize those vulnerabilities over the others. So if you only have time to patch one thing, let’s patch this one vulnerability across these seven critical assets that didn’t have extended detection and response (EDR) on them last week. Let’s really start building up that posture and protecting the organization. So the benefit to our partners is instead of having to work with two, three, four different service providers to look at their total risk, we are taking a holistic approach to risk with a single provider. And with all of that visibility, there’s a lot of synergy between the detection and response, and the prevention or the proactive controls that we can put in place.”
Also at Black Hat, Appdome announced that Bugcrowd has joined its new Mobile App Defense Project, a community program aimed at improving mobile DevSecOps for everyone. This collaboration aims to create a more secure mobile app economy, raise the bar on mobile app defense, and provide rapid, validated, continuous cyber and anti-fraud solutions for all mobile applications globally.
Dave Gerry, Bugcrowd’s CEO, said the collaboration is all about helping to bring security around mobile applications to the forefront.
“A lot of people think about web apps, they think about infrastructure, they’re talking about AI,” he said. “But ultimately, we’re all typically still running our days off mobile applications. So we’re assuring that mobile vulnerabilities are being addressed just as quickly as other vulnerability types, and this gives us the flexibility and the ability to start to help make customers more aware.”
In addition, Bugcrowd will launch a new partner program near the end of 2023, Gerry said.
“We’ve put a lot of work into it,” he said. “I think as we look at the landscape, partners are becoming more important than they ever have been. We’re seeing that organizations have preferred vendors that they like to work with. And also we’re not a services business, we’re a software business. We’re a marketplace to connect the right researchers at the right time to unlock the human ingenuity that exists within the community. And by partnering with different services providers or resellers, we have the ability to start to add a little bit more value for clients and get them the services that they need. We’re building the foundational pieces of the program and starting to make some of these strategic announcements.”
During Black Hat, Symmetry Systems, a next generation AI-powered data-centric security company, announced an $18 million growth capital funding round led by OVN Capital.
The round had repeat participation from ForgePoint Capital and Prefix Capital, and new participants W11 Capital Management and TSG (The Syndicate Group), a channel-focused strategic investor.
This funding will be used to accelerate global revenue-generating efforts, including the scaling of channel sales.
Symmetry Systems’ data-security solution, DataGuard, uses AI to build an agentless security model. DataGuard provides granular visibility into every part of a company’s data, who has access to it and how it’s being used. While sitting in a company’s hybrid cloud, it autonomously scans for anomalous behaviors and threats, helping companies manage and take calculated risks as they innovate and build for a data-centric future.
Mohit Tiwari, Symmetry Systems’ co-founder and CEO, said his company enables partners to integrate security solutions with its offerings to enhance customers’ ability to employ data security posture management (DSPM) and data security-centric practices in their cybersecurity operations. It partners with leading software vendors to integrate with its DataGuard platform to accelerate DSPM transformation.
“Organizations have to unlock their data to survive, to be agile and resilient in a remote-first, generative AI era,” he said. “However, organizations do not even know what data they have or who can access it, or how it is used. This means that today, data is either locked away in regulated vaults or exposed to unmanaged risk in cloud and data lakes. Symmetry’s partners make it safe for data to flow — across business units and into the cloud and data lakes — faster and more safely than ever before. Our partners include MSSPs, incident response teams, and GSIs such as Accenture — and they help their customers by proactively hardening their data against risks and responding within minutes and with data-object level precision when an incident does happen.”
With this funding, Symmetry Systems is announcing the Symmetry Scorecard for its partners and customers. It’s a data security scorecard that takes minutes to set up and drives the cloud, security and data teams in a collaborative manner to make data flow safely.
“Symmetry is building a partner-driven product so that partners can be the glue that holds together data security over time and across business units — driving attributes such as what data matters most to an organization, what business initiatives it is tied to, and how to best manage data risk,” Tiwari said.
Also at Black Hat, Rubrik announced it has signed an agreement to acquire Laminar, a data security posture management (DSPM) platform.
The combination will create a complete cyber resilience offering by bringing together cyber recovery and cyber posture across enterprise, cloud and SaaS. Rubrik said this acquisition supports its leadership position as one of the preeminent data security platforms and furthers the company’s mission to secure the world’s data. Terms of the deal were not disclosed.
Ghazal Asif, Rubrik’s vice president of global partners and alliances, said the addition of Laminar will broaden the overall solution coverage and IT buyer universe (CIO plus CISO), enabling partners to sell Rubrik’s cyber posture products in addition to cyber recovery to provide customers with an end-to-end cyber resilience solution.
