Hello, and welcome to this episode of the Security Angle. I am your host, Shelly Kramer, and I am the managing director and principal analyst here at theCUBE Research. I'm joined today by my colleague, fellow analyst, and member of theCUBE Collective, Joe Peterson. Joe, welcome, it's great to see you. Thanks for having me. Well, of course, one of my favorite parts of every week. So in today's episode, we're going to focus on the role of data loss prevention in protecting against AI data exfiltration. Say that five times fast. So why are we thinking about this today? Well, it's a pretty easy one. With the rise in popularity of generative AI in the enterprise, data loss prevention solutions have become an important tool in the CISO's toolbox. And what we're going to explore today in this episode is really the risks that gen AI presents and how DLP vendors are adjusting to better serve the market. So, a little background here. As I mentioned, generative AI is fast moving and incredibly disruptive. And while gen AI is no doubt driving productivity gains and doing lots of positive things, it's also creating new security risks. We've talked about these risks before here on our show. And the reality is that gen AI capabilities are increasingly being used as much for bad as they are for good. So the integration of AI in cybersecurity presents both challenges and opportunities, making it crucial for organizations to adapt and protect themselves, including things like their corporate networks, mobile apps, and those sorts of things. And that's really where our focus on DLP tools today comes in. Just a quick background on the role of DLP tools in general: data loss prevention is a set of tools and procedures that form part of an organization's overall security operations and strategy. They detect the loss, leakage, or misuse of data through unauthorized use, data breaches, and exfiltration.
So let's drill down a tiny bit further. DLP solutions are appliances, software, cloud services, and data supervision capabilities that help organizations prevent non-compliant data sharing. So they play a really big role within an organization. And I know that you want to share some information about how these tools are used, Joe. So take it away. Absolutely. So DLP tools are designed to protect data, right? Data that's at rest, data that's in use, data that's in motion. And the solutions are really capable of understanding the context and the content of the data that they're protecting. So there's a thing called content awareness and context awareness that you're probably familiar with or that you've heard about. But let's take a look at some of the nuances of DLP. Full DLP protects data at rest and in motion, and it's context aware of what is being produced. That means it's looking at keyword matches, it's incorporating metadata and the role of the employee in the organization, who wants the data, and it's helping make a decision about the sensitivity of that content. Channel DLP is specific to a certain kind of data, most often data in motion over a particular channel. For instance, that channel could be email. So there might be some content awareness there, but in most cases those solutions are really looking at keyword blocking. So, Shelly, I know that you're going to sort of walk us into how AI has found a home as part of the solution set for DLP. Oh, absolutely. You know, one other solution I did want to touch on: there's a solution called DLP Lite, which is an add-on to enterprise solutions, and those generally only monitor data at rest or data in use. They're most often not content aware. So these are solutions that we're familiar with. Full DLP is like getting in your car and putting on autopilot, right? It's taking control and it's providing lots and lots of coverage.
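To make Joe's description of full DLP a little more concrete, here is a minimal sketch of how content signals (keyword matches) and context signals (metadata, the employee's role, the destination) might feed a sensitivity decision. This is purely illustrative; every pattern, role weight, and threshold below is an assumption, not any vendor's actual logic.

```python
import re

# Illustrative only: combine content awareness (what's in the data) with
# context awareness (who wants it, where it's going) to score sensitivity.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "api_key": re.compile(r"\b(?:sk|key)-[A-Za-z0-9]{16,}\b"),
    "keyword": re.compile(r"\b(confidential|source code|customer list)\b", re.I),
}

# Hypothetical role weights: the less trusted the role, the higher the risk.
ROLE_RISK = {"intern": 3, "contractor": 2, "engineer": 1, "ciso": 0}

def sensitivity_score(text: str, metadata: dict) -> int:
    """Return a rough sensitivity score; higher means riskier to release."""
    score = 0
    for _name, pattern in SENSITIVE_PATTERNS.items():
        if pattern.search(text):  # content awareness: keyword/pattern matches
            score += 2
    score += ROLE_RISK.get(metadata.get("role", ""), 1)   # context: who asks
    if metadata.get("destination") == "external":          # context: where to
        score += 2
    return score

def decide(text: str, metadata: dict) -> str:
    """Map the score to an action, the way a full DLP policy engine might."""
    score = sensitivity_score(text, metadata)
    if score >= 5:
        return "block"
    if score >= 3:
        return "warn"
    return "allow"
```

Channel DLP, by contrast, would collapse most of this down to the keyword-match step on a single channel like email.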
And then channel DLP or DLP Lite provide less functionality. So I think that's kind of interesting. You know, we're going to talk now a little bit about how DLP is finding a new home and a new purpose in the AI era, and that really is all about protecting against AI data exfiltration. So one of the cybersecurity risks involved with gen AI is the potential for attackers to utilize it for multi-vector social engineering attacks and for creating malware code. For all the things that we're using gen AI for that are helping us spur productivity and increase efficiencies, whether for developers writing code or things like that, well, hackers are using gen AI too, to create malware code. Attackers are also using gen AI to create language models that can launch targeted voice, email, and text attacks. And that really makes it difficult to protect against, because all these things seem legitimate. I swear I have become an attack target lately through SMS channels. I keep getting emails from other people within my company with a whole message that says, hey, Shelly, are you available? And I've gotten to the point where I just message back, sure, let me guess, you need me to run out and buy a bunch of Apple gift cards for you because you're in a meeting and you can't. But anyway, that's what's happening all the time, right? So gen AI is being used to trick people into doing things and clicking links and that sort of thing. So lots of challenges here, and being able to protect against sophisticated attacks and identify potential threats is really a big part of this equation. So, as I mentioned, the good news is that we're seeing security vendors step up. They are providing solutions that are designed to protect specifically against AI data exfiltration. And this is data theft. This data theft can be done manually.
It can also be automated. It is the intentional, unauthorized, and often covert transfer of data from a computer or other device. Businesses are huge targets for this, and, as you might imagine, data exfiltration attacks can be incredibly damaging to a government entity or an organization. You know, one thing I was going to mention when I was thinking about this was the attack against NVIDIA. That happened in 2022. It was the Lapsus$ group. It was a data exfiltration attack, and they were able to exfiltrate one terabyte of sensitive information from NVIDIA, the chipmaker. And this exfiltration also leaked the source code for the company's deep learning technology. So that's just one example, but it's a pretty big deal in terms of the risks that are associated with data exfiltration. Yeah, I agree. I mean, if you think about what some of the common data exfiltration techniques and attack vectors are, it's a lot of the stuff you talked about, Shelly. The social engineering stuff, right? The phishing, smishing, vishing. They sound like funny words, and if you didn't know that they were security words, you'd be like, what the heck, right? What code are we talking in? What are we talking about now? Then there's exploiting vulnerabilities, like unpatched endpoints and security flaws, right? And it's interesting as we dovetail what we know about data exfiltration with the global adoption of AI. We start to think about these things: the idea of walled gardens, the idea that you've got your corporate data and you've got these LLMs, and you want to borrow from the LLMs to make you smarter, faster, more responsive. But you don't necessarily want to put your corporate crown jewels into the LLM, right? So it's given us a new lens to look at security through. And there was an IBM Global AI Adoption Index that came out in 2023.
And one of the highlights from it was that data privacy and trust, as well as transparency concerns, were some of the biggest inhibitors of generative AI growth in the enterprise, right? So I know that you found a couple of things interesting from that study as well. What stuck out for you, Shelly? Yeah, well, first of all, I will say that in every bit of research, whether it's research we've done or something I've seen that somebody else has done, data privacy and security top the list as it relates to gen AI concerns, or AI concerns in general. So that is not necessarily new information. One of the things that stuck out to me in the IBM study was that organizations are already using AI for threat detection, monitoring, and governance, at a solid 25%. A quarter of the survey respondents in the IBM survey reported they were using AI for those things: detection, monitoring, governance. That number is only going to go up, because there's really not a downside here to integrating AI into security operations. I don't believe there is, anyway. And I know that we've looked at some other data, a study on gen AI in the enterprise by O'Reilly that you and I were talking about earlier this week. I think you've got some interesting data points there. Yeah, I do. So that's exactly the name of the study, Generative AI in the Enterprise, and O'Reilly came out with it in late 2023. In that study, O'Reilly's data showed that two-thirds of enterprises report that their companies are using generative AI, and of the companies that have generative AI installed, many are using five or more apps. So I found that interesting. It was more than I thought they would be using; I thought maybe two, maybe three, but five. Additionally, it's believed that at least one in five of those apps have extensive data permissions. So think about that, right?
The idea of who's watching the AI. It's interesting. I was chatting with a client the other day about the idea that they have a policy. They've explained to people that they don't want them putting corporate data into the LLMs, right? But back to who's watching the henhouse. I think the answer, unfortunately, is terrifying. In many instances, our CISOs and our tech leaders want to believe that they have control over that henhouse, but there is so much shadow gen AI use that it is truly terrifying to think about. Well, but the other side of it is that this particular CIO said to me, look, I don't want to stop productivity. Yeah. That was his net, right? I don't want to lock things down so far that I stop productivity. And, oh, by the way, do I really have the time to put in all the rules? So there's this balance that they're struggling with. They're clear that they don't want their corporate data to be exposed, no question about that. But who gets to play? Who doesn't get to play? Do they want a note popping up that says, you're about to transfer some sensitive data? Do they want somebody higher up to get a note that says, so-and-so just transferred it? They have to think about how much they want to ratchet this down and what is important to them. And I think those conversations are happening. But I know that public AI platforms like ChatGPT are only part of the problem. What do you think? Well, I agree. And I have so many conversations about this. We have our own LLM. I have so many conversations with clients who are working on internal initiatives, say, related to content, right? They're thinking about how they can collect all this content they have across the organization, feed it into an LLM, and be able to maximize the use of that content and all that sort of thing, which is great.
But I think a lot of times people aren't thinking about the tons of sensitive information often contained in corporate LLMs. So while platforms like ChatGPT are a concern, somebody might be innocently loading corporate data into ChatGPT to help them develop a report or some other piece of content, or do some research or whatever. They're just trying to do a good job, right? And ChatGPT is great, right? Why shouldn't they use it? So of course there's a risk that they could upload sensitive information into a platform like ChatGPT, which is really not good. But you have equal concerns when it comes to corporate LLMs and how accessible they are throughout the organization. And I think this leads to conversations that need to be had about segmenting data and restricting and permissioning it. All of these things are really key components of a data security strategy. So I do think about that a lot. There are, of course, many ways to protect sensitive data, and DLP is one of the tools in that arsenal. The goal of DLP tools in AI operations, let me clarify, is to put corporate governance in place around AI data exfiltration. DLP can help clients classify and filter documents, and it can help restrict outbound data from leaving SaaS applications. All of those things to me are so incredibly important. And the devil is always in the details, Joe. We can talk about gen AI and gen AI use at a high level, but when we start thinking about restricting outbound data from SaaS applications, classifying and filtering documents, that's where it gets down to the nitty gritty that I think is so tremendously important. Yeah, you're right.
And, you know, this is bringing to light something that is the bane of every CIO's existence, something in their to-do pile, which is data classification, because you can't segment and provide permissions unless your data is clearly labeled and clean. Yeah. Right. So there's this housekeeping aspect to what's happening right now. But the good news is we are starting to see some security vendors come to the table. And I want to talk about a few solutions, and I know that you do as well. Yes, absolutely. Yeah, Skyhigh Security added DLP to their CASB solution. Good idea. Yeah, great idea. Cyberhaven automatically logs data moving to AI tools so that organizations can understand how that data is flowing, and then it offers them the ability to create guidelines and policies around patterns in the data. And I think that's really, I mean, to me, that's an important part of this. Pattern identification is so key, right? Our friends at Google have a Sensitive Data Protection service that includes Cloud DLP, and that's a great thing. Cloudflare's Cloudflare One platform began to include DLP for generative AI in May of 2023. So they're a little bit ahead of the game, right? A little bit. I like that. Two more for me, actually three more for me, and then I know you have a couple. Code42 created the Insider Risk Management Program Launchpad, which gives clients visibility into the use of ChatGPT. It detects copy and paste activity, because, you know, everybody likes to copy and paste, don't we love it? And then it can block that activity. So no copying and pasting a bunch of cool stuff right into your LLM, because Code42 is going to stop you. Fortra's Digital Guardian DLP tool allows the IT team to manage gen AI data protection across a spectrum that goes from complete access blocking, you know?
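To make the logging-and-patterns idea concrete, here is a toy sketch of recording each data movement to an AI tool and flagging users whose outbound volume to known AI domains crosses a threshold. This is purely illustrative, not Cyberhaven's (or anyone's) actual product; the field names, domains, and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Toy sketch: an in-memory event log of data movements. A real tool would
# capture these from endpoint agents or network traffic, not manual calls.
events = []  # each event: (user, destination, bytes_moved, timestamp)

def log_movement(user: str, destination: str, bytes_moved: int) -> None:
    """Record one observed data movement."""
    events.append((user, destination, bytes_moved, datetime.now()))

def flag_heavy_users(ai_domains: set[str], threshold_bytes: int) -> list[str]:
    """Return users who moved more than threshold_bytes to known AI domains."""
    totals = defaultdict(int)
    for user, dest, nbytes, _ts in events:
        if dest in ai_domains:          # only count traffic to AI endpoints
            totals[user] += nbytes
    return [u for u, total in totals.items() if total > threshold_bytes]
```

The point of the pattern step is exactly this kind of aggregation: once flows are logged, policies can key off who is sending what, where, and how much.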
I mean, security has long been called the Department of No, so if they want to wear that hat, they can, right? To blocking of specific content, like customer info or source code, to just monitoring. And then my last one is DoControl. In addition to just blocking apps and granting permissions, DoControl takes things a step further by evaluating the risk of the AI tool being used. And the platform also educates the user about those risks and offers alternatives. Like, did you really want to send that file? Yeah, I like that. I like that. So, some other folks doing interesting things with DLP in this space. Zscaler. We talk about Zscaler on a regular basis. They're doing some really impressive stuff. Zscaler's AI Apps category blocks access, and it also offers warnings to users going to AI sites. You know, are you sure you want to go there? And I love, by the way, whenever I get a warning like that. Do you ever get those? Maybe you're using Google to search for something and you get a warning that a site isn't secure because they've let their security certificate expire? Yeah. But anyway, if you've ever experienced that, this is a little bit like what Zscaler's solution does. Palo Alto, a longtime leader in the security solution space. Their data security solution is a totally solid choice for safeguarding sensitive data from exfiltration and unintended exposure through AI applications. Symantec, another big player in the space, recently added gen AI support to its DLP solution. It allows for classification and management of AI platforms. What I like about Symantec's platform is that they also use optical character recognition, and it analyzes images. And I think this is important. There are content formats that most DLPs can't recognize, so that optical character recognition catches non-standard images and, you know, covers your butt. And I think that's really exciting and important.
And lastly, Next DLP comes to the table with some really cool policy templates. Starting in April of 2023, the company began offering pre-configured policies that can help create out-of-the-box guardrails. And these templates are available for Hugging Face, Bard, Claude, Dolly, Copy.ai, Writer, Tome, and Lumen5. I mean, seriously, if you're using any of these platforms, there's absolutely no reason for you not to check out Next DLP. And I love pre-configured things, templates that are just out-of-the-box that you can use and go and not have to think about. And all of these solutions, all of these companies, are definitely worth checking out if you aren't currently thinking about DLP and data exfiltration concerns as they relate to AI. Right, and you can talk about process all day long, and it's super important, but another element is people. And as we're wrapping up here, one of the biggest challenges that organizations face, which was outlined in the IBM study, is internal resources. One out of every five organizations surveyed for the IBM study shared that they don't have employees with the skills needed to use AI or automation tools, and 16% report that they can't find new hires with those skill sets. So here's a shout-out to all the younger folks that we both mentor: get your AI skills up, right? Work on getting some certs. Get your AI skills up, that is true. In good news on that front, I've mentioned probably 1,000 times that I have twin high school seniors who are getting ready to head to college in the fall. And both of them are math and data geeks, math and science geeks. And they have not really ever been interested in technology and what mom does for a living and all that sort of thing.
But I cannot even begin to tell you how many conversations I've had with them about data, about how valuable a skill set that involves data and data analytics is, really bringing those capabilities to the table, and about understanding cybersecurity and cybersecurity threats and how important that is. And I think at least the one who's going to go the business school path is listening. But beyond that, I am involved in a lot of conversations with parents of college students, or soon-to-be college students, and the interest in the cybersecurity field is off the charts. So that's good. We need more girls in cyber. We need more girls in cyber, yes, absolutely. So when you think about the impact of a data exfiltration focused attack, your proprietary information, your source code, like in the attack that NVIDIA suffered, all of the confidential information that you have amassed over the years, not to mention, of course, employee data, customer data, all that sort of thing, it's no wonder that CISOs don't sleep at night. I mean, seriously, this has to be the most stressful job on the planet. So I think we'll leave you with this as you think about moving forward. When you think about data exfiltration and the risks that it poses, especially in the AI age, think about what you need to do to integrate security awareness and best practices into your culture. I mean, truly, you need to infuse a culture of awareness about the risks that we are all presented with every day. And we talk about this in every single show, but employees are the first line of defense, and they're also the first place that attacks happen, through email, through SMS, through voice messaging, those sorts of things. So having regular conversations about data protection is so important.
And also having regular conversations with your team about the use of AI internally: how to use AI correctly, how to access data within the organization correctly, what to put into a public-facing platform like ChatGPT and what not to put in there. Just understanding that, because this isn't necessarily a part of people's DNA, right? It's a new world that we're navigating, and so learning those things, I think, is incredibly important, and inculcating those best practices into your culture is really how you can protect and defend. And I think the other part of it, and I recommend this all the time, is that strong relationships with trusted vendor partners are a key to success. To think that we can create everything internally, that we should reinvent the wheel and build all these things ourselves, doesn't make any sense. There are some amazing vendors out there providing top-notch solutions, and we talked about some of them here. But really, I think that partnering with security vendors who can help protect against data loss in this AI age is smart business. I do agree, good advice. All right, and with that, we're going to wrap our show today. Thanks, Joe Peterson, as always, for spending this time with me. It's always a pleasure. And to our listening audience, thank you for hanging out with us. Be sure to hit the subscribe button, whether you're watching on YouTube or streaming this episode, and we will see you next week.