Governance around AI Enabled Cybersecurity ft. Anushree Bag

00:00:00:05 - 00:00:23:28
Anushree Bag
We'll talk a little bit about governance, because governance isn't necessarily on everyone's minds, and what the importance of governance is, why it matters. Second, talk a little bit about cybersecurity and the application of AI, governance in AI. And the third is I'd like to go over some very brief use cases with you. So first, talking about governance.

00:00:24:01 - 00:00:47:27
Anushree Bag
So the importance of governance is manifest. I'm choosing two very non-technical examples. One is, what you're seeing here is a cane toad that was introduced in Australia to control some beetles that were feeding on crops. But what happened is no one thought about governance, about, you know, how to manage the proliferation of these beetles.

00:00:47:27 - 00:01:12:14
Anushree Bag
And when that happened, they kind of changed the ecosystem, as they have caused widespread damage to Australia's native wildlife. So, case in point, something really, really good without governance can cause havoc. Second, I think everyone remembers this, the housing collapse of 2008. Once again, it was a really good opportunity to, you know, give a lot of loans, thinking that there was a housing bubble there.

00:01:12:16 - 00:01:23:21
Anushree Bag
And once again, if you look at, you know, any kind of analysis, the reason this sort of busted is because of lack of regulation. Again, governance.

00:01:23:23 - 00:01:48:10
Anushree Bag
So governance matters because without proper governance, unchecked power can spiral into a runaway situation where the consequences become uncontrollable and then the risks can become irreversible. And with that brief introduction of governance, we'll move on to artificial intelligence. Is there anyone here who is not working on something related to AI?

00:01:48:12 - 00:02:09:00
Anushree Bag
You're not working on AI at all. Okay. Well, I mean, that can happen, but in a room full of technologists, the expectation is that most everyone is at least starting to dabble with AI. And if you're not, then you probably will very soon, right, in some shape or form, and it's inevitable. It's in everything we do.

00:02:09:02 - 00:02:31:08
Anushree Bag
In the words of the CEOs of some of the most expensive IT companies, most notable companies. You know, Satya Nadella of Microsoft says it's a defining technology of our times. Sundar Pichai of Google says AI is one of the most important things humanity is working on. Mark Zuckerberg of Facebook is saying, we're sometimes fearful of AI, but so many good things can come out of it.

00:02:31:10 - 00:03:03:12
Anushree Bag
Tim Cook of Apple saying, AI will make the world a better place. Andrew of Nvidia saying, and this is, I think, a very big statement, AI is like electricity. This will become second nature. It will be embedded in everything we do. Right. So that's just something. Also, remember this was also discussed last week. If you had watched this segment of Oprah Winfrey and Bill Gates, they discussed on September 12th on TV about AI, about the potential for positive impact.

00:03:03:15 - 00:03:24:22
Anushree Bag
They also talked about ethical considerations. We'll get to that in a second, because I think, Lauren, you mentioned bias. I mean, bias is oftentimes inherent. We are not always assured that we are. No one really wants to be biased. But bias gets manifested because of our lived experiences, like what we grew up with, where we work.

00:03:24:22 - 00:03:49:05
Anushree Bag
The kind of people we hang out with. So how does AI help or not help in that? So that was an interesting discussion. Economic disruption. AI is now getting trained to do a lot of stuff that, you know, humans are and have been doing. So what do we do? Do we reskill? Do we upskill? How do we make sure that we are not really replacing people, that we don't end up with, you know, kind of, we don't need people anymore.

00:03:49:05 - 00:04:12:10
Anushree Bag
That's not a scenario that's a desirable scenario. So that's how we have to figure that out, what to do there, as well as regulation and governance comes into the picture. How do we make sure we have enough governance? So, at a different employer, I know that, you know, the first reaction when ChatGPT sort of exploded into our world in September 2022.

00:04:12:10 - 00:04:35:15
Anushree Bag
The first reaction was to block it within the workplace. I think I immediately felt like that was a wrong response. Why? Why do you think that's the wrong response? I mean, every technologist wants to play with new technology. One of the surest ways of making sure you will play with it is to block it. Of course, you're going to try to work around it, right?

