Gen AI: Decoding the new shiny thing!

Anurag: Thank you, and welcome everyone. So after the steam engine, electricity and the internet, the next big thing that Gartner sees will have a similar impact on mankind is generative AI. The hype will subside as the reality of implementation sets in, but the impact of generative AI will grow as people and enterprises discover more innovative applications for the technology in daily work and life. So I would again like to welcome everyone listening in, as well as the panel here today with me. This panel discussion is organized by the official ISC2 chapters of Colombo and Hyderabad. I am Anurag Tiwari, the moderator for this discussion today. With the disruptive power that is predicted out of gen AI, we would want to break it up into some of the fundamental questions that you and I would have as we grapple to keep up with this fast-evolving threat that hit the mainstream headlines in late 2022. We have with us an esteemed and diverse panel which will help us break down this topic and bring to the table unique perspectives as they approach gen AI from their respective realms. I would do a quick round of introductions of the panel that we have here. I'll start with Krishna. She is a seasoned leader with over 20 years of experience across all phases of the software development life cycle and beyond. She currently heads the Microsoft security solutioning for the AI.Cloud unit in TCS for customers across the major geographies. She's a postgraduate in technology, has led teams in automation, product engineering and research, and evangelization of emerging technologies, to name a few, and her interests include understanding the intersection of evolving technologies with legacy technology transformation journeys, and understanding the human elements of computing and security. Next we have Harish. Harish is a cybersecurity director and thought leader with wide experience in security strategy, security architecture, security operations, cloud and infrastructure security, DevSecOps, security compliance and so on. He has also worked a lot on the security aspects of innovative technologies, including those posed by gen AI, blockchain, data analytics and RPA. Harish has led strategic cybersecurity transformation and implementation projects and has managed large teams for multiple clients and industries as well. Last but not the least, we also have Rajdeep Sharma. He's an information security and risk executive with 16-plus years of experience in successfully leading complex strategy, governance and operational engagements for global financial services organizations and Big Five consulting firms across Canada, the US and India. Rajdeep has demonstrated expertise in leading various aspects of cybersecurity programs through proficient handling of diverse roles across the first and second lines of defense. So in a nutshell, I'm glad that we have this diverse panel, because we have one who is a security architect, we have somebody from the technology side who is looking at gen AI and trying to see how it's disruptive, and then we have the risk and compliance person who is sweating, looking at all the different things that are happening around him and how to make sure that we are still meeting business objectives while being secure and compliant. So without further delay, I think I'll just dive straight into the discussion, and I'll open up the first question with Harish. I would really want to have Harish's thoughts on this: Harish, what really changed in recent times in the space of generative AI that it is such a buzzword now? Gen AI, I believe, was introduced almost back in the 1960s in chatbots. We've been reading and studying AI as part of my graduation and postgraduation almost two decades ago. So what really changed, that everybody is now talking about gen AI? If you could break it up for us, I think that would be really helpful.

Harish: Sure. Thank you, Anurag, and thanks for the introduction. It's great to be here with Krishna and Raj as well, so I'm looking forward to a very informative and fruitful discussion. Coming back to your question, why is it such a buzzword now? You're right in that generative AI as a field of machine learning is not new; it's been around for a while. Before we delve into the cause for the buzz, since you started with me, I will attempt to provide an overview of the technology behind generative AI. I know we've all had some type of introduction to this technology, AI in general, and then neural networks and a lot of that during our education. But from a technology standpoint, like the name suggests, gen AI is a class of AI algorithms that can generate content such as text, music, videos and even code, and now even voice. So within the generative AI space there are certain machine learning models called large language models, which are trained on massive amounts of data, text, which enables them to interact with humans in natural language, basically mimicking the human. These LLMs are based on an architecture called the Transformer architecture. Now this is new, because this wasn't covered in our academics; this was introduced in a white paper published in the year 2017. I think the white paper was titled "Attention Is All You Need". You can Google it, and it's an interesting read if you have a background in that area. Now this architecture, in my opinion, was a breakthrough, as it alleviated certain key limitations of the traditional neural networks that power most of these AI algorithms, especially the traditional neural network architectures for NLP, natural language processing. For instance, it was easier to achieve parallelization with Transformers compared to, say, a recurrent neural network or a convolutional neural network, a CNN. Of course we could do parallelization with CNNs as well, but their architecture had limitations with processing sequences of variable lengths. Now another challenge was with limited context: both RNNs and CNNs had limited context for each element; they could process the input sequence one element at a time, whereas Transformers had larger context capabilities. So it is this Transformer architecture that is powering most of the large language models we are seeing today; in fact, the GPT in ChatGPT stands for Generative Pre-trained Transformer. Now coming back to the question, why is it such a buzz? The technology has been around for a while; yes, there have been improvements in that technology over the years, as early or as late as you would call it, maybe 2017, 2018. But why is it such a buzzword now, especially if the technology has been around for a while? I think it has become a buzzword after the launch of ChatGPT by OpenAI. It was then that regular people started realizing the potential of gen AI and its ability to have human-like conversations. Of course we had chatbots in the past; those were conversational, Q&A based, but there were limitations. I had worked on chatbots where I had to feed the FAQs beforehand, kind of predict what the user might ask, and also pre-bake the answer. So there were limitations with the earlier chatbots, although there were improvements, but gen AI has taken this leaps and bounds forward. So its ability to have human-like conversations while providing meaningful responses, well, meaningful most of the time I would say, if not all the time, that kind of piqued people's interest. Also ChatGPT's ability to maintain context, which allowed humans to interact with it like a regular human, I think brought this technology into further limelight. So I think those were two reasons for the buzz. And also, when ChatGPT launched with the GPT-3 model, now there are different versions of these models that power various chatbots; there are GPT-3 models such as Ada, Babbage, Curie, which were trained on data of various sizes, but the GPT-3 model that ChatGPT launched with a few years ago was trained with about 175 billion parameters and had a token size of about 2,000 tokens, approximately, I think 2049 if I'm not mistaken, and it was trained on data until October 2019. So when it launched, obviously there was a lot of interest in how the product was performing. And today the GPT-3 models are actually considered legacy, the model with which ChatGPT had initially launched is considered legacy, and there are now GPT-3.5 and even GPT-4 models, which are better at reasoning, and which support much higher token sizes, ranging from about 4,000, 8,000 to even 16,000 and 32,000 tokens. And this is for context, so these models and the token sizes help with maintaining context. So these models are getting better by the day, and the buzz, I think, is only going to go higher, at least for the next couple of years. And the last reason for the buzz is also the entry of many players, large, medium and small, including many startups in the space offering innovative services. So generative AI is now a product category. Previously we probably had products that were AI-enabled, that had machine learning models on the back end, but generative AI is now a category in itself; it has a niche for itself. So the kind of products being offered are, in my opinion, disruptive, such as the co-pilots which claim to immensely improve human productivity. I've been toying with a few of them and there's clearly, my personal opinion, there's clearly a marked improvement in my productivity as I started using these co-pilots. I'm also evaluating a few of these. So these are changing and impacting many domains, such as email and document generation, summarization, search, video, graphic design, music creation and so on. I think these are some of the key reasons for the buzz, in my opinion.

