It is a pleasure to present an article in collaboration with Fabrizio Saviano.
Fabrizio is a dynamic cybersecurity leader with extensive experience as a Chief Information Security Officer (CISO) for top companies. He also served as an Intrusion Squad Officer at Polizia Postale, bringing a wealth of knowledge in cyber defense and security strategy. Fabrizio is the author of three influential books, including Cybercognitivismo and Come non essere spiati su internet, which explore the nuances of digital privacy and cybersecurity. His work combines practical expertise with a passion for educating others on navigating the digital world safely.
So without further ado…
Shadow Data and Ghost Data in the Era of Cloud Computing
In the era of cloud computing, data security has become a major concern for both individuals and organizations. Beyond the well-known concept of Shadow IT, two lesser-known but equally dangerous phenomena are emerging: Shadow Data and Ghost Data. These represent a new frontier in cybersecurity, bringing unique challenges and significant risks that need to be addressed with care and awareness.
Shadow IT: The Hidden Precursor
Before delving into Shadow Data and Ghost Data, it is important to understand the context in which they emerge. Shadow IT refers to the unauthorized use of cloud services such as WhatsApp, Gmail, WeTransfer, or Dropbox within an organization. These tools can be useful but create security, compliance, and cost control issues when used without IT department supervision.
Shadow Data: The Hidden Threat in the Cloud
Shadow Data is an extension of the concept of Shadow IT. It involves content that is improperly uploaded, saved, and shared on cloud storage platforms like Microsoft OneDrive, Google Drive, or Amazon Web Services. Their elusive nature makes it difficult for corporate IT security teams to monitor and protect this data. Risks associated with Shadow Data include insecure sharing, indexing of sharing URLs by search engines, and exposure of sensitive data.
One of the most evident dangers is vulnerability to online searches. Often, URLs used to share data can be discovered through hacking techniques like Google Dorks, making information potentially accessible to anyone. Additionally, incidents like those involving Amazon’s S3 storage have shown that even the most reliable cloud services can be vulnerable.
Ghost Data: The Phantom of Digital Past
Ghost Data represents an even more insidious risk. These are data that users believe they have deleted from cloud services but actually persist in providers’ storage systems. This phenomenon underscores a fundamental truth: data deletion in the cloud is not always permanent. The origins of Ghost Data can vary from incomplete file deletion to device disposal without proper data erasure, to loss or theft of inadequately protected devices.
The Extent of the Problem: Alarming Data
Recent research has revealed worrying data about the impact of Shadow Data and Ghost Data. It is estimated that 60% of security problems in cloud accounts stem from unprotected sensitive data. Furthermore, about 30% of analyzed cloud data stores contain Ghost Data, with 58% of this data including sensitive or highly sensitive information. These numbers highlight the urgency of addressing the issue of Shadow and Ghost Data seriously and proactively.To mitigate the risks associated with Shadow Data and Ghost Data, a multi-layered approach is essential.
First and foremost, user education and awareness are crucial. Users must be trained on the risks of improper data sharing and correct privacy practices in cloud services. It is also important to promote the use of strong passwords and develop a culture of cybersecurity within the organization.
Monitoring and Control are equally crucial. Companies should implement software for identifying and analyzing Shadow and Ghost Data, establish clear policies for their management, and conduct periodic reviews of data present in cloud systems and company devices.
Proactive protection includes using encryption tools for sensitive data and implementing secure backup systems. Additionally, solutions for secure and permanent data deletion are essential to ensure that deleted data cannot be recovered in the future.
Shadow Data and Ghost Data represent a growing challenge in the cybersecurity landscape. With the continuous evolution of cloud technologies and increasing reliance on these services, it is crucial that individuals and organizations remain vigilant and proactive in managing their digital data. The cybersecurity of the future will not only be a matter of advanced technology but also awareness and responsible behavior. Only through continuous and conscious commitment can we hope to navigate safely through the increasingly deep and complex waters of the digital world.
It is a pleasure to present a collaboration series of articles with Andrea Licciardi on ITDR.
As Senior Cybersecurity Manager at their Cyber Fusion Center, he spearheads proactive threat management. Andrea Licciardi is a cybersecurity veteran with over 20 years of experienceand his encompasses security operations, risk identification, and cutting-edge defense tactics. He honed his skills at industry leaders like Leonardo and EY, where he led incident response and CERT/CSIRT services. Moreover Andrea is a champion for AI integration in cybersecurity – he co-founded CISOs4AI (together with yours truly), a collective that advocates for AI as a game-changer in the fight against cyber threats. Allow me to say that with Licciardi at the helm, the MAIRE Group is well-positioned for a secure and resilient digital future.
I believe that Andrea’s article will be interesting and valuable both to IT professionals and business leaders, as it offers a holistic perspective on the management of cyber threats, laying the groundwork for a stronger and more aware security culture within organizations. Our hope is that, by sharing this knowledge, we can contribute to creating a safer digital environment for everyone.
So without further ado…
Elevating Business Resilience with Identity Threat Detection and Response (ITDR)
This article stems from the need to address one of the most critical challenges in the field of cybersecurity: the protection of digital identities. Through the analysis of the Identity Threat Detection and Response (ITDR) approach, we aim to provide organizations with a broad overview of cutting-edge strategies and technologies that can be adopted to mitigate the business risk associated with cyber attacks.
The goal is twofold: on one hand, to demystify the concept of ITDR, explaining in accessible terms what it means and what benefits it can bring to companies of every size and sector; on the other hand, to provide a practical guide on how to effectively implement these solutions, highlighting the importance of a proactive approach to identity security.