00:04:35:18 - 00:04:55:04
Anushree Bag
So if you block it on the work computer, you're going to try it on your personal computer, on your personal phone, you're going to email yourself stuff. Interesting. Much better is to make sure you have a policy. You have governance, and you sort of define the guardrails around it. That's a better way to approach it. Public engagement and education piece.

00:04:55:07 - 00:05:20:13
Anushree Bag
Folks talked about it because, you know, we know so little about AI. Many people say, oh, I know about AI. They're just scratching the surface. So I want to talk next about how AI is manifesting itself in cybersecurity. The first is how difficult it is making our work in cybersecurity. So one, it is, definitely.

00:05:20:15 - 00:05:45:28
Anushree Bag
I'm sorry, I think I want one more. Yeah, it's definitely creating more sophisticated and automated attacks, because just the scale and the sophistication of the attacks have been much, much better with AI-infused attacks. Right? The distributed denial of service attacks, they're much more frequent. They're harder to mitigate. The sophisticated phishing and other social engineering attacks.

00:05:45:29 - 00:06:13:22
Anushree Bag
How many of you have, at some point in your life, received emails from a Nigerian prince offering you $15 million? How many of you have done that? I look at my shit, right? Those are not the phishing attacks anymore. These attacks are so sophisticated and they're called event phishing. What does that mean? An event phish is sometimes like, right around tax season you're going to get, hey, click on this link for your W-2. Around Christmas time.

00:06:13:23 - 00:06:33:23
Anushree Bag
You know, a package of clothing for you. Around, you know, before the Taylor Swift concert: hey, we have just had ten extra tickets show up. Click on this link if you want to, you know, pay $100 for this, or something like that. Usually it plays on two very distinct emotions. One is greed, the other's fear. Right. Because there's a sense of urgency.

00:06:34:00 - 00:06:59:23
Anushree Bag
There's like wrong grammar. There's some kind of. And when you train AI, it takes those factors into account by writing really sophisticated phish, which even seasoned professionals are falling for. Then very enhanced malware. So it just, you know, enables the creation of more and more advanced and adaptive malware, which is something that the AI and ML algorithms are writing much better than we can, again, as humans.

00:06:59:25 - 00:07:26:17
Anushree Bag
Data breach exploitation. So AI has the capability of analyzing very large data sets, which is a tall order for human beings, but we're teaching the machines; I mean, the ML actors certainly are. And that's happening. It's leading to both attacks as well as actual breaches when they're infiltrating the system. Right. And then the last one I have on this list. This is not comprehensive by any means, just some of the things that I highlighted.

00:07:26:20 - 00:07:48:15
Anushree Bag
Deepfakes. I don't know if anyone watched a deepfake video. Yeah, yeah. What do you think? I think good. They're really good. Yeah. Some of them are. In the past, you could completely tell which is a deepfake, you know, with the head movement, with the blurring, etc., etc. These days, you can create a deepfake video on your phone; that's all that it takes.

00:07:48:15 - 00:08:06:08
Anushree Bag
Because I know I was involved in a project where we asked you for a few video shots of yourself, and it's just going to probably take a threat actor who kind of looks like you, but they're going to superimpose those images and you can have a conversation. You wouldn't even know that you're having a conversation with the deepfake.

00:08:06:09 - 00:08:25:19
Anushree Bag
So they might say, hey, CFO, something just came up. They're really asking, you know, to close the deal today. Can you just draft the financial files to do this? I don't have the time to assemble the whole team. Just put it in the Teams channel. Something believable like that, and you don't know you're endorsing the deepfake, but you have to, you know.

00:08:25:19 - 00:08:47:25
Anushree Bag
So that's one of the things that's happening with AI. We are also using AI to fight back against that kind of stuff. Right? Just as the attacks are getting more sophisticated, we also have the ability to do better analysis with the use of AI. So, enhanced threat detection. We are able to identify the patterns and the anomalies.

00:08:47:25 - 00:09:15:13
Anushree Bag
And that's how we are using AI for good, right. Automated response. Yeah, these systems automate these search responses, which really reduces our response time, which is a big deal because, you know, if you think about it, how many companies have a SOC, a security operations center? Yeah. SOC is pretty common, as is a SIEM, which is a security incidents and events manager.

