AI Security Fireside Series: Trellix's Generative AI Transformation

00:00

[Music]

00:04

hi everyone uh today I'm honored to be

00:07

joined by Mark and Hol who is the uh CTO

00:10

of cloud and AI at trellix Martin

00:13

welcome thank you for having me uh so

00:16

Martin um you know uh we're we're here

00:18

to talk about uh here to talk about AI

00:21

talk about uh you know Ai and security

00:23

uh you're obviously a leader in the

00:24

space and this week you announced uh a

00:26

lot of really exciting things I want to

00:28

get started by just sort of like you

00:30

know um as a kind of like for a frame of

00:33

reference just to kind of like get your

00:35

take on how do you think about um

00:38

basically like Ai and AI risk like what

00:41

are the some of the um you know what

00:45

what are some of the the the risks that

00:47

you know the organizations are kind of

00:49

uh facing uh when when they're adopting

00:52

Ai and their applications yeah it's you

00:54

could write novels on the overall risk

00:56

in AI I think the way that I I initially

01:00

try to explain it uh is to look at it

01:03

like application security and most of

01:05

the OA top 10 uh for llms uh are really

01:09

about application security the

01:11

difference with AI is that it often uh

01:13

creates an opaque layer in between the

01:15

input in the output traditionally if you

01:18

look at something like SQL it's a

01:20

structured language and so you can

01:22

understand if it fits a format what you

01:24

find with generative AI is that the the

01:26

prompts themselves don't fit a

01:28

particular format so suddenly a lot of

01:30

the controls that we had in place are no

01:32

longer relevant and it's very difficult

01:34

to figure out what is coming in and what

01:36

is going out which means that it's hard

01:38

to put policy in place yeah um that that

01:41

makes a lot of sense and that that's

01:43

that's exactly what you know what we're

01:44

seeing it's it's harder to for policy

01:47

and um and I feel like you know what

01:49

we're seeing is also there kind of like

01:50

a lot of right like kind of

01:52

vulnerabilities right like Associated

01:54

like uh you know with AI and those uh

01:57

we're kind of seeing um you know now

02:00

kind of coupled with the fact that you

02:02

know with generative AI uh AI is a is uh

02:06

you know we're also getting instructions

02:07

to the machine right then then that kind

02:09

of uh you know the the risks kind of exp

02:12

exponentiate and you know and then you

02:14

know it's harder to put these controls

02:15

in place so um speaking a little bit

02:19

more on the kind of on the on the

02:21

benefits now of of AI though um I I know

02:25

that you know you guys have been uh

02:28

doing really forward things

02:30

uh things with AI uh and you you know

02:33

your organization specifically so I'm

02:35

just curious to hear a little bit more

02:36

about how do you feel like AI has been

02:39

transforming uh what you do and uh your

02:42

organization yeah fundamentally it's

02:44

allowing machines to do the machine

02:45

stuff and humans to do the human stuff

02:47

is the way that I think about it so uh

02:49

specifically at trellix with h we just

02:51

launched something called TRX wise and

02:53

one of the key components to that is the

02:54

ability to have ai read the Machine

02:57

level information and make decisions

02:59

based on what it's been given and we've

03:01

never been able to do this before really

03:03

it's just in the last year where

03:04

generative AI matured enough to

03:07

conceptually understands uh what

03:09

security is so it'll understand things

03:11

like what a password spray attack is so

03:13

if you give it information and say is

03:15

there anything wrong with this it'll say

03:17

yeah that was a password spray attack so

03:19

we've never had this before and suddenly

03:21

all the Investments that you know we've

03:23

been making over the years to collect

03:25

data to process that data to even do um

03:27

anomaly detection on that data is now

03:30

much better because the output from that

03:32

anomaly detection can now be triaged by

03:34

the generative AI itself which has a

03:36

fundamental concept of security things

03:38

like password spray attacks so what this

03:41

does is automates a ton of the things

03:43

that humans used to have to do and it

03:44

can say a human needs to look at this or

03:47

even as you learn to trust it and see

03:49

the output you can say nope I I agree

03:52

with this every time I want you to go

03:53

and take this action and move on and the

03:56

key thing is that lets humans do the

03:57

human level stuff so for our customer

04:00

that means that their security areas may

04:01

be able to talk to key business units

04:03

and say what is the worst thing that

04:05

could happen in your business unit build

04:06

threat models around that find out what

04:08

other Telemetry they might need and then

04:10

put that into the system so that AI can

04:11

continue to work on that that yeah um so

04:16

yeah I mean like those I I really like I

04:18

really like kind of like the the sort of

04:20

framing like kind of the machines do

04:21

what what machines do best less humans

04:23

like do it and it feels like uh with

04:25

something like that it really like Auto

04:27

kind of can can really kind of automate

04:30

a lot and uh and uh and basically um

04:34

sounds like it can really Empower