Anurag: Got it, thanks Harish. So I think what I also see is that ChatGPT has almost become like the synonym for gen AI, although that's just one of the most popular avatars of gen AI that you or I or any common man can actually use in our day-to-day work, while there are so many scenarios and use cases that are still yet to be explored, from an enterprise standpoint and maybe even from a nation standpoint, which time will tell. But I think it's useful to know that whenever we talk about gen AI it's very easy to talk about ChatGPT, because it's so popular, it's so common; every one of us probably has used it by now and played with it. So I think that's helpful; I'll come back to more on that as we progress in this discussion. I would want to take this conversation further and maybe go to Krishna next, and talk about, from her perspective, the role that you play and the intersection of technologies that you are in: what makes you so excited about gen AI from your perspective, what are those specific use cases that you are really excited about, and from your vantage point how do you see these different technologies merging, which includes gen AI as well?

Krishna: Yeah, thank you for that, Anurag. As I was listening to Harish, it was very helpful in going through the entire journey of where it all started a few decades back, and then where we are now, and why this buzz and all about. So the two keywords that I made a note of, or that caught my attention very much, were when he said meaningful conversations with context. That is where the current wave of interest around the gen AI technologies is all centered: how well are we contextualizing, and how meaningful is the conversation going to be? If you look at it just as a generative one, as he rightly said, there were chatbots from very long before, in fact I would say ten years before, when there was a technology that could take your FAQs and then build a chatbot kind of a thing where you select a question and the answer comes up, and we were excited. Now today, when I start building content by giving a few keywords and letting ChatGPT or Bard know what I am looking for specifically, what kind of ads I'm looking for, the kind of essay or the kind of output that comes for it is way, way beyond what we had seen in the previous offerings. So again, if I mix that with where I am coming from: I've been advocating for security, as in cybersecurity, mostly on the cloud side, again the hybrid technologies part, and then how this mixture comes up. There are already complications of what is on premises, what is on cloud, and then what gets transmitted from within your premises out to your cloud, and then amidst these complications, throwing in AI, particularly throwing in your gen AI. So how do I, knowing that and coming from a security background, I mean all of us are supposed to be doubting Thomases, all of us are trained and it's ingrained in ourselves that you question everything, follow a zero trust approach, never trust anything. Now from there, our journey towards leveraging or harnessing this gen AI as the right tool to improve productivity, Harish was also mentioning improving human productivity. So that is where my particular interest area is: how do I define more and more use cases around cybersecurity? So primarily, I would say, if I have to categorize them, bucket them, the first one would be on how do I enhance my defensive AI techniques. It could be vulnerability detection and auto-remediation suggestions, which is coming beautifully in a lot of the tools that are already there in the market, in one form or the other. If you have to stretch it to an extent, then our BAS, breach and attack simulations, where you need a lot of computational power and thinking of multiple scenarios wherein you can break the system down. So in all these places where you need a lot of human capacity, that can get replaced by computational capacity; I can go ahead with a use case around gen AI. And then if I have to combine our advanced LLMs, let's say such as OpenAI GPT-4, if I combine that with a specific security model, it can contextualize and then augment the capabilities of an existing security analyst. You can think of something like adaptive risk scoring, and then if I go a little further, how about interactive threat intelligence? So this model I talked about, a large LLM, let's say OpenAI, and then you put a security-specific model on top of that, then start consuming the trillions of daily signals that come in. It could be anything, a threat intelligence feed that comes in; if you take, for example, Microsoft Defender Threat Intelligence, there are about 65 trillion daily signals that come in. So can I take all of that, and then can I develop a use case around that? That is where the birth of a few of these assistive products, such as, let's say, Microsoft Security Copilot or Microsoft M365 Copilot, all this comes into play. Those are the ones that are attempting to deliver on this promising use case. So if we look at a minorly ML-supported or a strongly cybersecurity-skilled resource having to go through this, a summary of these 65 trillion daily signals, vis-à-vis having a security co-pilot, or let's say a use case around that, that does all this summarization for me, and then me, by defining certain priority rules, letting it know what are the most impactful ones, what should be addressed primarily, then I would be able to prioritize my day as a security analyst. I would be able to prioritize my day by enhancing or building on this gen AI use case. Again, if I drill down further, so what is it leading to? Okay, I spoke about a large LLM model, I spoke about using GPT-4 or a security-contextualized model, and then I talked about infusing the summary that's coming from my threat intelligence feeds. So that is where I have to drill down on the basics: the first and foremost thing that comes to my mind is false positive reduction. So how can I reduce the number of false positives, where now a lot of human effort goes in? So those are the easy automatable ones, and easily fed as an input to my gen AI, and that can bring this down and then give me a summary. Again, going from there, what is it eventually leading to? My next use case, or the one with the strong benefit, is reduction in the response time. So let's say I have a team of, let's say, 40 SOC analysts or security analysts sitting in my SOC, and they are having to go through it; not all 40 could be of equal competence, sorry, equal capability levels, which is, we know about the shortage of skills that we have in this area. Now all of this going through a manual process of me trying to do it on my own, I didn't get something, let me reach out to a better expert or security lead and then go there and get it; rather, if I use gen AI to generate a step-by-step context or procedural guidance by using a natural-language-like model, and then have an investigation sequence, and then bring it down: if you look at it, that will definitely bring down the investigation time from hours, or even days in an extreme case, to a few minutes. So when you do have an identification being done, and then again, as I always say, we have to handle this with caution, we should never ignore the man in the loop; the human intelligence should never be underrated. Again, they should come up as suggestions to the analyst, and then if you choose that one of these alerts is definitely a strong positive, or a positive to be acted upon, that is where I can see gen AI, or the co-pilots, maybe giving guidance in having a step-by-step procedure in how do I mitigate this, and then again apply human intelligence on how much of this, or the estate, that you should be covering. There could be fewer areas that we could be overlooking by lack of procedural guidance; all that can be brought down if I implement this use case around gen AI. Okay, when I said the ability to prioritize: a lot of times, let's say there is a high-severity vulnerability or there is an alert, and then how did we respond to that? It is extremely crucial to document this knowledge, document what did the team do and then how did we mitigate, what are the timelines. So did I last time mitigate in, let's say, eight hours, or apply the patch in four hours? So this time what is it going to be, or what are the steps that I took? So every time when this post-facto analysis happens, it's a huge manual activity. Similarly, if there is an auto playbook being created, who's going to do the documentation part? We know our programmers, we know our security analysts; we are always on the go for finding out the next problem to fix or the next challenge to solve, but who will do this mandatory housekeeping work of, let's say, documentation, pruning the code to fit a standard, and so on and so forth? All these activities can definitely be given to gen AI. These are important tasks, again, but these are not so critical that they would require human effort always. Yes, human effort would still be required when I'm talking about an approval, or one cursory glance at whatever is there. And in addition to this, this also gives me an ability to prioritize my time, rather than an analyst at the end of a major event having to spend four hours or six hours documenting the stuff, collecting details from, let's say, Sentinel or Splunk, and then putting it down; there can be code in place, or a product snippet in place, that does all of it. Then again, there is one important aspect wherein I'm egging my engineering team to take it up as their next security use case, which is separating weak signals from noise. Again, weak signals are not no signals; they are not noise, they are still signals. But then if you look at the interesting aspect of UEBA, okay, so there could be signals that are not way too strong, that automatically come up on your radar, but those could still be signals at an early stage. So we consider them as weak signals and then we don't act on it until they mature; again, lack of time, lack of skill and all this stuff. Now particularly when your ASA, when your attack surface area, is huge, the number of weak signals getting mixed in with noise, with non-signals, is very, very high. If you train a model, if you generate, develop and fulfil a use case, you implement a use case for that: how do I define what I consider as early signals or weak signals? Maybe the effort that is spent on a stronger signal after it's been manifested as a threat, the amount of effort that the team spends, would definitely come down. It's like shifting left, as we say otherwise in our programming world: how do I shift left, how do I catch these threats very early on in their life cycle? I think that is another interesting area where gen AI can help me. All in all, in addition to this, the stronger benefit here, one of the ones that Harish had cursorily, in passing, referenced, is about human productivity and skill availability. All of us know the shortage of skills that we have in the cybersecurity area. Now most of this, more than 50% of these points, would directly lead into augmenting the skill set, or helping out the team in handling the skills that would require more finesse at a larger level; I can use these gen AI use cases to support me in that part. And then this is a major, this is something that excites me a lot more: in my engineering team, that is what I definitely lack, and then if I look at the people whom, even if I have to deploy them as the regular security engineers in my SOC, then what can they do, vis-à-vis what can they do with the assistance of, let's say, a security co-pilot or a use case? The difference is humongous. So that is what I'm betting on, so that is why I'm so excited about having this intersection of gen AI with security, and that's where I'm coming from.

