You don't need AI Security. You need a checklist.

Updated: Nov 20, 2020

I love AI, I love the Sci-Fi of it, I love the real world expressions of it which we tend to call machine learning because nobody has actually achieved general purpose AI (unless you count GPT3 mostly being able to pass the Turing test which is freakin awesome by the way) But the fact of the matter is, most products that claim to be AI based don't really work, and if they do it's not the machine learning doing the heavy lifting.

So maybe there's a ML security tool out there and maybe it's awesome, but let me assure you. You don't need AI security. You need a checklist.

Here try this one:

[ ] Do you use an encrypted password manager? [ ] Do you use 2fa?

[ ] Do you rotate security credentials at least yearly? [ ] Did you review your security perimeter this quarter? [ ] Did you review your service accounts for the principle of least privilege? [ ] Do you have an effective intrusion detection system?

[ ] Do you have security policies? (including a patch policy)

[ ] Do you follow them? [ ] Do you offer security training?

[ ] Is it any good? [ ] Do you have any a sane secrets management system to keep secrets out of code?

And if you answered "yes" to all of the above, please, please please call me. I would be THRILLED to implement AI security for you.

Everybody else... start with the checklist. I suppose you can call me too, because it matters WHAT you put on your checklist and how you do it, but it's not rocket surgery guys. The common sense stuff goes a long way.

This all may sound super obvious, but it needs to be said.

I've worked with a dozen startups in the Bay Area. None of them could answer yes to all those questions (and to be clear, in my time at Google --a world leader in infosec, several of the above flipped from no to yes). Nobody who answers no to any of the above needs AI Security. Sure it'd be awesome, and I'd love to play with it, tune it, find awesome ways to

alert on subtle signals of compromise (I've started keeping a list of signals, hasn't everyone?), but I assure you you don't need AI.

If you don't believe me see some recent hacks: Remember the Twitter hack?

Provide adequate phishing training.

Create a collaborative culture where employees are empowered as infosec partners. Don't share the credentials to your admin tool in slack. If it happens delete the offending secret and rotate it. If you can't rotate passwords effectively, fix that too.

Remember the Capitol One hack? Don't use instance profiles with unrestricted admin credentials (this is pretty obvious in retrospect. The awesome thing about learning from other people's mistakes is that many things become obvious). Implement the principle of least privilege and then cycle through each identity every quarter and check for it.

Also, maybe try to alert on data exfiltration.

Here's actually a case where machine learning could have been useful. When that instance profile credential started doing stuff that was wildly out of character with previous activity an ML system could have sensed the departure from standard patterns and alerted a person.

Remember the Equifax hack?

Hire a CISO who understands that protecting the financial details of every US citizen is actually a big deal. Sorry that was unkind. How about some specifics: Make a patch plan and follow it (they did not) Deploy an intrusion detection system (hackers were in there for MONTHS) Create a forensic logging system (when asked what the hackers got, your answer can't be ¯\_(ツ)_/¯)

Alert on persistent inbound or outbound connections and large outbound transfers (come on guys data exfiltration is your biggest risk, at least have a plan on how to mitigate that risk.) and if you have an employee who fails as spectacularly as the CISO at Equifax, gently suggest that they might be better suited to work with lower stakes.

8 views0 comments

© 2020 by Ninja Ops.