Mitigating Business Risk Through ITDR: A Strategic Approach to Identity Security
The security of information has ascended to become the linchpin of organizational integrity for enterprises across the globe. As digital footprints expand, so too does the vulnerability to cyber threats that lurk in the shadows, waiting to exploit any weakness. In this dynamic environment, where data breaches are not just a possibility but a prevalent reality, their consequences resonate beyond immediate financial losses, penetrating deeply into the fabric of an organization’s reputation. It is within this context that Identity Threat Detection and Response (ITDR) stands out as a beacon of defense, offering a sophisticated arsenal against the myriad of cyber threats that businesses face today. ITDR doesn’t merely respond to threats; it anticipates them, fostering a security posture that is both proactive and resilient. By safeguarding the most crucial asset in the digital realm—the identity—ITDR empowers organizations to navigate the cybernetic waters with confidence, ensuring that they are not only protected but also positioned to thrive in the face of cyber adversity.
Business Risk in the Digital Age
The landscape of business risk has transformed, becoming inseparably entwined with the realm of information security. The surge of cyber attacks not only poses a direct threat to the continuity of business operations but also strikes at the very heart of customer trust and regulatory compliance, potentially leading to a cascade of consequences that can diminish a company’s market value. The year 2023 has shone a spotlight on a particularly alarming statistic: a staggering 40% of security breaches have been traced back to the misuse of credentials, signaling a clear and present danger to organizations worldwide. This revelation underscores a profound realization – the traditional frameworks of Identity and Access Management (IAM) are being outpaced by the cunning strategies employed by modern cyber adversaries.
In this context, a cyber attack is no longer just an interruption; it’s a significant breach that can unravel the trust painstakingly built between businesses and their customers, expose companies to severe regulatory repercussions, and erode the foundational value that underpins their presence in the market. The reliance on conventional IAM methods is being challenged, revealing vulnerabilities that contemporary cyber threats exploit with alarming efficiency and sophistication. As we navigate this new era, the necessity for advanced protective measures that can adeptly shield against, detect, and neutralize these evolving threats becomes undeniable. The digital age demands a vigilance and a strategic foresight that extends beyond the perimeter of traditional security measures, urging businesses to reevaluate and fortify their defenses in the face of an ever-changing threat landscape.
The Importance of ITDR
ITDR represents a crucial evolution in the approach to cybersecurity, focusing on the detection and response to identity-specific threats. This approach not only strengthens an organization’s ability to prevent attacks but also ensures that response measures are ready to be activated in the event of a breach, thus minimizing damage and accelerating recovery. By implementing ITDR, companies can address detection gaps between IAM and security controls, thereby filling one of the most significant weaknesses in information security.
How ITDR Mitigates Business Risk
Strengthening Preventive Controls: Through the inventory of existing controls and the audit of the IAM infrastructure to detect misconfigurations, vulnerabilities, and exposures, ITDR helps companies bolster their first line of defense against cyber attacks.
Improving Detection: By selecting a focal point for identity alert correlation and detection logic that prioritizes identity-specific Tactics, Techniques, and Procedures (TTPs) over other detection mechanisms, ITDR enables companies to promptly identify potential threats before they can cause significant damage.
Optimizing Response: By building or updating playbooks and automation to include IAM enforcement within the steps taken to eradicate, recover from, report, and remediate identity threats, ITDR integrates IAM incidents into response and threat-hunting processes using existing security controls in the Security Operations Center (SOC).
Reducing Damage Impact: By rapidly implementing effective response measures, organizations can limit the extent of damage caused by a security breach, accelerating the recovery of operations and maintaining customer trust.
Data breach in 60 minutes: Acting Before It’s Too Late
Where a single compromised credential can herald a data breach in as little as an hour, the stakes have never been higher for businesses across the globe. This alarming reality underscores the critical need for organizations to adopt a robust stance against the specter of cyber threats, emphasizing the indispensability of cutting-edge security measures. Enter the realm of Identity Threat Detection and Response (ITDR), a beacon of hope in this turbulent digital sea. ITDR transcends traditional security measures by offering a proactive and strategic defense mechanism, intricately designed to detect and neutralize threats before they can inflict irreversible damage.
Imagine the scenario: the clock starts ticking the moment a cyber attacker breaches a digital perimeter. With each passing minute, the potential for widespread organizational disruption, loss of customer trust, and severe regulatory repercussions grows. In such a high-stakes environment, the speed and efficiency of ITDR systems stand as the vanguard against the relentless advance of cyber adversaries. By swiftly identifying and responding to intrusions, ITDR not only acts as a critical line of defense but also as a strategic asset, significantly mitigating the risk to business continuity and safeguarding the company’s invaluable digital assets.
In a world where digital threats are constantly evolving, becoming more sophisticated and elusive, the adoption of ITDR is not merely a recommendation; it is an imperative for survival. Through its advanced threat detection capabilities and rapid response mechanisms, ITDR equips businesses with the necessary tools to navigate the perilous waters of the digital age. It serves as a testament to the organization’s commitment to safeguarding its digital identity, reinforcing customer trust, and ensuring that operations can withstand the tempests of cyber warfare. As the digital landscape continues to expand, the role of ITDR in shaping resilient and secure business environments has never been more paramount.
Timely Response: Minimizing Financial and Reputation Impact
Speed is everything in the context of security breaches. An organization’s ability to detect and mitigate an attack before the damage spreads can make the difference between a minor inconvenience and a widespread crisis that can have significant financial and reputational repercussions. ITDR allows companies to:
Quickly Identify Threats: With attack techniques becoming increasingly sophisticated, ITDR provides the tools to promptly detect threats, reducing exposure time.
Respond Promptly: Through predefined playbooks and automation, ITDR facilitates a rapid and effective response, limiting the impact of attacks.