Anurag: Yeah, thank you, Krishna. It's very interesting, and thanks for sharing that excitement. It looks like all of us, at least on this panel as well as the broader audience who would be interested in this topic, would come from a security background and are looking at how gen AI, while it helps the whole world in many different ways, helps in our own domain to make ourselves more productive and more effective. And a lot of the things that you talked about were on security operations, how gen AI can enhance and make the different aspects of security operational use cases more effective, maybe more proactive, and then augment existing capabilities.

Krishna: If I have to summarize in one word, Anurag, I would say fortify. So that is where we have to look for gen AI; I'm not referring to the other Fortify, but how do I fortify the existing security efforts by harnessing the potential of gen AI.

Anurag: Right, right. And also not just for the security operations of the security team, but also in that context which you touched upon, which was shift left. So many of these things that we do today after the fact, in the true DevSecOps model, how gen AI can really make that happen in its purest form, by moving many of these signals, or the computing power that gen AI has, and the kind of prescriptive guidance that it can provide, how that can be leveraged by the shift-left concept. So I think that was interesting, and I'm sure, when we say people working on these use cases, there can again be two buckets: one is people who are using gen AI within their organizations and creating those custom use cases, which may be on the business side or on the IT side, and then there are these product companies. I think Harish talked about how the different startups have come into play and gen AI being a category in itself, so a lot of these product vendors and OEMs are now trying to harness gen AI and adding it as a top-up on their existing products and services. That will also be something very interesting to look forward to as we track this in the coming years. Thank you. So again, taking that spirit from what was just mentioned, I would move to Raj. Raj, as you come from the risk and compliance background, and you've heard so much excitement from Krishna and some of the technology set-up from Harish, and I'm sure you're hearing about this every day all around you, from the business, from IT, from customers, stakeholders: let's get gen AI out, let's do this, let's do that, let's show some value. What worries you? What would be something that keeps you awake when the businesses across are trying to push for adoption of gen AI so much, and especially when they try to do it at great speed, so we don't have enough time, years at our hand, to look at things and cautiously take those steps? How do you approach this situation, looking around you?

