Enterprise AI Security Solutions

Yesterday, the National Security Agency Artificial Intelligence Security Center published the joint Cybersecurity Information Sheet Deploying AI Systems Securely in collaboration with the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre, the Canadian Centre for Cyber Security, the New Zealand National Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre. Deploying AI securely demands a strategy that tackles AI-specific and traditional IT vulnerabilities, especially in high-risk environments like on-premises or private clouds. Authored by international security experts, the guidelines stress the need for ongoing updates and tailored mitigation strategies to meet unique organizational needs. 🔒 Secure Deployment Environment: * Establish robust IT infrastructure. * Align governance with organizational standards. * Use threat models to enhance security. 🏗️ Robust Architecture: * Protect AI-IT interfaces. * Guard against data poisoning. * Implement Zero Trust architectures. 🔧 Hardened Configurations: * Apply sandboxing and secure settings. * Regularly update hardware and software. 🛡️ Network Protection: * Anticipate breaches; focus on detection and quick response. * Use advanced cybersecurity solutions. 🔍 AI System Protection: * Regularly validate and test AI models. * Encrypt and control access to AI data. 👮 Operation and Maintenance: * Enforce strict access controls. * Continuously educate users and monitor systems. 🔄 Updates and Testing: * Conduct security audits and penetration tests. * Regularly update systems to address new threats. 🚨 Emergency Preparedness: * Develop disaster recovery plans and immutable backups. 🔐 API Security: * Secure exposed APIs with strong authentication and encryption. This framework helps reduce risks and protect sensitive data, ensuring the success and security of AI systems in a dynamic digital ecosystem. #cybersecurity #CISO #leadership

National Security Agency’s Artificial Intelligence Security Center (NSA AISC) published the joint Cybersecurity Information Sheet Deploying AI Systems Securely in collaboration with CISA, the Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom’s National Cyber Security Centre (NCSC-UK). The guidance provides best practices for deploying and operating externally developed artificial intelligence (AI) systems and aims to: 1)Improve the confidentiality, integrity, and availability of AI systems.  2)Ensure there are appropriate mitigations for known vulnerabilities in AI systems. 3)Provide methodologies and controls to protect, detect, and respond to malicious activity against AI systems and related data and services. This report expands upon the ‘secure deployment’ and ‘secure operation and maintenance’ sections of the Guidelines for secure AI system development and incorporates mitigation considerations from Engaging with Artificial Intelligence (AI). #artificialintelligence #ai #securitytriad #cybersecurity #risks #llm #machinelearning

CISOs and security teams,   Microsoft just changed the landscape of AI security and how easy it is to secure it and approve it.   I normally don't push security folks to these kinds of events/announcements, but this one is a big change for security. I strongly urge security leaders and practitioners to see this themselves because these will change how security teams can mitigate AI risk (and also fundamentally change how people do work in general). Two key things caught my attention: 1. New product (Bing Chat Enterprise) that is built on ChatGPT that is designed for enterprises (inherits security/privacy/compliance policy, follows existing permissions, data is logically isolated and protected within Microsoft 365 tenant, verifiable answers, text/image interactions and coverage, etc.). This will also be very widely available (included at no additional cost in Microsoft 365 E3, E5, Business Standard and Business Premium). https://lnkd.in/eWQTBvS4   2. Content Safety features that provide powerful features to mitigate common AI risks (see screenshot) https://lnkd.in/exdZw4xA   Do these magically mitigate all AI risk? No Will it help many organizations get started on AI safely? Yes Will it increase demand on security to approve AI usage from business and technology colleagues? Yes! The productivity demos very impressive and included having AI compare a proposed project against existing products in the market and generating SWOT analysis in seconds. These tasks are critical to business decision makers and normally take hours/days/weeks for experts to build. I expect a lot of job tasks will be transformed by AI significantly in the next few years (and fast!)   I can't find the full keynote recording link at the moment, but this is a link to all the announcements with demo videos, etc. https://lnkd.in/emru8U5w

