AI – Innovation or Exfiltration Tool: How to Maximize Productivity While Reducing Organizational Risk

The New Frontier of AI and LLMs  

We’ve recently witnessed groundbreaking developments in artificial intelligence (AI) and large language models (LLMs). In 2023 alone, AI has significantly influenced diverse sectors, from healthcare’s advanced diagnostic tools to finance’s sophisticated risk assessment algorithms. Creative domains have seen a surge in AI-assisted content generation, heralding a new era of digital creativity. We also can’t ignore product development, where AI-driven tools have significantly accelerated software development lifecycles and enabled developers to automate coding tasks and debug more efficiently. 

Yet, as we ease into early 2024, the challenges accompanying these AI advancements loom large. Cybersecurity threats have evolved to include AI-powered phishing and deepfakes, malicious bots and generative malware tools, and targeted attacks on machine learning models and AI system infrastructure, all demanding more robust defense mechanisms. Ethical issues, such as algorithmic bias and privacy concerns, have intensified, emphasizing the need for responsible AI deployment. As we step into the new year, our focus at Exabeam is on embracing AI’s transformative potential while vigilantly addressing these emerging challenges — and we want to help other organizations do the same. 

In this article:

• The New Frontier of AI and LLMs
• A Balanced Approach to Security and Innovation
• Internal Security Enabling Innovation
• Philosophy on Generative AI
• Responding to Incidents – The Struggle is Real!
• The CISO Perspective – Preparedness and Proactivity

A Balanced Approach to Security and Innovation  

Securing the business without hampering productivity and innovation is always a top concern. At Exabeam, we strive to strike that delicate balance for ourselves internally, and offer solutions that help global organizations do the same. We began  using machine learning (ML) models in our products to answer some of the most challenging security questions over 10 years ago — not because ML was trendy, but because it was quickly becoming the best tool for the job as legacy SIEM detection techniques fell short. Our modern approach is equally practical and forward-thinking; we have concrete, real-world strategies in place. 

For instance, we have implemented advanced natural language processing (NLP) search capabilities to assist  security analysts with executing more complex and in-depth queries. We’ve also pioneered the use of generative AI (GenAI) to explain and simplify multiple threat detections, thus yielding valuable security insights that not only accelerate productivity, but maintain the highest security standards. We are now evaluating new models to generate specific, factual information related to cyberthreats with the aim of providing context to threat intelligence, including indicators of compromise (IOCs).  

Internal Security Enabling Innovation 

Outside of what Exabeam is building in our products, our team members are not unique in their thirst to leverage public or private generative AI solutions. Across industries , many C-level leaders have enforced an “all or nothing” policy towards usage of these tools in an attempt to limit potential exposure, whether intentional or accidental. While this is a personal and widely polarizing decision, we have seen evidence indicating that attempts to holistically block all access or usage of GenAI tools can be even more harmful than taking no action at all. This is because employees will frequently find loopholes and workarounds to policy enforcement, often leading to more devastating outcomes and lack of visibility to exposure. The methods Exabeam utilizes to secure our digital environment and provide transparent visibility into team member usage of GenAI tools serve as a testament to our commitment to both AI cyber discipline and unique innovation. We work closely with industry vendors that provide controls and visibility into the content that team members are querying or uploading into GenAI tools. We then incorporate the output into our advanced AI-powered products that are built on over a decade of machine learning and analytics experience. This allows Exabeam to build anomaly detections based on team member behavior and develop keyword and pattern matching alerts for specific content, while visualizing potential exposure via data-rich dashboards. Visibility is a key component to feeling “in control” when it comes to managing an environment deploying or using AI-based technology. You can’t fight what you can’t see — by embracing the usage of the tools and augmenting them with line-of-sight capabilities, a SOC can visualize the way team members are using AI for good, or in some cases, abusing it to the detriment of the company. 

Artificial intelligence, with all its potential, can be a double-edged sword. On one hand, it enriches our capability to deliver valuable features, such as threat explaining capabilities. On the flip side, there’s the undeniable risk of misuse or abuse of these powerful tools. We’ve seen firsthand the cost to an organization when AI tools are misused — both internally and externally. It’s a delicate balance of leveraging AI for innovation while guarding against potential data exfiltration or leakage.  

