“chief information security officers should establish a balance between allowing employees the freedom to take advantage of new and helpful tools like ChatGPT, while at the same time ensuring critical data cannot be exposed via these platforms.”
Hi, Devin. Welcome to the CIO Influence Interview Series. Please tell us about your role at Menlo Security
As CISO of Menlo Security, I am responsible for the company’s internal global cybersecurity team. I provide internal guidance and policy insights to both the company and our customers, and I am focused on reducing the company’s risk and security exposure.
What has changed in the Browser Security landscape since the launch of ChatGPT? How did you prepare for this massive AI disruption at Menlo Security?
ChatGPT and similar generative AI platforms saw an enormous surge in user adoption almost immediately. With so many people eager to test the capabilities of ChatGPT and understand how it might help them perform different tasks – both personal and work-related – our team at Menlo recognized that this also introduced another element of security concerns.
We analyzed generative AI interactions from 500 global organizations over a 30-day timeframe and found more than 10,000 incidents of file uploads into platforms like ChatGPT< Microsoft Bing and Google Bard.
We also found nearly 3,400 instances of employees copying and pasting sensitive information into these platforms.
Everyone must be aware of the potential for sensitive data to be leaked in this manner and for guardrails to be put in place.
For example, we recommend limiting what can be pasted into input fields (either via restricting character counts or blocking known code, for example), and executing app commands in a remote browser which offers the opportunity to stop sensitive data from being exfiltrated. Guardrails such as these offer the company more protection while at the same time allowing employees to take advantage of these innovative and helpful platforms.
Recommended CIO Article:
How Businesses Can Move from AI-Curious to AI-Ready
Please tell us the difference between a CIO and a CISO. How have your responsibilities as a CISO changed in the last 3 years?
One key difference between a CIO and a CISO is that while a CIO is typically responsible for procuring and maintaining technology, it is the CISO’s responsibility to ensure these tools are secure and to set and enforce policies for their secure use.
CIOs oversee the entire technical infrastructure and focus on functionality, efficiency, optimization, ROI, etc. CISOs protect this technical infrastructure from cyberattacks, data breaches, security vulnerabilities, malicious software and insider threats.
Could you highlight what should be CISO’s approach toward developing and enforcing organizational security policies with generative AI tools?
As mentioned above, the key is establishing a balance between allowing employees the freedom to take advantage of new and helpful tools like ChatGPT, while at the same time ensuring critical data cannot be exposed via these platforms – either intentionally or unintentionally. Setting clear policies on what can and cannot be entered into the platforms as part of a prompt and then training employees on those policies is of course a solid first step – but we all know by now that training on its own is not enough.
There must be additional guardrails in place to serve as a safety net.
What are HEAT Attacks? How are these different from the Legacy Reputation URL Evasion (LURE) attacks?
HEAT stands for Highly Evasive and Adaptive Threats – these are a type of cybersecurity threat that is characterized by sophisticated techniques such as dynamic behavior, file-less attacks, and delayed execution to avoid detection. They are attacks that are specifically designed to fly under the radar and evade traditional security tools that attackers know most organizations currently employ (e.g. SWG, EDR, and firewalls).
Legacy Reputation URL Evasion (LURE) attacks are one type of HEAT attack in which threat actors bypass web categorization. LURE attacks exploit the binary categorization of URLs on SWG and URL filters which flag URLs as either trusted or untrusted. Therefore, threat actors take over a trusted site or in some cases build brand new sites and build credibility until it is flagged as a trusted site, then use those URLs to launch phishing attacks.
Some other examples of HEAT attacks include:
Malicious password-protected files
Bad actors send malicious payloads in a password-protected attachment via email. If the attachment is password protected, it can’t be opened and scanned by traditional email security tools, but most organizations allow these attachments to enter inboxes so work isn’t disrupted. Attackers are well aware of this loophole and take full advantage.
HTML smuggling
Attackers will break up a malicious file into smaller pieces of seemingly benign information and embed these within the HTML code of a website. This bypasses detection by commonly deployed security solutions such as proxies, sandboxes, and firewalls. Once received by the browser, these smaller pieces of information are assembled into an executable malicious payload inside the target’s browser. This is a highly effective method for delivering banking trojans, ransomware, and data reconnaissance tools.
MFA bypass
This is a form of phishing in which the bad actor gets around multifactor authentication by either inundating the user with MFA requests until they approve or intercept MFA tokens.
We’re seeing more and more of these attacks happen on mobile devices which often lack enterprise security altogether.
How do HEAT Shield and HEAT Visibility solutions prevent zero-hour phishing, malware, and ransomware attacks?
Menlo Security’s HEAT Shield provides isolation-based behavioral analysis to detect and block HEAT attacks targeting the web browser where traditional, detection-based security tools fail. It uses AI analysis and computer vision capabilities, and URL risk scoring and interprets threat signals from within the web browser – a dataset that is invisible to network security solutions. HEAT Shield supports any browser and any endpoint operating system to protect all w********** against HEAT attacks – no matter what browser users choose.
Top Cybersecurity News from Menlo Security:
Menlo Security and Carahsoft Partner to Deliver Leading Cloud Security Solutions
Users and enterprises are protected against even Zero-Hour attacks because Menlo’s solution does not rely on “known bad” signals and instead conducts real-time analysis.
The HEAT Visibility dashboard from Menlo Security allows you to view the number of evasive threats and other malicious web requests targeting your users, enabling SOC teams to maximize browser security. It easily integrates with existing SIEM, SOAR, and SOC platforms for faster incident response.
Effective and definitive protection against HEAT attacks is critical as phishing and ransomware continue to top the charts in terms of the most persistent and damaging cybersecurity attacks, and this trend continues year after year because threat actors know how to evade the most commonly deployed security tools. Advanced browser security is needed to block both HEAT and Zero-Hour attacks.
Lighter notes:
Burn the midnight candle or soak in the sun?
I love to get up early before everyone else to set the tone for the day.
Coffee, or Tea?
I’m a coffee snob. Single-origin pour-over is my go-to.
Your favorite Menlo offering that you want everyone to know about:
HEAT Shield. The product’s real-time phishing blocking can stop even the most sophisticated attackers.
First memorable experience in your career as a cybersecurity technology leader?
After starting in the CISO role at a previous company, I led my team to completely revamp the security program. It took a couple of years, but after that, we started to receive many compliments from our customers on the improvements. It was unexpected but very rewarding to see the external recognition from our own customers on the program our security team had worked so hard on.
One thing you remember about your employee (s):
Empathy. I believe empathy is a key quality for security practitioners and I love to see the team demonstrating it.
Most useful app that you currently use:
Audible. I have some days of long commutes and it’s great to be able to listen to books and make the most of that drive time.
Thank you, Devin! That was fun and we hope to see you back on CIO Influence Interview soon.
[To participate in our interview series, please write to us at sghosh@martechseries.com]
As Menlo’s CISO, Devin is responsible for providing internal cybersecurity guidance and policy insights to both the company and our customers. He is also focused on reducing the company’s risk and security exposure. Devin has over 20 years of experience in cybersecurity. His previous experience includes security positions in several Fortune 100 organizations. During his time with both Mandiant and the U.S Federal Reserve, Devin had hands-on experience mitigating large, high-profile breaches and dealing with highly motivated global threat actors.
Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s patented Isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end user-experience.
Menlo Security is trusted by major global businesses, including Fortune 500 companies, eight of the ten largest global financial services institutions, and large governmental institutions. The company is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JPMorgan Chase. Menlo Security is headquartered in Mountain View, California.