04:35

security teams right like having it like

04:37

this this is right sounds amazing um so

04:41

I guess kind of um I'm I'm curious then

04:44

you guys like develop uh you know like

04:47

models yourselves right and uh and you

04:50

know and and you're using kind of like

04:52

um you know Best in Class like if for

04:56

for this kind of development I'm curious

04:58

um how do you think about open source

05:00

versus uh uh you know versus kind of

05:04

like off-the-shelf models like do you

05:06

feel like there's is there kind of like

05:08

a world where it's like feel like it's

05:10

it's mainly open source or only open

05:11

source you feel like it's like it's uh

05:14

you know kind of like these offthe shelf

05:15

models like how how do you guys think

05:16

about it yeah to me it's especially

05:18

interesting because we test all these

05:19

different models to for our use cases to

05:21

see which ones work the best and I

05:24

talked about uh having AI make security

05:26

decisions and what has been most

05:28

interesting is that the open source

05:29

models tend to be smaller and we get

05:32

essentially the same decisions out of

05:34

smaller models but they're much less

05:36

descriptive in why they made that

05:37

decision so if they have fewer

05:39

parameters they'll have fewer tools to

05:41

explain the decision that they made and

05:44

we're taking a lot of data giving it uh

05:47

good grounding so it makes good

05:48

decisions and that's why we're able to

05:50

use most models to make these decisions

05:52

but from a customer perspective they

05:54

need to understand why the AI made its

05:57

decision and so for that we're finding

05:59

that the the closed Source models are

06:01

larger and we'll have better

06:04

descriptions for why they gave that that

06:06

information but at the same time the

06:08

smaller models can be run in very

06:09

different places uh for very different

06:11

uh costs and they can make the same

06:13

decisions so I think it's going to be

06:14

very interesting over the you know next

06:16

year or so to see the uh the decision

06:20

making that occurs at a corporate level

06:22

decide do we want to go this route or we

06:24

want to go this route or which

06:25

situations call for which model on the

06:27

threat actor side since we're in

06:28

security I think it's a very interesting

06:31

uh discussion around open versus closed

06:33

and I think for me it it's an

06:36

interesting discussion but it's largely

06:38

academic because if there's even one

06:40

decent open- Source model that means

06:42

that you know threat actors can use that

06:44

and so for me it's kind of a binary

06:46

question uh are there controls in place

06:48

that would prevent a threat actor for

06:50

using this for for evil purposes and the

06:52

answer is no thread actors are using

06:54

this today all the time and that that

06:56

ship has sailed that's a done deal and

06:59

in interestingly we've also found that

07:01

even for the close Source models it's

07:02

not particularly difficult to get around

07:05

the policies that they have in place so

07:07

threat actors can use the close Source

07:08

models just like the open source models

07:10

so I think from the the debate about

07:13

what should be published like that um

07:15

and what attackers can use I think that

07:17

that's probably a moot point right now I

07:20

think the larger question around open

07:22

versus close is probably more around

07:23

copyrights and the The Source data

07:25

that's used I know there's a number of

07:26

lawsuits right now pending on that I

07:28

think that is probably going to be the

07:30

larger discussion long term uh versus is

07:33

it dangerous or not to have these models

07:35

open or closed I agree so um yeah I I

07:38

really like kind of how you're saying

07:39

that you know that it's an academic

07:41

discussion because like you know the uh

07:44

you know the Bad actors already have

07:46

access to uh you know the you know

07:48

basically state-of-the-art models and

07:50

they can use them we could just you know

07:51

we're better off like kind of assuming

07:52

that that is the case right and now kind

07:54

of like building right protection you

07:56

know given that um you know we're you

07:59

know we're in kind of like a similar

08:00

boat where you know we're constantly

08:02

kind of in debate about like okay um you

08:05

know there new new attack technique new

08:07

new new new method right new algorithmic

08:09

approach for like you know attacking you

08:11

know models like do we do we let the

08:13

world know do we you know like uh we

08:15

publish it or not and and I feel like

08:17

we're you know a lot of times we're kind

08:19

of uh we we feel the same right it's uh

08:23

you know we we need to assume that like

08:25

uh the threat actors like have access to

08:27

these kinds of uh you know techniques

08:29

and we're about you know better off and

08:31

uh you know making them you know being

08:33

open about it so the larger Community

08:35

can you know can use it and enjoy and

08:37

kind of learn how to how to defend

08:39

itself you know from you know from that

08:42

um so with that right and and given that

08:45

you guys are kind of um well aware of

08:49

like kind of threat actors like in the

08:50

space how does your team think about AI

08:53

security you know so obviously you guys

08:56

are using you know uh you know you guys