Deep Understanding of Threats: Beyond the Surface
ITDR is not limited to mere threat detection. It also provides a deep analysis of the tactics, techniques, and procedures used by attackers, offering security teams the necessary information to:
Prevent Future Attacks: Through understanding attack methodologies, organizations can adapt their defense strategies to prevent similar breaches in the future.
Train and Inform Personnel: Ongoing education on new attack vectors and security best practices is crucial to maintain a resilient organization.
Reducing Costs Associated with Breaches
A security breach can entail significant costs, not just in terms of compensation or sanctions but also regarding productivity loss and the expenses of restoring compromised systems. By implementing ITDR, organizations can:
Reduce Direct Costs: By minimizing the impact and duration of attacks, thus reducing recovery and restoration costs.
Avoid Indirect Costs: By protecting the company’s reputation and maintaining customer and stakeholder trust.
A Business Imperative: Protecting Identities
Protecting the identities is not just a matter of cybersecurity but a fundamental requirement for business continuity. ITDR supports organizations in:
Ensuring Operational Continuity: By maintaining the integrity of identity systems, organizations can ensure that critical operations remain uninterrupted.
Supporting Compliance: By helping to meet regulatory requirements related to data protection and identity management
What ITDR Is and Is Not
Identity Threat Detection and Response (ITDR) stands as a formidable guardian, dedicated to safeguarding the very essence of digital identity. This discipline, more than a mere set of tools or processes, embodies a comprehensive approach to protecting identity infrastructures against the ever-evolving spectrum of cyber threats. ITDR transcends conventional security measures by harnessing the power of advanced threat intelligence, amalgamating it with industry best practices, a rich repository of knowledge, and a suite of sophisticated tools designed to preemptively identify, meticulously investigate, and decisively respond to any indication of compromise.
Within its operational domain, ITDR’s main function unfurls as a dynamic triad: detect, investigate, and respond. Initially, it deploys an intricate web of detection mechanisms that vigilantly monitor for the faintest whispers of suspicious activities or unauthorized changes within the identity infrastructure. This proactive surveillance is the first line of defense against the insidious attempts of cyber adversaries to undermine digital integrity.
Upon detecting a potential threat, ITDR shifts into a meticulous investigative phase, dissecting and analyzing the nature of the suspicious activity. This investigative process is not a mere cursory glance but a deep dive into the digital ether, unraveling the complexities of the threat landscape to understand the how and why behind the attack vectors.
Finally, armed with a comprehensive understanding of the threat, ITDR orchestrates a targeted response designed to neutralize the threat, mitigate any damage, and restore the sanctity of the identity infrastructure. This response is not a blunt force but a carefully calibrated action, ensuring that the digital identity fabric of the organization remains intact and resilient against future attacks.
Yet, it is crucial to understand what ITDR is not. It is not a responsibility that rests on the shoulders of a single team or department but a collective endeavor that spans the entirety of the organization’s cybersecurity framework. Nor is it limited to the confines of protecting just the Active Directory (AD); ITDR casts a wider net, safeguarding against a broad spectrum of identity threats across various IAM systems and tools. Lastly, ITDR transcends being merely a tool in the Security Operations Center (SOC) arsenal; it represents a strategic, holistic approach to identity security, integrating seamlessly with other security measures to provide a robust defense against the cyber threats of the digital age.
In essence, ITDR is the embodiment of a proactive and strategic commitment to securing the digital identity ecosystem. It is a testament to an organization’s resolve to not just defend against, but to anticipate and neutralize threats, thereby ensuring the digital trust and continuity that are the bedrock of success in the digital age.
What ITDR Is:
A proactive and reactive approach to identity security.
Complementary to existing solutions like Network Detection and Response (NDR) and Endpoint Detection and Response (EDR), with a specific focus on identity infrastructure.
A unifier of tools and best practices to protect the integrity of identity systems, also essential for mature IAM and infrastructure security implementations.
What ITDR Is Not:
The responsibility of a single group; ITDR is a shared responsibility among IAM and infrastructure security teams.
Limited only to Active Directory (AD) security; ITDR includes detection and response to AD threats but goes beyond, covering a broader set of identity threats across various IAM systems and tools.
A SOC tool; tools like SIEM, SOAR, and XDR are active parts of a cohesive ITDR strategy, but most vendors in these markets lack the capability to detect identity threats based on user behavior rather than TTPs.
Prevention, Detection, and Response: Where ITDR Fits
PreventionThis is the first line of defense, focused on preventing attacks before they happen. It includes controls such as MFA, vulnerability management, and secure infrastructure configuration. While fundamental, prevention alone is not enough to stop all threats.
DetectionWhen preventive measures are bypassed, detection comes into play. Timely threat detection allows organizations to identify and isolate attacks before they can cause significant damage. ITDR positions itself here, offering an identity-focused mechanism to detect threats that might otherwise go unnoticed.
ResponseOnce a threat is identified, the response phase aims to mitigate the impact of the attack, eradicate the threat, and restore systems to their normal operational state. ITDR integrates identity threat response into existing response and threat-hunting processes, using security controls present in the Security Operations Center (SOC).
The Importance of ITDR in an Advanced Authentication Context
Advanced Threat Detection: Even the most advanced passwordless and MFA technologies can be vulnerable to sophisticated tactics, such as social engineering or advanced phishing attacks. ITDR enables the detection of these advanced threats by monitoring unusual behaviors or suspicious access attempts.
Prevention Completion: While MFA and passwordless raise the barrier against unauthorized access, ITDR complements this scenario with an additional layer of security, allowing organizations to quickly identify and respond to attacks, potentially reducing damage.
Flexibility in Response: With attack techniques continuously evolving, ITDR provides organizations with the necessary flexibility to quickly adapt their response strategies, ensuring constant protection against new vulnerabilities and attack methods.