Rajdeep: Thanks, Anurag, thank you for the question, and thank you for the learnings from my esteemed colleagues here. So I tend to keep my devices and my worries off my bed, so I sleep pretty well. And that confidence has built up over the last few years or so: most responsible organizations today have well-integrated business, technology and security compliance processes, as well as communication channels. So as we heard from Krishna and Harish, everybody is questioning everything; we've been taught to think about security and compliance while we design our processes and while we use technology to facilitate business processes. So security is no longer a blocker but more an enabler, and in some cases even an accelerator or a differentiator. So that's what gives me the peace and comfort: businesses come up front to us to ensure that they do not have to re-engineer the processes later on to meet evolving compliance or threat landscape considerations. So there is this general understanding that sustainable and responsible technology adoption fosters innovation while respecting security and compliance, data protection and privacy principles. So that's the solace in this. But to your point, the second half of your question, the rapid adoption or the hasty adoption of any technology, be it gen AI or otherwise, would bring about issues or considerations that ought to be discussed today rather than tomorrow, after something goes wrong. I'll basically classify these considerations into three big buckets. One, there are considerations inherent in the technology, any technology, in this case gen AI; second, there are considerations internal to an organization; and then some related to the ecosystem, so external considerations. So we'll discuss your question from the perspective of these three considerations. Coming first to what is inherent in the technology: obviously, we've just heard from our esteemed panelists that it has a number of applications in cybersecurity, in business, in every sector, marketing and such. So it's definitely there to make a difference, and it's not something that anyone can hide under a rock and escape from; you're going to have to adopt now or later. But it's good to be cognizant about and understand what it can do today and what it cannot do today. So Harish mentioned it can provide meaningful responses most of the time, at least. So that's the caveat that might keep certain businesses, which need 100% accuracy 100% of the time, away, at least in the short term, until the next versions improve upon this. And we're seeing how rapidly that is happening; as Harish mentioned, the version that was released late last year is already obsolete. So there's not a whole lot of time for that to happen, but there is still some time until legal, healthcare or such applications, which need this 100% accuracy, would embrace this wholeheartedly. So there's this bucket of trust and confidence that the tool needs to still work upon, or build. We've had cases, and we've heard cases, about lawyers using ChatGPT more generously and citing citations from there in their court proceedings and then being fined for it. So at least in India, two lawyers have been fined for using citations which they pulled from ChatGPT. So that's a concern from a trust and confidence perspective. As we train these models more, with more context, with more data, these concerns would basically iron out, but until then misinformation and disinformation campaigns using ChatGPT, or the reliance on this information for business-critical work, would continue to be done with caveats. That's where we would need that human oversight to continue, to ensure that whatever we are using in our processes is foolproof. Through each of the methods of training of these engines, or the storage of this information, there are various considerations that come inherently with the technology. What is the data that we are using? Is it sensitive data that we are feeding to a tool that will be exposed to others? Would that lead to any issues? And from a basic CIA perspective, confidentiality, integrity and availability perspective, will I still be able to identify plagiarism for my universities or such? Those are all valid and just considerations: will there be copyright infringements, will there be legal exposure for something that I used blindly from ChatGPT? So one is inherent in the technology, there are things to improve, and second, there needs to be a layer of human supervision that is still required from that perspective. As long as these two are there, security and business representatives don't really need to sweat it out. The second bucket that we look at is internally within an organization. So as Harish mentioned, especially in recent times there has been rapid democratization of gen AI technology. So what really is a cause of worry from an internal perspective is lack of visibility. We discussed just now, and you rightly mentioned, Anurag, that there are use cases which are being built and which are being rolled out on a daily basis; there are OEMs and there are vendors who are coming up with these things; there are also individuals who are using ChatGPT and such, Bard and other things, at their personal as well as professional level. One key area of concern is: are they really aware of the security and compliance considerations that come with it? Are they aware of the current limitations of this technology, and do they know about the safe usage of these AI/ML applications in their daily business responsibilities? Are they feeding sensitive data to it? If I'm getting my code checked, or code generated, or if I'm feeding my code in to check for errors or such, am I risking the API keys that come with it? Am I risking sensitive client information, or private internal confidential information? Am I even exposing my firm's intellectual property? So these are all my internal business considerations, and a lot of it has to do with lack of awareness. So I think there is a need for organizations to ensure that there is an update on their acceptable use policies, there's an update on their training modules to sensitize their user base on what is sustainable and responsible adoption of this technology, what are the pitfalls that we need to be really aware of and that we need to navigate through. The third bucket is basically the external factors. Now when you talk about external factors, there are various ecosystem entities, and there are adversaries who've been using gen AI for attacks; we've heard in the media about deepfakes, we had heard about voice calls going on and people fooling mothers using the manipulated voice of their children. So all of this is now a reality, so we have to coach our ecosystem about how to deal with this. Earlier, when we used to take phishing awareness trainings, we used to say that one of the pointers to identify a phishing email is to look for grammatical errors or punctuation marks or such. Now adversaries are using ChatGPT to generate emails which are 100% accurate in terms of language, punctuation and such. So some of the common threads or understandings need to be revisited: what do our trainings tell the user now? It should not be that they see a well-worded email and they feel that, oh, this is not a phishing email because it looks so rightly done; it's now being done using artificial intelligence. On the same hand, in the same voice, we heard from Krishna, very rightly, that it could assist the blue team as well; it could assist security operations, incident management, rule generation, analysis, crunching that large information, 65 trillion daily signals, to identify the ever-evolving malicious patterns. So there is good news; there is a silver lining at the end of the tunnel as well. The second ecosystem partner that we really need to consider here is the regulatory and compliance framework. Yes, we've had a whole lot of buzz about one law in the European jurisdiction which talks about sustainable adoption and develops some kind of a framework for us to reference, but as we know, especially the jurisdictions that the audience belongs to, India, Sri Lanka, we're not very early adopters, or we are not ahead of the curve, when it comes to establishing guidelines and establishing a regulatory compliance framework around technology or its usage. So we have to be aware of it, we have to look outwards, we have to look for where these guidelines exist and reach out to them. A third external factor is, for most of the technology world, and since the rapid digitization in the COVID and the post-COVID era as well, there have been risk models that have helped us move forward, like zero trust and such; that's really helping organizations. Even for AI the availability of risk models is there, but it would mature over a period of time. So the industry consensus on how to handle these challenges, how to handle these risks, will be baked into formalized methods of risk assessment and such, specifically aimed at AI/ML systems, AI/ML use cases. So that's the third external factor that we need to consider. Having said that, obviously there's no fear-mongering here and there's no deal-breaker here. All these factors inherent in the technology will improve over time; internally within the organization we see all stakeholders being very cognizant and aware about these pitfalls, and we are working jointly towards remediating these; and externally as well, if we have one side of the coin where adversaries are using it, we also have another side of the coin where the blue team is actively using it, and regulations are being drafted on a day-to-day basis as well. So just to summarize, I would say that once my kid is of reasonable age, I don't stop him from using a scissor; I just ensure that he gets a safer tool and I inculcate safe usage and best practices. So awareness is going to be the key here. Thank you.

