Cybersecurity Snapshot: RSA Conference Special Edition with All-You-Can-Eat AI and ChatGPT
Check out our roundup of what we found most interesting at RSA Conference 2023, where – to no one’s surprise – artificial intelligence captured the spotlight, as the cybersecurity industry grapples with a mixture of ChatGPT-induced fascination and worry. Oh generative AI, it hurts so good!
My, oh, my – so much talk about AI!
Artificial intelligence starred at RSA Conference 2023 this week, with keynotes, panels and hallway chats about AI’s threats and opportunities for cybersecurity reverberating throughout Moscone Center.
However, the massive conference, now in its 32nd year, also had space for other important cybersecurity topics, like zero trust, supply chain risks, cloud security and ransomware.
Heck, even Doc Brown went back to the future to make an appearance – at a quantum computing panel. Yet, it makes you wonder: What could this man – who transformed a DeLorean into a time machine in 1985 – do with ChatGPT today?
But we digress, Marty! Check out what caught our attention at the conference – and buckle up, because where we’re going, we don’t need roads!
(Susan Nunziata and Jirah Mickle contributed to this week's Cybersecurity Snapshot.)
(Credit: RSA Conference)
1 - AI here, there and everywhere
Although RSA Conference 2023’s official motto was “Stronger Together,” AI was the unofficial topic. If we took a drink every time someone said “AI” we’d have been hospitalized with acute alcohol poisoning before the end of the first day.
Rohit Ghai, RSA CEO, got things started by putting AI at the center of the opening keynote “The Looming Identity Crisis” on Monday. “AI will cause us humans to be totally confused about our role in this world,” Ghai said, minutes into his speech.
He discussed why AI will be key for securing identities, saying: “Without good AI, zero trust has zero chance. Bad AI will take us for a ride. And identity is a sitting duck.” And he also chatted onstage with an AI avatar he called “GoodGPT.”
Not long after Ghai’s talk came a keynote conversation between former Cybersecurity and Infrastructure Security Agency (CISA) Director Chris Krebs and U.S. Deputy Attorney General Lisa Monaco, during which she said that when it comes to AI, the Department of Justice (DOJ) is “very focused on what the adversary nation-states are doing to acquire, use and abuse disruptive technologies.”
To that end, the DOJ and Commerce Department jointly launched in February the Disruptive Technology Strike Force, whose goal, according to a statement, is to “target illicit actors, strengthen supply chains and protect critical technological assets from being acquired or used by nation-state adversaries.”
Bright and early on Tuesday morning, the panel session “Security As Part of Responsible AI: At Home or At Odds?” tackled a wide range of legal, ethical and governance issues, leaving security professionals with three key takeaways:
- Consider what you can do culturally on your team to cultivate a sense of responsibility when it comes to the development and use of generative AI
- Identify the key stakeholders within your organization who can help solve the legal and ethical problems and assemble a feedback loop within your organization
- Make time to understand the threat model these technologies represent and take an appropriate risk-management approach, assessing both near-term and long-term risks
AI was also discussed in the context of cyberthreats to the music industry; attacks against operational technology (OT) environments; phishing-detection evasion; generation of malicious content; and many other scenarios.
2 – How Tenable harnesses AI to streamline research activities
Can ChatGPT-like tools help cybersecurity researchers be more efficient and effective? Yes, according to some early, yet promising, experiments conducted by Tenable.
At the conference, Tenable Research released its new report “How Generative AI Is Changing Security Research,” where it explains how the team has developed several generative AI tools that use large language models (LLMs) for reducing cyber research complexity and boosting efficiency.
The report details how Tenable Research is experimenting with these tools to accelerate research capabilities in these areas:
- Reverse engineering
- Debugging code
- Improving web app security
- Increasing visibility into cloud-based tools
And if you have a conference pass that lets you watch sessions on demand, check out these presentations featuring Tenable speakers:
- “Ransomware: From the Boardroom to the Situation Room” -- Tenable CSO Robert Huber participated in this panel about how federal cyber officials might respond to a major cyberattack.
- “Exposure Management: The Rise of Proactive Cybersecurity Platforms” -- In this session, Tenable Chief Product Officer Nico Popp explained how exposure management delivers the foundation for tomorrow’s preventive security.
3 – Report: Cyber intel sharing remains a work in progress
We hear this constantly: The cybersecurity community would benefit from improved collaboration and information sharing. Easier said than done, right? What hampers communication and cooperation? How can more valuable data be shared faster?
That’s the focus of the report “A Foundation of Collaboration: Enhancing and Acting on Shared Cybersecurity Intelligence” that MeriTalk and RSA Conference released during Carahsoft’s Public Sector Day.
Two hundred cybersecurity decision makers – 100 from the federal government and 100 from the private sector – were surveyed, and their answers show that while there’s been progress, much work remains ahead.
