Leveraging The Benefits Of LLM Securely 

Uploaded on 2024-06-24 in TECHNOLOGY-Key Areas-Artificial Intelligence, TECHNOLOGY--Developments, FREE TO VIEW

Generative AI (GenAI) based on large language models (LLMs) has created a breakthrough in the way humans interact and leverage AI technology. From generating human-like text to powering conversational interfaces and automating complex tasks.

Even though we are at the early stages of LLM adoption, businesses are ramping up their capabilities to build LLM-powered applications.

Initial findings from our customers reveal that one out of four customers are building LLM-powered applications and around 20% of them are using OpenAI as their LLM . And according to a developer survey by Stack Overflow 70% of developers are using or are planning to use AI tools in their development process. However, while businesses are strongly driven to embrace LLM adoption, in many cases a fear or lack of knowledge relating to the evolving attack vectors that come with it and AI-powered threats will be slowing down innovation. 

The Open Worldwide Application Security Project (OSWAP) Top 10 list for LLM applications has driven further awareness around the risks from LLM adoption by highlighting the critical need for security tools and processes to confidently manage the rollout of GenAI technology. Three key areas of focus within the OWASP Top 10 for LLMs include Prompt Injection, Insecure LLM Interaction, and Data Access.

But how do these specifically affect cloud native applications, and what is important to know about these attack vector techniques? 

Examining the top three LLM risks, identified by OSWAP: 

1.    Prompt Injection:  A new but serious attack technique specific to LLMs. Here the attacker crafts inputs designed to mislead or manipulate the model, with the intention to generate unintended or harmful responses. The model relies on input prompts to generate outputs and allows attackers to inject malicious instructions or context in line with these prompts. Prompt injection, if not identified, can lead to unauthorised actions or data breaches, compromising system security and integrity.

2.    Insecure LLM Interaction:  LLMs interact with other systems, increasing the risk that their outputs can be leveraged for malicious activities, such as executing unauthorised code or initiating cybersecurity attacks. These threats pose significant risks to data leaks, and identity theft and compromise both security and data integrity. 

3.    Data access:  LLMs store all the information they consume, heightening the level of data leakage risk when sensitive information is unintentionally exposed or accessed by an unauthorised person through the model’s output. The risk associated with improper data access controls is significant as it can lead to unauthorised data exposure, or breaches jeopardising both privacy and security. Proper controls are essential to mitigate this risk and ensure sensitive information stored within an LLM is processed and stored securely.

Businesses must be able to confidently navigate the complexities of LLM-based application development and deployment, ensuring compliance with regulatory standards and safeguarding against malicious exploits.

Here are the three key steps organisations must take to secure LLM applications from code to cloud:

1.    Discovery step: It is important to remember that as GenAI brings more simplicity for setting up applications, cybercriminals are seeking the same benefits. For example, AI agents can easily and quickly optimise productivity and speed into operations, but this evolution must be coupled with a robust security strategy for managing and monitoring agent-based systems. 

It starts by asking some crucial questions, about who and how GenAI is being used across the organisation and for what LLM applications. A thorough assessment is needed here, that identifies the various LLM applications or planned applications and how they interact with the full lifecycle. From code to cloud. The process involves identifying which microservices in the application have used or are backed by LLM-generated code and assessing the most common vulnerabilities associated by the nature of the application.

Understanding the different kinds of threats and integrating them with a business strategy will make sure LLM applications securely empower rather than hinder the business.

2.    Protecting vulnerabilities across the cloud lifecycle: Then it is about protecting the application that uses AI across the entire cloud application lifecycle. It is essential to employ advanced code scanning technology to identify and mitigate the unsafe use of LLM in application code, including unauthorised data access , misconfigurations, and vulnerabilities specific to LLM-powered applications.

By actively monitoring the workloads of LLM-powered applications, organisations can prevent unauthorised actions that LLMs might attempt, such as executing malicious code due to prompt injection attacks.

3.    Implementing guardrails: Employing specific GenAI assurance policies serve as guardrails for developers of LLM-powered applications. These policies will prevent unsafe usage of LLMs when based on practices from the OWASP Top 10 for LLMs.

With GenAI assurance policies enforced, alongside holistic protection across the entire cloud native application lifecycle, businesses and industries can truly embrace the transformative potential of GenAI.

New standards and comprehensive protection for LLM-powered applications from code to cloud bridges the gap between security requirements and development processes. Thus, allowing organisations to fully embrace innovation while mitigating potential risks.

Gilad Elyashar is Chief Product Officer at Aqua Security

Image: Google DeepMind

You Might Also Read: 

The Cybersecurity Risks Of Generative AI:

DIRECTORY OF SUPPLIERS - AI Security & Governance:

___________________________________________________________________________________________

If you like this website and use the comprehensive 7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

 

 


 

« US Blocks Leading Cybersecurity Firm Kaspersky
Large - Scale Supply Chain Hack On Auto Industry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Zybert Computing

Zybert Computing

Zybert Computing provide server solutions with built-in security and information protection features for the SME market.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

ISO Quality Services Ltd

ISO Quality Services Ltd

ISO Quality Services is an independent organisation that specialises in the implementation, certification and continued auditing of ISO and BS EN Management Standards including ISO 27001..

VNCERT

VNCERT

VNCERT is the national Computer Emergency Response Team for Vietnam.

Idaptive

Idaptive

Idaptive delivers Next-Gen Access through a zero trust approach. Idaptive secures access everywhere with single sign-on, adaptive MFA, EMM and analytics.

Africa ICS Cyber Security Conference

Africa ICS Cyber Security Conference

Africa's largest ICS Cyber Security Conference and Expo. The only platform that will proudly present top level B2B and B2C networking opportunities.

NDK InfoSec

NDK InfoSec

NDK InfoSec is a specialist Information Security and Cyber Security search firm. We're not just a security function in a larger generalist recruitment company.

IT Jobs Watch

IT Jobs Watch

IT Jobs Watch provides a concise and accurate map of the prevailing IT job market conditions in the UK.

Optimum Speciality Risks

Optimum Speciality Risks

Optimum Speciality Risks are an experienced team of cyber insurance experts, backed by Lloyds of London.

Isovalent

Isovalent

Isovalent deliver the most advanced Kubernetes networking & security capabilities to the most demanding of enterprise users.

Zephyr Project

Zephyr Project

The Zephyr Project strives to deliver the best-in-class RTOS for connected resource-constrained devices, built to be secure and safe.

Chainguard

Chainguard

Founded by the industry's leading experts on open source software, security and cloud native development, Chainguard are on a mission to make the software supply chain secure by default.

Royal United Services Institute (RUSI)

Royal United Services Institute (RUSI)

The Royal United Services Institute is an independent think tank engaged in cutting edge defence and security research. Areas of research include cyber security and resilience.

Twinstate Technologies

Twinstate Technologies

Twinstate Technologies specializes in cybersecurity, proactive IT, and hosted and on-premise voice solutions.

Disecto Technologies

Disecto Technologies

At Disecto, we provide SaaS based Data Discovery, Classification and a remediation solution for data privacy compliance.

Nuke From Orbit

Nuke From Orbit

Nuke's mission is to put you back in control of your digital identity when your smartphone gets stolen.