Anurag: Yeah, thanks, Raj. I think it was well articulated in terms of what and how you can approach this situation, and in my view, based on what you've said also, I mean if you would agree, I think it's more like, no matter what technology, I think it was blockchain a couple of years back everybody was talking about and
then now it's GenAI. I mean, every time we talk about any such new technology on the block, the fundamentals don't change. I mean, if you still look at the fundamentals of risk management, the fundamentals of people, process, technology controls, the spectrum in which you look at them, and then the fundamentals of looking at controls from what are the physical, technical, process and administrative controls, all those things that we read and studied as we started our careers in security can still apply to any beast out there, to really dissect it and get to a level of comfort to say, okay, we've done the basic hygiene check and then the rest of it is something that we learn and improve. So what you said, training is another thing. I think at the end of the day humans are the weakest link, no matter how much and what you do in the organization. I think training, as for the traditional environment, remains the same important issue here as well, because that is something that is even more important from the scenarios that you talked about: more advanced phishing attacks and things like that, deepfakes, etc. So great, thanks, Raj, for that overview and your perspective on it.

I would go back to Harish with a question which is now a logical extension to everything that we have heard. You've heard a technologist from a security standpoint excited about doing new things and trying to use it, we've heard about the concerns from the risk and compliance standpoint, and then I want to ask you, Harish, because you must have been in those situations as well where there are business stakeholders trying to get value out of GenAI, it could be the IT team as well or technology teams, and you as the security architect trying to be the bridge between the business use cases that they're trying to achieve and the security risks and security threats that we are trying to mitigate. So when you're in that situation, how do you typically face that? What have you seen while trying to deal with it? What do you think would be some of the myths that you would want to share with us, that you would like to bust as well? Maybe if you could share some thoughts on that, that would be great.

Sure, thanks. From my experience I learned, and in fact I'll summarize the conclusion first, I learned that this technology is not as harmful to enterprise data confidentiality or privacy as it was initially made out to be, and I also think enterprises are slowly realizing this. And I'm talking primarily from a security and compliance perspective of GenAI and not general AI-related risks such as hallucinations and biases; they've always been there. Specifically with generative AI, I think organizations are now realizing that, obviously, with the hype there was also a lot of backlash on the technology because of certain incidents. So when ChatGPT first launched, just like with most emerging technologies, most enterprises were not entirely sure about the use cases and the security or compliance implications of its usage in the enterprise, and on top of that there were new incidents being reported every couple of weeks, right, the data and intellectual property leakage issues we read about at Amazon and Samsung and a few other companies. Also, I think OpenAI was not a known name, at least not outside the tech and AI circles, not until then. And lastly, there was no enterprise-grade or enterprise-ready offering available for GenAI at the time, so initially there was a lot of pushback. Today I think we have enterprise-grade solutions available, such as with Azure OpenAI, AWS Bedrock and even OpenAI Enterprise offerings, which allow companies to securely use large language models within their enterprise boundaries for dedicated usage by their employees, and in turn keep their business data within their control or even monitoring scope.

So in this context, one myth that I would like to bust is that these LLMs do not learn from our data on the fly. So when you submit a prompt, the input that the user provides to these models, and receive a response from the model such as ChatGPT, it is not immediately learning from your data right there. In fact, training an LLM is an involved and computationally intensive process. It involves chunking, tokenization and training, which takes months, if not weeks, and I'm not even talking about the computational hardware that is required, with GPUs and arrays of GPUs and so on. So if you put data into a model, it does not immediately learn from that data and start providing that same data in its responses to other users. But yes, one important distinction here is that the model provider can capture your data separately outside the model, prepare it and then train the model with your data. But this is the model provider or the service provider using, or if you will misusing, your data, so this risk is there with any SaaS provider today, which you can mitigate or manage through your third-party risk management strategies.

The other important point that I would like to highlight, and this is not really a myth but something that enterprises should keep in mind when deploying LLM-integrated apps especially, is about the new and emerging risks associated with the usage of these models. There have been new attack vectors such as prompt injections and jailbreaking, wherein people have been able to get these GenAI-based chat assistants to respond with content that is considered offensive or unsuitable for users. But at this point, vectors like prompt injections are mostly being used for fun. There could be more serious brand reputation implications for enterprises if these models are used to return some unsavory content by an official business app, but otherwise so far we've just seen people exploiting this for fun. There are other new vectors as well, with...

Harish, are you on mute? I think you went on mute.

No, I haven't.

No, I can hear you now. Maybe it's something, okay. Okay, so like I said, the last few seconds, if you could repeat that, that would be great.

