 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
PARIS — At KubeCon + CloudNativeCon Europe in mid-March, generative AI was everywhere — in the keynotes, in the sessions, in the fevered lunch break conversations about inference and GPUs. But one place it shouldn’t dominate, according to Ev Kontsevoy, CEO and co-founder of Teleport, is in discussion of how to secure applications and infrastructure against AI-generated attacks.
He’s heard a lot of such chatter, however.
“Maybe it’s just because it sounds exciting,” Kontsevoy told The New Stack at KubeCon. “It definitely sounds like a movie plot: They expect the cybersecurity industry to also employ AI to fight AI.”
AI can certainly help analyze activity and spot anomalies within an organization’s systems, he acknowledged. But the problem is, humans are still in charge, and humans are notably careless, however unintentionally, with secrets. They share passwords. They leave their laptops on the subway. The security goal in the age of AI innovation, he believes, is to get rid of those secrets.
“Social engineering will never go away. Attackers will always find a way to trick you into giving them your credentials,” he said. “We are unreliable, moist robots.”
The AI revolution is going to make cybersecurity threats more common and the need to secure all the things more urgent. Part of the challenge, Kontsevoy noted, is how easy and cheap it will become to launch a scam.
For instance, he walked TNS through an example. Say a company is making a change to its payroll system. It sends an email, or holds an all-hands meeting, perhaps on Zoom, to announce it.
Then, “you get a phone call. And your boss on the phone says, ‘Hey, by the way … do you mind giving me your password for something?’ You’re gonna instantly trust that phone call. Because first of all, you just walked out of the meeting.”
The caller is not your boss; it’s a deep fake, derived from a sample of their voice. The hacker who scams you out of your password found out about the all-hands meeting by monitoring social media. Before current AI tools, setting up that fake phone request “is all human labor. It’s expensive, right?” Kontsevoy said.
By contrast, “generative AI brings the cost of this attack to almost zero. This means that a teenager out of the Chicago suburbs will be launching these attacks — hundreds a day. That’s why you have to make an infrastructure resilient to bad behavior and get rid of all the secrets, because the frequency of these sophisticated identity attacks due to general AI is going to be tenfold, or maybe a hundred.”
Attackers most often get ahold of credentials — unused, carelessly stored, or shared too freely — to do their dirty work.
Developers and engineers make it all too easy, according to a 2023 report by Unit 42, the security research arm of Palo Alto Networks:
A 2022 report from Unit 42 also pointed to some unforced errors in the way organizations handle security:
Another issue, Kontsevoy said, is the growing fragmentation of identities in data centers. “We have so many technologies now we’re running in these data centers, because of ever-increasing complexity,” he said.
“Every single layer in the technology stack manages its own security; it’s an island. So you have Linux servers, then you have numerous databases. And then you have cloud APIs, like AWS, you have Kubernetes deployed in there — and all of them have their own doors.”
“Which means that companies need to have competent teams to configure every single layer,” he added. “Every single layer has its own authentication, its own authorization, its own encryption, its own audit.”
The more technologies you accumulate, the greater your exposure to attack. The more your organization scales, the more “doors” and the more opportunities for secrets to fall into the wrong hands.
It’s nearly impossible to keep track of so many “doors.” As a result, Kontsevoy said, “The probability of human mistake goes up.”
To sum up, he said, “It’s not really a technology problem. It’s almost like a human behavior problem. So the solution is to consolidate identity for everyone and everything.”
Several security vendors automate monitoring and other functions; at KubeCon, Teleport announced enhanced features designed to help keep Kubernetes-run container infrastructure safe.
Now, Kontsevoy said, “if you put Teleport into your infrastructure, it will proactively scan and find all these technology layers. And it will consolidate identities across all of them, including Kubernetes.”
The new capabilities also help users define access control more granularly at the pod and resource level. Identify and fix weak access patterns, and replace static credentials with time-limited certificates backed by multifactor authentication.
Going forward, to keep applications, infrastructure and data truly safe, Kontsevoy said, organizations need to stop their reliance on secrets for identity authentication and instead adopt three-point criteria: a user’s specific device, a biometric marker (like a fingerprint) and a personal identification number (PIN) code.
Think of the iPhone: certain activities, like downloading an app, require facial recognition, and recognition of the device and typing in your Apple ID code.
“You don’t need some magical technology,” he said. “It’s already available. It’s not just Teleport. You could implement hardware backed by metrics for everything you use already. Just go and make that investment. Because instead of thinking that ‘I am defending against AI,’ just change your thinking a little bit and say, ‘I am defending against bad human behavior.’”
Kontsevoy was featured in a 2023 edition of The New Stack Makers series on tech founders.
