You're listening to the Cyber Wire Network, powered by N2K. The ones who haven't faced a major crisis, especially startup companies, for instance, who are just starting companies from the beginning being an agentic rollout, I think we're going to see a lot of vulnerabilities coming in. The same old problem hasn't changed. It comes down to maturity. How mature is your business? there's always going to be organizations that invest in that, and then there's always going to be the ones that don't. Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolan. And if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when new episodes go live. And if you're a returning subscriber, thanks for spending some more time with us. Give us a rating, drop a comment below, let us know what you think about the episode. This is the best way to support the show and it helps me understand what you want to hear more about. Today, Joe Hladik and Amit Malik from Rubrik Zero Labs returned to expose the agentic paradox found in their latest report, The State of the Agent, Understanding Adoption, Risk and Mitigation. We discussed why the majority of security and IT leaders expect AI to outrun their security guardrails and why even more now are starting to fear for their job security. Stay until the end to learn what the heck organizations can do to address the agentic paradox. Let's get into it. Well, thank you again for both of you joining the podcast. It's great to have you both again this time. And so I'm really excited to dive into some of the findings from the report that you recently put out. And what I want to start with is the report notes that 86% of leaders expected AI agents to outpace their security guardrails within the next year. So my first question, Joe, I want to direct this towards you. Looking at a high level, are we sprinting towards a cliff? Why is there such a high urgency to adopt this technology across the enterprise? That's a big question. Well, I think if we're talking generally speaking, there's a lot of, before we get into security and all that, businesses are seeing a large benefit in what agent capabilities are, right? So if you can get rid of the buzzwords and what is an agent? It's an identity. Think of like a bot that you can task, and that bot will then have access to LLMs. So it's a bot that can query LLMs, get an answer from it, and then execute the task based on that answer. So just like you using an LLM, you get the response, and then you can take action based on what the LLM provides you. An agent is effectively that. It's not a replacement for a human, but what it does is it's not necessarily like, you know, sentient and acting on its own entirely. It's still an autonomous routine that's more like a bot. But what it is, it does use LLMs to get more information than the executed task. So when you think about it, like from a business point of view, that's a very powerful tool. Because what you can do is you can automate literally everything. the problem comes into play when people try to automate everything because you need some level of control or I should say you need some level of command and control from a human perspective and what you're actually building or executing upon so if you have a whole hive of agents performing all these different tasks for one you want to know what they're doing and one if they're doing the right thing so there needs to be some level of integrity So if we think about the CIA triad that everybody knows, confidentiality, integrity, and availability, those three aspects are very lacking right now for any sort of agentic AI implementation. For one, the confidentiality aspect of it is you have to have the right access privileges. one in order for it to do the tasks that you've set out to do but is it even authorized to do those tasks and the problem i think is that a lot of employees even the lowest level employees have the power of agents at their disposal and this is a paradigm shift because when you when any sort of automation in the past was implemented it usually took leadership and leadership decision-making to occur to enable engineering to automate tasks, right? Now everybody in the lowest levels may have access to agents and they will have all this autonomy infrastructure but backing them up and they may not have the authorization or the privileges granted to them to actually perform these tasks. So that governance is a problem. The integrity too as well, like how do you know what the agents are interacting with? Um, that's a big thing, um, as well as availability. So availability to me, which we'll talk probably more later is more akin to what we're calling observability. So one, having visibility into what the agents are doing, but being able to observe all the actions that they're taking. Um, that's another critical, um, gap right now. And a question for you, for the practitioner, how are you able to ensure that guardrails are in place when agents are designed inherently to find the most efficient path around obstacles? What are those policies? What does that governance framework necessarily look like for a business? Yeah, very interesting question, Caleb. I think the things that Joe talked about and the issues that we have in the agent-to-K.I. space and especially when it comes to the security, because it's a relatively new stuff. like, you know, most of the traditional things that were there that we used to, you know, the security community used to do might not really be applicable because the inherent nature of the probabilistic nature of the LLNs, right? So some of the guardrails will not