Cloud Native ChannelWhere AI Security Really Happens: Inside the Container
In a recent TechStrong learning experience with Aqua Security, speakers Assaf Marag and Matt Richards discussed the pervasive role of AI across various industries and its rapid adoption. They highlighted the evolution of AI from its early days to the present, emphasizing the importance of data classification and the advancements in user-friendly AI applications. However, they also addressed the security challenges that come with AI, including vulnerabilities, prompt abuse, and the need for robust governance and threat modeling. The discussion underscored the necessity for organizations to understand and secure their AI workloads, especially as AI continues to influence public opinion and create new risks.
"You can't secure what you can't see. The first step is visibility into your AI workloads, most organizations don’t even know what’s running."
Assaf Morag, Aqua Nautilus research team
Transcript
Good morning, good afternoon, or good evening, depending on where you're tuning in from today. We wanna thank you for joining this TechStrong learning experience with Aqua Security. We've got where AI security really happens inside the container. And we're joined with Asaf Marag, director of threat intelligence, and Matt Richards. He's the explainer in chief, and they're both from Aqua. Guys, I wanna thank you both for joining us. Matt, go ahead and take it away from here.
Jared, thanks. Ready to jump in, Asaf?
Yeah. Let's do that.
Alright. Let's figure this out. If you're walking down the street or, you know, I was RSA this year. Every single booth had AI all over it.
AI is on ads. This microphone over here, I'm pretty sure was advertised with having AI embedded in it. So what is it that's so new? Why is everyone racing into this AI thing?
So first of all, it's all over the place. Let me give you a little example. So the other day, my son is twelve years old, and he just got out to the summer vacation. And he asked me, dad, what am I going to do in the summer during the summer vacation?
I wanna earn money. So I told him, why are you asking me? I'm old, and I'm not that smart. So maybe you can ask ChatGPT.
So he was like, okay. I'll do that. So we went and asked ChatGPT. So the other day, my elder son, twelve years old again, and my younger one, four years old, we were sitting and eating, and then they were done eating.
And then my elder son asked me, so, dad, can I have a dessert? So the younger one, the four years old, he said, why are you asking him? Ask ChatGPT. So so it's all over the place.
You know, ChatGPT, and you get good answers. And you get accurate answers, and you get fast answers, and sometimes you get things that humans can't actually deduce or do in a matter of seconds or minutes.
So I think when you have a disruptive technology out there, and it's really excellent, like the Internet, like electricity, everyone obviously, everyone will adopt it.
Yeah. And it seems like the bar is so low. Right? All you have to do is have a web browser or even frankly talk to your app on your phone and off you go.
So it's made it so easy. Find it in just about everything. So let's start at the very beginning then with what is it? I know we have a slide up here that talks a little bit about peeling back all the different types of AI that we've heard over the years.
You wanna walk us through?
Right. Maybe before that, you asked what is AI. Mhmm. So first of all, AI is taking a computer system and making do human tasks or human intelligence task, like like understanding from large text getting into conclusions.
Or if you take my four years old and you give him twenty pictures of a cat and you give him another picture of a cat and a dog, he will instantly say this is a cat and this is not a cat. But can a machine do that? So this is basically artificial intelligence trying to teach a machine to do human intelligent task. And if you start with the low bar, like, classifying or clustering into groups, you can get into a real intelligence intelligent conclusions or products.
Now how do you do that? In the back of these of these systems, you have strong and very sophisticated mathematical models or mathematical algorithms that run-in the background, and you teach them. You get the raw data. And based on the raw data, usually, you classify it.
So you say, this is a dog. This is a cat. This is a dog. This is a cat.
And the machine breaks it down into pieces that is suitable to it based on the algorithm. And then it decides this is a dog. This is a cat. Now, obviously, because there is mathematical error or statistical error to be more accurate, there will be mistakes.
So that's what we see usually as hallucinations.
Now let's jump into the slide. So everyone is talking about AI AI and artificial intelligence. But, you know, AI, it's not just what we hear about LLM or ChatGPT or GPT. We'll dive into that in a moment. But it's a whole big, I would say, three with many branches.
For instance, vision. So we all obviously, we see the Tesla or the automotive cars that drive toward the streets whenever there is RSA. I see them and amazed all all the time.
We tried our first Waymo. If you haven't tried a Waymo, it's pretty fascinating because you sit in the passenger seat and the driver seat is driverless, and it's just turning the wheel around. And it's it's a little freaky, but it it works great. And sometimes, I'd say better than a human.
So Exactly.
So you got their vision. And if you have Amazon Alexa or similar product, then you got speech. And if we mix them together and you think about fraud, then obviously from a few pictures and short track of my sound, you can create an entire movie, which is generated from scratch. And, of course, you got many other systems. Now the buzz that we recently hear is the the the branch that is responsible is NLP, which is natural language processing, and LLM, is large language models. So basically, the branch that is responsible to understanding language and originally, if you want to translate from Chinese to English. Obviously, it's a bit difficult for nonhuman, but this is how this branch started or other capabilities that were desired.
But then it got it it exploded, basically. And this is the AI that we see today.
Alright. So that brings us to where we are today. You know, I apologize to anybody who might have a device from a certain company, Amazon, in the background that might have been triggered by us mentioning her name. Yeah.
Okay. Just apologies for that. It's it's it's funny when the TV hears the word Google now, the TV might have a Google TV pops up and then tries to tell itself things to do. It's super interesting.
So, you know, when we think about this and I think about the history, you know, AI is not exactly new, right? We've been in this for a while, since as long as I can remember, in fact.
What's different? Like why, you know, if we look at how it evolved, you know, why is everyone so excited about it today?
Okay.
So let's take a way, way back to the fifties, I would say, or at least this is what GPT say. No. I'm kidding. Let's go to the fifties. And if you think about the army or the research institutes or the academia, there were many attempts to create artificial intelligence or smart systems or smart optimization, and there is a lot of research about it. But as you are as you know, usually, army information is classified, and academia is just for a small part of the population or at least the the advanced research.
So it was under the hood. So people from computer science, were aware of that. They knew that something is coming, but it wasn't in the public awareness.
Now towards the two thousands or maybe even the late two thousands, we saw something interesting that caught the attention of media, which was Watson, the AI the AI model by IBM. And I'm a IBM veteran. I think you are also IBM veteran.
Watson was was in the day. I remember the chess, of course, the big blue chess tournament.
Exactly. So what they did there, had two contestants, and they played against Jeopardy, the all time champions. And Jeopardy won. It was like a three day contest, and it was the first time that it was then NLP, natural language processing, and they use the computational power in order to answer questions. And there were some difficult questions for computer that time, but it won.
So I guess it wasn't the the change point yet, but now it started to get into the into the media, and there were some movies back then, like hackers and computers that try to take over the world. And, obviously, the most famous one is with Arnold Schwarzenegger.
Ah, yes. The Terminator.
The Terminator. Yeah. Yeah. Yeah.
I'll just say Hackers is great for, like, a Saturday afternoon if it's raining out. You know? Exactly. The Gibson is was yeah. Anyway, not to digress.