“Partners can offer value-added cyber recover and cyber resilience services, or augment their existing portfolio of services,” she said. “This acquisition leapfrogs Rubrik over legacy vendors with the only complete cloud-based cyber resilience solution in the market (among current competitors). Many partners sell multiple backup vendors, and it’s hard to differentiate in the cyber market. This acquisition will allow partners who are authorized to sell Rubrik a competitive edge.”
Also at Black Hat, Tenable announced the launch of ExposureAI, new generative AI capabilities and services across the Tenable One exposure management platform.
Tenable has also introduced Tenable Exposure Graph, a scalable data lake, powered by Snowflake, that fuels the ExposureAI engine. This unified data platform, representing more than 1 trillion unique exposures, IT assets and security findings (vulnerabilities, misconfigurations and identities) across IT, public cloud and OT environments, is the largest repository of contextual exposure data in the world and feeds all of Tenable’s exposure management products.
Tenable ExposureAI provides three new categories of generative AI-based preventive security capabilities that are foundational to exposure management programs:
Search – enables security teams to ask questions using natural language search queries to analyze assets and exposures across their environments, understand relevant contextual information and prioritize remediation efforts.
Explain – provides specific mitigation guidance that leverages Tenable’s unrivaled exposure data to provide security teams with clear visibility and succinct analysis of complex attack paths, specific assets or security findings.
Action – delivers insights and recommended actions based on the highest impact exposures, empowering security teams to proactively address risks and reduce their organization’s overall exposure.
“For years, Tenable has used its market-leading vulnerability management data and applied AI techniques to help organizations prioritize vulnerabilities based on true risk to the business,” said Glen Pendley, Tenable’s CTO. “AI is a part of our DNA. Now we’re using generative AI to put more power than ever in the hands of security teams to inform their exposure management programs and root out cyber risk wherever it exists.”
BLACK HAT USA — The opening keynote Wednesday at Black Hat USA focused on the AI and ChatGPT race among tech giants, and what the future of AI could mean for the cybersecurity community.
Maria Markstedter is founder of Azeria Labs, which provides training courses on ARM exploit development, reverse engineering and vulnerability research. This is the largest-ever Black Hat USA with attendees representing more than 120 countries.
Jeff Moss, Black Hat’s founder and CEO, told attendees AI is essentially prediction, and it’s getting cheaper and cheaper to do predictions.
“Turn all of our problems into prediction problems,” he said. “The more you can turn your IT problems into prediction problems, the sooner you’ll get the benefit from AI.”
Smart cars are predicting where to go, when to brake and when more fuel is required, and that’s based on models of what people have done, Moss said.
In addition, unlike the dawn of the internet, governments are trying to get ahead of AI via regulation, he said.
“We’ve never really seen governments get ahead of things, so we have a chance to participate in rule making,” Moss said.
In addition, there should be more emphasis on opportunities for business to help steer the future, he said.
Black Hat USA Keynote Highlights Key Realities of AI and Cybersecurity
During her Black Hat USA keynote, Markstedter said AI systems and their use cases are evolving and capabilities are becoming more powerful.
“Second, we need to take the possibility of autonomous AI agents becoming a reality within our enterprises seriously,” she said. “And we need to rethink our concepts of identity access management of true autonomous assistants having access to our data and apps, which also means that we need to rethink our concepts around data security.”
AI models today are “more like a troubled teenager,” Markstedter said.
“It lies, it makes stuff up, conspires and is completely unpredictable, yet people trust it. So thankfully it is now in the safe hands of big tech companies racing against time to compete for market penetration,” she joked.
That comment got a big laugh from the audience. Microsoft is leading the race in generative AI and ChatGPT, rushing to add ChatGPT to all of its products, Markstedter said.
“This race comes as no surprise because whenever the world is shifting toward a new type of technology, corporations are racing to dominate the market,” she said. “And corporate races are not driven by a concern for safety and security. As we all know, security slows it down.”
The Cybersecurity Community’s Task
The cybersecurity community’s purpose is to focus on the technological changes from a security standpoint, Markstedter said.
“So our job is to understand the technology that is changing our systems and as a result, our threats,” she said. “We need to find creative ways to break it.”
Current threat models will turn upside down in the next few years, Markstedter said.
“And if you’re not thinking about the emerging risks of these models deployed within your enterprise, or within the products and services that you’re responsible for, you are doing it wrong,” she said.
There’s a lot of money in creating solutions for any problems or challenges for which the cybersecurity community doesn’t have them, Markstedter said.
(Black Hat USA is part of Informa Tech, Channel Futures’ parent company.)
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.