RSAC 2023 Day 1: Fighting Bad AI with Good AI the Future of Cybersecurity
New Fortinet research shows high number of organizations paying ransoms.
![Rohit Ghai RSA 2023 Keynote](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt9930a61f6c61a26a/6523fe367f88f544d377501c/Rohit-Ghai-RSA-Keynote-2023.jpg?width=700&auto=webp&quality=80&disable=upscale)
Jeetu Patel, Cisco’s executive vice president and general manager of security and collaboration, said the cybersecurity industry is at an “inflection point” with cybersecurity and AI.
The model, the data and the experience must come together to make AI an improvement on insights, he said.
“What if we could have a 10-times better experience for the security operations center (SOC) analyst?” Patel said. “AI could be an aid so SOC analysts can do their job more efficiently. What if they could get recommendations on the right things to do?”
Patel then showed a video prepared by Cisco in which a SOC analyst can rely on an AI assistant to help them in every step of their jobs.
“When you use AI to augment humans in the job, amazing things can happen,” he said. “The experience is going to become much more natural. We’re thrilled about what this can do and it’s not that far away.”
Tom Gillis, senior vice president and general manager of Cisco’s security business group, said extended detection and response (XDR) is “clearly going to be the talk” at this year’s RSAC.
“We’re hard-pressed to find a vendor not talking about XDR,” he said.
It’s increasingly clear that attackers are getting really good at emulating users and apps, Gillis said. According to Cisco, 80% of ransomware last year started with email. And now malicious hackers use AI to make it harder to detect phishing emails.
XDR provides the tools needed to detect threats before they become ransomware attacks, he said. SIEM is looking at summary data. XDR is looking for the highest-fidelity data. XDR is designed to automate response in an intelligent fashion.
XDR won’t replace SIEM, Gillis said. But working together provides a more effective way to identify threats.
Also at RSA, Fortinet unveiled its 2023 Global Ransomware Report. It’s based on a recent global survey conducted by Fortinet and explores cybersecurity leaders’ perspectives on ransomware, particularly how it impacted their organizations in the last year, and their strategies to mitigate an attack.
Key findings from the global survey include:
- The global threat of ransomware remains at peak levels, with half of organizations across all sizes, regions and industries falling victim in the last year.
- The top challenges to stopping a ransomware attack were people and process related, with many organizations lacking clarity on how to secure against the threat.
- There are a range of technologies viewed as essential to prevent ransomware, with an overwhelming majority prioritizing an integrated approach to security.
- Despite the global macroeconomic environment, security budgets will increase in the next year with a focus on AI/ML technologies to speed detection, centralized monitoring tools to speed response, and better preparation of people and processes.
“Though three out of four organizations detected ransomware attacks early, half still fell victim to them,” said John Maddison, Fortinet’s executive vice president of products and CMO. “These results demonstrate the urgency to move beyond simple detection to real-time response. However, this is only part of the solution as organizations cited the top challenges in preventing attacks were related to their people and processes. A holistic approach to cybersecurity that goes beyond investing in essential technologies and prioritizes training is essential.”
Fortinet’s research revealed there was a large disconnect between respondents’ level of preparedness with existing strategies and their ability to stop a ransomware attack. Although 78% of organizations said they were “very” or “extremely” prepared to mitigate an attack, the survey found 50% fell victim to ransomware in the last year, and almost half were targeted two or more times.
In addition, despite most detecting an incident within hours, and sometimes minutes, the percentage of organizations paying ransoms remains high, with almost three-quarters of respondents making some form of ransom payment. When comparing across industries, organizations in the manufacturing sector received higher ransoms and were more likely to pay the fee. Specifically, one-quarter of attacks among manufacturing organizations received a ransom of $1 million or higher.
Finally, while almost all organizations reported having cyber insurance, almost 40% didn’t receive as much coverage as expected. And in some cases, they didn’t receive any because of an exception from the insurer.
In addition, the report found that organizations using point products were the most likely to fall victim to an attack in the last year, while those who had consolidated to a smaller number of platforms were the least likely to be a victim.
Bob VanKirk, SonicWall’s president and CEO, was on hand at RSA to talk about what partners can expect in the coming months.
“We’ll be updating our partner program,” he said. “We’ve seen incredible growth out of what we have called our MSSP program in the past. We’re redoing that program altogether so that it will allow a much broader set of partners to participate and take advantage of, for example, monthly billing and if the number of users goes up or down, you’re only paying for that number. So we’re expanding that program, allowing a lot more partners in. We’ll be expanding that offering. It was just a few solutions. Now what we’re doing with all the changes, it used to be OK after the products were out, hey, what can we send through the MSSP program and service provider program. Now at the front end before a product even is going into the life cycle development, the PMs have to justify why or where is that going to fit in the partner program and the service provider program, which is a whole different approach that contributes to our seeing so much strength there.”
Everything SonicWall has done in recent months, including restructuring and bringing in new talent, is based on better understanding its more than 17,000 partners, VanKirk said.