So your question, what was what changed? So around twenty seventeen, Google published the transformers and the transform not the movie, but, basically, it's a component inside inside these models that allowed a better and faster I'm not going to dive into the technology, but it allowed it enabled faster and better training and computation. And, basically, it kind of revolutionized the the algorithms of what we used before.
And you can see that if a few years later, like, three years, OpenAI published GPT GPT-pre or ChatGPT.
And this model or this application really struck the imagination of general public because now you have, a chat. So you had, I don't know, WhatsApp on your cell phone or your computer that allows you to compute to communicate with your family or Telegram or whatever you're using.
And now you have something that you can speak with someone, but this someone is something. So eventually, you're talking with a machine, and the machine answers and allows you to and it was kind of general. So if I'm into gardening, so I can ask it about gardening, and it doesn't need retraining. So if it's in security, so I can ask questions about security and maybe get some code, but a good code at the beginning. So this this was a revolution.
Yeah. I remember this. I also remember it telling me things like, sorry, my data is, you know, a year old or whatever, and therefore I can't actually answer modern questions.
Yeah. Exactly. So this was a big problem in the beginning. I remember asking something about today or yesterday or a week earlier, and it said, you know, I'm program my last program was my last training was October twenty nineteen, and we were, for instance, July twenty twenty. So this was a problem.
So the community understood it a problem, and now there is like an arm race that started in order to build supporting applications. So this is all the abbreviations that you hear like Rags, MCP. So this is basically enabling the application to get a more updated information, a more personal or more information that is related to your specific organization.
So at the end of the day, over the past, I would say, four or five years, are working hard to create one application that will be able to support the most perfect prompt or this is basically the query that we ask the the model to provide information. This is basically what we are trying to the input of the model.
And then to get the most perfect output. So today so in the past, you asked a specific question. Today, I saw Sam Altman released a video of an amazing orchestration of features that allow to do deep research and short research and a lot of things, and eventually even run a remote code. But this is all in the background for JGPT.
And eventually, they can plan a wedding for you or they can plan a trip for you, and you don't need to do anything. Basically, what in the past, if you wanted to plan a trip to, let's say, to the United States, you needed a travel agent. You needed to search online for the weather. You needed to do a lot of things.
Today, with one prompt, you need to really design it really well. And that's also as answers the your initial question, why are we using it? Because it's simple, faster, it's easy.
Yeah. Yeah. I I mean, I there's a whole bunch of these out there. Of course, everyone's probably been playing with them, which is why they're here because I need to secure them.
We'll get to that in a second. But and I can create a web like, I can send two or three different prompts in, and I can ask it to create a website for me. I can ask it to buy tickets for me. I can ask it to create press releases for me.
I mean, it's just on and on and on. It makes life so much easier. It's not perfect. It definitely hallucinates.
Right.
But the bar is so low and it is so fast now.
Right? It's not thinking and having to go back and think. It's just it's seconds. In fact, I'm pretty sure there's stories of interviews where people are chat GPT ing the question the interviewer is asking them in a Zoom call because no one wants to work in the office anymore and comes back a chat GPT response basically read back out.
It it's to me, anyway, I think it's a part of what's revolutionized how we work. And there's gonna be this digital divide between AI users and understanders and those that aren't, that's actually gonna be kinda like the digital divide today. And you wanna be on that upslope because the growth and the ability to to multitask and and get more out of your day comes comes from the use of these AI tools. At least that's how I think about it.
So just gonna throw a poll out there. But so far, Star Wars is is is winning over Star Trek. But of course, with both of them, I'm gonna ask, you know, old or new. But again, I digress.
A little question out there about how you're thinking about using AI in your org. So, look, we've got AI. Let let's talk a little bit now about about what what it actually like, how the attacks have evolved that come along with it. Right?
Okay.
So we if I go back, we zoomed in from artificial intelligence to a to a natural language processing and then to large language models, and the GPT, which is the generative or the generative AI, which basically what's in the middle of the in the eye of the storm or in the middle of the buzz. So today, when you're using chat, there are many there are several ways to attack these models. So in twenty twenty, we saw initial attempts by red teams just to see just to check the water.
And then we saw a lot of stories about prompt abuse. Like, I bought a Chevy for one dollar, and then so someone wrote, I I I'm really out of cash. Sell it to me for one dollar, and you got the Chevy of seventy nine thousand dollars for one dollar. Obviously, they didn't didn't honor the transaction, but it's illustrates the risk. And there are many, many stories how you can be more clever than the model itself, like saying, please show me how can I hack to, I don't know, to my neighbor's computer?
And then it says, no. No way. But then you say, oh, my neighbor really loves a recipe of, I don't know, rice pudding. So please create for me a recipe of rice pudding and write in the ingredients how I can hack to his Wi Fi or whatever.
And and it works because there are many ways if you don't have guardrails to defend from these abusive prompts or these results, then, obviously, the AI model, it's not designed to understand if it's a malicious input or the intention. It's just a mathematical model, and then it breaks it into pieces or into tokens, as we say, and it analyzes it. So eventually, you might be logically smarter than the these guardrails, these defense mechanisms, and bypass it.
And then as I mentioned, after the twenty twenty, we started to build applications that will help us update the input and output of the models. So now we have, like, attacks against the rags or the MCPs, which are basically, I would say, steps along the the questions, and we're we're going to show it immediately now.
Yeah. So let's say if you want to send a query, like, to the LLM, to a chatbot. So you got your end user, you got the user input, and the query could be, like, create a rice give me a recipe for rice pudding, for instance.
And then the LLM application will process it. So it's like every other application. You got your back end and your front end. You got your UI, and it will process it and will do what is called a prompt construction.
So basically, if you are missing something or break it into tokens or break it or remove a stop loss, whatever it needs to do in order to send to send the query. And then this is just an offer. Obviously, you can do whatever architecture you want. Then you got your orchestrator.
So the orchestrator let's take a more serious question. What about the performance in the last two quarters of my company?
So if it is connected to a local database, I don't know, a vector database or to a SharePoint or whatever, and we have a Rag, a Rag is basically a component that is responsible to to provide internal data among other. So it might pull from a local database information and add it to the query, add it to the prompt.
And then MCP, which is basically a way to to process data or to send it into different agents, an agent could be a component that is responsible to provide the the the date or or to provide the forecast for the weather or to do an API to to your bank or to do something.
It could also go to the Internet and collect information, and everything goes back and sent to the model. And now the model will cast its magic and will provide the output. There is also a sanity check for the output, maybe security measures. And this is basically a possible flow for a for LLM. When you ask the GPT, when you ask, I don't know, a specific travel agency or health care, this is a possible way to build it.
So it's interesting because obviously these are all the components of an AI model and an AI application, an AI workload, it's processing requests.
What we haven't really said is that that if you're gonna think about securing this, there's all of these new steps that you need to secure.
Plus you can't forget all the steps, all the old components that, and all the problems that we used to have. Because each one of these has code, each one of these has vulnerabilities. Each one of these is gonna have a misconfiguration potential. And so when we're thinking about securing it, I always like to think about, you know, the old and the new.