Here are some positive findings:
- 90% of respondents say public-private partnerships boost cyber resilience
- A majority believe the volume and value of shared cyber intelligence has improved in the past year
- 47% say their organization proactively responded to a threat thanks to shared cyber intelligence
And some not-so-positive:
- Only 40% find current partnerships very effective
- 71% say their organization underutilizes relationships
- Biggest roadblocks to effective data sharing include a lack of training, trust, resources and sharing requirements
So what can be done? Recommendations include:
- Short term:
- Develop a detailed roadmap for your organization for gathering, analyzing and disseminating cyberthreat intelligence
- Reach out to smaller organizations and share details on cyber strategies and information sharing
- Mid term:
- Establish internal cyber intelligence teams from multiple departments within your organization and start to collaborate
- Reach out to external organizations, like information sharing and analysis centers (ISACs) and organizations (ISAOs)
- Long term:
- Adopt modern technologies that facilitate effective, real-time information sharing, such as tools for data protection, security analytics and security automation
- Stay a step ahead of attackers by reassessing your cyber goals annually, adopting the latest best practices and participating in public-private partnerships
The Public Sector Day also featured a panel discussion about how government agencies can pursue efforts to adopt zero trust. Moderated by Tenable CSO Robert Huber, the panel included several high-ranking federal cyber leaders from the Department of Defense, the White House and the National Institute of Standards and Technology (NIST). Topics discussed included:
- the 2024 deadline for agencies to embark on the path of a real zero-trust framework
- the efforts by NIST to develop a zero-trust practice guide
- upcoming tests around zero-trust infrastructure with cloud providers
4 – The “megatrends” driving cloud security
In his presentation “The Megatrends Driving Cloud Adoption – And Improving Security For All,” Phil Venables, CISO of Google Cloud, discussed how eight factors – including an increased competition among cloud providers and economies of scale – are serving to boost security.
He challenged the perception that cloud infrastructure is inherently more complex to set up and manage than on-premises infrastructure. Rather, he said, it’s the way on-premises infrastructure is typically handled — involving a siloed cast of specialists such as network engineers, storage engineers, systems engineers, systems architects and administrators, each with their own set of vendor products to manage and distinct area of responsibility — which makes it difficult for anyone in security to grasp the full complexity of the infrastructure.
“In cloud, you see it all at once,” he said.
For organizations looking to initiate or expand cloud deployments, Venables advised three basic steps:
- Take stock of your assets
- Initiate discussions about what a digital transformation should look like
- Think about what makes sense to move to the cloud
5 – Unpacking the U.S. National Cyber Strategy
When the White House released its National Cybersecurity Strategy in March, much attention was placed on its call to shift more cyberdefense responsibility onto system operators and technology providers. This was one of the issues discussed during the panel discussion “National Cyber Strategy as a Roadmap for a Secure Cyber Future,” moderated by DOJ CIO Melinda Rogers and featuring cyber leaders from the State Department, CISA, the FBI and the White House.
Melinda Rogers, DOJ CIO (Credit: DOJ)
The strategy, a 35-page document, outlines two major shifts, according to Robert Knake, who worked on developing the National Cyber Strategy and is acting principal deputy national cyber director of the Office of the National Cyber Director:
- Shifting responsibility away from the end-user companies (i.e., the business consumers of software and hardware) and onto the vendors. “We didn’t want victims to be left holding the bag,” he said.
- Moving from the 90-day sprints that have typically governed cybersecurity toward a long term outlook. While immediate needs will always require attention, Knake stressed the lack of a long view and noted: “We want to be planning now what cybersecurity should look like in 2033.”
Eric Goldstein, CISA executive assistant director, called on providers to be extremely clear about vulnerabilities impacting their networks, even if they don’t require customer actions, and to make sure all software arrives in customer environments with the right security controls already enabled by default.
FBI Assistant Director Bryan Vorndran noted that the FBI currently sees about 25% of the total number of cyber intrusions in the U.S., which means the agency has no visibility into three quarters of the threat picture.
Open source code packages and repositories and the overall security of the software supply chain are a major areas of concern. Knake noted that the strategy does not seek to hold the open source community liable but rather to shift responsibility to commercial software vendors for bad outcomes that result from poorly developed software.
“We’re never going to have perfect software,” Knake noted, but the goal is to define a standard of care for software vendors and provide “safe harbor” to vendors who demonstrate that they are adhering to those standards.
And the standards need to extend to academia. Vorndran noted that the Cybersafety Review Board report on Log4j, which was the impetus for the National Cybersecurity Strategy, found that there is no academic standard for secure coding in the American education system.
6 – Go forth and strategize
Security professionals looking to turn what they learned at RSA Conference 2023 into action were treated to a highly practical game plan during the session “Connecting the Dots: An Effective Cybersecurity Strategy.”
PayPal’s Head of Cybersecurity Strategy Dimitry Shvartsman and Head of Cybersecurity Architecture Dimitrios Tzimas acknowledged how the tactical day-to-day cybersecurity needs of an organization can overwhelm security leaders, making it difficult to devote time to long-term strategic planning. They broke down key steps and detailed the crucial stakeholders involved in shaping a security strategy. Their key takeaway? It all starts with understanding the business.
Questions to ask yourself:
- Am I aware of where the business is going?
- Am I aware at the right time?
The three drivers of a security strategy, according to Shvartsman, are:
- The security landscape
- The compliance and regulatory environment in which the organization operates
- The business goals and objectives
There are six stakeholder groups essential to developing an effective security strategy, according to Shvartsman:
- Security architecture
- Product management
- Security consulting
- Threat modeling
- Program management
Marketing may not be the first group most security professionals would think to engage but Schvartzman called out the importance of engaging marketing to:
- help explain to the rest of the organization what is being done and why;
- elaborate on the capabilities that are being developed as part of the cybersecurity strategy; and
- pull the business closer to the effort so they understand where they’re going
“If people understand why we’re doing things, acceptance in the business goes much better,” he said.
Tzimas stressed the importance of viewing your cybersecurity strategy not as a one-and-done exercise but as a constantly evolving “infinity loop” in which feedback, business changes, changes to the regulatory environment and changes to the threat landscape are constantly being assessed and incorporated.
Cybersecurity News You Can Use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.