Picking Pennies and Three Other Mistakes in Thinking About Cybersecurity in the Age of AI

by Katie Bates

by Katie Bates

December 13 Blog

For more than a century,¹ artificial intelligence (AI) has been a specter in the pop culture zeitgeist.  Stories about creations overthrowing their creators have instilled in us a fear that we may be getting too advanced: We may be putting in motion a creation that will soon refuse to be controlled.  We may be—right now—creating our very undoing.

Bret Arsenault,² Microsoft’s Chief Information Security Officer, doesn’t disagree.

In an era where the speed, scale, and sophistication of cybersecurity attacks aided by AI have changed the landscape of what it means to build a good defense, Bret points to several causes for alarm:

• Automation and evolving tools have made it easier than ever to crack passwords and other authentication. He and his team oversee and respond to more than 12,000 password attacks per second.
• Attacks are increasingly global endeavors. He and his team monitor and track 300 nation-state actors around the world. Some attacks are straightforward, but it’s the people who are patient and work low and slow, under the radar, who frighten him the most.
• Cybercrime has become a thriving economy recently surpassing the global illicit drug trade.³ Attacks that used to take training and expertise to execute now require only the ability to write a check.

But through the darkness, there is light.

As long as there have been innovations, there have been advances in crime.  A unified mail system?  Mail fraud.  Telephony? Telephone fraud.  Financial services?  Financial fraud.  Internet?  Cyber fraud.  Bret contends that this is simply a new form of the same fight and sees his role as helping people and companies to protect themselves.  In his talk at Microsoft Ignite,⁴ Bret laid out four common pitfalls that you want to avoid in your cybersecurity journey:

1. Picking up pennies in front of a steamroller

The biggest mistake a company can make with cybersecurity in the age of AI is to say, “We don’t understand it, and we don’t want to do it.”  As platforms shift there are risks, but there are even greater opportunities.  The recent progression to cloud-based computing has led developers to code faster and more efficiently using new tools like open-source coding.  The use of distributed cloud computing has opened up avenues to scale that were previously unheard-of, enabling the Microsoft team to process more than 65 trillion security events per day.

2. Failing to update your company’s secure development lifecycle

Every new product produced by Microsoft or anyone else should be secure by design, secure by default, and secure by deployment.  Make it easy for users to make the right choice! Microsoft’s shift to make multifactor identification (MFA) an opt-out for users, rather than an opt-in, resulted in unprecedented levels of compliance.

3. Throwing out tried and true cyber security practices

Many of the methods we’ve used to secure our companies are still invaluable.  The big three are having a strong ID, ensuring good device health, and enabling pervasive telemetry.  I’ll expand a bit on strong ID below but suffice it to say that you want to be sure a user is authenticated and that they are who they say they are.  It may seem like common sense, but older technology is easier to break into if for no other reason than the fact that bad actors have had more time to practice.  Keeping devices up to date with the latest updates and security patches is key to supporting a strong cyber defense.  And, finally, you won’t be able to stop an attack if you don’t know it’s happening.  Pervasive telemetry—that is, continuous monitoring of the environment, collecting data, and reporting it for analysis—is a must.  Collecting and monitoring usage data can help thwart an attack that comes from an unexpected part of the globe or otherwise violates expected user behavior.

4. Neglecting identity security enhancements

MFA remains a cornerstone of cybersecurity policies; 80% of cyberattacks can be thwarted by instituting MFA.  The guidance now is to expand on that by not only instituting MFA for all users, but encouraging companies to invest in phishing-resistant MFA⁵ and token binding,⁶ a protocol that ensures a security token is usable only from the intended device.

It used to be that the mere mention of MFA would trigger a collective groan in an organization.  Anyone who’s spent a significant amount of time online can tell you how they’ve seen passwords evolve from short and simple to increasingly long and complex with a variety of letters, numbers, and symbols.  It doesn’t have to be this way. Identification via biometric markers such as fingerprint or face recognition may well mean that the password era is coming to a close.  After all, Microsoft’s employees haven’t used passwords in years.

Avoiding these four pitfalls may seem easier said than done.  Where does a small company even start?  Cloudforce has become a leading Microsoft partner helping institute cybersecurity policies, practices, and cutting-edge tools for our clients in every industry.  If you’d like to hear more about how to work with our team to discuss your organization’s cybersecurity posture, let’s connect!

______

[1] The Czech Play That Gave Us the Word ‘Robot’ | The MIT Press Reader

[2] Bret Arsenault (microsoft.com)

[3] Cybercrime surpasses illegal drug trade and we still don’t think it’s a big deal (updated) | CSO Online

[4] How we secure the Microsoft estate

[5] Require phishing-resistant multifactor authentication for Microsoft Entra administrator roles | Microsoft Learn

[6] Token protection in Microsoft Entra Conditional Access | Microsoft Learn