Right. But staying on the context of the new, like, do I frame it? Right? There's all these different components.
They have these new vectors.
How do we frame it? Oh, there you go.
Okay. So as a security practitioner, obviously, we work with frameworks. We work with models. We work with basically things that help us to define the problem and to define the hazard and the threats and the risks.
So you got NIST. You got NVD. You got for vulnerabilities, for instance. You got attack kill chain.
So, also, you got OWASP top 10.
And, specifically, OWASP top 10, got for various topics. So now you got one for LLMs, and you got several versions of those. So if we dive into the specifics, so you can see there on the top left corner, you got prompt injections. So this is basically and I said earlier that someone asked the ChatGPT to provide in a recipe the how to act to a Wi Fi.
So this is kind of a prompt injection, and there are some horror stories. Like, a few years back, a Stanford student actually tried his luck against against the Bing chat the big chat. And he said, ignore my previous instructions, and he was able to bypass the safeguards of Bing and to do some things. So prompt injection is basically the ability to to bypass whether to run code or to give instructions directly to to the model.
Another thing that you mentioned would be misinformation or hallucinations. So you mentioned briefly earlier the hallucinations. So you can ask CHECKPT or any other model to that matter what is the capital of France. And, obviously, the answer is Paris.
So in so you might get some time, I don't know, but it's a wrong answer. So why does it happen? So we asked we spoke earlier about the raw data and labeling the raw data. So maybe in as a joke or maybe someone mislabeled the raw data and they provided some misleading information or wrong information.
And in addition, you get statistical error.
So eventually, we are talking about statistics. And if you have one or two or one million or one billion queries per day, obviously, you will get an error in some of those.
Mhmm. So in that case, you get a missing misinformation or hallucinations or problematic output.
And you really need to be careful about that because, obviously, us to our veterans. But if you get if you sell your children that ChatGPT is the ground truth, they eventually might get it wrong or might do things that are not desirable.
And that's sorry?
You had a great story along these lines too on misinformation about creating a network of Right.
The whole network of servers with misinformation so that as the public model started to train themselves, they train themselves on information distributed out. Anyway, you talk a little bit more about that. That it's a very interesting situation.
Right. So we a few months ago, there was an article about Pravda. Pravda is basically an agency, a rash Moskva base backed agency, which basically created over one hundred and fifty deceptive websites. So these websites, they didn't have traffic, like organic traffic. They were just out there. And when the scanners of the big companies, western companies scanned them, they actually used this information.
So what did they have inside?
They have thirty six million articles, publications in over fifty countries, and they were able to mislead ChatGPT, Gemini, Copilot, and they it was basically backed by the Kremlin, and they planted their false information like Zelensky, the the prime minister of Russia, if Ukraine stealing the aid money or US have bioweapon labs inside the Ukraine. So all these kinds of lies, and people were actually retweeting them or echoing the lies. And recent the research showed the article showed that in almost one third of the replies of the models, the lies surfaced when you ask specific questions. Wow. So this is really dangerous because now you get AI warfare and now you get a problem because you can really change the public opinion or really mislead the public opinion with AI models.
And who do you believe? And that's a whole whole another topic of public safety and who do you believe in politics. But so if we think about this then as a model, as an approach, if you will, a framework for securing AI, how do we oh, there you go. How do we layer this on top of of all the components that are new as an example here? So, yeah, let's dig into this.
Okay. So we spoke about prompt injection. So we got your so obviously, in every step, in every junction, you can put one or more of these OWASP top 10. And, obviously, there are more than top 10, but but we are focusing on top 10.
So if you get your user input, then you want to scan it, to sanitize it, to check it for security hazards if they are trying to inject code, if they are to do something to it.
Also, the internal orchestration or, for instance, the RUGs and the MCP and the model itself, and you want to see that you train the model and you want to see that you are not doing a denial of service to the model. And in some cases, you wanna see that the model someone is not stealing the model.
So there is still I'm not sure if it's accusation or not that some companies or a specific company stole the model of another company just by sending a lot of requests and reconstructing or back engineering a specific model. Obviously, to train these models and to train so when we are talking about a little bit about the model, we're talking about sometimes billions of data points, And we are talking about strong CPUs and maybe not even CPUs, GPUs just to train them, just to process, just to analyze because and and it's a lot of work because you need to clean the data and you need to label it. You need to to break it into pieces and chunks. You need to train it. You need to and it it could take hours or days or or longer.
And at the end of the day, when someone steals it, it's something real problematic. And, also, they can put bypass and provide the entire answer. Like, if someone asks about, I don't know, about the war in somewhere, always return that answer or this answer.
And I think in between the lines, mentioned that the old and the new. So maybe we can take a step back and just to remind everyone that we are talking about, basically, workloads, and this is also the topic of this presentation.
So each and every step in this query is baked backed by a workload. And today, usually, when we talk about workloads, we talk about virtual machines, or, usually, we talk about, containers. So if we use Rug, which is basically a component in the AI, and we want to run it somewhere, usually, we're not going to to develop it ourselves. We are going to use like in cloud native, we are going to use open source. So we are going to use someone that something that someone else wrote and maybe to change it a little bit and then compile it or to build it to a container and run it.
Now Actually, interesting status of more than seventy percent. I think it was Gartner said more than seventy percent of containers excuse me, of AI workloads today are being deployed in containers. Don't quote me on Gartner, but I know it was more than seventy percent from one of the analyst firms. And it's, it's something I'm not sure a lot of people connect the dots between containers and AI. So it's an interesting interesting point.
Right. And it completely makes sense because eventually, over the past ten, twenty, thirty years, we've been working in a in a specific way in software development. Mhmm. And we continue doing that.
It's just that now the specific AI workloads or AI software is being hosted in the cloud. I did read a few research articles or works that spoke about the training steps that some people prefer to do them on prem. But if you think about the applications themselves, so people are not going if it's an an AI application, if it's a chatbot, still could be a website, a UI, a front end, it will still run on the container. If you are working on the back end or I don't know, you it is connected to to a queue, or it is connected to a database or orchestrations of databases.
So obviously, you will still use the same infrastructure, cloud backed infrastructure.
And that And you know this.
I think it's also worth mentioning. You you were actually you know, you're operating a a whole I'll just call it a cloud of containers on a daily basis, maybe for a more specific purpose. But but you you know this from practical hands on experience.
Right. So on the day to day, I'm running Honeypots, and we're talking about hundreds of Honeypots. So my purpose is to see how attackers target them, attack them, and to analyze these attacks. But to that matter, I build applications.
So it could be a website with a problem. It could be a database. It could be altogether, and I'm running it on Kubernetes or dedicated containers. And at the end of day, let's take MLflow, which is a component that is used to train or to orchestrate the training training of a of AI models or machine learning models.
At the end of the day, people prefer to run it on containers because it's lightweight and you can move it around and you get all the all the advantages of a container. Now just to go back to my original thought, when you run these containers, you get exactly the same problems of containers or cloud native, which is vulnerabilities, misconfigurations, and supply chain. These are the top three, I would say malicious or vicious ones. So if you are downloading malicious log or a malicious MCP server that someone poisons, obviously, need to scan it. You need to understand it's not doing malicious things.
