So, and now, with that, we are going into the conference itself right away. I hope I have made you curious about all the upcoming talks. This is our program for the rest of the day. And our next speaker is the co-founder and principal analyst of KuppingerCole. I was actually talking about the past. He will also talk about an agenda, but now about the agenda of tomorrow. Please welcome Martin Kuppinger on stage. And a warm welcome to everyone here in Frankfurt.
Yeah, I'll talk a bit about something still more near-term, because we're talking 2025, a bit about the CISO agenda and what we as analysts see as the things you should keep an eye on in 2025. So, it's a bit forward-looking, but it's not 2030, 2040 or so. 2040 sounds, by the way, really, really long away. But I had this discussion, for instance, around the SAP Identity Management retirement. If you do that, you should think about 2040, because if you replace an IGA tool or other complex tools, and then you have a lifetime of 8, 10, 12 years, then you're easily at 2040.
So, 2040 is something you should have in mind, because a lot of your investments will be for 2040. We usually don't recognize it that much, but it's something to keep in mind.
So, we see a lot of evolution in cybersecurity these days on both sides, the attacker side, but also on the defender side, on the technology side. We clearly have the situation that we are, especially here in Germany, I'm German, in an economy that is not as strong as it could be.
A lot of, surely, homegrown mistakes anyway. But we are a bit under this pressure. We must focus on resilience, clearly.
So, being resilient against attacks. Efficiency. And looking at emerging technologies.
So, in this agenda, I'll talk about 10 areas. 10 is always good for these things. As an analyst, you use metrics, you use 10 or 7 of this, et cetera.
So, identity security. When we just look at the simple fact that the number of account takeover attacks right now is surpassing the malware-based attacks, it becomes very clear that identity is at the forefront of everything we do in cybersecurity, or a lot of what we do in cybersecurity. Then cybersecurity tool optimization, something you should have had on the agenda for decades, surely. Recovery and resilience. Something which is also not super new, but still not done well in many organizations. We look at consolidation of detection and response.
So, maybe getting rid of some of the DR types of solutions by combining things. Quantum-safe encryption. I had some discussion about this with a colleague. I see a lot of discussions around crypto agility nowadays, and yes, we need to be prepared for the future.
So, it's something I see on the agenda. Secrets management, very important, and we'll talk about non-human identities there already. AI security, yes, and governance, how do we keep it under control? And you'll see AI pops up a second time. Supply chain security, also heavily driven by regulations nowadays, but also being a typical entry door for attackers at scale, in this case. We all have seen what the impact can be if something goes wrong at a certain type of supplier. In this case, it wasn't an attack, it was just a mistake, but you all remember the incident a bit earlier in the year.
And we know the impact of these things can be massive because they multiply. Zero trust, not that new. And last but not least, again, AI, but it's more, how can we utilize it?
So, the one thing is really more looking at sort of the flip side, which is how do we keep it under control? And the other is how do we sort of utilize it? How can we benefit from it? I start with the identity fabric, something we created a couple of years ago.
Matthias, my colleague, will have a separate talk on that. It is, at the end of the day, the ability to integrate diverse identity services into a cohesive system.
So, the term fabric, in that sense, has the dual meaning it has in the English language, which is, on one hand, it produces identity services, and on the other hand, it's a mesh. It connects the services. And I think that's the way we should think about it. And we have really done a lot of advisories with organizations of different types. And this has proven to be a very good approach to streamline the investments in identity security. And identity also is, to me, very clearly the key for zero trust and for compliance.
Because zero trust, at the end of the day, starts with Martin, who authenticates using a device, goes over the network to a service, does something which impacts data. All is driven by software, but the starting point is the identity.
So, what you should do, from my perspective, is use an agenda. And these are the actions, the key actions. By the way, we also just published this morning a longer report, which goes much more into detail. It's available on our website.
At least, it's definitely available when you have a membership. I don't know whether it's in front of or behind the paywall. You'll see. You should conduct a gap analysis. Where do you stand? What is lacking? And we will launch a new identity fabric. We will launch a new reference architecture. There are a couple of new things coming in because we have this non-human identity management. We have decentralized identity. We have a lot of things happening in this market.
So, you should develop an adoption roadmap, an actionable one, and you should think about the role ITDR, Identity Threat Detection and Response, plays within identity management. You could argue ITDR is just the nice name for the ugly user behavior analytics, because if you tell a German works council, oh, we will implement user behavior analytics, they will shout at you. If you say, oh, we do identity threat detection, then you're doing something very positive. Not very different technology-wise, but wording sometimes really plays a role.
