CISOs Navigating the GenAI Tide: Actionable Insights from SANS Institute

The adoption of Generative AI (GenAI) is transforming industries, ushering in a new era of innovation and efficiency. However, this technological leap also brings unprecedented cybersecurity challenges. SAP, a global leader in enterprise software, has outlined its approach to GenAI cybersecurity, offering invaluable insights for Chief Information Security Officers (CISOs) and security professionals. Drawing from SAP's strategic document, SANS Institute presents the top five actionable cybersecurity considerations for navigating the GenAI landscape.

1. Adopt a Proactive Security Methodology

SAP's GenAI cybersecurity strategy, grounded in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), presents a proactive security methodology that is critical for addressing the challenges of GenAI technologies. This methodology encompasses governance, identification, protection, detection, response, and recovery, laying a comprehensive foundation for integrating GenAI into cybersecurity strategies effectively.

SAP highlights the importance of this approach with its commitment to "depth-in-defense principles extending our ability to identify, protect, detect, respond, and recover." This encapsulates the need for a multilayered defense strategy, acknowledging GenAI's unique vulnerabilities and ensuring mechanisms are in place to counteract potential threats.

Enhancing SAP's methodology with a focus on actionable steps, organizations should:

• Governance: Establish a governance model that not only oversees the development and deployment of GenAI policies and projects but also ensures compliance with ethical standards and legal requirements. This involves setting up a cross-functional governance board that includes stakeholders from security, legal, IT, and business units to oversee GenAI initiatives. It is critical that organizations quickly establish policies to address these issues.

• Identification: Develop a comprehensive asset management system that catalogs and classifies data, algorithms, models, and infrastructures involved in GenAI operations. This system should be capable of identifying critical assets and assessing their vulnerability to attacks, thus facilitating a risk-based approach to security. The policy should address asset changes within the organization and ensure transparency when using GenAI.

• Protection: In addition to traditional cybersecurity measures, protection in GenAI requires implementing AI-specific security practices. These might include securing AI data pipelines, protecting model integrity, and ensuring the confidentiality of AI training data through techniques like federated learning and differential privacy. Developers creating applications and systems should be trained and utilize resources like the OWASP Top10 LLM and the MITRE ATLAS.

• Detection: Leverage GenAI capabilities to enhance threat detection mechanisms. This could involve using AI-driven analytical tools to identify subtle anomalies in system behavior that might indicate a security breach, thus enabling faster and more accurate detection. Many toolsets involved in threat detection also incorporate AI capability, and we review our systems regularly.

• Response: Craft GenAI-informed incident response plans that include scenarios involving AI systems as both the target and the tool of cyber attacks. This includes developing procedures for isolating affected systems, conducting forensics on AI models, and restoring services securely.

• Recovery: Implement strategies for rapid recovery that leverage GenAI technologies to minimize downtime and data loss. This could involve using machine learning models to predict potential failure points and simulate loss and recovery simulations to ensure they are effective and efficient.

This enhanced methodology not only prepares organizations to tackle GenAI-related security challenges but also enables them to leverage GenAI advancements securely and efficiently. Adopting these steps fosters a robust, adaptable security posture that protects against evolving cyber threats while embracing GenAI innovation.

2. Understand and Address GenAI-Specific Risks

SAP's strategy delineates three critical risk categories for GenAI: adoption, vulnerability, and weaponization. These categories underscore the importance of a nuanced approach to GenAI's unique challenges and the complexity that comes with its adoption. As noted, "GenAI technologies are so immensely complex that understanding their operation is an active field of scientific research," which highlights the dynamic nature of these risks and the necessity for continuous learning and adaptation.

To navigate these risks effectively, organizations should:

• Adoption Risks: Prioritize awareness and training to mitigate human error and ensure responsible use of GenAI. Establish guidelines that delineate safe practices and create a culture of security mindfulness among users and developers.

• Not all GenAI systems and implementations are equal. Local AI models, cloud API AI solutions, AI databases, and services each have their own data security and privacy practices, policies, and licensing agreements. Study these carefully and understand the implications for data security.

• Vulnerability Risks: Implement rigorous security protocols for GenAI models, including regular vulnerability assessments and the adoption of secure coding practices. Stay informed about emerging threats specific to GenAI, such as prompt injection attacks or model exploitation.

• Weaponization Risks: Prepare for the potential misuse of GenAI by adversaries by incorporating threat intelligence into security strategies. This includes understanding how GenAI can be used in phishing attacks, voice and video cloning attacks, malware development, or to enhance the sophistication of cyber threats. Prioritize continuous learning amongst security teams as the threat landscape is evolving rapidly.

For each of these risk categories, a proactive stance—characterized by ongoing education, robust security practices, and an agile response strategy—is essential. By staying ahead of the curve and anticipating how GenAI can be exploited or pose new vulnerabilities, organizations can safeguard their digital assets while harnessing the full potential of this transformative technology.

3. Prioritize Data Security and Integrity

In the realm of GenAI, SAP emphasizes the paramount importance of data security, underpinned by rigorous data classification, labeling, and handling protocols. The inherent complexity of GenAI technologies demands more than traditional security measures, as noted, "Strong access control and monitoring are proven, effective defenses for traditional software. But in the case of GenAI, these approaches alone are insufficient," underscoring the necessity for advanced protections.