08:59

you're using cfdr models you're doing

09:01

fine tuning uh you know model Integrity

09:03

is important for you you know there's

09:05

there's a lot of like you're accessing a

09:07

lot of data so how do you you know how

09:10

do you think about AI security so at a

09:12

high level I think of it similar to how

09:14

I think about Cloud security and that

09:16

one of the most important firewalls you

09:18

have in Cloud security is an account ID

09:20

as then what's running in one account

09:21

should be partitioned from what's

09:23

running in another account and there you

09:24

know organizations have many accounts

09:26

for one for each project Etc uh

09:28

depending on your cloud provider what

09:30

what you means account and I think some

09:32

of that partitioning can apply in the AI

09:35

space as well and what I mean by that is

09:37

when you're saying I'm going to execute

09:39

this prompt there needs to be full

09:41

understanding of what that llm has

09:43

access to through apis at that time and

09:45

whether or not it's authorized so some

09:47

of that is simple arback but as I

09:49

mentioned earlier what I find is that

09:51

the the implementation of the llm often

09:54

confuses architecture teams and

09:56

development teams and suddenly they

09:58

forget their application security 101

10:00

and they they forget that you need to

10:02

have this authenticated uh control that

10:04

you can't trust the input that's coming

10:05

in um recently one of the the major

10:08

office providers has had a very serious

10:10

vulnerability where anything that would

10:12

come in over an email if you ask a

10:14

question of that email it would consider

10:16

the content of the email to be part of

10:18

the prompt so it was completely

10:20

untrusted input and that meant you got

10:23

completely untrusted output so this is a

10:25

serious vulnerability so kind like

10:27

prompt

10:28

injection prompt injection is what it

10:30

ends up as and that is one of the worst

10:34

things that can possibly happen so this

10:36

is a big deal people need to understand

10:38

that um as these kinds of uses of AI

10:42

come out different organizations have

10:44

different levels of maturity and

10:45

understanding how they can Implement

10:47

these things and if they uh mix their

10:49

controls they can cause serious

10:51

vulnerabilities amazing yeah could could

10:54

not agree more um yeah I I wasn't aware

10:58

of that uh that that case I think that's

11:00

a that's a really interesting one but

11:02

huge

11:03

vulnerability um so I guess kind of U

11:07

maybe just to just to conclude um you

11:10

know uh I'm sure there you know there

11:12

are a lot of there are a lot of people

11:13

watching I think that there there are a

11:15

lot of people who are um you know sort

11:17

of thinking about uh you know securing

11:19

AI in their own organization uh and you

11:22

know trying to like as on the one hand

11:24

they're kind of like racing to you know

11:27

uh you know to kind of like a Ai and and

11:30

kind of like you know um and transform

11:33

you know the the organization like into

11:35

like kind of an AI first organization

11:37

but at the same time right um they're

11:40

they're aware of the you know all the

11:42

you know the potential vulnerabilities

11:44

uh the various like security

11:46

issues

11:48

um what would you recommend to uh in you

11:53

know someone who's like leading an

11:54

organization someone who's maybe

11:55

responsible for the security of the

11:57

organization who's now looking to to

12:00

like uh incorporate you know adopt AI so

12:03

the at the very beginning you have to at

12:04

least itemize what AI is being used so

12:06

one of the worst things that can happen

12:08

is different places using uh different

12:11

AIS in different ways and not talking to

12:14

each other and not finding out best

12:15

practices and things that you need to do

12:16

for security for it so if you're a CIO

12:19

or a ciso one of the top things you need

12:21

to do is not restrict the usage of it

12:23

but at least document the usage of it if

12:25

you try to restrict it you'll get Shadow

12:27

it people will work around it because

12:29

they're trying to be productive so you

12:30

want to enable that productivity but you

12:33

need to also understand where all these

12:34

things are what projects are using it

12:36

and then Implement best practices so at

12:39

trellix we have an AI Center of

12:40

Excellence that we use to provide those

12:42

best practices that makes a lot of sense

12:45

um yeah I think uh and we're we're

12:48

seeing that uh we're seeing that as well

12:49

I feel like kind of policy first right

12:52

itemizing kind of what you know what AI

12:54

uh is used for and kind of like the

12:55

access that it has uh and then you know

12:58

following policy then uh that's that's

13:00

the only way where you can like actually

13:01

figure out like what is the right like

13:03

implementation of security practices

13:05

right for uh so yeah I think that's

13:08

that's very good advice well Martin

13:10

thank you so much for you know uh for

13:11

taking the time to to chat um really

13:14

appreciate it and uh yeah very very you

13:16

know excited and looking forward to

13:18

seeing like what you guys continue on

13:19

doing at Relic it's really you know

13:21

mind-blowing thank you it's been great

13:22

thanks for having me thank you