Who of you feels that he or she has exactly the right set of cybersecurity tools in place? Oh, no one. Okay.
Yes, we usually have a lot of tools. Some we feel don't deliver that much value, some gaps, et cetera. We need to get better at that, because at the end, with tool sprawl, we have inefficiencies, we have risks, and we need to optimize and align with our business needs.
So, which technology suits a certain purpose better? Which of the tools is the better fit? What should your portfolio look like from an investment perspective? This all can be done with relatively simple methodologies.
So, it's really not rocket science to do that. So, benchmark yourself, review the tools for relevance. I know it's hard to retire security tools, because you always argue, what happens if an incident happens just in that area?
So, on the other hand, you can't have every tool in place. So, at the end, it's about optimization, understanding what helps best against what. Create an optimization framework. It's really not difficult. You also clearly should look at AI to leverage efficiency in integration. I've seen some really cool stuff for integration based on AI. I see a lot of, and I'll touch on this in a minute, a lot of stuff which is really interesting when it comes to using AI for sort of augmenting people.
Honestly, I believe AI currently mainly is not artificial intelligence, but augmenting intelligence. That's where it's increasingly good as long as we understand that sometimes AI tends to hallucinate.
So, we need to be a bit conscious, but overall, I think it helps. Resilience. I had some talks over the past 12 months around resilience, in workshops and talks, and it was always very interesting when you raised the question about what is the most critical system in your organization.
So, a very common answer is SAP, very generic, but SAP is not one SAP. There might be parts which are really critical, others not.
SAP HR, HCM, is not a critical system. If it's out for a day, who cares? Aside from a few HR people, honestly.
No, this is not what breaks your business. There are other systems that break your business. Interestingly, once you're a manufacturing or retail company, it usually is the system that controls the chaotic storage in the warehouse. Someone from a retailer once told me, in their largest warehouse, it would take them three months to get all the goods out of it and three months to fill it again if they lost all the data about what is stored where. This is business critical.
So, we need to understand this, and we need to be able to get these systems back. And yes, a backup is nice, but if you don't know how to restore it, in which order in a complex tiered architecture across the databases, across the application systems, in a high availability environment, if you haven't trained that, if you haven't practiced it, you're in trouble when the problem occurs.
So, understand it, test it, run your business impact analysis regularly. And if your managers say, okay, we don't need a business impact analysis, this is just not acceptable. You need to understand the business impact, because we all know cybersecurity incidents can kill organizations. And not doing a business impact analysis is then just mismanagement, nothing else. You can quote me on this. Conduct recovery drills, understand all the business continuity plans. At the end of the day, we in IT and IT security must understand what is the most critical thing to protect.
What is it that brings the business down, what kills the business? And sometimes, and we have seen a lot of these incidents, sometimes it's just the final nail in the coffin. But at the end of the day, it is something which has an impact on the business and which has demonstrated that it has.
So, we need to get better here. We need to think about threat detection.
So, currently, every couple of weeks, a new DR thing is popping up. So, probably the next is DSPR for data security detection and response, and so on.
So, we will probably see some more of these, because marketing people like it. Sorry to all the marketing people in the room. Probably also some analyst firms who create the three-, four-, five-letter acronyms really love it. But anyway, the point is that we should think about how these things come together.
So, EPDR, NDR, ITDR into XDR. So, a combined thing. How does this relate to the security operations center we run ourselves, or which we run with some support via MDR, managed detection and response, as a security operations center as a service?
So, what we should do is really invest in unified or unifying platforms. We need to look more strongly at the identity part, the ITDR part.
So, really understand the identity threats. Integrate ITDR with SIEM and XDR. My colleague, John Wright, fully pointed out that there are not that many vendors who have ITDR capabilities and XDR. But this is the advice to the CISO. If the vendor is not there, then go for others.
So, it's a call to action for vendors. We need to bring these things together successfully. And depending on where you are, you might go for a unified solution. You might go for different solutions to integrate. All can be done, which also means if you're a vendor and you have only one piece, look for integrations. That's easy to do. Quantum threats, yes. We can discuss whether this quantum thing is a bit like fusion energy.
So, we will talk about it in 50 years and still be there. Wait and see. I think it's hard to predict, because there will be sort of… Yeah. If someone has a great idea, it might go very fast.
If not, it might take very long. So, it's a bit like the quantum leap required in innovation, so to speak, for quantum computing. And then also the cryptography element here. But what we must start doing, because it can happen at any time, what we must start doing is we must understand where our cryptographic vulnerabilities are and begin a phased adoption and look at what is happening around the standards. This is something really about preparation. That brings us also to the next part, which is around secrets management. We need to look at… Theoretically, it brings us… No.