Last week, Gartner quietly introduced something new: AI Usage Control (AI-UC). While SSE is sliding deeper into the trough of disillusionment (and SASE not far behind), AI-UC is the first category that speaks directly to the most urgent risk in enterprise security today: uncontrolled AI usage. According to Gartner: “AI usage control provides fine-grained categorization and intent-based policies, enabling safe adoption of third-party applications while mitigating security risks.” This is a big shift. Because while organizations sprint to adopt GenAI (often through shadow usage), most security teams lack tools that can help them effectively control this. CISOs don’t need more dashboards telling them they have a problem. They need control. ✅ What AI apps are employees using? ✅ What are they doing with them? ✅ Is sensitive data at risk? ✅ Can we stop it before it leaves? AI-UC is the first answer built for that. A purpose-built control layer for GenAI. Excited to see this thinking go mainstream and even more excited to be working on it at Harmonic Security.

This entrepreneur, on the heels of ChatGPT Mania, launched a military-grade solution to bring SLMs to enterprises: While working at Hugging Face, Mark McQuade encountered challenges helping enterprise customers adopt GenAI. Some companies resisted closed-source AI APIs due to a lack of transparency. Meanwhile, they avoided open source models over security concerns. Mark realized that overcoming a trust deficit was the primary obstacle for enterprise GenAI adoption. Inspired to find a solution, he teamed up with Jacob Salowetz and Brian Benedict to build Small Specialized Language Models (SLMs). Mark, Jacob, and Brian launched Arcee backed by $5.5M in early funding. What makes Arcee stand out is its ability to train, deploy, and monitor GenAI models within a customer’s own cloud environment. This ensures data privacy while granting full model ownership. I got to know Brian while he was working at another Flybridge portco a few years back. He had a great understanding of enterprise sales and what drives leaders at Fortune 1000 companies. Arcee allows companies to host models in their Virtual Private Cloud from pre-training to post-development, ensuring that the data never leaves the organization. These models are more secure and can be up to 50% less expensive to train. The greatest advantage is that this reduction in size and cost does not come at the expense of reduced performance. They can be even more effective since they are tailored to a particular need. Arcee has a US patent model which showed a 50% improvement over baseline models. Acree gives companies higher ownership, control, and customization over their models, and avoids vendor lock-ins. We expect this will massively drive enterprise adoption, which has been lagging in recent years. My firm Flybridge participated in their seed round given three compelling factors: 1. Massive growth projected for enterprise AI spend 2. Team with clear understanding of market needs 3. Strong solution addressing gap in market Key lessons from Acree's story: • Overcoming the trust deficit is the primary barrier for enterprise GenAI adoption. Arcee directly addresses security concerns through its encrypted training and deployment system. • Talent with intimate market knowledge is invaluable when building solutions tailored to industry needs. Arcee's founders have the expertise to create technology addressing enterprises' pain points. • First mover advantage will go to GenAI platforms securing significant funding upfront. With $5.5 million raised already, Arcee can expand its workforce to seize the expansive market opportunity.