really be there. But one interesting thing that we are talking about in our report is, you know, kind of providing a very simple framework to see sort of the practitioner community that when they see the agentic AI as a system, right, they should kind of see it as a three-layer approach. One is like two-layer, which basically the actual hands of the AI, you know, agentic system that actually carry out the stuff. Let's say if you have to write a code or you have to read a database or you have to do your task, right? So these are the tools that actually carry out those things, right? And then cognitive layer is basically the brain, which is the LLN in nut cell that actually makes these decisions like which tool to invoke and what really you know needs to be there what task needs to be there some reasoning has to be there and then the another very important layer that we are kind of stressing in the report is the identity layer because most of the time people are when looking at the agentic ai system they are mostly talking about the you know the tool and cognitive layer there is not much focus on the identity piece but i we believe that it's very very equally important that we, you know, kind of consider identity as a part of this framework. And from a guardrail point of view, as I described, like, you know, if we divide the agentic system into these three layers, then each of these layers have its own issues. And they, you know, kind of provide different set of challenges Like when it comes to tool layer we have to be you know it really depends on what type of tool If it is a database read and write tool then we have to make sure that it least privileged It does not really alter anything in the database or, you know, stuff like that. And if it is like cognitive layer, then we have to make sure that, you know, the cognitive layer related attacks like prompt injection, indirect prompt injections, those are, you know, kind of mitigated. But from a guardrail point of view, these things are evolving right now, right? So what we recommend in terms of or the proven methods that we have also provided in our report by the means of auditing the mainstream agentic applications like ChatGPT and Gemini, though majority of the testbed or the test cases that we have done, they obviously, I mean, the major provider have much more strong controls and the guardrails and they are not material risk for them. But if an organization is taking an authentic AI application and then they are deploying it, they should make sure that like sandboxing or the LLM guardrails and then the firewalls, those are in place and make sure that the input and output of each layer basically is basically properly audited. And another aspect of this is that, you know, human in the loop should also be there when we are, you know, kind of doing these type of things. So from a holistic point of view, I feel that this framework should provide working operational models to practitioners that they can leverage in terms of their threat modeling and deploying the guardrails for the agentic system. Absolutely. And another stat that stood out to me in this report was that a little bit less than half, it was 44% of respondents said that their biggest fear was compromised agent misuse or shadow AI. Honestly, I'm surprised that it was 44% and not a little bit higher. But also only 23% of leaders claimed that they had complete oversight of the agents in their environment. So my question for you, Amit, on this is what does that look like on the ground? How does a defender find an invisible agent that has hijacked and been used as somewhat of an insider threat now? correct i think this is a much much bigger problem and we have seen that with the with the with the evident of open claw or the moldboard the people are talking about that became very popular in terms of the commodity of the ai agents right so people were like installing it and then there were lots of risk that came out of it like credential got exposed or supply chain risk came when the other people tried to deploy the plugins for those things so it is a very big risk in terms of looking from an organization point of view, because right now the agent is basically, is nothing, just an integration of an LLM and then tools and, you know, you just do and carry out your, your, you know, kind of stuff or the tasks that you do. Now, in terms of the observability, definitely there has to be the solutions that can really, you know, kind of identify this type of tooling in the environment. And, you know, it's easier to identify the tools that are on, let's say, the cloud service providers, because those are kind of more managed in terms of that. Let's say if you do something on, you know, GCP or AWS and stuff like that. But if you are running something on your, I would say, on your laptop, then it's much difficult to kind of identify those things. Then it comes mostly on like how, based on the technology, how we really, you know, going to identify those things. Wonderful, wonderful. So Joe, I do want to go back to you on this one. So the report outlines that 88% of leaders said that they wish they had an undo button to roll back agentic actions, but really none of them had the capabilities to do that. From a technical perspective, why is this so hard for organizations to roll back, whether it's a compromised agent, whether it's an AI agent going rogue? What's the guardrail there? Well, one, I would probably say the problem is context. back to what I said earlier with confidentiality, integrity, and availability. Part of the problem, I think, is the