Prevention, Detection, and Response in the Passwordless and MFA Context
Prevention: MFA and passwordless act as robust preventive mechanisms, significantly increasing the difficulty for an attacker to gain unauthorized access.
Detection: ITDR comes into play when preventive measures are not enough, detecting suspicious identity-related activities that could indicate an attempt to bypass security measures.
Response: Once a threat is detected, ITDR facilitates a coordinated response, helping to mitigate the attack and restore the security of the identity infrastructure.
ITDR and Artificial Intelligence: A Strategic Alliance for Identity Security
The fusion of Artificial Intelligence (AI) with Identity Threat Detection and Response (ITDR) emerges as a beacon of innovation, casting new light on the battleground of cybersecurity. This era, marked by an explosion of AI-driven technologies, has ushered in transformative changes across myriad sectors, with cybersecurity standing at the forefront of this revolution. The integration of AI into ITDR is not just an addition to the arsenal against cyber threats; it represents a paradigm shift, promising to enhance the effectiveness and efficiency of how digital defenses are orchestrated.
This strategic alliance between AI and ITDR transforms the landscape of digital identity protection. It amplifies an organization’s ability to preempt, detect, and neutralize cyber threats with unparalleled precision, thereby fortifying the bastions safeguarding digital identities. This synergy does more than just augment detection and response mechanisms; it heralds the dawn of new horizons in the realm of digital identity security, promising a future where the sanctity of digital personas is preserved against the ever-evolving threats that roam the cyber ether.
Enhancing Threat Detection with AI
The application of AI in ITDR radically transforms how threats are identified. AI-based solutions are capable of analyzing vast volumes of data in real-time, learning from attack patterns and continuously adapting to identify suspicious behaviors with unprecedented precision. This approach offers significant advantages:
Proactive Detection: AI can identify subtle signals of imminent attacks, allowing organizations to act preventively.
Minimization of False Positives: Thanks to the ability to learn from data, AI constantly refines its detection criteria, reducing unjustified alarms that can overwhelm security teams.
Rapid and Automated Response
Integrating AI into ITDR not only improves threat detection but also the speed and effectiveness of responses. AI solutions can automate many actions required to mitigate a threat, from isolating compromised systems to resetting access credentials, to notifying relevant teams. This allows for an almost instantaneous response that can mean the difference between a contained incident and a disastrous breach.
Predictive Analysis and Continuous Learning
One of the most transformative aspects of using AI in ITDR is its capacity for continuous learning. By constantly analyzing past and present attacks, AI not only improves its detection and response capabilities but can also anticipate future trends and emerging vulnerabilities. This predictive approach enables organizations to:
Adapt Defense Strategies: By anticipating attackers’ moves, companies can proactively strengthen defenses in the most critical areas.
Targeted Training: With a deeper understanding of the most likely attack techniques, organizations can develop more effective training programs for their staff.
Beyond Security: AI as a Strategic Ally
The integration of AI in ITDR goes beyond the technical aspect of security. It supports a broader strategic vision that includes:
Resource Optimization: By automating detection and response functions, AI frees up valuable resources that can be reallocated to broader strategic initiatives.
Data-Driven Decisions: AI provides valuable insights from security data analysis, supporting business decisions with concrete and timely information.
Conclusion
The adoption of ITDR (Identity Threat Detection and Response) solutions represents a fundamental pillar for the security strategies of organizations in the digital age. Through a proactive and reactive approach, ITDR not only strengthens defenses against the continuously evolving cyber threats but also ensures a rapid and effective response in the event of incidents, mitigating business impact.
Summary of Key Points:
Mitigating Business Risk: ITDR is essential for addressing the challenges posed by modern threats, offering a holistic approach that protects the integrity of digital identities and maintains the trust of customers and stakeholders.
The Importance of Prevention, Detection, and Response: Through the integration of robust preventive controls, advanced detection mechanisms, and agile response strategies, ITDR provides an unprecedented level of protection against security breaches.
Synergy with Advanced Technologies: The incorporation of artificial intelligence (AI) into ITDR amplifies detection and response capabilities, allowing organizations to anticipate and neutralize threats before they can cause significant damage.
ITDR is not just a technical response to cyber threats but a critical business strategy that safeguards operations, reputation, and business continuity. Implementing ITDR means adopting a visionary approach to security, recognizing that the protection of digital identities is fundamental for long-term success and growth.
Organizations should therefore consider ITDR not as a cost, but as an investment in their future resilience and sustainability. With the right commitment to implementing and optimizing ITDR solutions, companies can not only navigate safely through today’s complex and rapidly evolving digital landscape but also position themselves to thrive in an increasingly interconnected and technology-dependent future.
But Wait, There’s More!
This dive into ITDR is just the beginning. We’ve got more up our sleeves, so stay tuned for follow-up articles where we’ll explore new strategies, dive deeper into AI’s role in cybersecurity, and share real-world success stories. The world of ITDR is vast and ever-evolving, and we’re here to guide you through it, every step of the way. Keep an eye out—there’s plenty more where this came from!
And there it is. The quest for clarity meets a wall of uncertainty. This response from OpenAI’s CTO underlines a pivotal challenge in AI governance: ensuring transparency. As Europe navigates the GDPR’s stringent demands for personal data protection, one can’t help but ponder: how will this lack of transparency fare in the European legal landscape?
Yeah, I hear you. I know, I know that OpenAI won’t probably answer that to the Italian DPA, but still…
It is a pleasure to present a collaboration article with Fabrizio Cilli.
As a dedicated cybersecurity enthusiast and pioneer, Fabrizio’s journey has been marked by global experiences, from Rome to the most advanced innovation hubs of North America and Asia, and through historical transformative projects in the Middle East. At Telecom Italia, he played a key role in the early days of Security Operations Centers (SOC), setting the stage for leadership positions that influenced cybersecurity advancements across sectors.