Folks ask me whether I have any examples of GAI impacting Cybersecurity in a good way. The answer is yes. I do. For example, on the morning of May 30, 2023, CrowdStrike unveiled the digital marvel known as Charlotte AI. A generative AI security analyst of unparalleled prowess, Charlotte AI draws (her?) strength from some of the world's most impeccable security data. What sets her apart is her ceaseless evolution, guided by an intimate feedback loop with CrowdStrike's cadre of threat hunters, managed detection and response operators, and incident response virtuosos. At the moment, Charlotte AI emerges as my beacon of hope for burgeoning IT and security professionals, illuminating their path to quicker, wiser decision-making. In doing so, she trims response times to critical incidents, an invaluable asset in the realm of cybersecurity discovery and detection. But wait – Charlotte AI is also the quintessential force multiplier. All SOC operators, analysts and managers out there will get that she pulls the drudgery out of the equation, automating the tiresome tasks of data collection, extraction, and search and detection. She's the virtuoso conductor of the cybersecurity defense orchestra. And, she doesn't stop there; she propels enterprise-wide XDR use cases into overdrive, navigating every nook and cranny of the attack surface and seamlessly integrating with third-party products, all from the Falcon platform. But, Charlotte AI is not alone. Across the pond, Darktrace, my first network immune system integration partner in 2012 (and thus always a favorite), now employs truly advanced AI technology, including their DETECT™ and RESPOND™ products. Their mission is simple: safeguard over 8,400 global customers from the security and privacy challenges that generative AI tools and LLMs will deploy. Darktrace's Cyber AI Loop, fueled by its proprietary Self-Learning AI, weaves a coat of interconnected capabilities, standing as the bulwark, defending data, individuals, and businesses against the ever-present specter of AI-directed cyber threats. Within this ecosystem, its risk and compliance models pull wisdom from customer data. They decode the daily rhythms of users, assets, and devices, and with unwavering autonomy, unearth subtle anomalies that foreshadow impending threats. For a real-life example, this very same Darktrace Self-Learning AI sounded a loud alarm in May 2023, upon deftly intercepting an attempt to upload over 1GB of data to a generative AI tool at one of its customer's locations. While a happy ending, we were reminded once again of the indomitable hidden strengths of GAI, lurking in the digital shadows, pouncing on anything that moves. There are other cases. Cisco has some recent acquisition news that is inspiring as well. The future is brightening daily. Let’s keep getting smarter. https://cybered.io/ The Future. Now.

In the second issue of AI Career Edge, we tackle the crucial topic of Personal AI versus Company AI, providing key insights for leaders on effectively integrating AI into their organizations. The lack of a formal AI policy could lead to security risks and hinder collaboration, as employees might use personal AI tools with company data. A strategic approach to AI can significantly enhance productivity by up to 40% while ensuring data security. Key options for AI adoption include: ➡ Microsoft Copilot Enterprise Accounts: Offers robust security for connecting business data with AI, ideal for organizations heavily invested in Microsoft's ecosystem. ➡ ChatGPT Teams or Enterprise Accounts: Tailored for collaboration, with security features varying by version to meet the needs of businesses of all sizes and industries. ➡ Third-Party Integrations and Custom AI Solutions: For specialized needs or heightened security concerns, such as in finance or healthcare, these options provide tailored capabilities and strict compliance with regulatory standards. Leaders must weigh these options against their organization's specific needs, considering factors like data security, compliance requirements, and potential productivity boosts. This edition of AI Career Edge aims to guide you in choosing the right AI strategy to stay competitive and innovative.

