It’s 11:30 pm, do you know what AI your apps are hanging out with?

August 6, 2024 | 5 MIN READ

by John Dasher

Digital Transformation and Expanded AI Attack Surfaces

A key trend that we continue to see amongst our customers is digital transformation – transforming legacy and monolithic applications into decentralized, predominantly API-first applications that are distributed across multiple data centers, potentially across multiple cloud providers. That’s why organizations have a much bigger API attack surface today than they ever had with monolithic applications. Further, with the surging popularity of Artificial Intelligence (AI), organizations are modifying and creating applications that make direct use of AI, and they consistently do so through the use of APIs.

What you might not know is that Cequence also has a powerful Artificial Intelligence (AI) story of our own to share, and today’s announcement builds on that further.

So, what’s the AI angle here?

Unveiling an Organization’s AI Risk Landscape in Modern Applications

Many of these digitally transformed applications are now taking advantage of AI, using either native AI technologies or relying on external AI technologies from vendors like OpenAI and Anthropic.

Today, Cequence helps organizations discover how many of their applications are AI-enabled in this manner, using external AI frameworks. Armed with this knowledge, organizations gain an idea of what their supplier risk is like. They learn which third-party AI suppliers they are dependent on, as well as get an idea of the compliance posture related to these AI workloads.

Managing Risks Across External AI Frameworks

Much of the AI communication from these applications to those external AI vendors happens over APIs, with data being exchanged between the two parties. Organizations want to know where their data is going, and to the extent it’s running off into the arms of an AI provider, that it’s an approved provider. Increasingly, we’ll see AI usage being allowed, but only through approved AI interactions or AI engines, much like consolidating your approved/authorized hosting providers.

Further, organizations want to ensure that no sensitive data flows from these applications to an external organization, approved provider or not. And if it does, they want to be able to ensure that it is residing in a secure location with that third party.

Cequence enables organizations to discover all their applications that are using AI, especially from external sources. By integrating with existing network infrastructure, we can easily discover all the APIs and workloads within the organization that are interacting with external AI frameworks.

Identifying AI Attack Surface and Defending Against AI Data Leakage

Further, we are unique in that we have an external API attack surface discovery product that allows organizations to discover applications and API hosts in their environment that seem to be hosted on AI frameworks. For example, if they have an application that is hosted on Hugging Face, a popular machine learning (ML) and data science platform and community, we can automatically detect that and reveal the related API hosts that comprise their AI exposure surface.

Cequence is unique in being able to articulate this outside-in perspective. Our software tells an organization what their AI exposure to external AI frameworks like OpenAI and Claude is, as well as the AI attack surface stemming from the AI apps they’ve built themselves in service of various business use cases.

Second, once these AI workloads are discovered, we examine the communication that happens between the application workloads and the third parties, like the third-party AI frameworks. We analyze the content that is being exchanged, and we can detect sensitive data such as PII or payment information like that specified in the Payment Card Industry Data Security Standard (PCI DSS).

Compliance and Governance in AI Integration

In fact, PCI DSS v4.0 requirement 6.3.2 requires organizations to be able to audit and list all their third-party dependencies. Cequence helps organizations achieve compliance with PCI DSS v4.0 by automatically discovering all the third-party frameworks and the communication that is happening between them.

Cequence also leverages AI for defense. We are a Machine Learning (ML) AI vendor ourselves, using ML technologies to counter attackers by detecting the sophisticated ML-based attacks being staged against our customers’ applications. Cequence utilizes AI technologies that detect these sophisticated attacks, fingerprint the attacker’s behavior, track attackers even as they evolve their attack, and stop attacks in real time.

Go Forward Armed with Knowledge

We applaud forward-thinking organizations leveraging new tools like AI. However, it’s equally important to make sure that its utilization is understood, purposeful, and doesn’t run afoul of any relevant Governance, Risk, and Compliance (GRC) requirements. By employing API discovery of AI applications and APIs, ensuring their compliance with internal governance and external regulations, and making sure that attacks are swiftly detected and mitigated, AI can be a powerful technology to propel organizations forward.

As a leading API security vendor, Cequence helps organizations discover the internal, external, and third-party APIs in use amongst their applications, helping bring APIs into compliance with security best practices as well as protect them from malicious actors who may be targeting these APIs for data exfiltration, fraud, or other malicious purposes.

Want to learn more? Get started with a free, no-obligation API security assessment that provides an attacker’s view into your organization’s APIs. Or better still, book a personalized demo.

John Dasher

Vice President of Product Marketing

John Dasher, Cequence VP of product marketing, has extensive cybersecurity experience having held leadership roles contributing to 9 successful startup exits. Firms include Banyan Security, RiskSense, Niara, Good Technology, McAfee, PGP, and 11 years at Apple developing award-winning hardware and software products.