I was just talking about the brand reputation hit that enterprises might take if something like prompt injection was exploited on an official business app that's exposed to the internet. In fact there are also others, not just prompt injection, right. OWASP has already put out the OWASP Top 10 for LLM Applications now, highlighting the top 10 security issues associated with LLMs in the wild today. So this covers risks like, apart from prompt injection, training data poisoning, insecure output handling, and then sensitive information disclosure and so on. Similarly there's also MITRE, that has ATLAS, which is a more generic adversarial threat landscape for AI systems. This covers various tactics and techniques that attackers can leverage to target AI-integrated systems, not specific to GenAI. So in MITRE ATLAS the tactics listed are, off the top of my head, things like ML model inference API access, full model access, model evasion and so on. So in short, I can draw a parallel between GenAI solutions and open source. There are risks associated with both, some of them are new and emerging, but we cannot completely block their usage in an enterprise. Temporarily, yes, until we figure out our strategy, until we determine how we want to securely enable this, but in the long term maybe not. Yes, there are a few industries where it may remain permanently blocked, or they will deploy their own internal versions, but as long as we are able to understand the risks, be aware of the risks associated with this new technology, and we are able to design controls around these risks and threats, that could be things like internal deployment, validation, continuous monitoring, retraining, I think the security and compliance community should be okay to allow businesses to explore, deploy and use this technology within the enterprise.

Got it, thanks, Harish. I think it's assuring to say, or to summarize, that it's not as bad as it sounds or as it's perceived. Maybe again it comes along with the hype that is there around people making different points of view and people just subscribing to whatever suits them, and it's great to know, from people on the ground, how things really are. So thanks for clarifying those myths and busting those, as well as having a positive view towards GenAI and how it can change things for the better, more than for the worse. So I think I would just again extend this a little further. We heard Harish talking about how he is dissecting GenAI from a security standpoint as more and more of it is getting adopted. Maybe a question to you, Krishna. As I think this year, or let's say if you put the timeline, in my view, and I've not done full research on it, I would just say that 2022 was the point where it was just announced to the world, 2023 has been the time people are just figuring out what to do with it, and 2024 and beyond will be the time when you will see people actually doing something real and things coming into fruition. So as more companies start adopting it around you, which is the year of 2024, from your standpoint how do you think businesses and technology should approach adoption of GenAI in their organizations that meets both the security and compliance as well as time-to-market objectives? What should be the approach when they take this journey?

Sure, that's a 
very, I would say, tricky question here. You are talking about time-to-market objectives as well as using GenAI and availing the benefits of it. I would want to look at it this way. See, any technology that's going huge, as you rightly said, the industrial revolution and then the invention of the steam engine, and maybe the invention of the wheel before that, all these had their own time to mature. Whereas if you look at this GenAI, and then the adoption, or explosion, of GenAI if you were to use the word, it didn't have as much time for us all to understand, to let it sink in, to see the repercussions. The couple of cases that Raj had mentioned, the lawyers being fined, and that's just about India, where we are not technology adoption leaders, we are always followers there, right, but still we found fines. And then we also know about the class action suits that are happening against GitHub as well as a few other companies. So there are extreme cases. Now we are reading it, when we read about those in the news we are on the other side of the board. Now your question asks me: if I'm on this side of the table, if I'm inside the organization, or inside a group that's responsible for the repercussions that would come in, right. So I would also want to include the geographical importance, the kind of... so when we talked about data privacy, what did Europe do? It was not a knee-jerk reaction, but then they came with GDPR and then they just said we're shutting our perimeters, in a way, so none of our data... You look at countries like Germany, they're extremely strict, and then when you go to the rest of mainland Europe, and how it spreads when you go to the US and the rest of the world. So similarly some regulations, or I would say some guidance, is starting to come from governments. As fresh as last week, Rishi Sunak was announcing an AI Safety Institute. He was talking about the leaps and bounds this technology is going on with, and how his government as well as the leading governments are looking at trying to balance out what is safe and what is not. And then just a few hours back, less than a day back, there is also an announcement: the first world AI Safety Summit had happened, and the governments including those of the US and the UK and a few more, France and South Korea and so on, did sit together and they agreed to formulate a guideline. I would say they would want to see how... I mean, yeah, they had representation not just from government but also from academia and civil society. So the primary aim is to test the safety of AI models before they are released. So they are going to set up AI safety institutes, and that's covering the public domain or public sector capability; they would want to test the most advanced frontier models.

Now when I step a little backwards from the geography, from the nation or the world bodies, if I step down to an organization level, if I were a CISO, I would also be having my own targets on how I should be... as I think Raj was mentioning, security is an enabler, we should always be looking at it as an enabler in achieving business objectives. So how do I continue to look at GenAI as another enabler and not an impediment? That is where, again touching on another point that Raj had mentioned, the human factor, and he touched on a beautiful thing which is awareness. Awareness is the key. How do I let people know that this is something to do or this is something not to do, or how do I let them know how these open models or these closed models work? I'll just replay my understanding, so a closed model is where we use the openly available stuff like ChatGPT, where you don't know what's there in it. That's a closed model, so you don't know, it's a black box. You just use their APIs or you just use their web versions, and then you feed in your inputs and then you get the output; you have no clue what's the algorithm that's running behind and how it's being trained. That's a closed model. But if you look at an open model, it's something that you deploy within your premises, either on premise or in, I would say, a private cloud maybe. That is where you deploy your own algorithms, or you take a version of a commercially available model and then deploy it or install it and start using it only with your data. Now the reason why I brought in these two is, as a CISO or as a CTO, I should be willing to work on the models that balance these both. So it's always an architect's or technocrat's vision or responsibility to balance out between a few important things like performance, safety, time to market. So that is where I say, adding a human element to that and then putting in your top-down approach, what comes to my mind is: develop a trustworthy AI framework. That should be covering responsible AI guidelines, and that should be covering your organizational vision, your concerns, the kind of industry you are in. So all of this should come into play, and that is where your AI framework should be coming from, and then you take an integrated approach for risk and governance. So far all of us are more or less from the cyber security domain, and risk, compliance and governance we can never run away from; that's always in the back of our minds whenever we perform any kind of an audit. Now how do I integrate these AI guidelines into my risk and governance framework? That's another aspect.