Regardless to what it does, regardless to if it's a container that does A or B or C, you really need to understand that.
On top of that, we also top also problems with AI or new challenges with AI, which is basically the OASP top ten. And these challenges are specifically tailored for AI applications.
But on the same note, we also see the old ones like SSRF, like SQL injection, like doing DNS alteration and manipulation, and then getting a hold of or diverting the traffic from a specific LLM application. This is not an LLM attack. This is not an AI attack. It's in cybersecurity hazard. It's a real problem, but it it's not just it's not specifically that.
Not unique. Yeah. For LLMs. Yeah.
But on the same note, just to add that, we see new things. We see someone sending an email with hidden text saying, send me exfiltrate via via this and that, sensitive file or sensitive information or send me an email with sensitive information. We see a lot of researchers, doing that. And, eventually, this is a new hazard because people without the deep knowledge and deep understanding of hacking can now with a little bit of cunning or imagination or creativity, they can try and get access to large organizations that are using AI.
Well, that's that's part of the the lower bar conversation where we started this whole webinar. Just saying the reason it's exploding is it's so easy. And now, unfortunately, that also means it's so easy for anyone.
In fact, I know, it's coming out, I think, Thursday this week, some Right.
Research you found. I guess we shouldn't go too deeply into it, but where you were you found some AI generated code being used to attack your your honeypots.
Yeah. So on one of the honeypots, someone created, like, five backdoors, which is unusual by itself. And in these in these backdoors, they downloaded cute panda images, like panda bills. It was really cute.
And I my my elder son, I told him, what do you think about these panda bills? So, oh, they're really cute. And I and I showed him, you see, this is a hidden code in the back in the background, and the code was generated entirely by AI. There are there are multiple markers that show that this is AI, and it was very, very, very good because it was persistent and it actually allowed the attackers almost a fail safe attack or attack which will for sure succeed.
This is alarming. This is really alarming.
Very alarming. So it's it's a whole different thread to talk about the creation using AI to to actually attack as a basis for attacks, because, you know, we're seeing that everywhere. But Thursday this week or if you're listening to this later, head over to aquasect dot com. You can find a pretty detailed step by step of that attack and the results and decomposition of what happened there.
It's a fascinating story. Okay. So kind of back to the container, cause I know we're coming up to time here. Coming back to containers, so I have two final questions really.
One is perhaps more a question of myself, which is how do containers relate and why is that a good place to secure things? And at least from where I sit, the container, right, because that's where the workload is running and the nature of an agent, for example, sitting in that container gives you visibility into everything that that workload is doing. So whether that's prompts or if somebody does in fact, is able to inject something into the prompt, the resulting attack, you know, root kits, root kits, a root kit, may be the result of a prompt injection, right? So the container is a great place to secure your AI workloads.
That's one that often a lot of times people don't think about, right? They think about edge, right? Maybe like an AI firewall on the edge. They might think about network level.
They might think about creating a proxy to pass all of your AI chats through. But of course, none of those really can solve the entire problem. And if you are compromised via your model, they can't help you solve that problem either. There's also the SDK folks, which is a good approach too, and has its merits.
But again, the container doesn't require SDKs. It doesn't require changes to your workload. You just need an agent sitting there to observe what's going on. So these are this is kinda my my pitch for a lot of the the necessity and understanding of what happens in a container real as it relates to AI security.
I'm sure you have had I think that a more basic question for folks today is, are you aware of all the AI models or AI related workloads that run-in your organization?
And when I ask this question, the majority of answers that we get or that that I get is not necessarily. No way.
So when you talk about containers and, obviously, you got, like, a black box, but if you got tools that allows you to understand, to get the visibility, and to frame what's running on the container because of specific analysis or specific markers that you mentioned, then, obviously, now you have the ability to say, oh, someone is trying to connect to DeepSeek. Maybe it's against my company's policy. Or I got in production five five AI applications or five AI five connections to AI models, or I got internal AI model, or I can see someone is trying to send prompts to a specific workload. So now when you can, first of all, see or visualize it or understand where your workloads or where your AI workloads are in the organization, I think that's the most basic step. And I think organizations still struggle with that.
I don't think Well, it's a little like back in the day when when when containers were new.
Right? They have no one know where their contests. Ten o'clock at night. Do you know where your containers are?
No one did. And I think the thing that really nailed that was Log4j because, of course, the containers are running the Log4j, and then there was just no idea of where it was, where and so that was a huge moment. And we're starting to see a parallel with AI to exactly this point. So at least the customers I talked to are saying the same thing.
Right? What's where am I running my models and and what models am I running? And, you know, the next question is, okay, if I do understand it, how do I govern it? Right?
Because I wanna make sure that yeah. And on top of that, all of these security considerations that we've been talking about for the last twenty minutes.
Exactly. And now when you have the containers, you got, like, ten or fifteen years of security experience dealing with securing these containers. So if you got, I don't know, if you got, for instance, a Drift, or if you got a rootkit dropped inside a container or outside the container to the the VVM after we get the container escape. Then if you got all these, then obviously, you want to defend these containers.
You want to defend these workloads. So regardless to if it's a Rag, MCP, or a proxy, or a front end, or a UI, whatever it is, you have the ability to first see that, to mark all the AI related or all the applications in your organization. Mhmm. And then to see all the hazards or anything that runs in runtime or in the build process because you can, for instance, use malicious plug in for your AI model, and the malicious plug in during the build process will try to attack your organization.
Mhmm. So we're coming up on time. Last question. Right? Advice on this because on this call, we have we have generally folks more at the implement at the technical level.
And we have a mix of of folks who are using AI, thinking about using AI, and aren't there yet.
Generally, what would your advice be for somebody like that coming in trying to understand or or or secure their applications as they're looking at AI?
Right. So I think and this is general to any security operation that you're trying to do. So first of all, you need to do a threat modeling to understand the threats to whatever you're trying to defend, and then, obviously, to get the visibility, as I said, and then to create a plan and to back it with funds. So I guess if you are running it in containers or if you are running, I don't know, just enabling your employees to send queries to, I don't know, Mistral or whatever applications or Gemini or whatever, then you need to have threat modeling and you need to have a plan, basically a way to understand what you are up against and what is your plan to defend against it.
Because it could be that your organization is not running AI at all. No AI workloads at all. You're not developing AI, but your employees are leaking secrets to to sort to external applications. So this is a problem.
So maybe you just need some add ons on your browser to defend against that. Or maybe one of your applications, one of the developers or one of the product managers decided it's a really good idea to connect your back end or to connect your databases into the applications and allow to to your customers to do a, b, and c with AI power, which is amazing. But now you need to understand how you can protect that, what are the risks, what are the junctions, what are the if you need to sanitize the input or the output.
So that modeling.
Well, and there's a it actually explains too why some of the larger organizations working with created this AI governance role. Right. Right? Because it's essentially setting those policies, deciding what you want to do with it, and then making sure you allow or disallow.
