Security and Privacy at Upgrade 2024: Part 2

The second half of the Security and Privacy track at Upgrade 2024 featured talks on “security by default,” the double-edged sword of GenAI, and the integration of attribute-based encryption (ABE) within a deployable security and privacy platform. The first of these three sessions was a presentation by ServiceNow Deputy Chief Security Officer Jeffrey DiMuro, who underscored the importance of implementing cybersecurity measures by default rather than by design.

Security measures are sometimes seen as drags on performance. But good brakes can actually help you go faster, said DiMuro, an executive at cloud computing software company and NTT DATA partner ServiceNow, alluding to an episode in the movie Ford v Ferrari. Extending the automotive analogy, DiMuro said that what appeared at first as optional design features – from seatbelts to safety glass to airbags and beyond – have now become standard, if not mandated, features. What about the manually enabled cybersecurity mechanisms that can protect users and organizations? Could they make a similar transition from design to default?

DiMuro said a number of features should be turned on by default, including multi-factor authentication/single sign-on (MFA/SSO), access controls, proactive email link testing, support for biometric authentication, and disabling of location tracking and cookies, among others. Failure to act has its costs, as cybercrime is slowing down the economy by more than $10 trillion annually. On the plus side, big tech has begun to implement some security-by-default features, and DiMuro also mentioned industry initiatives such as the Critical SaaS Special Interest Group (CSaaS SIG), which is part of the IT-ISAC member organization. ServiceNow co-founded CSaaS SIG with six other companies in 2022 to share vulnerability and threat information and raise the bar for SaaS security. “GenAI is accelerating the pace of change,” DiMuro said. “Now is a great time to apply those brakes, pause a little, and understand how we use security in a default manner so that we can accelerate and … adopt products and services like GenAI more readily.”

NTT Corp Chief Cybersecurity Strategist Mihoko Matsubara next pointed to the dual nature of GenAI. On the one hand, it makes matters worse by enabling cyber attackers to dramatically shorten the time spent on vulnerability research, phishing campaigns, anomaly detection evasion, etc. But GenAI also can be used defensively; for instance, to detect whether any given website is phishing or not. Using ChatGPT 3.5, NTT Security was able to distinguish whether a website was legitimate or not with 86 percent accuracy. “If you use ChatGPT 4, the accuracy ratio was actually over 98 percent,” she said. The technique was to ask ChatGPT three questions: 1) Does the site use typical social engineering techniques? 2) Does it manipulate the brand name? And 3) Could you explain your conclusions?

Just as cyber attackers are using new technology to accelerate the pace of their malicious efforts, so too must cyber defenders learn to act with “machine speed.” That imperative is underscored by an alarming 2023 Gartner prediction that half of all cybersecurity leaders would change jobs by 2025 due to work-related stressors. “They’re under overwhelming pressure… because the amount of their work is increasing every day,” Matsubara said. “That is why we have to empower our cyber defenders with new technologies as much as we can.”

The final session in the Upgrade 2024 Security and Privacy track discussed an implementation of ABE, which until recently existed only in theory. NTT Research VP Strategy Tak Goto opened by explaining that ABE reduces the risk of data leaks while increasing usability by combining data encryption with access control, with the access policy embedded into the data itself rather than enforced by the surrounding system. “We call this the last line of defense,” he said. “You may think, ‘But we already have some access control feature implemented…’ And you are right, but most systems are implementing such access control features at the application level, systems level, or maybe physical layer.”

In a commercial exercise, NTT Research has collaborated with NTT DATA on a Security Privacy Integrity Protection (S.P.I.P.) platform, which bundles ABE, data anonymization, and multi-party computation. The platform can be further extended along the lines of “smart sovereignty.” NTT DATA Romania CTO Bojan Mrazovac said a zero-trust digital infrastructure model based on ABE and digital identity would be empowering: “People will be able to decide which consent they want to give to what part of the information.” With the U.S. federal government under a zero-trust architecture mandate, this development work is timely. NTT DATA Federal Services CTO Nat Bongiovanni said that his division already has a decade of experience building fine-grained, attribute-based authorization, which works “hand in glove” with the more capable ABE-based platform to enable what he called “spill-proof electronic files.”