Now it could, in fact it should, include guidance for classification and, I would say, prioritization of use cases. When I say classification, as in, is this okay to be exposed to the open internet, is it not okay? Again, if I look at prioritization, what impact is it going to have on my business in the long term or in the short term? Again, if one use case has to go into production, if they want to run it on production data, what is the workflow, what are the approvals, which stakeholders need to be understanding, man in the loop basically, who are the men in the loop or who are the people in the loop? So that's again the other part of the framework that I'm talking about. And then again, as I speak about every one of these, people have to be aware of the implications and the responsibility that they carry in making it a safe framework for everyone. The other important aspect here is, see, no one model is perfect, though it appears to be so. We have seen this across different technology aspects. So the mindset should be that you should go ahead with poly models and not with a uni model. You cannot take one, let's say, closed model like ChatGPT and then try and apply all your use cases on top of that. Whereas at the same time, why do I go with that closed model? Your computation and all that infrastructure you need not invest so much in, and then the availability of staff to create, maintain and configure your local models, that risk is not there when you're going with these closed models. But then the large risk you run is when you are trying to get data from ChatGPT or something like that: the data that you're giving is going out of your premises. It may or may not be used to train the model as such, it could be a pre-trained one as per the definition, but then your data is leaving your premises; it's hosted on cloud, it's hosted on SaaS. So that's a concern that you always should run in your mind. So while a lot of these vendors, GenAI product vendors, categorically deny that nothing of that sort is happening, we know a lot of these examples that happened before, so what we thought versus what had actually happened, and then eventually leading to legal procedures that go on and on and on. We saw Facebook apologizing, we saw Apple Cloud being leaked, so on and so forth. So once the data is out of your premises there is no guarantee, at least no forever guarantee, that it stays so. So you have to carefully weigh what model to use for what. Okay, so one of the safer approaches would be to go ahead and use a closed model that's openly available on the internet for the data that is okay to be exposed, and then use your open models, where you have your own algorithm and you deploy it on top of an LLM within your network, within your boundaries, for IP or for data that is critical to your business; do that on an open model. So how do you strike that balance, how do you decide which goes where, is what should be defined in your AI framework, your responsible AI framework or trustworthy AI framework, whatever name you want to give it. So that becomes a crucial step. In fact that is a journey which would allow you to define how I handle this trade-off.

Again, if I have to take a couple of examples, we know all these hedge funds or these investment advisers. What do they do? They analyze the performance of multiple companies over years; it could be decades or it could be much more than that. So you analyze their performance and then choose if that fund should be included in my portfolio or not, and that's what these investment advisers do. Now what do they act on? They act on publicly available information, correct? They act on the annual reports, they act on, I would say, whatever is the quarterly reports, annual reports, how is it performing year on year, all such stuff, which is data available on the internet. So go ahead, use your closed models for that. You don't need to know how this data goes in and where this data gets stored; all that you need is a particular insight, and you can always develop a use case around that that takes information from these multiple companies' websites over multiple years, and then eventually you come up and develop your use case on a closed model. Whereas if I take an example of giving a personalized travel advisory, what is a personalized travel advisory? Let's say Krishna wants to travel and she... just one moment please, sorry gentlemen, that was Mury walking into my room, sorry for that. Yeah, no problem. Now if I take a personalized travel advisory, how does it go? So Krishna wants to travel to some place with her family. Maybe she's looking for a beach vacation, maybe with a bit of heritage or forests and all that thrown in. Now this is all the information that I don't mind sharing with a travel website, correct? So Krishna feeds in all this information. So let me just take all that information, let my closed model do that analysis and then finally give a set of recommendations. I'm fine with that, I'm okay, because however I'm traveling, this information is not too confidential. But if you look at it from the travel company's point of view, this information, let's say I'm talking about any particular travel package vendor, this information can definitely be sent to a closed model that's available over the internet with no harm, because the customer herself is willing to share it to the internet. Now then comes the next step: how do I calculate the package? So that is where I'll have to tell that I have to talk about... I could be having my own business-sensitive pricing list that I have with different hotels. So let us say I come up with some hotel in Goa, or it could be some place like, what should I say, some place in Wales. So how do I combine this combination that comes from the closed model with the pricing sheet that I have with each of these hotels? That is business-sensitive information; this information should not be out on the internet. I could be having some preferred rate with, let's say, Marriott, I could be having some preferred rate with Hyatt, Park Hyatt, and this information is sensitive to how I run my business, because that's the pricing that I provide to Krishna, correct? So that is where this use case, at least I think, beautifully shows us how a company should combine these two models. Go with the poly model: combine a closed model that's available on the internet with your specific model that's there within your premises, and still give an almost real-time advice to the customer, beating the time constraints, beating the turnaround, and then also the pricing consideration, at the same time not risking the data privacy and not leaking the sensitive details that I do have. So we should definitely be looking at going ahead with all this. Now why can this not be taken by a business leader, why should there be a framework around here? Again comes the point of awareness, the point of having awareness of risk exposure; all this comes into play. Now rather than expecting each of the business executives to be aware of this, it would be better to have a guideline or a framework in place so that my time-to-market targets are met, keeping in mind the cost-effectiveness that comes by increasing staff productivity by using these GenAI models, and not compromising on the data privacy part. A long answer to a straightforward question, and I'm sure my fellow panelists would have a few comments on this. Thank you.

Yeah, thank you, Krishna. Thanks for simplifying the approach, I would say. How it sounds to me is we start, whatever you call it, the framework, with an integrated AI framework or whatever the word comes, but basically there is a grounding board where it is a combination of, again, people, process and technology aspects with AI at the center, which includes aspects of risk and compliance as well. So once we've figured out how we build that framework, and how we stand that up, maybe that's the question which I'm going to come to Raj with next, that will then drive the next steps of the journey. Based on the framework, the framework will tell you, okay, if you're using a certain category of information or classification of information based on your business importance, you then define the deployment models, or the models that you talked about, uni model or poly models, and then the remaining, I would say, the rest of the system life cycle kicks in. But having that framework, which gives you that 360° view of what and where to go for certain use cases, is a very critical element of this journey; that is the key takeaway. And for that I think I would just want, maybe, Raj, because from your sense, when we, or any company for that matter, is trying to build this framework, where do we start from? I mean there are many frameworks for general information security out there. I know we talked in this discussion about a lot of rapid release of different guidelines and regulations as we speak, but from your research and your experience so far, Raj, what would you suggest for the listeners? Where should they start building this framework, what resources do we have available, 
where do we start from?