“A segment of partners is saying, ‘Hey, I don’t want to buy everything up front,’” he said. “And we will provide that flexibility, no question. But others, and where we see the majority going, they want to pay on a monthly basis. We want to understand where our usage is, toggle it up or down. So we’re accommodating that. And it means changing our systems up. It means redoing the program. And then at an overall level, we’re totally redoing our SecureFirst program.”
Melissa Bischoping, Tanium’s director of endpoint security research, was on hand at RSA to talk about the latest emerging threats.
“Everyone likes to think about it as the most sophisticated and the crazy, and the stuff coming through the skylights,” she said. “But for me, top of mind is insider threats and supply chain vulnerability. Supply chain vulnerability, both with reused third-party and open-source code, but also implanted malicious code. So I think … having a software bill of materials as part of your asset management shortens the time it takes to say, ‘Are we good?’ With insider threats, we’re not going back to the office full time anytime soon, so people are using their devices, they’re mobile and they’re working out of coffee shops. That gives additional opportunities for data to exist in places maybe you don’t know or don’t trust. So knowing where your data is and how it’s moving, even when it’s outside the confines of your physical network, is a big part of managing that insider threat risk.”
Insider threats are both deliberate and accidental, Bischoping said.
“When we look at insider threats, we talk about that from different angles,” she said. “So you’ve got the insider who might be accidental. Maybe they don’t understand that they plugged a USB device in that wasn’t trusted or wasn’t approved. Or maybe they accidentally left an unlocked device somewhere insecure. But then you also have the malicious insiders. Maybe they were hired specifically by an adversary to infiltrate your environment, or maybe they’re seeking to take revenge or they feel like they’ve been wronged. Maybe they’ve got a financial motivation and they want to sell your sensitive data. So those can come from different angles. More often than not, the accidental insider threat can be just as damaging to loss of intellectual property and loss of data.”
Asset visibility is the biggest problem among organizations, Bischoping said.
“So many times I talk to organizations and they can’t tell me exactly how many endpoints or exactly what type of software is in their environment,” she said. “So it’s comprehensive visibility and then real-time understanding of change. Did you know that that data changed location at the time that it did? You can’t audit it a quarter later and go back. So I think that real-time visibility is always paramount. And then understanding how data flows through your network normally, what is your baseline of how data moves across your applications and your endpoints, and detecting deviations from that?”
Bischoping said she is seeing some encouraging signs.
“I’m seeing more and more C-levels have conversations about that,” she said. “There’s a lot more awareness of it. And I think that’s been one of the most promising things. Educating the executive leadership is making better decisions in how we build architecture and how we actually engineer the solution.”
SlashNext is looking to recruit more partners to provide its platform using generative AI to prevent phishing attacks.
SlashNext recently released its Generative HumanAI solution that uses generative AI to defend against advanced business email compromise (BEC), supply chain attacks, executive impersonation and financial fraud. This new solution joins SlashNext’s existing HumanAI capabilities, which mimic human threat researchers by combining natural language processing (NLP), computer vision and ML with relationship graphs and contextualization to thwart sophisticated multichannel messaging attacks.
Generative HumanAI anticipates vast numbers of potential AI-generated BEC threats by using AI data augmentation and cloning technologies to assess a core threat and then spawn thousands of other versions of that same core threat, which enables the system to train itself on possible variations.
“So we have two versions of our product,” said Barry Ruditsky, SlashNext’s senior vice president of business development, partnerships, channels and alliances. “We have a business version, which basically when we prevent an attack, we report all that telemetry back to a cloud administration project. So companies that really are using managed BYOD or supervised BYOD, they’re under control of the company. They love that product because whenever we stop something, we basically report back. With BYOD, the users are a little bit more skeptical about having their company know or Big Brother know how they’re using their phones. So we came out with a personal edition of our product, which does not report anything back to the enterprise. So for users that want to have that level of protection, but not report back, we can do that.
“We’re also seeing a blend between the fully managed device versus BYOD, where companies are starting to tell their employees, ‘Listen, you want hybrid work, you want to work from all your own devices, there’s got to be something we need to put on your phone, on your devices to protect the company.’ So we’re living in both worlds right now.”
Products built on older designs don’t prevent the AI-driven attacks that are now coming across in email, he said.
“From a channel perspective, are you going to continue to sell the old stuff and maintain the old stuff, or are you going to help your customers move to the next generation of technology that’s designed and architected to block or prevent these types of attacks from occurring?” Ruditsky said. “We’re looking to build businesses with partners who want to get that next level of emerging technology and we want to build a business with them. They will act as trusted advisors for their customers, and they could introduce this next type of technology to them. So in the United States at this point, we’re very focused on finding partners that are providing that level of trusted service to their customers.”
SlashNext’s generative AI technology is going to continue to evolve, he said.