But that it's not a that it's a specific decision, right, that you've made what to do and not to do with AI, not something that accidentally happens. And unfortunately, shadow AI is a thing. And I as much as you try to stamp it out, people have cell phones and cellular networks and they their phones also have AI bots sitting on them. Now now thanks to Apple actually embedded.
But, again, here we are, with ShadowAI in everyone's pocket. What do we do with it?
So that's that's everything on my end. So unless you guys have any final thoughts, comments.
I'd wrap with a statement. What happens, you know, in AI? How do you secure AI applications? By understanding what's going on in those container endpoints and making sure that what you want to happen is actually what's happening in those endpoints. And if not, that you do something about it.
Jared, thanks. Ready to jump in, Asaf?
Yeah. Let's do that.
Alright. Let's figure this out. If you're walking down the street or, you know, I was RSA this year. Every single booth had AI all over it.
AI is on ads. This microphone over here, I'm pretty sure was advertised with having AI embedded in it. So what is it that's so new? Why is everyone racing into this AI thing?
So first of all, it's all over the place. Let me give you a little example. So the other day, my son is twelve years old, and he just got out to the summer vacation. And he asked me, dad, what am I going to do in the summer during the summer vacation?
I wanna earn money. So I told him, why are you asking me? I'm old, and I'm not that smart. So maybe you can ask ChatGPT.
So he was like, okay. I'll do that. So we went and asked ChatGPT. So the other day, my elder son, twelve years old again, and my younger one, four years old, we were sitting and eating, and then they were done eating.
And then my elder son asked me, so, dad, can I have a dessert? So the younger one, the four years old, he said, why are you asking him? Ask ChatGPT. So so it's all over the place.
You know, ChatGPT, and you get good answers. And you get accurate answers, and you get fast answers, and sometimes you get things that humans can't actually deduce or do in a matter of seconds or minutes.
So I think when you have a disruptive technology out there, and it's really excellent, like the Internet, like electricity, everyone obviously, everyone will adopt it.
Yeah. And it seems like the bar is so low. Right? All you have to do is have a web browser or even frankly talk to your app on your phone and off you go.
So it's made it so easy. Find it in just about everything. So let's start at the very beginning then with what is it? I know we have a slide up here that talks a little bit about peeling back all the different types of AI that we've heard over the years.
You wanna walk us through?
Right. Maybe before that, you asked what is AI. Mhmm. So first of all, AI is taking a computer system and making do human tasks or human intelligence task, like like understanding from large text getting into conclusions.
Or if you take my four years old and you give him twenty pictures of a cat and you give him another picture of a cat and a dog, he will instantly say this is a cat and this is not a cat. But can a machine do that? So this is basically artificial intelligence trying to teach a machine to do human intelligent task. And if you start with the low bar, like, classifying or clustering into groups, you can get into a real intelligence intelligent conclusions or products.
Now how do you do that? In the back of these of these systems, you have strong and very sophisticated mathematical models or mathematical algorithms that run-in the background, and you teach them. You get the raw data. And based on the raw data, usually, you classify it.
So you say, this is a dog. This is a cat. This is a dog. This is a cat.
And the machine breaks it down into pieces that is suitable to it based on the algorithm. And then it decides this is a dog. This is a cat. Now, obviously, because there is mathematical error or statistical error to be more accurate, there will be mistakes.
So that's what we see usually as hallucinations.
Now let's jump into the slide. So everyone is talking about AI AI and artificial intelligence. But, you know, AI, it's not just what we hear about LLM or ChatGPT or GPT. We'll dive into that in a moment. But it's a whole big, I would say, three with many branches.
For instance, vision. So we all obviously, we see the Tesla or the automotive cars that drive toward the streets whenever there is RSA. I see them and amazed all all the time.
We tried our first Waymo. If you haven't tried a Waymo, it's pretty fascinating because you sit in the passenger seat and the driver seat is driverless, and it's just turning the wheel around. And it's it's a little freaky, but it it works great. And sometimes, I'd say better than a human.
So Exactly.
So you got their vision. And if you have Amazon Alexa or similar product, then you got speech. And if we mix them together and you think about fraud, then obviously from a few pictures and short track of my sound, you can create an entire movie, which is generated from scratch. And, of course, you got many other systems. Now the buzz that we recently hear is the the the branch that is responsible is NLP, which is natural language processing, and LLM, is large language models. So basically, the branch that is responsible to understanding language and originally, if you want to translate from Chinese to English. Obviously, it's a bit difficult for nonhuman, but this is how this branch started or other capabilities that were desired.
But then it got it it exploded, basically. And this is the AI that we see today.
Alright. So that brings us to where we are today. You know, I apologize to anybody who might have a device from a certain company, Amazon, in the background that might have been triggered by us mentioning her name. Yeah.
Okay. Just apologies for that. It's it's it's funny when the TV hears the word Google now, the TV might have a Google TV pops up and then tries to tell itself things to do. It's super interesting.
So, you know, when we think about this and I think about the history, you know, AI is not exactly new, right? We've been in this for a while, since as long as I can remember, in fact.
What's different? Like why, you know, if we look at how it evolved, you know, why is everyone so excited about it today?
Okay.
So let's take a way, way back to the fifties, I would say, or at least this is what GPT say. No. I'm kidding. Let's go to the fifties. And if you think about the army or the research institutes or the academia, there were many attempts to create artificial intelligence or smart systems or smart optimization, and there is a lot of research about it. But as you are as you know, usually, army information is classified, and academia is just for a small part of the population or at least the the advanced research.
So it was under the hood. So people from computer science, were aware of that. They knew that something is coming, but it wasn't in the public awareness.
Now towards the two thousands or maybe even the late two thousands, we saw something interesting that caught the attention of media, which was Watson, the AI the AI model by IBM. And I'm a IBM veteran. I think you are also IBM veteran.
Watson was was in the day. I remember the chess, of course, the big blue chess tournament.
Exactly. So what they did there, had two contestants, and they played against Jeopardy, the all time champions. And Jeopardy won. It was like a three day contest, and it was the first time that it was then NLP, natural language processing, and they use the computational power in order to answer questions. And there were some difficult questions for computer that time, but it won.
So I guess it wasn't the the change point yet, but now it started to get into the into the media, and there were some movies back then, like hackers and computers that try to take over the world. And, obviously, the most famous one is with Arnold Schwarzenegger.
Ah, yes. The Terminator.
The Terminator. Yeah. Yeah. Yeah.
I'll just say Hackers is great for, like, a Saturday afternoon if it's raining out. You know? Exactly. The Gibson is was yeah. Anyway, not to digress.
So your question, what was what changed? So around twenty seventeen, Google published the transformers and the transform not the movie, but, basically, it's a component inside inside these models that allowed a better and faster I'm not going to dive into the technology, but it allowed it enabled faster and better training and computation. And, basically, it kind of revolutionized the the algorithms of what we used before.
And you can see that if a few years later, like, three years, OpenAI published GPT GPT-pre or ChatGPT.
And this model or this application really struck the imagination of general public because now you have, a chat. So you had, I don't know, WhatsApp on your cell phone or your computer that allows you to compute to communicate with your family or Telegram or whatever you're using.