00:09:15:13 - 00:09:33:08
Anushree Bag
You know, you have someone who's got to be watching your endpoints. But it's a lot of data points that are coming in, and we have diminished ability to analyze them and respond to them. But using AI, you can do that in a fraction of a second. Behavioral analysis. A lot of cybersecurity is not just about technology.

00:09:33:08 - 00:09:58:24
Anushree Bag
It's about behavior. You know, they're playing the minds of the attackers. And so we are countering that with, you know, fighting back against that. Predictive analytics, as we move from reactive to proactive to predictive. That's another area where we are using AI very effectively. Also reducing false positives. Sometimes your alarms go off way too many times when it's not really an attack, and you get weary of that, kind of the boy who cried wolf.

00:09:58:24 - 00:10:21:10
Anushree Bag
Right? And you don't respond, and you may be at risk of missing the actual, you know, real attacks, but AI can discern and you can get help from that. Adaptive learning is another area where we're using AI, through continuous improvement, threat detection. And we're using that to teach folks which may be a real attack and which may not be.

00:10:21:12 - 00:10:56:29
Anushree Bag
And then the last one I put on the list is advanced risk assessment. Like in any professional organization, for cybersecurity risk assessment, it's a really prime candidate to use AI. And I actually highlighted this because I want to demonstrate a use case, do a brief one over here. So before we do that, though, you know, a couple of things to summarize how we are using governance in AI is working through bias and discrimination, as well as being mindful of privacy violations, ethical concerns and security risks.

00:10:56:29 - 00:11:03:15
Anushree Bag
So when we use AI, these are things that we have to be mindful of.

00:11:03:17 - 00:11:30:09
Anushree Bag
Does anyone know what a prompt is? Yeah. So many of you have written some kind of a prompt. Not surprising; nearly everyone, right? That's the point I was making earlier. You technologists. You give us the technology. We're going to try. We're going to experiment. You can't keep us away from that. So a prompt is a crucial instruction or an input, because that's how we make AI work.

00:11:30:09 - 00:11:53:17
Anushree Bag
Now prompts can go from really, really simple ones, like: recap the meeting so far. This is by far the simplest prompt that I've seen. To really sophisticated ones. Is anyone willing to share a prompt that you have used in a personal or a professional environment? I guess a string of prompts to help me analyze.

00:11:53:17 - 00:12:14:17
Anushree Bag
We had a user that breached one of our websites we use for posting our loads. I work for a very company, and I was gone during trying to find all the email addresses we were getting hits from, try and block. A log is like, okay, this guy's given way to me. He knows our way to meet you.

00:12:14:17 - 00:12:36:27
Anushree Bag
They're pretending to be the company that we're using. I need to stop this. I went into Microsoft Defender. I'm like, hey, I know there's a way for me to start digging into this using KQL code, the Kusto Query Language, but I don't know KQL. I've been gone all the time, and working out of it isn't very often.

00:12:36:27 - 00:13:06:26
Anushree Bag
So I went to, like, hey, I need a KQL script that helps you find email addresses that match this string of characters, and back and forth a few times to kind of, hey, this is not actually a valid table. Is it valid? You know, string here, back and forth for about ten, 15 minutes. I got a query through Defender and found 800 results.

00:13:06:26 - 00:13:34:19
Anushree Bag
I'm like, perfect. Like, all of these, because I don't need this anymore. And it seems like, you know, even for someone who doesn't use a scripting language like that, ChatGPT, for, you know, all this stuff, has really powerful uses. Two minutes gone back and forth: hey, I just need to do something really quick because you blow me up and I need to stop it.

00:13:34:19 - 00:13:54:17
Anushree Bag
And so, okay, let me comment on that in a second. Let me see, anyone else willing to share? I did, first of all. Yeah. So I got this idea from my third. So it's not my original idea, but me and my eight year old describe big monsters. And we fed those descriptions they had published in a B&B.