🔒🔥 𝗦𝗵𝗶𝗻𝗶𝗻𝗴 𝗮 𝗟𝗶𝗴𝗵𝘁 𝗼𝗻 𝗔𝗜 𝗦𝗼𝗹𝘂𝘁𝗶𝗼𝗻𝘀: 𝗧𝗵𝗲 𝗡𝗲𝘅𝘁 𝗚𝗲𝗻𝗲𝗿𝗮𝘁𝗶𝗼𝗻 𝗼𝗳 𝗦𝗵𝗮𝗱𝗼𝘄 𝗜𝗧 😱 In today's technology-driven environment, AI tools have become indispensable business assets, transforming operations and enhancing productivity. A recent article in The Hacker News discusses how the widespread adoption of these tools has also introduced potential data security risks. The unfettered use of AI tools without proper oversight can lead to data leakage, breaches, and unauthorized access, threatening the integrity of sensitive information and the overall security posture of an organization. One key concern stems from the increasing reliance on AI vendors. While these vendors offer innovative solutions, their security measures may not align with the rigorous standards of enterprise AI solutions. When integrated with enterprise SaaS applications, these AI tools can be potential backdoors, granting unauthorized access to valuable company data. To safeguard against these threats, CISOs and cybersecurity teams must 𝙥𝙧𝙞𝙤𝙧𝙞𝙩𝙞𝙯𝙚 𝙙𝙪𝙚 𝙙𝙞𝙡𝙞𝙜𝙚𝙣𝙘𝙚 𝙬𝙝𝙚𝙣 𝙚��𝙖𝙡𝙪𝙖𝙩𝙞𝙣𝙜 𝘼𝙄 𝙩𝙤𝙤𝙡𝙨. This includes scrutinizing the vendor's security practices, data governance policies, and compliance with industry standards. Additionally, 𝙘𝙤𝙢𝙥𝙧𝙚𝙝𝙚𝙣𝙨𝙞𝙫𝙚 𝙖𝙥𝙥𝙡𝙞𝙘𝙖𝙩𝙞𝙤𝙣 𝙖𝙣𝙙 𝙙𝙖𝙩𝙖 𝙥𝙤𝙡𝙞𝙘𝙞𝙚𝙨 should be established to govern the use of AI tools. These policies should ensure that access is restricted to authorized personnel and that data is handled carefully. 𝙀𝙙𝙪𝙘𝙖𝙩𝙞𝙣𝙜 𝙚𝙢𝙥𝙡𝙤𝙮𝙚𝙚𝙨 on the potential risks of using unvetted AI tools is paramount. Regular training sessions should be conducted to raise awareness of data security protocols and emphasize the importance of using approved tools and following established procedures. Organizations can empower employees to make informed decisions that protect sensitive information by fostering a culture of data security awareness. While establishing clear guidelines and regulations is essential, it's equally important to c𝙪𝙡𝙩𝙞𝙫𝙖𝙩𝙚 𝙖 𝙘𝙤𝙡𝙡𝙖𝙗𝙤𝙧𝙖𝙩𝙞𝙫𝙚 𝙚𝙣𝙫𝙞𝙧𝙤𝙣𝙢𝙚𝙣𝙩 where employees view the security team as a trusted resource rather than an impediment. Building open communication channels and making policies easily accessible can foster a sense of partnership, encouraging employees to seek guidance and report potential concerns promptly. By proactively mitigating AI-driven data risks, organizations can safeguard their information, maintain compliance, and ensure uninterrupted business operations in the ever-evolving digital landscape. Read the full article here: 👉 https://lnkd.in/edW94amN #AI #Cybersecurity #DataProtection #BusinessSecurity

I consistently hear from CIOs, industry leaders, and peers that security is their biggest concern when it comes to bringing generative AI into their businesses. There's mounting pressure on CIOs to deploy AI— but they need to do so responsibly. Some interesting stats: In a survey we conducted with ISG (Information Services Group) a few months back, they found that 78% of CIOs see generative AI as crucial for organizational productivity, and 59% anticipate a surge in shadow IT due to employees' eagerness for generative AI adoption. https://bit.ly/44UjIDh In a recent article by CNBC, 80% cite data privacy and security concerns as the top challenges in scaling AI, with 45% of organizations encountering unintended data exposure when implementing AI solutions. https://cnb.cx/4bJQl95 Here are some tips I shared with CNBC's Rachel Curry on AI and data security: ✅ Companies should have a centralized AI strategy to vet AI solutions and determine what content to connect. ✅ Connecting only a limited amount of enterprise information with LLMs will not yield valuable output. Connecting as much information as possible while maintaining appropriate permissions makes the most sense. ✅ A soft rollout is a good way to test the waters of a new program before embracing it company-wide. Glean always takes into account all real-time enterprise data permissions and ensures that employees only have access to information that they're allowed to see, helping you ensure levels of accuracy and security not possible with general-purpose AI models.

Secure AI System Development To avoid the pervasive "bolted on not built in dilemma" we must ensure security is a core part of AI adoption and use. Luckily, there are excellent resources to help ensure as an industry we keep security a core part of AI. Just this week the Cybersecurity and Infrastructure Security Agency and National Cyber Security Centre released "Guidelines for Secure AI System Development" It covers: - Why AI Security is Different - Who is responsible for developing secure AI - Secure AI Design, Development, Deployment and Operations & Maintenance This publication builds on efforts such as CISA's Secure-by-Design/Default and National Institute of Standards and Technology (NIST)'s Secure Software Development Framework (SSDF) It also cross-maps to excellent resources such as Supply Chain Levels for Software Artifacts (SLSA) and OWASP® Foundation's OWASP AI Exchange If you're interested in secure AI usage, this document is a great resource!