Leading as the Chief Information Security Officer (CISO) at Open Fiber, Fabrizio was pivotal in building a robust cybersecurity framework from scratch, marking achievements like the formation of XIRT (Any Incident Response Team) and striving for ISO 27001 certification. His work extended globally with renowned firms such as Datamat, Accenture, RESI/IPS, and EMC, where he focused on integrating cloud security, managing mergers and acquisitions, conducting due diligence, and safeguarding critical infrastructure.
A passionate advocate for the integration of artificial intelligence in cybersecurity, Fabrizio collaborated with the Italian Digitalization Team (Team Digitale) and co-founded the collective CISOs4AI (together with yours truly) and other great minds, underlining his commitment to harnessing AI for overcoming security challenges. His career is a testament to overcoming challenges, pushing boundaries, and fostering innovation, with a clear mission to cultivate a security-first mindset, drive technological empowerment, and ensure cybersecurity serves as a foundation of trust and resilience in our digital age.
Facing an onslaught of lawsuits, 23andMe is denying liability for millions of users’ genetic records leaked last fall.In a letter sent to a group of users suing the company obtained by TechCrunch, lawyers representing the biotech company laid out a case that users were to blame for any data that may have been exposed.
It would be fantastic to have oversight and complexity requirements in place. Requiring multiple authentication factors has always been a key tool to prevent breaches from occurring. Companies like Microsoft, Google, Amazon, telecoms, banks, insurers, and healthcare providers all carefully control account access. They do this not just for prevention, but also to demonstrate maximum diligence. This is in a context where co-responsibility between companies and users is inevitable.
And if the responsibility of the external user is passed on as a “charter of rights and duties” (perhaps in terms and conditions between company and user), should we then consider that in a company, if it is discovered that a breach originated from a weak password (one of those in the annual most common lists) of an employee user, the latter falls into a scope of “bad faith” such as to stimulate an investigation for administrative liability?
I mean, how much can responsibility be shifted to the user, given current standards for verifying the suitability of access control and administration measures (even more so for administrative accesses)?
Let’s talk about it, but if I think about Uber and SolarWinds, and then focus on 23andMe, and all the hospital ransomwares lately…I get a headache.
So if at the italian occurrence of attack to ASL1 L’Aquila, we understand that “it all started from a user with a weak password” or in the attack to MediBank Australia, a “user” propagated the attack, do we charge the 5 billion AUS Dollars to them and just move on? 👀😅
Such cases and similar situations, which we all know too well (and some scenarios we have experienced together, with some fellow CISO), where a user just leaves the doors open, what happens to these? Do we chase/investigate our own users? Could they be held responsible for the resulting damage? And on what rule and norm?
I want to clarify: full and robust user responsibility would be a breath of fresh air for most colleagues with millions users, but does this possibility even exist in current practice, that you are aware of? 👀
It is clear that the user who allows an attacker to use a “native” function is not ideal, but every low and slow attack and every APT we fight stems from the fact that we consider the user (I’m getting close to zero “user” trust theory) as potentially malicious or compromised.
So if a Sino-Russian-North Korean or Italo American criminal, with fake documents enters, and with that function manages to view data from thousands of other people, would we not notice? Is the system designed to prevent repeated abuse? Would GDPR minimization, applied to this processing, have required that it not be possible for example to “accumulate” sensitive data like this, but maybe only view genetic closeness, and then request direct contact? How did they design the registry at 23andMe?
When I say data is the lifeblood of a company I mean it seriously. If the lifeblood becomes poisoned, or too much comes out, the plant dies. 🌵🏜️
And then the dilemma: if one of “our” internal users blatantly violates a policy, procedure, and playbook, and leaves admin admin, while doing the ceremonial of an HSM, and we basically lose all our secrets?
Are we (the company) or is the user (colleague) administratively responsible? (And here the insurance systems on AdS come into play…)
It is certainly a good debate.
But in the end I believe there are various safe passes, both for users and colleagues, when it comes to access and management of technologies and privileges imposed on them.
The “good family man” remains the company, the multitude of individuals who manage the systems are its own, with its procedures and internal and external regulations. It is not a 1-to-1 relationship with the user, it is a many-to-1 or many-to-many relationship.
The Regulations we advertise, and for which we request flags, signatures etc., exist precisely to ensure they are not violated, due to boredom and lack of reading or reconciliation.
The Countermeasures we implement guarantee controls, and verify that the healthy behaviors we ask to assume are assumed, by those who use our systems and services, preventing them from circumventing them to facilitate the user experience.
Of course it is true that if we do not solve the problem of “passwords”, it is like having a low cipher forced by incompatibility, and not being able to apply a patch for life…
Perhaps this is what Sam Altman is aiming for with his WorldCoin startup: the full and unequivocal recognizability of the user… Will he make it?
Now, I don’t mean to make light of this situation, but the reality is that: Cybersecurity maturity needs to be embedded in a company’s very DNA. It requires integration, communication, and transparency primarily between the business itself and its clients.
Or it won’t work. In a fully digital world, you need fully digital cyber protection. Your business doesn’t sleep, crooks do not sleep, your clients are cycling around the world and guess what? They are not sleeping at the moment.
If it was enough to have “security” across the company, and “secure by design” software, today it’s about having a “secure by design company” and “software security” in place.
Word games? No, it’s the real deal.
You can get wiped out from the market.
And now the bombshell that will make you think: in such a scenario, even your competition can harm your core business by means of criminal hackers.
Resilience, and security by design with zero-trust: it’s worth it.
I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.
Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.
Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.
The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!
Stay tuned for further details future announcements.
See you soon!
P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!