00:13:54:20 - 00:14:18:22
Anushree Bag
And it's just something that is so fun. Yeah, absolutely. Absolutely. That's what you wanted to share. I do, right. My boss had to tell me to ask the AI engine how to best write a prompt to solve a problem that I was trying to solve. I was trying to have it write in my voice based on some stuff that's published online, and I wasn't doing it well.

00:14:18:22 - 00:14:37:13
Anushree Bag
And you said, just ask the engine how to write a poem so it can understand, but it kind of met it. Yeah. So we have one personal example, a couple of professional examples. I'll tell you that, you know, I've known folks to write poems, you know, for their spouses on the anniversary.

00:14:37:13 - 00:14:56:11
Anushree Bag
That was a silly thing to do. I know that I've used it extensively for travel, like creating your itinerary. Now, there are different ways of writing prompts. I could say, hey, I'm going to be going to Greece, give me an itinerary. I'm going to go to Athens and Mykonos and Crete, right. And so it's going to respond in a way.

00:14:56:13 - 00:15:16:19
Anushree Bag
Now, you could also write it this way. Assume the persona of a travel agent. I'm going to be staying at hotel XYZ. I really like to walk on foot or take the ferry, and I don't want to use Uber. Give me a list of museums. I like to go to museums, whatever it is that I want to do, right?

00:15:16:21 - 00:15:37:12
Anushree Bag
And I'll be there from Tuesday to Thursday. Create an itinerary for me. Why is that? Why are the days important? Because sometimes museums are closed on certain days, right? So the more specific you make your prompt, the more specific your response will be. And, I don't know what your name is, but you talked about a few back and forth.

00:15:37:12 - 00:16:06:07
Anushree Bag
That's exactly how it works, right? It's not supposed to give you the exact answer, but it's supposed to sort of guide you towards the final response. I don't know what your company policy is, but in some cases, when you're giving specific scenarios about Defender or other, you know, company-specific information, uploading a video, that can be pretty dangerous. That has to be within the confines of your own tenant.

00:16:06:07 - 00:16:28:23
Anushree Bag
Otherwise it's going to be out there, the whole internet, and your security protocol and your certificates. You really don't want to. That's why we need that kind of governance. Right? So many companies now are enabling Copilot or whatever other LLM, you know, within the company environment that you could safely upload to.

00:16:28:25 - 00:16:50:29
Anushree Bag
And I would say the same about risk assessment. So the prompt I have in mind is, based on, you know, let's say you're a company and you're trying to sort of get into a relationship with company Y. Now you want to know everything about the company, their risk profile, because you're going to get into the relationship with them.

00:16:51:03 - 00:17:17:07
Anushree Bag
They're going to be on your network. So you could just say, hey, analyze and compare company Y's security practices by scraping their public and private online documents and internal communications, by tapping their key personnel, studying the social media profiles of their officers, their family members; contrast this with security best practices and then make a recommendation. Very, very unethical.

00:17:17:07 - 00:17:41:00
Anushree Bag
Also, perhaps if you can do that, right. But people have, if they don't have a knowledge about where the boundaries lie of legal ambiguity, of ethics. Right. Also a bias. So the better prompt, the better way to write it is, you know, you could ask to scrape. I mean, so this is why it's not legal.

00:17:41:02 - 00:18:04:22
Anushree Bag
Because it's unauthorized access, invasion of privacy and legal risk. The better way to write it would be: evaluate company Y's publicly available security practices, compliance reports, industry reputation based on established security practices. Provide a recommendation. Because this is a very practical scenario for many companies. You're trying to do business. You know, you may have an information security standard; many companies do.

00:18:04:22 - 00:18:22:17
Anushree Bag
And these are the ways. Not even, you're getting into a relationship with another company. You want to know about their multifactor authentication. Do they have a web application firewall. So the MFA and the WAF, whether they run penetration tests, what their policies are for background checks, because this is an entire company that will be on your network.

00:18:22:19 - 00:18:46:10
Anushree Bag
And you want to know about their security practices. So you can upload your own security standard, and you can put their security standard up and see what the differences are, right. But could you do that? If you do that on the entire world, they can have access to yours. So I would not ever advocate doing that on, like, a worldwide AI. That's where the governance comes in.

