Recent advances in AI are transforming how we combat fraud and abuse and implement new security protections. These advances are critical to meeting our users’ expectations and keeping increasingly sophisticated attackers at bay, but they come with brand new challenges as well.
This week at RSA, we explored the intersection between AI, anti-abuse, and security in two talks.
Our first talk provided a concise overview of how we apply AI to fraud and abuse problems. The talk started by detailing the fundamental reasons why AI is key to building defenses that keep up with user expectations and combat increasingly sophisticated attacks. It then delved into the top 10 anti-abuse specific challenges encountered while applying AI to abuse fighting and how to overcome them. Check out the infographic at the end of the post for a quick overview of the challenges we covered during the talk.
Our second talk looked at attacks on ML models themselves and the ongoing effort to develop new defenses. It covered attackers’ attempts to recover private training data, to introduce examples into the training set of a machine learning model to cause it to learn incorrect behaviors, to modify the input that a machine learning model receives at classification time to cause it to make a mistake, and more. Our talk also looked at various defense solutions, including differential privacy, which provides a rigorous theoretical framework for preventing attackers from recovering private training data.
Hopefully you were able to join us at RSA! But if not, here is a re-recording and the slides of our first talk on applying AI to abuse-prevention, along with the slides from our second talk about protecting ML models.
We are in the midst of the fourth industrial revolution. Instead of steam machines or textiles, our economy is becoming ever more tied to technology. In order for our digital economy to thrive, we as a collective society need to have trust in our technology. Yet, the technology world has done very little to earn that trust.
During RSA, David Duncan, VP, Product Marketing, and Mark McGovern, VP, Product Management, discussed our state of digital trust and how not improving it will impact the growth of our digital economy. Duncan pointed out that the digital economy is the 5th largest economy in the world. The growth of this economy is essential to our current way of life, and a lack of trust caused by a series of preventable breaches and loss of personal data is threatening this growth. It is estimated that the digital economy has lost $3 trillion in growth due to a lack of trust in technology. And when companies don’t earn trust on their own, governments take action. Just look at the slew of new regulations and legislation coming out, especially in Europe. After the Equifax breach, the former CEO was forced to testify in front of Congress, and just recently Mark Zuckerberg was asked to do the same in order to answer questions about breaches in privacy.
As McGovern pointed out during his presentation, the digital economy has us living in a paradox. We want better technology, faster and with more access, but we also want it to be more secure. The equation doesn’t add up with the way we think about security. This is why we need a modern approach to things like application security – where security is a function of software quality and is built into the development process. And of course we need to have a modern approach to identity and access management. This means things like single sign-on, advanced authentication, directory services and mobile AppSec. And we need to make use of behavioral analytics so that IAM becomes background and not a nuisance.
We live in a borderless world; our security needs to be borderless too. Otherwise it becomes inconvenient and we cannot build the trust with our customers we so badly need for our economy to continue growing.
During the RSA conference, Sam King, general manager of CA Veracode, led an engaging discussion with Art Coviello, former CEO of RSA, and Robert Knake, senior fellow for cyber policy at the Council on Foreign Relations and senior research scientist at Northwestern University’s Global Resilience Institute.
While the conversation touched on a variety of topics, the prevailing theme was the need for a private and public partnership and how much we can depend on the government for cybersecurity assistance. According to the panelists, the main thing holding the government back from improving overall cybersecurity of our country is a lack of technologists in government. As the questions posed to Mark Zuckerberg during his congressional hearing demonstrated, our government officials are not entirely sure how this Internet thing works.
This is exactly why we need a partnership between government and the private sector. Companies know what is needed but do not have the authority or reach to get it done. While government has the authority, it requires the expertise of the private sector to determine what should be done.
How to respond to state-sponsored cyberattacks also came up during the conversation. Should we respond in kind with our own cyberattacks? In our increasingly connected world, what is to say those counterattacks don’t end up impacting our own citizens and critical systems? Questions about the effectiveness of economic sanctions also came up. This seemed to be preferred to the concept of a mutually ensured digital destruction that escalation would create.
During the Q+A with the audience, one particularly poignant question arose. After years of deadly shootings, we’ve seen a group of individuals come together and protest. Regardless of which side of the gun control debate you fall on – you cannot deny that this grassroots effort has been effective at creating change. Private industries are responding to their calls. Do we need a similar grassroots movement to entice the private sector and government to respond to the cyber threats facing our modern world? What will it take to spur citizen activists into action around this issue? It’s a question that keeps going around in my head after leaving this panel.
The panelists left the discussion on a positive note, talking about the progress they’ve seen and how protecting our digital society is possible with cooperation from private sectors and government. As this issue becomes more and more relevant, I look forward to seeing how this debate evolves.