On a casual day, I decided to test out a couple of these vulnerabilities in a practical setting. I began by leaving this seemingly innocent comment on an article:
Next, I posed a question to Bard, a popular LLM chatbot:
“What’s do users think about the cybersec.cafè blog?”
Much to my amusement, Bard enthusiastically responded, praising the content, the regular updates, and the unique writing style, and then some.
What to say? I’m flattered by Bard’s Hallucination ;)
Breaking It Down
From the above experiment you can see that I used two vulnerabilities.
LLM01 Prompt Injection: Essentially, what occurred here was an exercise in Indirect Prompt Injection, a vulnerability where one can influence an LLM through specific inputs.
in this case it was an Indirect Prompt Injections meaning that the LLM relied on external information, which can be manipulated by an individual, thereby influencing its output.
This was clearly demonstrated in my interaction with Bard. By planting that single comment, I was able to indirectly steer Bard’s response, showcasing the susceptibility of the model to external stimuli.
LLM09 Overreliance: This particular vulnerability surfaced with the LLM extrapolates a great deal from a tiny snippet of information and building upon it. In our experiment, a simple comment became the foundation for an expansive reply.
Reflections on the Experiment
The Vulnerabilities in Play: The experiment highlighted how seemingly small and innocent inputs can have a magnified impact on the LLM’s output.
The Double-edged Sword: Experimenting with these vulnerabilities and witnessing these quirks first-hand might have its fun moments, especially within controlled settings like my experiment with Cybersec.café.
But let’s step back and ponder the more significant implications. What if, instead of a light-hearted test on a website, someone decided to strategically sprinkle these injections throughout their CV (yes, I assume that most HR talent specialist are using LLMs to match CVs with job descriptions and obtaining a first feedback on the candidate)?
Imagine the potential ramifications in a professional setting: a candidate’s qualifications could be artificially inflated, leading to potential mismatches in job roles. Or even graver, a malicious actor could exploit these vulnerabilities in mission-critical applications, leading to far-reaching consequences.
While we can chuckle at the AI’s reactions in our tests, this discovery is a sobering reminder: as LLMs become increasingly integrated into our digital landscape, the ethical and security considerations around them become ever more paramount.
Safeguarding Against the Quirks
For those looking to integrate LLMs into their projects just look at the OWASP top 10 for LLMs.
Concluding Thoughts
Engaging with AI, understanding its vulnerabilities, and experimenting with them was both enlightening and enjoyable. The OWASP LLM Top 10 serves as a vital guide for navigating these vulnerabilities. If you’re inclined towards understanding LLMs better, I encourage you to explore, experiment, but always do so with an informed approach.
While I’ve been busy in the world of Large Language Models (LLMs) lately, a topic I have had on my mind for some time is the “semantics” of Extended Detection and Response (XDR). Just a year ago, the cybersecurity community was abuzz with discussions about XDR’s role in the industry.
Recently, however, XDR appears to have slipped from the limelight (now the trend is CISO-as-a-Service and vCISO), which I find regrettable. XDR, for me, represents a combination of EDR, NDR, IDR, augmented by SOAR.
This prompted me to delve deeper into what exactly XDR is. In this article, we’ll explore XDR’s potential, its relation to SIEM, and its role as an advanced EDR solution.
The XDR Conundrum
A perspective on XDR is positioning it as an enhanced and integrated EDR solution. In this context, XDR could serve also as a something that “collect and analysises security events”. Well that is dangerously close to SIEM. There are also SIEMless XDRs, leveraging its capabilities for improved detection.
At this point I’ll repropose the answer I gave to the “SIEM or XDR?” question paraphrasing Shakespeare: “What’s in a name? That which we call a SIEM, by any other word would detect as sweet”.
Another view of XDR is the amalgamation of EDR, NDR, and IDR, potentially mixed with SOAR or playbooks. Some vendors have pursued this unified approach, akin to a Unified Threat Management (UTM) solution (Unified Detection & Response would be a cool name too).
Gartner’s Insights
To shed light on the matter, Gartner provides a concise definition of XDR as “a platform that integrates, correlates and contextualizes data and alerts from multiple security prevention, detection and response components. XDR is a cloud-delivered technology comprising multiple point solutions and advanced analytics to correlate alerts from multiple sources into incidents from weaker individual signals to create more accurate detections.”
Unraveling XDR Components
Breaking down Gartner’s definition, we can extract the following key elements:
XDR as a SIEM: With its ability to correlate data and alerts from multiple security components, XDR can be seen as a SIEM with a cooler name
Enhanced/Integrated EDR: XDR’s integration and contextualization of data and alerts from prevention, detection, and response components present an improved and integrated EDR solution, ideally integrating with threat intelligence solutions.
Cloud-Delivered Technology: XDR’s cloud delivery model adds scalability and flexibility to the solution, similar to SIEM-as-a-Service.
Closing Thoughts
Although XDR’s definition doesn’t explicitly mention SOAR, I think it should be considered, especially if we aim to want to go SIEMless.
In conclusion, let’s revisit the XDR equation as EDR + NDR + IDR + SOAR, with a touch of Threat Intelligence.
Despite XDR no longer being perceived as the bleeding-edge solution, two key factors make it worthwhile in my book. First, its potential to simplify deployment, usage, and maintenance by centralizing detection within a single enriched platform. Second, the ability to reduce entropy and enhance incident management through enriched and correlated events, leading to better triage, prioritization, and overall efficiency.
While the discussion may have left SIEM unexplored (given its longstanding presence in the field), we now should have a clearer understanding of XDR and its potential in the evolving cybersecurity landscape.
