AI-Fueled Breaches and Code Scrutiny for 2024? Venafi Thinks So

By Greg Tavarez, TMCnet Editor  |  January 09, 2024

AI promises to supercharge decision-making capabilities, automate tasks, and unearth hidden insights, At the same time, the cloud's flexibility and scalability let businesses adapt to lightning-fast market shifts and optimize costs.

No doubt this is a win-win situation: AI fuels growth, and the cloud fuels the AI, thus creating a virtuous cycle that puts early adopters in the pole position of the competitive race.

With that said (as businesses race toward AI-powered innovation and cloud-native agility), they'll face a growing storm of security challenges in 2024, according to machine identity management provider Venafi. The company released its top five predictions for 2024, painting a picture of an increasingly complex attack landscape driven by supercharged developers, malicious AI and tightening regulations.

The first trend listed by Venafi is the rise of the "1000x Developer" and "1000x Hacker." Venafi anticipates a significant escalation in both development and attack capabilities fueled by AI. This will put a strain on businesses and their security strategies. Keep in mind that businesses are already struggling. According to Venafi research, 75% of IT and security leaders believe speed and complexity of Kubernetes and containers creates new security blind spots, while 59% of respondents admit to already having experienced security-related issues within Kubernetes or container environments

“Organizations can't feasibly hire 1000 cyber pros to compete with these threats. The solution lies in embracing the power of automation operating at machine speed,” said Kevin Bocek, Vice President of Ecosystem and Community, Venafi. “The only way to keep up is with the power of automation operating at machine speed. If developers are using AI to be 1000x more productive, we need the ‘1000x CISO’ and ‘1000x security architect.’”

Malicious actors will increasingly weaponize AI with a particular focus on "AI poisoning" attacks designed to manipulate machine learning models. Such attacks will be characterized by threat actors targeting the ingress and egress data pipelines to manipulate data as well as poison AI models and the outputs they produce.

AI is being used across a wide variety of business-critical workloads. This means that maintaining the integrity of such systems needs to be of paramount concern, especially in an election year. With major elections coinciding with the mass adoption of Generative AI, Venafi is expecting to see AI supercharging election interference in 2024.

“The concept of trust, identity and democracy itself will be under the microscope,” said Shivajee Samdarshi, Chief Product Officer, Venafi. “This will put even greater onus on individuals to scrutinize and make informed decisions as well as on media platforms to root out false content.”

Another trend circles around regulation tightening the developer grip.

Let’s look at Europe. The EU’s Cyber Resilience Act will undergo revisions in 2024 due to concerns about liability for data breaches and open-source software, experts say. The Act's current wording raises fears that even well-intentioned developers of open-source code could be held responsible for security vulnerabilities exploited in downstream uses by commercial entities.

Meanwhile, a growing emphasis on "Know Your Code" initiatives, bolstered by regulations like the U.S. Executive Order on Software Bill of Materials, will compel organizations to meticulously track the origins of the code they rely on. This task intensifies with the rise of AI-generated code, further blurring the lines of provenance.

Failure to comply with these stricter requirements, say analysts, could expose companies to cyberattacks and hefty fines.

As organizations grapple with scaling security and governance across complex cloud environments, the focus will shift from centralized controls to workload-level security in 2024. According to the research, 69% of IT professionals admit migrating old security vulnerabilities to the cloud, further complicating matters in increasingly distributed environments with multiple trust boundaries.

To regain control, 2024 needs to see a strategic shift toward workload-level identity and access management. This means leveraging federated identities like SPIFFE to unify security across diverse cloud infrastructure, ensuring consistent governance and leveraging existing encryption capabilities.

The last trend expected for 2024 is that outages will double, or even triple, in 2024 as machine identity lifespans shrink. Google (News - Alert) has already announced intentions to reduce public trusted TLS certificate lifespans to 90 days – a crucial step to hampering cybercriminals looking to misuse identities. However, most organizations aren't prepared for this, so expect a bit of chaos.

“We’ve seen the impact of certificate related outages recently, with entire payment systems going down, leaving people unable to refuel their car, or buy groceries,” said Bocek. “As certificate identity lifespans decrease, this will become much more common, unless organizations automate machine identity management."

Venafi's predictions offer a glimpse into a cybersecurity landscape brimming with both opportunity and danger. While technological advancements like AI hold immense potential, they also introduce new avenues for exploitation.

Edited by Alex Passett
Get stories like this delivered straight to your inbox. [Free eNews Subscription]