second two in this regard, where integrity and availability. One, we don't have availability much in terms of telemetry. So tracking what all the agents are doing, for one, is going to increase the volume of logs immensely. So even if you were to log everything and every agent's doing, especially in a large enterprise, you're going to have a massive amount of logs generated. So for one, there needs to be an approach that somehow you aggregate all of that activity, but not reduce the efficacy of what the context is provided in the logs themselves. So for one, that's going to take some work from security professionals and others to figure out like, okay, well, what types of attributes, what types of activities do you want to track? and how are you going to forensically trace it back to things like an agent, a specific agent or identity? So things like agent ID, timestamps, all the classic logging metadata is going to be necessary, but it's the aggregation that's going to be the challenge in terms of figuring out how to manage the volume. That's the first problem. Because without that, you don't have any context. And without context, you can't make any informed decisions on how to act upon an agent, whether the agent is being misused, whether it's acting maliciously, or whatever the case is, right? In order to understand what it's doing, for one, you need to understand which agent it is that's doing it. And then two, you have to understand the context of how it reached its decision to perform the action. So like, you know, on like chat, GPT, or any AI, you can like open up and see how like the LLM is reasoning through its sort of thought process, quote unquote, to figure out what response it's going to give you. We almost need access and understanding to that for agents to actually see how they've reached the decision that they did. That would be another context point to then say, okay, this agent acted unintentionally, but accidentally deleted an entire email database. I'm calling out an actual case that actually happened a few months ago, right? Where it was an inside threat technically, but it wasn't acting maliciously. It was just doing what it thought was the right thing to do or most efficient thing to do. Context is important in those things, um, type of situations, especially when we start getting into the realm of more sophisticated nation state level types of attacks that are going to be leveraging agent agents to do this type of thing. I still don't think espionage is going to be the top use case for agents. Um, because subtlety, stealth, all of those things are incredibly important. And if you have a large agent swarm acting autonomously, that might be a little more difficult to keep that sort of stealth in place. But everything else I think is open, whether it's like ransomware, destructive attacks, critical infrastructure attack, anything like that, completely open because subtlety stealth is not necessarily key for those types of operations. And we've seen them already sort of starting to occur. So what I had just said with telemetry, that is what's going to inform us on what happened. But how do you stop it while it's happening? That's a different problem as well. So it will build on top of the telemetry. You need that context awareness. And then you also need to develop new detection measures that use that sort of telemetry to then inform you that an attack is happening I think we going to see an evolution of that as well where it be a combination of maybe both, where you'll have AIs generating signatures based on artifacts that we're recognizing, and then also recognizing new behaviors that are tied to specific types of agents or threat actors or shadow AIs or whatever we want to call them. And I just see this as an escalation. It's much harder for the defender to identify every hole in the environment and then fill those holes to prevent the attacker from exploiting it. So the task, that's why the task is monumental, is defenders just have more to deal with. And it's a more complicated process to get an AI to solve that for you, even though AIs make it a lot simpler. A lot of the underground context that I just talked about needs to exist for the AI to act in a way that like, okay, now I understand that we need to defend this specific thing, identity space or different things like the network, for instance. I'm certain humans are not going to be able to defend it in the same way that an AI would. So I think that's kind of where we're going to get at is we're going to see more AIs performing detection engineering type things. And quickly rolling out new signatures, new anomalies, new types of things more in one package rather than being separate. Right, right. Very interesting insights there. But yeah, I do want to shift gears a little bit and talk about another element in the report. And Joe, I'll direct this one to you. But it was 92% of IT and security leaders feared for their job security if their company suffers from an agentic-driven breach. Now, I know Rubric Zero Labs has tracked this idea of job security for quite a while now. And I want to kind of note the change over time. So is the real fear driven by the complexity of AI, or is it really more this increasing legal and personal ramifications for CISOs post-breach? How has this fear index changed over the past several years as Rubric Zero Labs has tracked it? I don't think it's actually changed. I think it's actually just evolved. I think some CISOs, and especially the ones I've talked to, there's a lot of new things that are going to be in place to protect CISOs as