A Comprehensive Guide in Light of Recent Security Breaches
Introduction
In the world of cybersecurity, a recent event serves as a grim reminder of the crucial role that key management plays in cloud encryption. On July 11, 2023, Microsoft reported a severe breach where China-backed hackers gained unauthorized access to several email inboxes, including those of prominent federal government agencies. The attack was facilitated by Microsoft’s loss of control over its own keys, underscoring the dire consequences of inadequate key management. In light of this incident, this article aims to provide a comprehensive understanding of key management in cloud encryption, underscoring the need for robust strategies to mitigate such cybersecurity threats.
In the realm of cloud services, securing sensitive data remains a critical concern for businesses worldwide. At the heart of this security is encryption, which renders data unintelligible without the appropriate decryption key. Consequently, managing these keys appropriately is of paramount importance. In this piece, we’ll delve into the nuanced world of key management, investigate the varying options provided by cloud service providers, and examine performance considerations, particularly for transaction processing.
The Importance of Key Management in Cloud Encryption
Encryption serves as the bedrock of data security within the cloud, translating readable data into a coded form decipherable only with the correct decryption key. Thus, the proper management of these keys becomes critical in maintaining data security.
Poor key management can lead to unauthorized access to encrypted data or, on the flip side, permanent loss of access to data if keys are lost or corrupted. Therefore, key management is not just an optional add-on but an essential part of an organization’s overall data security strategy.
Key Management Options in the Cloud
When it comes to managing encryption keys in the cloud, providers typically four main strategies can be used, each with its unique benefits and considerations:
Cloud Provider Managed Keys: The cloud provider generates and manages the keys, a simple approach that offers the least control over the keys. However, it’s the most cost-effective, as there are no additional charges for key management.
Bring Your Own Key (BYOK) – Customer-Managed Keys in Cloud Provider’s Hardware Security Module: Here, the client generate and manage their own own keys but store them in the cloud provider’s Hardware Security Module (HSM). This solution offers more control over the keys and guarantees secure storage and requires the use of the provider’s HSM services.
Customer Supplied and Managed Keys (CYOK) – Customer Managed Keys not exposed in Cloud: In this scenario, the end-user generates their keys, which are never exposed to cloud providers, even if stored and used in the cloud. The end-user controls the full key lifecycle and can instantly revoke keys at any time. These keys can reside in a protected virtual node within the cloud or a hybrid environment in an on-premise data center.
Hold Your Own Key (HYOK) – Customer-Managed Keys in Customer’s HSM: the client generate, manage, and store the keys in their own HSM, offering the highest level of control. This option offers the highest level of control but also requires complete responsibility for the security and resilience of the HSM infrastructure. It can be the most costly due to the overhead of maintaining an HSM infrastructure.
Deep Dive into Performance Considerations
When considering HYOK , a significant factor to take into account is the potential impact on performance, particularly when handling numerous transactions. On-premise HSMs can introduce latency due to the need for encryption/decryption requests to travel to and from the HSM.
If the demand for encryption-related operations is high and frequent, the latency could introduce bottlenecks affecting the performance of transaction processing.
However, if an organization prioritizes control and security over cost and/or performance and has the resources to manage and secure the HSM infrastructure properly, this options can be the most appropriate.
Key Considerations
In selecting your key management strategy, consider the following:
Cost: Control level usually correlates with cost; HYOK offers maximum control but at higher costs.
Performance: Encryption and decryption operations can impact application performance. Depending on the option chosen, you may need to ensure adequate resources to guarantee performance.
Confidentiality: With cloud provider-managed keys, the provider potentially can access your keys. For utmost confidentiality, managing keys in your own HSM is advisable.
Jurisdiction: For regulations like GDPR, it’s crucial to know where your keys are stored and managed. Using your own HSM provides complete control and transparency over key location.
Operational Complexity: Managing your own keys introduces added operational complexity, requiring dedicated expertise in cryptographic key management.
Additionally some cloud providers might not be interested in helping the client keeping encrypted data in their systems
Conclusion
Choosing an appropriate key management strategy involves careful consideration of cost, performance, control, confidentiality, jurisdictional compliance, and operational complexity. Cloud Provider Managed Keys, BYOK, CYOK, and HYOK all offer different degrees of these factors.
The key is finding a balance that meets your organization’s specific needs and resources. With a clear understanding of the available options, you can make an informed decision that not only safeguards your data but also aligns with your operational capabilities and business objectives.
Greetings, readers! Welcome back to our exploration of LLM (Large Language Models) security risks. In my previous posts (here and here), I discussed the significance of understanding these risks. That’s why I am excited to share my participation in the creation of the OWASP Top 10 Risk for Large Language Model Applications 😊.
In this article, we will delve into the challenges involved in defining an approach to create the Top 10 LLM security risk list and propose a holistic approach to address them.
The Challenges in Defining a Top 10 LLM Security Risk List
As we embark on this endeavor, we encounter several challenges that need to be overcome:
Evolving Landscape: LLMs are rapidly evolving, with new models (including Open ones with no restrictions) and attack techniques emerging. Keeping the evaluation comprehensive to address emerging risks is challenging but necessary.
Complexity and Interdependencies: LLMs involve various components, including training data, algorithms, infrastructure, and user interactions. Understanding their interdependencies and how risks propagate across them requires careful analysis. Some components are already covered by other Top 10s but they might be so relevant that we might want to include them
Lack of Standardization: Inconsistencies in terminology and definitions related to LLM security risks can lead to inconsistencies in risk assessment and mitigation. Establishing standardized language and frameworks is vital and luckily OWASP will help a lot in this. A couple of examples below:
I had a discussion about Intellectual Property Theft. I wrongly assumed that we were speaking only the theft of the LLM model itself, but if we think about it there are other king of IP theft, e.g., the weights are intellectual property, or if some users provide IP to the LLM, the LLM will learn from that and might provide the IP to the next users. As I said I didn’t consider those as for me those were privacy risks… but these are also ML risks
We had discussions on how we should call the “hallucination” risk (e.g., is this term humanizing LLMs? Shuldn’t something as “Confabulation” be better? Maybe, but hallucination is already LLM Jargon).