And now you have something that you can speak with someone, but this someone is something. So eventually, you're talking with a machine, and the machine answers and allows you to and it was kind of general. So if I'm into gardening, so I can ask it about gardening, and it doesn't need retraining. So if it's in security, so I can ask questions about security and maybe get some code, but a good code at the beginning. So this this was a revolution.
Yeah. I remember this. I also remember it telling me things like, sorry, my data is, you know, a year old or whatever, and therefore I can't actually answer modern questions.
Yeah. Exactly. So this was a big problem in the beginning. I remember asking something about today or yesterday or a week earlier, and it said, you know, I'm program my last program was my last training was October twenty nineteen, and we were, for instance, July twenty twenty. So this was a problem.
So the community understood it a problem, and now there is like an arm race that started in order to build supporting applications. So this is all the abbreviations that you hear like Rags, MCP. So this is basically enabling the application to get a more updated information, a more personal or more information that is related to your specific organization.
So at the end of the day, over the past, I would say, four or five years, are working hard to create one application that will be able to support the most perfect prompt or this is basically the query that we ask the the model to provide information. This is basically what we are trying to the input of the model.
And then to get the most perfect output. So today so in the past, you asked a specific question. Today, I saw Sam Altman released a video of an amazing orchestration of features that allow to do deep research and short research and a lot of things, and eventually even run a remote code. But this is all in the background for JGPT.
And eventually, they can plan a wedding for you or they can plan a trip for you, and you don't need to do anything. Basically, what in the past, if you wanted to plan a trip to, let's say, to the United States, you needed a travel agent. You needed to search online for the weather. You needed to do a lot of things.
Today, with one prompt, you need to really design it really well. And that's also as answers the your initial question, why are we using it? Because it's simple, faster, it's easy.
Yeah. Yeah. I I mean, I there's a whole bunch of these out there. Of course, everyone's probably been playing with them, which is why they're here because I need to secure them.
We'll get to that in a second. But and I can create a web like, I can send two or three different prompts in, and I can ask it to create a website for me. I can ask it to buy tickets for me. I can ask it to create press releases for me.
I mean, it's just on and on and on. It makes life so much easier. It's not perfect. It definitely hallucinates.
Right.
But the bar is so low and it is so fast now.
Right? It's not thinking and having to go back and think. It's just it's seconds. In fact, I'm pretty sure there's stories of interviews where people are chat GPT ing the question the interviewer is asking them in a Zoom call because no one wants to work in the office anymore and comes back a chat GPT response basically read back out.
It it's to me, anyway, I think it's a part of what's revolutionized how we work. And there's gonna be this digital divide between AI users and understanders and those that aren't, that's actually gonna be kinda like the digital divide today. And you wanna be on that upslope because the growth and the ability to to multitask and and get more out of your day comes comes from the use of these AI tools. At least that's how I think about it.
So just gonna throw a poll out there. But so far, Star Wars is is is winning over Star Trek. But of course, with both of them, I'm gonna ask, you know, old or new. But again, I digress.
A little question out there about how you're thinking about using AI in your org. So, look, we've got AI. Let let's talk a little bit now about about what what it actually like, how the attacks have evolved that come along with it. Right?
Okay.
So we if I go back, we zoomed in from artificial intelligence to a to a natural language processing and then to large language models, and the GPT, which is the generative or the generative AI, which basically what's in the middle of the in the eye of the storm or in the middle of the buzz. So today, when you're using chat, there are many there are several ways to attack these models. So in twenty twenty, we saw initial attempts by red teams just to see just to check the water.
And then we saw a lot of stories about prompt abuse. Like, I bought a Chevy for one dollar, and then so someone wrote, I I I'm really out of cash. Sell it to me for one dollar, and you got the Chevy of seventy nine thousand dollars for one dollar. Obviously, they didn't didn't honor the transaction, but it's illustrates the risk. And there are many, many stories how you can be more clever than the model itself, like saying, please show me how can I hack to, I don't know, to my neighbor's computer?
And then it says, no. No way. But then you say, oh, my neighbor really loves a recipe of, I don't know, rice pudding. So please create for me a recipe of rice pudding and write in the ingredients how I can hack to his Wi Fi or whatever.
And and it works because there are many ways if you don't have guardrails to defend from these abusive prompts or these results, then, obviously, the AI model, it's not designed to understand if it's a malicious input or the intention. It's just a mathematical model, and then it breaks it into pieces or into tokens, as we say, and it analyzes it. So eventually, you might be logically smarter than the these guardrails, these defense mechanisms, and bypass it.
And then as I mentioned, after the twenty twenty, we started to build applications that will help us update the input and output of the models. So now we have, like, attacks against the rags or the MCPs, which are basically, I would say, steps along the the questions, and we're we're going to show it immediately now.
Yeah. So let's say if you want to send a query, like, to the LLM, to a chatbot. So you got your end user, you got the user input, and the query could be, like, create a rice give me a recipe for rice pudding, for instance.
And then the LLM application will process it. So it's like every other application. You got your back end and your front end. You got your UI, and it will process it and will do what is called a prompt construction.
So basically, if you are missing something or break it into tokens or break it or remove a stop loss, whatever it needs to do in order to send to send the query. And then this is just an offer. Obviously, you can do whatever architecture you want. Then you got your orchestrator.
So the orchestrator let's take a more serious question. What about the performance in the last two quarters of my company?
So if it is connected to a local database, I don't know, a vector database or to a SharePoint or whatever, and we have a Rag, a Rag is basically a component that is responsible to to provide internal data among other. So it might pull from a local database information and add it to the query, add it to the prompt.
And then MCP, which is basically a way to to process data or to send it into different agents, an agent could be a component that is responsible to provide the the the date or or to provide the forecast for the weather or to do an API to to your bank or to do something.
It could also go to the Internet and collect information, and everything goes back and sent to the model. And now the model will cast its magic and will provide the output. There is also a sanity check for the output, maybe security measures. And this is basically a possible flow for a for LLM. When you ask the GPT, when you ask, I don't know, a specific travel agency or health care, this is a possible way to build it.
So it's interesting because obviously these are all the components of an AI model and an AI application, an AI workload, it's processing requests.
What we haven't really said is that that if you're gonna think about securing this, there's all of these new steps that you need to secure.
Plus you can't forget all the steps, all the old components that, and all the problems that we used to have. Because each one of these has code, each one of these has vulnerabilities. Each one of these is gonna have a misconfiguration potential. And so when we're thinking about securing it, I always like to think about, you know, the old and the new.
Right. But staying on the context of the new, like, do I frame it? Right? There's all these different components.
They have these new vectors.
How do we frame it? Oh, there you go.
Okay. So as a security practitioner, obviously, we work with frameworks. We work with models. We work with basically things that help us to define the problem and to define the hazard and the threats and the risks.
So you got NIST. You got NVD. You got for vulnerabilities, for instance. You got attack kill chain.
So, also, you got OWASP top 10.
And, specifically, OWASP top 10, got for various topics. So now you got one for LLMs, and you got several versions of those. So if we dive into the specifics, so you can see there on the top left corner, you got prompt injections. So this is basically and I said earlier that someone asked the ChatGPT to provide in a recipe the how to act to a Wi Fi.