well, especially when it comes to insurance policies. I've seen a lot of opportunities now where CISOs will also be covered just like other C-level officers. So I think that's a positive change. and one that's absolutely needed. Because historically, I think one of the problems that's been faced is that CISOs didn't have this type of protection. And they can get personally sued, right? So if you're a security officer leading this organization and then all of a sudden this breach occurs and then you're personally liable for it, that's a big implication and also a major deterrent for a lot of talent to want to take on that type of position right because if you can be personally liable for something why would you want to sign up for that um so i think that is a major challenge that we're overcoming right now where a lot of damage the damage has been done i think too many and i think that uh the ones who i don't want to say take on the most risk but they take a lot out of it will be protected in some ways, maybe incentivized more talent to take on these roles. So that's a positive. I think we're also seeing the transition to that right now. So that could be also a reason why there's a lot of fear is that CISOs may not even know this type of stuff is available to them yet. So there's that aspect too. So beyond the technical, right? It really comes down to like, how personally liable am I to my job, right? Because most of us have the benefit and the privilege to separate ourselves. So one, I think that's a major part of it. Two, AI is certainly on the mind, right? Because it's like it opens up every potential sci-fi nightmare that I know I grew up on as almost bringing into reality. And how do you fight against that? I think the one thing is to one understand what is actually possible versus the science fiction there's a lot of science fiction that has become truth but there's still a lot that's still science fiction so actually understanding what AI is truly capable of that it's non-sentient no matter what viral news you see out there sure it might exist in some dark hole of the universe I don't know but as far as we know it doesn't exist Right, we're not at Age of Ultron quite yet. Right, right. Which is a good thing, I think. That's why I've been really making a point to say they are LLMs. They are extremely advanced machines that do pattern recognition, and they produce a pattern in return. They are not thinking like we think. Even though we do have a part of that in our own brain, it's not the same thing. we have to understand the technology and really understand what its capabilities are. And there are a lot of unknowns, but don't lose sleep over those. That's the thing. Take control of what you have and know what your constraints are. And your constraints are usually going to be around your budget. At the end of the day, that's all we can do. Well, as we head into the final stretch here, Amit, I'm going to direct this one to you. 82% of the leaders in the report said that all of the advice is too theoretical that they're seeing across the market in terms of agentic readiness and security. So let's get a little bit more practical. What are the three actions that defenders can take right now to improve their resilience and their AI readiness? Yeah, definitely. I think the technology is evolving right now. So that's why, I mean, the frameworks are getting developed and then people are starting to deploy and all these things. So it's not as mature as it should be. So that's why the people are, you know, kind of facing the challenge. But from a practicality point of view, I would definitely suggest that, you know, see the agentic systems not as a, you know, as a consolidated system, but as a part of, you know, like in our framework, we are kind of saying three layers. but it depends on like how, you know, if you are looking at an attack pattern or let's say MITRE framework that are mostly driven by the type of attacks that are there. But see the problem from a different angle, like what are the components that are there. I would rather say that stick to the architecture, say that like just like in our case, when we are saying that tool layer, you know, the cognitive layer and the identity layer. and then you know uh you know decide and look at each layer because each layer is having some different set of challenges and they they have the ability to do uh you know different level of damage at each layer so uh look at the threat modeling of those things by looking at that that part and then see where the you know uh the the challenges are and then then trying to to fix those Like for example like in tool layer is very very serious because that is actually the one that is carrying out the activity right It interacting with your database It is interacting with your you know the internal stuff that you are trying to do So make sure that it is running inside ephemeral containers. You have, you know, network, you know, segregations. You have firewalls in place. You are doing, you know, input and output, you know, validation of these things so that the tool does not really do anything, you know, wrong as per the environment. So we have described the recommendation in our report in more detail, and we have also given some insight into how the mainstream platforms have implemented to some degree these controls. So I do feel that the workspace isolation and sandbox, this type of isolation is very, very essential in deploying these systems. Right. And Joe, I'll go back to you for this one. What are two inconvenient truths that every security leader is ignoring