Securing Generative AI: Use Cases, Threats, Risks, And Skills

Summary

[...] enterprise interest, integration, and adoption. This report details the departments [...] to adopt generative AI, the primary use cases, threats, and what security and risk teams will need to defend against as this emerging technology goes mainstream.

Interest, Anxiety, And Confusion Dominate Discussions About Generative AI

The release of Stable Diffusion and ChatGPT went viral almost immediately, grabbing wide attention and speculation ... along with plenty of hijinks from security researchers. Security and risk (S&R) teams need to adapt to how their enterprise plans to use generative AI or they will find themselves unprepared to defend it (see Figure 1). Today's security leaders:

+ Worry about impact on their security team first. Yes, generative AI will change how security programs operate, but well before that happens it will change workflows for other enterprise functions. Unfortunately, many CISOs tune out news about new technologies, considering it a distraction. That reasonable — but entirely mistaken — reaction becomes tomorrow's emergency when the security program learns the marketing team plans to use a large language model (LLM) to produce marketing copy and expects it to do so securely. Worse yet, security leaders follow up with an even more devastating decision: implementing a draconian policy that bans LLM adoption, which only drives employees underground, costing the security team visibility into and understanding of how the tech is used and increasing risks.

+ Think in terms of code, not natural language. One of the interesting ways to subvert or make unauthorized use of generative AI is finding creative ways to structure questions or commands. While bypassing safety controls online is fun for hobbyists, those same bypasses could allow generative AI to leak sensitive data such as trade secrets, intellectual property, or protected data. Expect to add "prompt security engineering" skills to your team via hiring or [...]

+ Lack the right third-party risk management questions to ask generative AI vendors. Sure, advanced organizations with heavy research and development budgets will build their own AI systems — but most companies will buy generative AI solutions from a vendor or receive them bundled in an offering they already subscribe to. Every S&R pro knows the danger and complexities inherent in managing suppliers. This emerging technology creates new supply chain security and third-party risk management problems for security teams and introduces additional complexity given that the foundational models are so large that detailed auditing of them is impossible.

+ Need to deploy modern security practices for AI success. Many security technologies that will secure your firm's adoption of generative AI already exist within the cybersecurity domain. Two examples include API security and privacy-preserving technologies. These technologies are introducing new controls to secure generative AI. This will free your team to work with new vendors and technologies, and to acquire and train on new skills. While processes also serve as useful security controls, generative AI will uncover procedural gaps in domains involving data leakage, data lineage and observability, and privacy.

[Figure 1: Skills, Requirements, And Controls Necessary To Secure Generative AI. Items: prompt engineering, supply chain security, data lineage and observability, API security, third-party risk management, privacy-preserving technology.]

Departments, Use Cases, Threats, And Risks

Most organizations will buy — not build — generative AI. Many may not even buy generative AI directly, but will receive it via bundled integrations such as Microsoft's plans for Copilot, CrowdStrike's introduction of Charlotte AI, and Google Cloud's Security AI Workbench. This forcing function mandates that S&R leaders understand the relevant departments, use cases, threats, and risks based on their current vendors and bundling strategies. To achieve this, combine Generative AI Prompts Productivity, Imagination, And Innovation In The Enterprise with the framework from The CISO's Guide To Securing Emerging Technology and create a table that lists each item (see Figure 2). This will help provide context on the challenges the adoption of this emerging technology will introduce.

[Figure 2: Departments, Use Cases, Threats, And Risks. The table covers marketing, design, developers, data scientists, sales, and operations; only fragments survive extraction, including image generation tools that inspire designers, code security for developers, generated code that violates intellectual property, sales data, operations data used for decision-making, and data leakage. Source: Forrester Research, Inc. Unauthorized reproduction, citation, or distribution prohibited.]