00:18:46:10 - 00:19:08:23
Anushree Bag
That's why you need to write policies. So the employees know that I can do X but not do Y. So if you write this kind of a prompt, where it's like scraping information that's publicly available, at that point it adheres to legal boundaries. It respects privacy, focuses on relevance. So another one. This is very simplistic, obviously, to make a point.

00:19:08:26 - 00:19:28:13
Anushree Bag
The other is in the personal life. Right. Because we use that. So let's say, you know, you're trying to help grandma, and they say: my grandma is a compulsive shopper. She does not understand security threats. I would like to help my grandma stay secure when banking online. Help me send her an event phish which she would be tempted to click.

00:19:28:18 - 00:19:48:15
Anushree Bag
Like maybe, you know, whatever phish that is. If she clicks on that, then I'll know that she's vulnerable. Outside of text to really noble intent on the part of a teenager. But is that illegal? It's really not. You can't just, I mean, was like, sue you most likely, but it's not the right rating for you can't get it right.

00:19:48:18 - 00:20:10:16
Anushree Bag
And also not ethical. The better way to do it perhaps is: my grandma is a compulsive shopper, does not understand security threats. Help me generate a simple, easy to understand guide on recognizing phishing attempts. Include examples and tips on what to look for. Suspicious links. Poor grammar. You get the point, right? You're trying to guide behavior into Y meetings.

00:20:10:19 - 00:20:38:29
Anushree Bag
And so, does this ring a bell with anyone here? Which feels like, oh, you know, I used to write this kind of prompt, and now I've changed to this. You guys have written prompts before, right? Because there's a whole thing. Someone talked about this being on LinkedIn. I think that if there's one thing I find very intriguing on LinkedIn as to how to learn better, how to write better prompts, it's more learning around that and being very mindful about, you know, what prompts you're using.

00:20:38:29 - 00:20:58:29
Anushree Bag
And then, like I said before, I would not upload this to ChatGPT. So the takeaways are: develop clear policies, because, you know, Lauren talked a little bit about, we think of things. We mean things. We don't put it down. We don't talk about it. We don't put it on paper.

00:20:59:02 - 00:21:21:02
Anushree Bag
We have to publish these policies and make sure the workforce is knowledgeable about it. They understand the risks. You know, we always encourage our folks to experiment with new technologies, but within the guardrails, and the guardrails have to be very clearly defined. We must have regular audits. It's a very clear case of trust but verify. You have to know if people are actually following these.

00:21:21:02 - 00:21:43:16
Anushree Bag
Right? I strongly recommend thinking about an ethics committee, because I'll give you an example. A lot of people use AI to write job descriptions. If you're not careful, bias is going to seep in. And I'm just going to make a point here. In this roomful of technologists, there are four women and the rest are men.

00:21:43:19 - 00:22:09:00
Anushree Bag
So we've seen is they come from maybe six, and not too bad. But, you know, typically there is a group of a hundred men and there are 5 or 6 women. When you're hiring for technology roles, bias has seeped in, in many, many cases. You have to be mindful about people who may not have college degrees; that kind of thing is also a bias in technology.

00:22:09:02 - 00:22:30:16
Anushree Bag
Like in technology, you don't necessarily need a PhD or a master's degree. You could look for certifications and experience, but when you're putting a prompt in and asking the AI to write a job description, you can put words in like: de-bias my job description. So you can use that, because none of us are doing it mindfully.

00:22:30:16 - 00:22:52:18
Anushree Bag
But it did happen. So AI is writing in a way that will only fit certain profiles, and not everyone. And I say it selfishly, but I really like to see more women in technology. Provide the employee trainings for that and establish transparency and accountability. Right. People should know that this is not the job of cybersecurity alone, or your HR, or your ethics committee.

00:22:52:26 - 00:23:09:15
Anushree Bag
Every employee should be trained on this. This is a new technology, and we really need to learn how to use it properly. That's all we had to say. Like here it.

00:23:09:17 - 00:23:09:27
Anushree Bag
You.

Guest: Anushree Bag, Cybersecurity Leader | Former Public Sector CIO | Risk Management