Zero Trust in an era of Deep Fakes, AI Malware and Inflated Vendor Claims

Two of our most valued commodities, trust and certainty, are coming under assault in an unprecedented manner. While the AI revolution has led to widespread concerns about its impact on jobs, a far greater problem is starting to appear – the impact on who and what we can trust and whether we can be certain about anything at all. In this article, which was pre-promoted recently live on the BBC, Bill Mew, our EMEA Associate explores the implications.

In the era of ‘on premise’ tech you could assume that everyone on the network was within a safe ring-fenced environment. However, as we have moved to hybrid and distributed environments where staff work from home, systems reside in the cloud and access occurs over the internet, organizations have needed to move to a Zero Trust model where every connection, every user and every attempt to access data needs to be questioned and verified. 

Likewise when staff or visitors arrive at your offices, their ID can be checked before they are allowed entry. However, when you join your next video chat, how do you know whether the faces that you can see are the actual team members or clients that you think they are, or whether they are sophisticated AI-generated deep fakes.

And AI can also be trained to scan for vulnerabilities and write code for new malware variants. Not only is this an added challenge for virus scanners, but how do you know whether the software or patch that you are about to use is the real thing – even the certification could have been faked.

Moreover AI can be used to penetrate and manipulate other AI systems. If the results from a calculator or spreadsheet are manipulated, you can tell – 2+2=5 is easy to check and to spot. However as AI systems are essentially black boxes where the results are impossible to predict or check, you cannot tell if these systems have themselves been compromised or are currently being manipulated by potentially malicious actors.

To make things even worse, you cannot even be sure that the tools that you would use to counter security threats are themselves up to the job. Tech vendors making inflated claims about the functionality of their systems is nothing new, but in a world where there is very little that you can trust, you at least need to have confidence that the tools you are relying on for your protection are going to be effective. It’s really hard to know who to believe (although thankfully there’s a new Commvault eBook to help – see below).

Four questions that organizations need to ask themselves:

1. How alert are your users to the new kinds of threats that are targeted at them? AI is enabling threat actors to automate their attacks thus massively increasing not only the volume, but also the believability of everything from phishing attacks to deep fake videos. You are no longer simply combating crude or poorly spelled emails, but everything from eloquent text and graphics to sophisticated video where almost anyone can be realistically faked. Users unfortunately find most cyber training incredibly dull and all too often it all goes ‘in one ear and out the other’. For cyber hygiene training to be memorable and therefore effective it needs to be far more engaging and immersive – just like the threats themselves. At the same time automation is essential to sift through the vast volume of threat and prioritize those that actually matter most. Automation is also needed on a far wider basis for all aspects of data management, capturing, securing, analyzing, reporting, visualizing, and distributing both structured and unstructured data.
2. If you are going to use AI for business critical systems then how do you think you’ll be able to tell if or when it has been compromised? If even the leading experts in AI admit that they cannot always tell how answers are generated or predict what results will be, then how can you hope to tell if your system has been compromised or if it is being manipulated in some way. And it is not only cyber criminals that are the threat here, there is also a significant insider threat from rogue employees.
3. Are cyber insurance or ransomware warranties a substitute for data protection? Unfortunately cyber insurance and ransomware warranties can not only lead to complacency, but they can actually even be counterproductive. If cyber insurance premiums come out of your cybersecurity budget then this leaves less to actually spend on protection. In addition, regulators have also warned that insurers lack the ability to accurately price most cyber risk and ‘without an effective ability to measure risk, cyber insurance can therefore have the perverse effect of increasing cyber risk.’ Aware of the problem, insurers are either increasing premiums or including extensive policy exclusions or both. Some policies now have so many exclusions that they are almost worthless, with companies sometimes either getting only a fraction of their incident costs covered or none at all. Plus some vendors have introduced ransomware warranties that are even more of a worthless distraction. This is why regulators are adamant that cyber insurance and other such schemes are only ever supplementary to cybersecurity and incident response, and never a substitute for either of them.
4. How ready are you to respond in the event of a cyber incident? No matter how much you spend on cybersecurity, no organization is 100% secure. You therefore need to be prepared for the worst. Do you have immutable backups in place? Are these air-gapped from your operational systems to keep them secure? Do you have a plan for where you’re going to back up to, if your current environment is compromised? Do you have a cyber incident response plan? Do you test both this plan and your backups regularly? And when testing your incident response readiness do you use fully immersive simulations for just desktop exercises or powerpoint training? The World Economic Forum says that fully immersive fire drills are now essential.

Four questions that organizations need to ask their vendors:

1. Is your cloud data protected? Many companies assume that cloud providers are responsible for protection and backing up their cloud data. Few providers, even mainstream ones like Office 365, include this as standard and ‘90% of organizations could not recover 100% of data they backed up in a public cloud service’ according to ESG.
2. Will more bolt on backup tools make us more secure and protect all your workloads? You may think that ‘more is better’, but in reality complexity is the real enemy here. Few vendors have integrated backup tools that cover traditional workloads, as well as cloud-native ones, plus SaaS, Office 365 and Kubernetes. If you pull together different services to cover it all, will your staff have skills in managing all these tools and will some workloads fall between the cracks?
3. Is ‘Zero Trust’ enough? Employing a ‘zero trust’ framework is an important start, and almost all vendors now support it in some manner, but it would be foolish to assume that this is enough. Some vendors have reactive rather than proactive ransomware features that only kick in after the damage is done. You’re better off with fully integrated proactive threat deception technology that can actively track intruders and lead them away from valuable data. 
4. Is data security better than or equivalent to data protection? Threat detection and protection are essential, but full data protection is far more than this. Fire safety requires more than just fire doors. You need sprinkler systems and extinguishers too. Data protection isn’t just about data security or indeed just about backups, but it includes recovery, automation and so much more.

Confidence in your data protection systems is essential. If you are going to be in combat where you cannot be confident that those approaching you from all directions are either friend or foe, then at the very least you want to be able to rely on the fact that your gun won’t jam and that your body armor will provide some protection. Thankfully a new eBook from Commvault (see below) sets out in even greater detail how to spot some of the threats and inflated vendor claims.

It is a war out there and we are locked in an arms race, with malicious actors using AI to find vulnerabilities and exploit them, as fast as those responsible for our protection use similar AI tools in a race against time to find the same vulnerabilities and seek to patch them first. The winners will be the ones with the best AI, as long as they’re able to prevent their own AI from being compromised.

Trust me – it’s time to take these matters seriously. When the threats are automated and never sleep, when it is becoming almost impossible to tell what is fake and what is not, and when some vendors take as little as 5 min to detect threats while others can take 24 hours, it is time to be asking these important questions.

This is no fake – believe me!

Reference: Commvault eBook “All That Hype Around Data Protection? Question it.”