Both Large-Scale And Smaller Fine-Tuned Language Models Pose Cybersecurity Risks

Security leaders need to focus time, attention, and budget on the large-scale foundational AI models being offered by OpenAI, Microsoft, Google, and others. However, as demonstrated by the leaked document sourced from Google entitled "We Have No Moat, And Neither Does OpenAI," many smaller models will emerge that need protection. It is much more likely that your corporate data will be used to train one of these functional models. Generally, finding out that security needs to protect more of something is not great news, but there is a silver lining: if your organization trains these smaller functional models using corporate data, it is less likely to use corporate data in one of the large-scale foundational AI models. Expect large-scale models to feature prominently in more generalized use cases while your data science and development teams use corporate data to train and fine-tune smaller models based on organization-specific use cases. Securing these niche models won't be easy, but it is much more manageable than securing the large-scale models, and vendors like HiddenLayer, CalypsoAI, and Robust Intelligence already exist to assist here.

Adoption Timelines, Supplier Questions, And Skill Sets

The sudden surge in generative AI in 2023 will become the de facto case study in how emerging technology adoption radically shifts and how hype can cause you to ignore something that brings disruptive change. To avoid scrambling for answers, use the following methodology to understand protections for generative AI implementation before it becomes your next urgent problem to solve.

S&R pros can predict when their organization will understand the relevance of an emerging technology. Generative AI's dependencies include: 1) massive amounts of data to train the models, 2) skilled practitioners to build the technology, and 3) substantial compute resources. OpenAI built the first two and leverages cloud for the third. Then it found these catalysts in a partnership with Microsoft that provides: 4) significant funding, 5) beta testing at scale, and 6) a path to enterprise customers. Together these elements created an inflection point (see Figure 3). For most organizations, the adoption timeline for generative AI went from "soon" to "yesterday" due to Microsoft and other vendors announcing plans to bundle these capabilities into widely adopted and deployed enterprise tools.

[Figure 3: Generative AI's Dependencies. Items recoverable from extraction: data, skilled practitioners, enterprise bundling and integrations, substantial compute power.]

Compile Generative AI Third-Party Risk Management Questions

Given that most organizations will find generative AI integrated into already deployed products and services, one immediate priority for security leaders is third-party risk management. When you buy a product or service that includes generative AI, you depend on your suppliers to secure the solution. Microsoft and Google are taking that responsibility as they bundle and integrate generative AI into services like Copilot and Workspace, but other providers will source AI solutions from their own supplier ecosystem. You will need to compile your set of supplier security and risk management questions based on the use cases outlined above (see Figure 4).

Figure 4: Third-Party Risk Management Questions For Suppliers Of Generative AI Solutions

Question: What safeguards prevent malicious or unauthorized use of the AI models?
Looking for: Appropriately documented controls for the most obvious misuse scenarios.

Question: What is in place for session [...]?
Looking for: Proper safeguards that prevent tools from behaving in unexpected and unintended ways.

Question: What monitoring, detection, alerting, and response capabilities protect against the risk of users making queries that are considered unsafe, unethical, or dangerous?
Looking for: Controls are necessary but not sufficient. Any solution must also have a process, from the provider and your own internal teams, to identify, investigate, respond to, and remediate any issues.

Question: What controls prevent data leakage and what monitoring exists for data leakage?
Looking for: How the provider protects sensitive corporate data from being shared with unauthorized users, and how you are notified in the event an employee attempts to share sensitive information.

Identify Your Skill Gaps And How To Solve Them

With adoption happening now, your security team needs to get up to speed quickly on generative AI. Security practitioners need training to understand prompt engineering and prompt injection attacks. Your third-party risk management program needs help developing frameworks and [...] (see Figure 5). Note that there is still at least one question mark for competencies because this area is developing so quickly.

[Figure 5: Skills Inventory. Columns: skill set, competency level, timeline (months). Rows recoverable from extraction include prompt engineering, intelligent agents, privacy-preserving technology, and API security (integration/implementation).]