Rethinking cybersecurity strategies for the AI era

• Combat AI-driven cyber threats with proactive measures.
  
• Embrace proactive cybersecurity against AI attacks.

In our increasingly connected digital landscape, the threat of cyberattacks continues to evolve at an alarming pace. New technologies, while bringing about revolutionary changes in communication, commerce, and lifestyle, have also introduced complex challenges for security professionals. Cyber threats are not just growing in number, but also in sophistication, creating an ever-changing battlefield in cyberspace.

Bad actors, whether individuals, groups, or state-sponsored entities, are no longer restricted by resource constraints. They are increasingly well-funded, allowing them to leverage cutting-edge technologies to compromise systems. Artificial intelligence, machine learning, and advanced malware are just some of the tools now in their arsenal, which they use with alarming effectiveness.

In this high-stakes scenario, the question arises: Is it enough for organizations to merely avoid being the “low-hanging fruit”? Can companies simply aim not to be the easiest target, or is a more proactive stance required in this dynamic and perilous threat landscape? The emerging consensus among cybersecurity professionals leans towards the need for a more proactive stance. It’s no longer enough to just have baseline defenses in place. Organizations must stay one step ahead of their adversaries, requiring them to rethink and strengthen their cyber defenses constantly.

Tech Wire Asia had the opportunity to speak with Deepen Desai, Global CISO and Head of Security Research & Operations, Zscaler at Zenith Live in Las Vegas regarding this matter, and he said that we’re now in an era where zero trust is universally acknowledged.

Rethinking security: Zero trust and beyond

The evolving tactics of malicious entities extend to weaponizing trusted platforms like MOVEit, a well-known file transfer software, for their nefarious purposes. Such platforms, meant to enhance productivity and facilitate seamless workflow, are manipulated to orchestrate severe cyberattacks, endangering the security of sensitive data and systems. It underlines the grim reality that the tools designed for digital transformation can also become instruments for significant security breaches.

Amidst this escalating threat landscape, organizations must remain vigilant and proactive in identifying areas of potential risk and mitigation – the so-called ‘low-hanging fruits.’ These areas, if addressed correctly, can significantly enhance an organization’s security posture with comparatively minimal effort.

“One such critical area is implementing zero trust, a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters,” said Desai. “Instead, they must verify everything trying to connect to their systems before granting access. This approach is no longer optional but has become a necessity in the current cybersecurity landscape, with virtually all organizations now embarked on this journey.”

However, simply adopting a zero trust model is not enough. Prioritizing specific aspects within this model can greatly improve its effectiveness.

According to Desai, one such priority should be ‘user-to-app segmentation.’ This process involves segmenting access permissions so that users can only access the applications they need to use, thereby reducing the potential attack surface. It is a crucial part of a zero trust strategy, helping to prevent lateral movement within a network if a breach does occur. By prioritizing such aspects of the zero trust model, organizations can significantly enhance their defenses against the relentless threats they face.

The second focus area is patch management. The days when a 30-60-90 day approach sufficed are long gone. “Today, even internal assets that are not exposed to the internet are vulnerable to exploits,” said Desai. “Thus, patching should be a priority, especially when it comes to severe issues like remote code execution or unauthenticated access and execution of code.”

Just like the MOVEit vulnerability, Desai emphasized that these vulnerabilities need immediate attention. Any delay can lead to trouble, especially when using a VPN with host connectivity rather than application.

The third point doesn’t involve product promotion but focuses on the strategic implementation of security measures and procedures. Desai made it clear that he strongly supports the concept of enlightening users precisely when they commit an error, rather than waiting until they fall prey to a cyber attack and then enrolling them in security awareness training.

“Don’t get me wrong; the latter should still occur. For instance, anyone falling for your red teaming exercise should be educated,” he elaborated. “However, when a real attack happens, you won’t always have the opportunity to educate without causing significant damage.”

Internally, Zscaler utilizes a feature known as Web Caution. If an individual happens to click on a link from a phishing email, Zscaler intervenes by alerting the user against submitting their corporate login details or downloading anything from the dubious source. This tactic has led to a substantial reduction in the number of click-throughs. It stands as an illustration of how security measures can be harnessed effectively, irrespective of whether Zscaler or any other control mechanism is in use. The strategy of educating users at the moment of their mistake can lead to highly beneficial results.

AI in the hands of bad actors is bad for cybersecurity

However, the worrying trend of bad actors harnessing the power of AI to launch even more deceptive and convincing attacks points towards a critical future challenge. These advanced threats include AI-created custom voice messages for scams and AI-enhanced phishing attempts, potentially even extending to the misuse of OpenAI’s API calls. This illustrates an escalating cyber arms race, wherein our security mechanisms must continuously adapt and innovate to outpace the threat actors.

“Let me give you an example. Imagine a situation where someone takes an individual’s public speaking engagement and, using machine learning, creates a custom voice message. This person makes a call to an employee saying, “Hey, this is the specific individual, I’m here, I need you to do this,” and then the call cuts off. However, that voice mimics the individual’s voice perfectly. Someone else has crafted this message using machine learning, utilizing existing, publicly available speaking engagements,” Desai explained.

This is followed by a text message that reads, “I’m in an area where the network is bad. My phone doesn’t have good connectivity. Can you do X, Y, and Z for me?” At first glance, a text message may not seem threatening.

However, Desai mentioned that many individuals have grown more alert over time, developing a sort of instinct to detect potential scams. When they have just received a call that seems to verify the sender’s identity, it creates an additional layer of authenticity. Consequently, the use of machine learning to make these types of attacks more convincing is a trend that is likely to increase.

The role of security companies: Data collection, research, and beyond

Prominent security companies like Zscaler play a crucial role in this arena. Zscaler is at the heart of all communications between a user and any destination, which provides it with a wealth of data. This data, amounting to 500 trillion daily signals and scanning 300 billion transactions, is used to train models to detect anomalies.

Watch the video below on how Zscaler’s zero trust works:

In this age of generative AI, the company with the most data and visibility will likely come out on top. Without data, there’s a limit to what can be achieved, underscoring the importance of research and data collection in cybersecurity.

---

---

---

---