Key actions for bolstering data security in GenAI applications include:

• Enhanced Data Management: Develop comprehensive data governance frameworks that not only categorize and label data but also ensure its integrity throughout its lifecycle. This includes strict controls over data access, usage, and storage, especially for data involved in training GenAI models.

• Establish User Training: Acceptable GenAI usage needs to incorporate data classification and align with GenAI usage. Acceptable use policies, emerging global legislation, SOC, and ISO requirements need to be considered when putting any protected data into GenAI toolsets, and users need to be trained accordingly.

• Advanced Monitoring and Access Control: Implement next generation monitoring tools that leverage AI to detect anomalies in data access and usage, providing a proactive stance against unauthorized or malicious activities. Access controls should be dynamic, adapting to the evolving risk landscape specific to GenAI operations.

• Encryption and Anonymization: Use encryption techniques for data at rest and in transit and anonymize or tokenize sensitive data used in GenAI model training to prevent exposure of identifiable information.

By prioritizing these enhanced security measures, organizations can ensure the confidentiality, integrity, and availability of data central to GenAI technologies, mitigating risks and safeguarding against potential breaches. This approach not only protects sensitive information but also builds trust in GenAI applications by demonstrating a commitment to data security and privacy.

4. Brace for Emerging GenAI Threats

SAP's white paper sheds light on the novel vulnerabilities introduced by GenAI, such as prompt injection, glitch tokens, and AI hallucinations. These unique threats necessitate cutting-edge defensive strategies. Highlighting the potential for misuse, SAP cautions, "Adversaries can take advantage of this trust whether GenAI outputs insecure code, AI hallucinations, or simply bad advice," underlining the urgency for tailored security measures against these specific vulnerabilities.

To effectively counter these emerging threats, organizations should:

• Robust Validation Processes: Establish rigorous validation protocols for GenAI outputs, ensuring that the generated content, whether code or data, undergoes thorough security checks before deployment or utilization. This includes conducting reviews by subject-matter experts and robust software development life cycle tools.

• Continuous Security Training: Equip teams with the latest knowledge of GenAI threats through ongoing training and workshops. Understanding the landscape of potential vulnerabilities can empower developers and security professionals to address risks preemptively.

• Collaborative Threat Intelligence: Engage in threat intelligence sharing platforms to stay informed about the latest GenAI vulnerabilities and attack vectors. Collective knowledge can drive the development of more effective defense mechanisms.

By adopting these strategies, CISOs can prepare their organizations to confront and mitigate GenAI's unique challenges, ensuring that innovation remains a force for growth rather than a vulnerability to be exploited.

5. Leverage GenAI to Strengthen Cybersecurity Defenses:

SAP acknowledges the dual nature of GenAI as both a potential cybersecurity challenge and a significant ally in enhancing security measures. The integration of GenAI into security processes offers innovative avenues for automation, advanced threat detection, and overall enhancement of an organization’s cybersecurity posture. "By leveraging GenAI responsibly and appropriately,” SAP believes, “GenAI can enable new security automation capabilities, reduce risk, and help to improve the overall security posture of SAP and our customers," showcasing GenAI's transformative impact on cybersecurity.

To capitalize on GenAI's potential, it's crucial for organizations to:

• Embed Automated Security Processes: Consider GenAI-driven technologies to automate routine and complex security tasks, thereby increasing efficiency and allowing cybersecurity teams to concentrate on strategic security planning and incident response.

• Enhance Threat Detection: Use GenAI’s capacity to process and analyze vast datasets to identify subtle, emerging threats more swiftly and accurately than traditional methods allow. Evaluate and consider implementing AI-driven cyber-threat detection solutions.

• Refine Risk Management: Apply GenAI tools for dynamic risk assessment, offering real-time insights that enable organizations to swiftly adapt their security strategies in response to new threats. Evaluate the NIST AI Risk Management Framework and consider implementing applicable RMF measures.

• Cultivate a Culture of Continuous Learning: Establishing a culture that prioritizes ongoing training and education is essential. This ensures that security teams, developers, and all staff remain ahead of the curve in understanding and leveraging GenAI for security and in interpreting and responding effectively to GenAI-generated insights and alerts. Regular training sessions, workshops, and simulations can prepare the workforce to utilize GenAI tools and critically analyze their outputs, fostering a proactive stance towards cybersecurity.

• Encourage Collaborative Analysis and Interpretation: Promote an organizational culture that values transparent AI use and collective analysis of GenAI results, encouraging teams to question, interpret, and validate AI-generated data and decisions. This collaborative approach ensures a broad spectrum of expertise is applied to understanding the nuances of GenAI outputs, leading to more informed and effective decision-making.

Incorporating GenAI into cybersecurity strategies mitigates associated risks and leverages its vast capabilities to secure digital assets more effectively. By fostering a culture of continuous learning and collaborative analysis, organizations can stay ahead of cyber threats and maximize GenAI's benefits, transforming potential vulnerabilities into formidable cybersecurity strengths.

Moving Forward

SAP's GenAI cybersecurity strategy provides CISOs with a vital framework for managing the complexities of GenAI in cybersecurity, focusing on proactive security methodologies, understanding GenAI-specific risks, and utilizing GenAI to strengthen defenses. However, the cornerstone of this strategy's success is the emphasis on continuous training. As the GenAI landscape evolves, equipping teams with the knowledge to navigate and leverage these advancements becomes crucial. Training ensures that CISOs and their teams are not only prepared to tackle emerging threats but are also proficient in harnessing GenAI's potential to secure the digital future effectively.