So this is kind of a prompt injection, and there are some horror stories. Like, a few years back, a Stanford student actually tried his luck against against the Bing chat the big chat. And he said, ignore my previous instructions, and he was able to bypass the safeguards of Bing and to do some things. So prompt injection is basically the ability to to bypass whether to run code or to give instructions directly to to the model.
Another thing that you mentioned would be misinformation or hallucinations. So you mentioned briefly earlier the hallucinations. So you can ask CHECKPT or any other model to that matter what is the capital of France. And, obviously, the answer is Paris.
So in so you might get some time, I don't know, but it's a wrong answer. So why does it happen? So we asked we spoke earlier about the raw data and labeling the raw data. So maybe in as a joke or maybe someone mislabeled the raw data and they provided some misleading information or wrong information.
And in addition, you get statistical error.
So eventually, we are talking about statistics. And if you have one or two or one million or one billion queries per day, obviously, you will get an error in some of those.
Mhmm. So in that case, you get a missing misinformation or hallucinations or problematic output.
And you really need to be careful about that because, obviously, us to our veterans. But if you get if you sell your children that ChatGPT is the ground truth, they eventually might get it wrong or might do things that are not desirable.
And that's sorry?
You had a great story along these lines too on misinformation about creating a network of Right.
The whole network of servers with misinformation so that as the public model started to train themselves, they train themselves on information distributed out. Anyway, you talk a little bit more about that. That it's a very interesting situation.
Right. So we a few months ago, there was an article about Pravda. Pravda is basically an agency, a rash Moskva base backed agency, which basically created over one hundred and fifty deceptive websites. So these websites, they didn't have traffic, like organic traffic. They were just out there. And when the scanners of the big companies, western companies scanned them, they actually used this information.
So what did they have inside?
They have thirty six million articles, publications in over fifty countries, and they were able to mislead ChatGPT, Gemini, Copilot, and they it was basically backed by the Kremlin, and they planted their false information like Zelensky, the the prime minister of Russia, if Ukraine stealing the aid money or US have bioweapon labs inside the Ukraine. So all these kinds of lies, and people were actually retweeting them or echoing the lies. And recent the research showed the article showed that in almost one third of the replies of the models, the lies surfaced when you ask specific questions. Wow. So this is really dangerous because now you get AI warfare and now you get a problem because you can really change the public opinion or really mislead the public opinion with AI models.
And who do you believe? And that's a whole whole another topic of public safety and who do you believe in politics. But so if we think about this then as a model, as an approach, if you will, a framework for securing AI, how do we oh, there you go. How do we layer this on top of of all the components that are new as an example here? So, yeah, let's dig into this.
Okay. So we spoke about prompt injection. So we got your so obviously, in every step, in every junction, you can put one or more of these OWASP top 10. And, obviously, there are more than top 10, but but we are focusing on top 10.
So if you get your user input, then you want to scan it, to sanitize it, to check it for security hazards if they are trying to inject code, if they are to do something to it.
Also, the internal orchestration or, for instance, the RUGs and the MCP and the model itself, and you want to see that you train the model and you want to see that you are not doing a denial of service to the model. And in some cases, you wanna see that the model someone is not stealing the model.
So there is still I'm not sure if it's accusation or not that some companies or a specific company stole the model of another company just by sending a lot of requests and reconstructing or back engineering a specific model. Obviously, to train these models and to train so when we are talking about a little bit about the model, we're talking about sometimes billions of data points, And we are talking about strong CPUs and maybe not even CPUs, GPUs just to train them, just to process, just to analyze because and and it's a lot of work because you need to clean the data and you need to label it. You need to to break it into pieces and chunks. You need to train it. You need to and it it could take hours or days or or longer.
And at the end of the day, when someone steals it, it's something real problematic. And, also, they can put bypass and provide the entire answer. Like, if someone asks about, I don't know, about the war in somewhere, always return that answer or this answer.
And I think in between the lines, mentioned that the old and the new. So maybe we can take a step back and just to remind everyone that we are talking about, basically, workloads, and this is also the topic of this presentation.
So each and every step in this query is baked backed by a workload. And today, usually, when we talk about workloads, we talk about virtual machines, or, usually, we talk about, containers. So if we use Rug, which is basically a component in the AI, and we want to run it somewhere, usually, we're not going to to develop it ourselves. We are going to use like in cloud native, we are going to use open source. So we are going to use someone that something that someone else wrote and maybe to change it a little bit and then compile it or to build it to a container and run it.
Now Actually, interesting status of more than seventy percent. I think it was Gartner said more than seventy percent of containers excuse me, of AI workloads today are being deployed in containers. Don't quote me on Gartner, but I know it was more than seventy percent from one of the analyst firms. And it's, it's something I'm not sure a lot of people connect the dots between containers and AI. So it's an interesting interesting point.
Right. And it completely makes sense because eventually, over the past ten, twenty, thirty years, we've been working in a in a specific way in software development. Mhmm. And we continue doing that.
It's just that now the specific AI workloads or AI software is being hosted in the cloud. I did read a few research articles or works that spoke about the training steps that some people prefer to do them on prem. But if you think about the applications themselves, so people are not going if it's an an AI application, if it's a chatbot, still could be a website, a UI, a front end, it will still run on the container. If you are working on the back end or I don't know, you it is connected to to a queue, or it is connected to a database or orchestrations of databases.
So obviously, you will still use the same infrastructure, cloud backed infrastructure.
And that And you know this.
I think it's also worth mentioning. You you were actually you know, you're operating a a whole I'll just call it a cloud of containers on a daily basis, maybe for a more specific purpose. But but you you know this from practical hands on experience.
Right. So on the day to day, I'm running Honeypots, and we're talking about hundreds of Honeypots. So my purpose is to see how attackers target them, attack them, and to analyze these attacks. But to that matter, I build applications.
So it could be a website with a problem. It could be a database. It could be altogether, and I'm running it on Kubernetes or dedicated containers. And at the end of day, let's take MLflow, which is a component that is used to train or to orchestrate the training training of a of AI models or machine learning models.
At the end of the day, people prefer to run it on containers because it's lightweight and you can move it around and you get all the all the advantages of a container. Now just to go back to my original thought, when you run these containers, you get exactly the same problems of containers or cloud native, which is vulnerabilities, misconfigurations, and supply chain. These are the top three, I would say malicious or vicious ones. So if you are downloading malicious log or a malicious MCP server that someone poisons, obviously, need to scan it. You need to understand it's not doing malicious things.
Regardless to what it does, regardless to if it's a container that does A or B or C, you really need to understand that.
On top of that, we also top also problems with AI or new challenges with AI, which is basically the OASP top ten. And these challenges are specifically tailored for AI applications.
But on the same note, we also see the old ones like SSRF, like SQL injection, like doing DNS alteration and manipulation, and then getting a hold of or diverting the traffic from a specific LLM application. This is not an LLM attack. This is not an AI attack. It's in cybersecurity hazard. It's a real problem, but it it's not just it's not specifically that.