right now that they shouldn't be about AI and human oversight? well one uh i would say probably the the most inconvenient truth is probably the explosion of identities um it's just right now i think we're trying to get a hold of like what number it actually is what's the ratio from human to non-human identity um i know in past reports we've given numbers we've coded numbers from our partners as well. But I think we're at a point now where it's like, well, everybody has a different number. I think it's become a subjective thing in that you can thank AI for that, especially with agents. I think, so that is an inconvenient truth, and I think it's obvious why. Identity management in itself becomes an insurmountable task. Well, I shouldn't say insurmountable. Everything is possible, right? What I think is happening is it's moving so quickly that it's making it harder to catch up and manage. That's kind of what I'm getting at. The reason is that agent identity is just like I've used this in the past, like elastic infrastructure in the cloud. You can have VMs spin up and spin down in a matter of seconds, just like identities. That's kind of the same thing. We're in this elasticity with identities right now. um the second inconvenient truth is what i'll go back to the telemetry piece um there's going to be a lot of hard work here because it's a matter of like i i post a few of the technical challenges there's a lot more um and it's something that my team or admit myself and others are currently trying to figure out like how do we actually come up with actionable telemetry for agentic AI, that one can handle the elasticity of different agents being created and destroyed and vice versa, all that stuff. That's another inconvenient truth because no matter what anybody says right now, like, oh, I have complete visibility into my environment. Okay, you have visibility, but we're talking about observability, right there's a then the reason is there's a key difference like you may see all of them but you are you actually observing what they're doing right there's a big difference to that and that's what i'm getting at is that's the second inconvenient truth is like from visibility get to observability so that's the same to your point earlier the difference between visibility and observability is really like the context like yeah you can see that they're there and that they're doing things, but are they doing the things that you want them to? Are they doing things that you don't want them to? That context-rich insight is really the difference between the two terms for sure. Well, as we close out the conversation here, I'll ask both of you the same question. I'll start with you, Amit. What is the single most important message you want to leave with our listeners today? I think my message would be that AI is coming, definitely. Be responsible and deploy it with responsibility. That's what I would say. Otherwise, the consequences could be very, very dangerous. Right. Joe, what is your single most important message that you want to leave with everyone today? We live in a scary world. I think we need to take a deep breath and really reflect on all the decisions that are being made. I'm not talking about the greater There's a lot of things happening. I want the scope down to just the AI problem. But I think it can relate to everything else as well. Reflect on the decisions you're making. There's a lot of doomsdayers as well, as there always has. Always has been with pretty much anything. That's unhelpful. When you're constantly talking about how things are going to be destroyed, how jobs are going to be lost, how the world's going to end. That's never helpful. Just remember that and reflect on it and realize how we can leverage AI in a positive, beneficial way. I want the benefits to be realized from AI for the world. But I think security has a major position to live in within this because without us, without us protecting critical infrastructure, hospitals and things like that, you still need humans. do this type of stuff. Because we're building these things. We should be in the loop on these things. I'll end it on this. It's like organizing a party and no one inviting you to the party you just organized. You're being left out of the loop. No, you want to go to the party you organized. It's the same thing with AIs. If we're building all these things, you should be very smart in terms of looping in the humans at different checkpoints to make important decisions. And that's the message Joe and Aliva. I'm tired of the doomsayers. I'm tired of this apocalyptic scenarios. There's always things going down. And there always will be. But there's also a lot of positives in the end of it. So I'll leave it there. Right. Well, what a wonderful sentiment to leave us on. So Amit, Joe, thank you both for your time today. It was really great having a conversation about this report. For those listening in, we'll link to the report in the show notes. And if you want to check out anything more about Rubric Zero Labs, you can check out their website. and thank you again for joining us, both Joe and Amit, and until next time. All right, thanks, Caleb. And you, Gab. That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to reach out to me directly about the show, send me an email at data-security-decoded at n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Iben, content strategy by Mayan Plout, sound design by Elliot Peltzman, audio mixing by Elliot Peltzman and Trey Hester, video production support by Bridget Krikeywild and Sorel Joppy. Until next time, stay resilient. you