Perfect, thank you, Anurag. So there are frameworks available, as we've discussed. There are standards that are out there, and they've been there for a while now. ISO has a standard out there about responsible AI processes, development processes and such, and for risk assessment, 23894; that's available. These, as in any other case, provide high-level guidelines that need to be tailored to the business specifics, that need to be aligned to your organizational context, so that kind of tailoring would always be required. But to the other part, what are the resources available? If I was to list them, and again this is a very clear example where we can take help of technology to understand what is available with me today from a standards, framework and organization perspective, what can I use. But I'll just talk about a few of my favorites. Obviously there are the government organizations, and there is the whole consultation process of formulation of the EU Artificial Intelligence Act. There is NIST, as always, to our rescue; they have the Trustworthy and Responsible AI Resource Center, AIRC, which we can refer to. There are, as Harish mentioned, nonprofit organizations like OWASP, MITRE, ISC2 and peer organizations that come out with these guidelines, these notifications, that can help organizations channel their energy and their processes in the right way. And the third critical one from this perspective would be the consultants and vendors who have pledged billions of dollars of investment in this area; they come out with regular blogs and posts and guidance on these. There are ample frameworks out there, there are ample dos and don'ts out there that we can refer to. So these three tend to be my top go-to things, but there are other resources which meet specific use case requirements. If it's more from a research standpoint, or from a new development standpoint, then you have academic institutions and you have courses from these academic institutions that you can train yourself with; everyone from MIT to the IITs and IIMs have courses aligned to artificial intelligence. There are books that you can refer to, AI for Healthcare, AI for Cyber Security and such. There are the usual go-tos, especially for this audience, the technology news outlets: the CISO on CSO Online and such, c.com, those definitely are available. There are OpenAI and other institutes who are democratizing the use of GenAI; they have spent enough and have made available enough resources to the common audience for this. But again, where I started from, businesses, security and compliance teams need to have this realization that the onus lies on them to educate their business stakeholders, to educate their ecosystem, to mitigate the lack of awareness, provide bite-sized role-based trainings which have curated content tweaked to the organization's or the institute's environment, threat landscape, regulatory compulsions and such. We all need to work towards updating our acceptable use policies based on the use of these resources, to ensure that business doesn't have to go to ten places to understand what they can and what they cannot do, or what's permissible or what's not. They have everything at one place as to how they can safely adopt this technology without hindering any sort of innovation or causing any roadblocks or blockages. Thank you.

All right, thank you so much, Raj. So it looks like there's a lot out there already, which you mentioned.

I just have one note on this, Anurag. That's a wonderful list that you had compiled, Raj. I mean, I have been referring to a few of these already. You mentioned one good quote, responsibility lies with you; that's what organizations need to recognize. In that context, I was going through... we started our learning, and during that there is a beautiful shared model that Microsoft had published. Just like the way we have for cloud technology, there is also a shared responsibility model that Microsoft has published for AI models as well. So whether we use the SaaS one or the regular one, we have to understand that even for the closed models, such as ChatGPT or whatever, the only responsibility that the vendor owns is the computational body. So that entire line is what is owned by the vendor. If you look at any other row, it's all either shared or completely owned by the customer, as in us, as organizations. So that's one good reference I thought I should augment your super list with.

Thanks for adding to that, that's actually a wonderful resource, thank you. Yeah, I think some of the concepts from the later or the recent technologies like cloud and blockchain and all will also help us learn how to deal with it, like the shared responsibility makes a lot of sense, because there is a consumer side and there's a provider side, and the provider can only do so much and the consumer has to do so much, because things like bias, those kinds of risks, can only be done by a shared responsibility model, I think. So that's a good insight, thank you. And I was just about to say, with so much out there already to learn and refer to, I think it'll be also interesting to know if there is a rationalized view of everything out there, because, like, privacy used to be such a big word at one point and it continues to evolve. At the end of the day it comes down to certain basic tenets, right: choice, consent and breach notifications. Similarly here, I'm assuming in AI, after all this that is going on and being published, it'll just boil down to some basic tenets of AI, shared responsibility for example being one of those important insights that you just shared, and using that to come up with that framework that Krishna initially spoke about, which will not just let you adopt and release new use cases into your organization but also directly evaluate what should be our priority and where should we invest more money and time.

So with that, I think it was a great discussion so far. We've come to the end of the time for this discussion, and I think I've been overwhelmed with so much information that has been shared by the panelists here. I hope all the panelists enjoyed hearing everybody's views from their respective experiences and insights and perspectives. I'm taking away from this discussion a few key things. One is definitely an understanding of why GenAI is so popular, then, while it's not really a new technology that just came into being last year, it has been there for a while; the main thing is how things will evolve in the next few years, which will really clear the dust around it. It's good to know that the panelists here are positive about GenAI, so there is no negative sentiment about GenAI, it's all positive; it's a good enabler, a good technology, I see, fingers crossed, so it's a good technology to consider and leverage for a better world and a better mankind. And I think some of the other things we talked about: while there is so much we can do from a controls, risk and compliance standpoint, the human factor remains the key element here as well, which is nothing new in security in general. So it remains even more
important than before because now it's on the human to really figure out what is real and what is a deep fake um and uh yes it's uh a lot out there already so although it's a new technology a lot has been written a lot has been spoken including this part this this particular discussion as well so it'll be interesting to know um how all of this information is leveraged into usable information uh by creating the integrated Frameworks uh that are working for the organizations and then use for adopting AI within those respective organizations um thank you so much to all the panelists here for your time and feedback and inputs and I hope everybody listening enjoys it as well um thank you so much for joining us today and I wish you all a very great day thank you appreciate thank you very much you
Info
Channel: ISC2 Colombo Chapter, Sri Lanka
Views: 585
Keywords: isc2, isc2 Colombo chapter, CISSP, SSCP, CSSLP, cybersecurity, Sri Lanka, security, digital landscape, CISO, CEO, CXO, digital safety, ai, open ai, gen ai, prompts, security and ai, cyberops, aiops, paloalto, data lake, Ai ops
Id: AGPt6Yyplxk
Length: 76min 57sec (4617 seconds)
Published: Sun Dec 24 2023