Our unique approach to building visibility into how employees use publicly-accessible tools like ChatGPT is a cornerstone of our security strategy. By closely monitoring and understanding usage patterns, we can preempt potential risks and ensure responsible use of these powerful technologies.  

At Exabeam, we recognize that most incidents of data loss or exfiltration are accidental rather than malicious. Therefore, we place a strong emphasis on training and education. Our policies are designed to prevent accidental breaches, and our enforcement mechanisms are robust yet fair. Ultimately, we aim to create a culture of awareness and responsibility. 

Philosophy on Generative AI  

When it comes to SOC operations, the highest-performing organizations already have a group focusing on content creation, automation, process, and innovation. GenAI falls into this exact use case.   

The careful adoption of GenAI represents the greatest revolution in information security, both as a risk and an opportunity. As such, principled adoption is key. An organization must resist the desire to adopt technology without a clear purpose. Instead, one should define the problem and choose the best steps for the highest ROI. The first step to adoption should be asking how the technology can help the organization with the fundamentals of security.   

Here are some questions and rules to consider as you form an adoption philosophy around GenAI:  

1. Is there a current governance process for content creation and acceptable use?  
2. Always state the problem in plain language prior to any new technology or process creation.  
3. Example: “Systems outputs from X yield inconclusive and unclear next steps due to junior staff.”  
4. Success (and even failure) criteria should be clear and measurable. 
5. Example: “Current audit support for the SOC consists of 20% of our yearly hourly effort. Success with GenAI should move this to 10%.”  
6. If a measurable benefit can’t be seen, then no change should be made. Look at multiple metrics, including whether the solution saves time, identifies a problem, or makes a decision and performs a remedial action. 
7. Input and output validation must be auditable, have defined legal limits for acceptable use, and be tagged according to type (threat detection, investigation, and response – TDIR – processes, audit support, etc).  
8. Auditors must be aware of which processes involve GenAI. 

Responding to Incidents – The Struggle is Real! 

Every organization struggles with the same balancing act that we do at Exabeam. As a community, we can all learn from each other to help implement new strategies that ensure  enablement and protection stay balanced. Unfortunately, despite best efforts, security incidents can — and will — occur. Preparation is key, and it all starts with an incident response plan. 

A thorough incident response plan should account for multiple scenarios, such as: 

• Employees accidentally or intentionally uploading sensitive company information, such as: 
• Customer data 
• Personally identifiable information (PII) 
• Internal source code, configuration files, product documentation, etc. 
• Secrets (including passwords, API or cryptographic keys, user credentials, hashed secrets, or similar) 
• A compromised or poisoned model or data set 
• The introduction of inaccurate or biased information into public content by an employee using generative AI tools 
• Employees downloading or accessing unvetted, potentially risky AI models 

Clear policies need to be in place to cover each of these areas and any others specific to the business. A successful response strategy must also be swift and effective, minimizing potential damage and learning from each incident to strengthen defenses. 

The CISO Perspective – Preparedness and Proactivity 

As a CISO, the key to navigating the AI/LLM landscape is preparedness. This includes having a clear, organization-wide policy with enforcement mechanisms, dedicated AI/LLM usage training, and tools like dashboards and anomaly detection for comprehensive visibility. A comprehensive response plan, integrated into a disaster recovery plan (DRP), helps ensure that an organization stays one step ahead. 

Moreover, we advocate for a carrot vs. stick approach. By understanding and accommodating the legitimate use of these tools, you can prevent the creation of workarounds or unauthorized accesses. We all must embrace innovation responsibly in order for our journey into the future of AI/LLMs to be  both secure and productive.

Get the 2023 Exabeam State of TDIR Report

Security is fast-moving and the stakes are high. You must raise your game to beat the adversaries. Attacks are sophisticated and hard-to-detect, legacy SIEM is limited, and security teams are overwhelmed with data, unable to see a complete picture of a threat. Until now.

Get your copy today to read more about the latest TDIR challenges and trends. Download the report.