“We’re going to be leveraging more and more generative AI to help continue to more rapidly build the models for the ML classifiers to spot these types of attacks and prevent them,” Ruditsky said. “We really feel like we’re first in the market with this capability. So we’re looking for partners that are really interested not just in the technology, but really providing the platform and the solution to protect those users from human compromise.”
At RSA, Proofpoint unveiled a host of innovations across its Aegis threat protection, identity threat defense and Sigma information protection platforms. Organizations can stop malicious email attacks, detect and prevent identity-based threats, and defend sensitive data from theft, loss and insider threats.
The new innovations further enhance Proofpoint’s threat and information protection platforms, in addition to its newly formed Identity threat defense business (formerly known as Illusive), to help organizations augment and safeguard their productivity investments, such as Microsoft 365, with maximum deployment flexibility.
“Proofpoint continues to deliver on innovations that empower organizations to break the attack chain,” said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy. “By providing our customers a unified path to solve for risk across email, cloud, identity and data, CISOs gain unparalleled visibility into and protection against the tactics that attackers rely on most.”
Arctic Wolf announced two solutions at RSA. The Cyber JumpStart Portal will help insurance brokers and carriers address clients’ cyber insurability gaps. Brokers and carriers can partner with Arctic Wolf to offer clients a suite of cyber risk management tools that will improve business resilience and reduce the frequency and severity of cyber claims.
“Business resilience is critical to strengthening the cyber posture of any organization,” said Scott Holewinski, Arctic Wolf’s senior vice president and general manager of incident response. “Unfortunately, the ever-changing threat landscape and technical nature of cyber insurance creates constantly moving goalposts for brokers and clients alike. By leveraging the Arctic Wolf Cyber JumpStart Portal, insurance brokers and carriers will be armed with the resources and tools needed to help end cyber risk and provide their clients and prospects actionable guidance to increase insurability and enhance risk management outcomes.”
Arctic Wolf also announced the launch of Arctic Wolf OEM Solutions, a suite of security scanning and threat intelligence capabilities to meet the needs of OEMs, ISVs and large enterprises looking to add critical security operations capabilities to their solutions.
“To build secure products, stay ahead of today’s advanced threat actors, and earn the trust of their customers, OEMs and ISVs need to have best-in-class security capabilities engineered into the solutions they are bringing to market,” said Dan Schiappa, Arctic Wolf’s chief product officer. “But building that security technology on their own can be costly and time consuming, especially if they do not have deep domain knowledge in cybersecurity. With the launch of Arctic Wolf OEM Solutions, we are excited to offer the same leading technology and data that helps power the Arctic Wolf Security Operations Cloud to organizations of virtually any size so that they too can build world-class cybersecurity products and solutions that can defend their assets at the speed of data.”
RSA CONFERENCE — Artificial intelligence (AI) and cybersecurity took center stage on day one of RSAC 2023. The message: We need good AI to fight cybercriminals who use bad AI.
The theme of RSAC 2023 is stronger together. The massive conference in San Francisco is back up to pre-pandemic attendance levels.
Rohit Ghai, RSA’s CEO, discussed new challenges that AI puts on the cybersecurity community.
“AI will challenge our identity, our role in this world,” he said. “Bad AI will take us for a ride and identity is a sitting duck.”
The first technology wave was the internet and the second wave was mobile cloud, Ghai said. AI is the third wave, and it’s so loud “we can all hear the waves crashing.” AI can pass the bar exam, and create polymorphic malware.
RSAC 2023: AI Foundational in Cybersecurity, Identity Strategy
There are three reasons why AI is foundational in cybersecurity and identity strategy, Ghai said. Cybersecurity and identity strategy can’t be accomplished without it. Cybercriminals will use it to compromise identity and “we need AI to fight this.”
We’ll need AI to weed out false-positives and reduce security alert fatigue, he said.
“Threat actors have been using automation for launching attacks,” Ghai said. “Now they’re using AI for phishing attacks. We need AI on our side to stop attacks from bad AI. Identity is the most attacked part of their attack surface.”
AI can manage millions of identity privilege changes in minutes instead of hundreds in days in traditional cybersecurity, he said.
Multifactor authentication (MFA) isn’t doing enough to protect identity, Ghai said.
“We need solutions that ensure identity throughout its entire life cycle,” he said. “This is a super human problem and we need AI to pull this off.”
Next-Generation Identity Platform Powered by AI
The next-generation tech platform for identity will be open and integrated at the data layer, Ghai said. It needs a security-first approach and will be powered by AI.
AI in security doesn’t mean a replacement for people, he said. Most of the AI solutions companies are rolling out are “co-pilot” solutions. Many jobs will disappear because of AI, but in cybersecurity “we don’t have enough people as is.”
AI will make decisions easier and automate most identity workflows, Ghai said. Humans will supervise, and even if they exit their roles, they’ll still need to educate, supervise and regulate.
“We will make sure good AI remains good,” he said. “We need to reimagine our role and our place in identity.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.