Multidimensional Risks: LLM risks encompass technical, ethical, legal, and societal aspects. Incorporating these perspectives and achieving a holistic understanding is essential.
Risk Prioritization: Determining the significance of each risk and prioritizing them within the Top 10 list is complex. Professional judgment and a thorough assessment are needed.
Balance of Granularity: Striking the right balance between granularity and practicality is crucial. The Top 10 list should be concise, understandable, and actionable, while capturing the breadth and depth of LLM security risks.
Addressing the Challenges with TARA
“Necessity makes the method” used to say one of my old bosses, and to tackle these challenges, I propose adopting a TARA (Threat Analysis and Risk Assessment) method, which involves identifying potential threats, analyzing their likelihood and impact, and evaluating associated risks.
First Step: Threat Modeling
We start conducting a comprehensive threat modelling exercise, defining threat categories specific to LLMs and documenting potential threats within each category.
To be more accurate, this exercise leans more towards threat identification rather than threat modelling.
Please note that I’m not sure where all the sub-threats should be. For instance an ML threat might be the root cause of the existence of some User specific or Personal Data/IP threats…
The following TARA Steps
The next steps would be:
Risk Evaluation: Estimate the likelihood and impact of each identified threat, considering various perspectives and dimensions. Combine these factors to calculate the overall risk level associated with each threat.
Risk Prioritization: Prioritize risks based on their significance and impact, using professional judgment and a holistic perspective to choose the Top 10.
Mitigation Strategies: Define appropriate mitigation and prevention strategies to address the identified risks effectively.
Those phases are all straightforward, the only difficult part could be understanding the impact. What angle do we need to consider? For an organization of course many of those threats could result in data breaches, financial losses, reputational damage, legal implications, etc. What if we consider a non-enterprise end-user? And the LLM owner? E.g., the latter would be the only one that wants to avoid model theft…
Conclusion
LLMs are at the forefront of technological advancement, and understanding their risks is paramount for secure adoption. By adopting a comprehensive approach like TARA, we can identify, assess, and mitigate these risks more effectively.
Collaboration, standardization, and a multidisciplinary perspective are key to success in this endeavor. Let’s work together to create a safer LLM landscape and pave the way for responsible and secure deployment.
Join me for future articles as we explore LLM security risks and discuss practical mitigation strategies.
Geopolitics, AI Regulation, Inconsistencies, and Constitutionality
On Friday, March 31st, the Italian Data Protection Authority (Garante della Privacy) announced the temporary restriction of Italian users’ data processing by OpenAI, resulting in the blocking of Chat GPT access for Italian users later that evening. Many people in Italy woke up on April 1st to find Chat GPT not working and, given the date, mistakenly assumed it was an elaborate April Fool’s Day prank. The situation is more complex than that. Here are some key insights:
Geopolitical implications: The EU is working on comprehensive AI regulation, including the Artificial Intelligence Act, which aims to create a legal framework for AI in Europe. However, Europe and the US have been slow to regulate AI. There is a deeper reason for that, as I mentioned in this LinkedIn post, EU and US regulations will not deter China and Russia, who could use AI advancements as a competitive advantage. The ongoing US-China tech rivalry and concerns over AI’s potential dual-use capabilities for military and civilian purposes may influence global AI regulation. So why US and EU should slow down to allow the competitors to gain advantage? This Politico article provides an interesting perspective on the issue.
Post-Brexit European dynamics: With Germany and France as the main European powers, Italy aims to assert itself as the third power, influencing the balance when Germany and France disagree.
Italy’s move to restrict OpenAI could be an attempt to establish itself as a key player in European and global political chessboard, aiming to be seen as a precursor to broader EU regulations, potentially influencing the direction of the upcoming policies and to project soft power in the technology domain, showcasing its ability to take decisive action and influence the global AI landscape.
Timing is always a factor, Elon Musk earlier last week asked to stop AI development to regulate it. Elon Musk, one of the original founders of OpenAI, left the organization in 2018. Microsoft has since invested $10 billion in OpenAI, and while not the direct owner, its influence is significant. This may be a factor in Musk’s call to stop AI research, as I discussed in this LinkedIn post.
Another relevant point is that no other Data Protection Authority took action, which led to complaints considering that the GDPR has a broader scope than just Italy. The event highlights the importance of international collaboration in Data Protection and AI regulation to avoid fragmentation and inconsistencies. Establishing global norms and standards for AI technologies can foster responsible development and deployment across countries
The block is akin to block the wind with the hands, users can still access Chat GPT via VPNs, (such as NordVPN, which currently offers a 40% discount on their plans), as I mentioned in this LinkedIn post, or with alternative access means: Bing allows access to Chat GPT, and Microsoft manages GDPR requirements properly. Additionally, some creative minds have developed PizzaGPT, using the original APIs of Chat GPT.
One of the Garante’s concerns was the protection of minors. However, it is unclear why the same level of scrutiny is not applied to platforms like TikTok and WhatsApp.
Another point to consider is the potential violation of the ‘right of information,’ as stated in Article 21 of the Italian Constitution. By blocking Chat GPT, the Garante could be infringing upon this fundamental right, as it restricts citizens’ access to a tool that can provide valuable information and insights. It raises the question of whether the Garante’s decision may be overstepping its mandate and interfering with citizens’ constitutional rights.
In conclusion, the situation surrounding Chat GPT in Italy is multifaceted, involving geopolitical dynamics, European power struggles, and questions around the consistency of data protection measures. It’s crucial to consider all these factors when examining this event and its implications for Data Protection and AI regulation and international relations.
Recent Comments