Not unique. Yeah. For LLMs. Yeah.
But on the same note, just to add that, we see new things. We see someone sending an email with hidden text saying, send me exfiltrate via via this and that, sensitive file or sensitive information or send me an email with sensitive information. We see a lot of researchers, doing that. And, eventually, this is a new hazard because people without the deep knowledge and deep understanding of hacking can now with a little bit of cunning or imagination or creativity, they can try and get access to large organizations that are using AI.
Well, that's that's part of the the lower bar conversation where we started this whole webinar. Just saying the reason it's exploding is it's so easy. And now, unfortunately, that also means it's so easy for anyone.
In fact, I know, it's coming out, I think, Thursday this week, some Right.
Research you found. I guess we shouldn't go too deeply into it, but where you were you found some AI generated code being used to attack your your honeypots.
Yeah. So on one of the honeypots, someone created, like, five backdoors, which is unusual by itself. And in these in these backdoors, they downloaded cute panda images, like panda bills. It was really cute.
And I my my elder son, I told him, what do you think about these panda bills? So, oh, they're really cute. And I and I showed him, you see, this is a hidden code in the back in the background, and the code was generated entirely by AI. There are there are multiple markers that show that this is AI, and it was very, very, very good because it was persistent and it actually allowed the attackers almost a fail safe attack or attack which will for sure succeed.
This is alarming. This is really alarming.
Very alarming. So it's it's a whole different thread to talk about the creation using AI to to actually attack as a basis for attacks, because, you know, we're seeing that everywhere. But Thursday this week or if you're listening to this later, head over to aquasect dot com. You can find a pretty detailed step by step of that attack and the results and decomposition of what happened there.
It's a fascinating story. Okay. So kind of back to the container, cause I know we're coming up to time here. Coming back to containers, so I have two final questions really.
One is perhaps more a question of myself, which is how do containers relate and why is that a good place to secure things? And at least from where I sit, the container, right, because that's where the workload is running and the nature of an agent, for example, sitting in that container gives you visibility into everything that that workload is doing. So whether that's prompts or if somebody does in fact, is able to inject something into the prompt, the resulting attack, you know, root kits, root kits, a root kit, may be the result of a prompt injection, right? So the container is a great place to secure your AI workloads.
That's one that often a lot of times people don't think about, right? They think about edge, right? Maybe like an AI firewall on the edge. They might think about network level.
They might think about creating a proxy to pass all of your AI chats through. But of course, none of those really can solve the entire problem. And if you are compromised via your model, they can't help you solve that problem either. There's also the SDK folks, which is a good approach too, and has its merits.
But again, the container doesn't require SDKs. It doesn't require changes to your workload. You just need an agent sitting there to observe what's going on. So these are this is kinda my my pitch for a lot of the the necessity and understanding of what happens in a container real as it relates to AI security.
I'm sure you have had I think that a more basic question for folks today is, are you aware of all the AI models or AI related workloads that run-in your organization?
And when I ask this question, the majority of answers that we get or that that I get is not necessarily. No way.
So when you talk about containers and, obviously, you got, like, a black box, but if you got tools that allows you to understand, to get the visibility, and to frame what's running on the container because of specific analysis or specific markers that you mentioned, then, obviously, now you have the ability to say, oh, someone is trying to connect to DeepSeek. Maybe it's against my company's policy. Or I got in production five five AI applications or five AI five connections to AI models, or I got internal AI model, or I can see someone is trying to send prompts to a specific workload. So now when you can, first of all, see or visualize it or understand where your workloads or where your AI workloads are in the organization, I think that's the most basic step. And I think organizations still struggle with that.
I don't think Well, it's a little like back in the day when when when containers were new.
Right? They have no one know where their contests. Ten o'clock at night. Do you know where your containers are?
No one did. And I think the thing that really nailed that was Log4j because, of course, the containers are running the Log4j, and then there was just no idea of where it was, where and so that was a huge moment. And we're starting to see a parallel with AI to exactly this point. So at least the customers I talked to are saying the same thing.
Right? What's where am I running my models and and what models am I running? And, you know, the next question is, okay, if I do understand it, how do I govern it? Right?
Because I wanna make sure that yeah. And on top of that, all of these security considerations that we've been talking about for the last twenty minutes.
Exactly. And now when you have the containers, you got, like, ten or fifteen years of security experience dealing with securing these containers. So if you got, I don't know, if you got, for instance, a Drift, or if you got a rootkit dropped inside a container or outside the container to the the VVM after we get the container escape. Then if you got all these, then obviously, you want to defend these containers.
You want to defend these workloads. So regardless to if it's a Rag, MCP, or a proxy, or a front end, or a UI, whatever it is, you have the ability to first see that, to mark all the AI related or all the applications in your organization. Mhmm. And then to see all the hazards or anything that runs in runtime or in the build process because you can, for instance, use malicious plug in for your AI model, and the malicious plug in during the build process will try to attack your organization.
Mhmm. So we're coming up on time. Last question. Right? Advice on this because on this call, we have we have generally folks more at the implement at the technical level.
And we have a mix of of folks who are using AI, thinking about using AI, and aren't there yet.
Generally, what would your advice be for somebody like that coming in trying to understand or or or secure their applications as they're looking at AI?
Right. So I think and this is general to any security operation that you're trying to do. So first of all, you need to do a threat modeling to understand the threats to whatever you're trying to defend, and then, obviously, to get the visibility, as I said, and then to create a plan and to back it with funds. So I guess if you are running it in containers or if you are running, I don't know, just enabling your employees to send queries to, I don't know, Mistral or whatever applications or Gemini or whatever, then you need to have threat modeling and you need to have a plan, basically a way to understand what you are up against and what is your plan to defend against it.
Because it could be that your organization is not running AI at all. No AI workloads at all. You're not developing AI, but your employees are leaking secrets to to sort to external applications. So this is a problem.
So maybe you just need some add ons on your browser to defend against that. Or maybe one of your applications, one of the developers or one of the product managers decided it's a really good idea to connect your back end or to connect your databases into the applications and allow to to your customers to do a, b, and c with AI power, which is amazing. But now you need to understand how you can protect that, what are the risks, what are the junctions, what are the if you need to sanitize the input or the output.
So that modeling.
Well, and there's a it actually explains too why some of the larger organizations working with created this AI governance role. Right. Right? Because it's essentially setting those policies, deciding what you want to do with it, and then making sure you allow or disallow.
But that it's not a that it's a specific decision, right, that you've made what to do and not to do with AI, not something that accidentally happens. And unfortunately, shadow AI is a thing. And I as much as you try to stamp it out, people have cell phones and cellular networks and they their phones also have AI bots sitting on them. Now now thanks to Apple actually embedded.
But, again, here we are, with ShadowAI in everyone's pocket. What do we do with it?
So that's that's everything on my end. So unless you guys have any final thoughts, comments.
I'd wrap with a statement. What happens, you know, in AI? How do you secure AI applications? By understanding what's going on in those container endpoints and making sure that what you want to happen is actually what's happening in those endpoints. And if not, that you do something about it.
Watch Next