That was too fast. Here we go. Or not. Okay. Theoretically, I would jump to the next slide. Here we go. Secrets management. There are a ton of different types of secrets out there.
API keys, credentials, tokens, passwords still. So, yes, we can get rid of passwords in most use cases nowadays. And it's really much easier to do IT without passwords than with passwords.
Anyway, I'm probably on a daily basis asked to come up with new passwords whenever I purchase something. Then again and again this username-password thing happens. Sometimes a passkey is used, but it's still rare.
So, our challenge is that we have a lot of different elements around it. So, we have privileged access management, which is more about privileged access passwords, but also SSH keys, et cetera, to servers, to systems. We have non-human identity, or maybe you call it machine identity management. I'm not a believer in the term machine identity, because for me a machine moves, makes noise, et cetera. But you can argue about that, and I'm currently arguing a bit with someone else.
So, the clicker is not working super well currently. So, could you maybe just move it from the back? I'll call on you. It's not the first time that this has happened to me during a keynote, so I'm getting used to it. Okay.
Yeah, this one works. Cloud infrastructure entitlement management.
So, all these service accounts accessing resources in your cloud. Who of you knows which service accounts are accessing which resources across all the infrastructure-as-a-service clouds you are using? Who really has full insight into that?
Okay, you, that's not a surprise, but the rest. So, you have a problem, because some of these service accounts are much more powerful nowadays than your standard admin account, which has root on whichever server.
So, you have a problem. You need to tackle it. We have the traditional enterprise key and certificate management, so rotating keys, certificates, et cetera. We have quantum-safe encryption. We have a sprawl of secrets vaults nowadays, so everyone is popping up with a new secrets vault. We need to get a grip on it.
So, we need to get better in this area. Understand what is happening in IT and in DevOps, because we need to join these areas here. Align secrets management with the different other types of initiatives. Move towards at least a consistent approach, maybe not a unified approach, that might be a bit too big as a term, but a consistent approach.
Okay, AI. We need to leverage it safely. We need governance. We need to understand what it does, so security as well as quality. Manage the AI, manage the bot identities. I tend to use the term AIdentity here, so the identity for AI, but also the other way around, AI for identity, which I think will become a very big theme and a very complex theme, because you have some interesting relationships. If a bot acts on your behalf, doing something, then you already have a relationship, but this chain can be even much longer. Train your teams to collaborate, but also to understand what is happening.
I think most of you have probably used some of the tools like ChatGPT, and we all know sometimes it hallucinates. So, I, for instance, observed, which has a good and a bad side, that ChatGPT is very good at proposing links to KuppingerCole research. Unfortunately, that research usually, that link, doesn't exist, but usually it's a very good idea of what we should do in research.
So, there's also a positive side, hinting to me, oh, Martin, you should write about that. Unfortunately, the link is just a hallucination.
Okay, we need to look at the supply chain. So, we have a software supply chain, but we also have a lot beyond the software supply chain, like the people we onboard, B2B organizational supply chains, the documents and data we exchange, transport supply chains, where we all have learned that they are very vulnerable.
So, we need to look at the supply chain risks and have the risk assessments, mandate secure supplier practices, establish incident response protocols, also for when things go wrong there. We finally should adopt zero trust, because it's still a very important and valid concept. Even while the term has been a bit overstressed, the idea behind it is still correct.
And yes, the picture from NIST looks a bit like it's from the 1980s, true, but the idea behind this is much more modern than the style of the graphic. So, identity verification, micro-segmentation, readiness assessments, move forward, look for the lower hanging fruit and then go for the more complex things here. And last but not least, embrace generative AI. You can do a lot of very good things in the age of the skills gap by using generative AI as an augmenting intelligence, doing it right, but then it's really helpful, powerful. I'm running a bit out of time.
So, key takeaways: build resilience, optimize your tools, look at emerging threats, because at some point they are there, and when you're not prepared, you're in trouble; understand what can kill your business. So, you have the agenda, you need to look for the innovation part, prepare for the future, for the optimization, focus your investments, targeted divestments.
So, get rid of stuff you don't need anymore, that doesn't help you anymore. And last but not least, resilience.
So, be stable when something goes wrong. Christoph, I thank you. Okay. I think we have no time for questions.
Yeah, that was the plan. No, but you know how to reach me. I'm on LinkedIn. I'm available everywhere.
So, just drop me an email, and I'm here around you the next days as well. Thank you, Martin.