Securing Generative AI – Discover, Comply, & Protect
Enterprise adoption of generative AI brings powerful business benefits, but also significant risk. APIs are the mechanism upon which organizations are rapidly incorporating generative AI (GenAI). Cequence can help discover GenAI use and assess its adherence to relevant governance and compliance while ensuring sensitive data, intellectual property, and machine learning models are properly protected.
GenAI Runs on APIs
Third-party GenAI tools are typically available as third-party SaaS or on-premises models. Outside of individuals interacting with chatbots, APIs are the primary method with which to interact and integrate these GenAI tools. In fact, in most cases, APIs are the only method of interaction, so it is imperative to ensure those APIs and the data transacted through those APIs is known, monitored, and protected.
GenAI Offers New Opportunities – and New Risks
The wide availability of GenAI-as-a-service makes it easy to incorporate attractive AI-powered functionality into existing applications, often without any corresponding review or approval from IT or cybersecurity teams.
Key questions often go unasked, let alone answered:
What applications and APIs are using Gen AI?
Is sensitive data being shared inappropriately both with and via Gen AI?
Do we have proper controls governing GenAI use, including API documentation?
Are we testing our GenAI APIs for governance, risk, and compliance?
Are we protecting our Large Language Models (LLMs) from malicious access?
Using a Discover, Comply, Protect framework is something that we see customers naturally identify with, given its proximity to other frameworks like MITRE and CSF. The steps can be performed individually in any order, but carry the most power and deliver best effect when all are in play.
Discover
In cybersecurity, we often say that we can’t protect what we can’t see, and that definitely applies here. To safely use GenAI with a known quantity of risk, one must first understand where it’s being used. Cequence discovery identifies and inventories all APIs in use, whether they are internal, external, or third-party.
Comply
As organizations mature, they usually put internal governance in place – their own as well as regulatory governance, where applicable. For example, some organizations forbid their software engineers from using external AI to help write source code due to intellectual property concerns. Other organizations might allow AI use for marketing purposes but prohibit any sharing of sensitive data.
Cequence actively monitors API transactions (including GenAI APIs) for inappropriate sensitive data flows. Additionally, Cequence also offers the industry’s first test suite to evaluate applications using Large Language Models (LLMs) against OWASP LLM Top 10 threats.
Protect
There are two sides of the protection coin that deserve our attention. On one side, we want to protect the organization’s IP, infrastructure, and systems from malicious AI. On the other side, we need to protect the organization’s AI from malicious tampering and manipulation.
Protection from AI
For GenAI to deliver on its promise, it must “learn” with training data. However, that doesn’t mean your organization has signed up to freely provide access to its intellectual property without discussion or compensation and may wish to block AI scraping bots from applications, websites, and other content-rich assets. Using a continuously updated global list of AI bots, Cequence helps you control this access. Without requiring user configuration, AI bot activity can be automatically identified and blocked.
Through business logic abuse, bad actors can use legitimate APIs to carry out their attacks or defraud an organization. Cequence prevents this.
Protection for AI
Of course, an organization’s Large Language Models (LLMs) must be protected from inappropriate or malicious access. Cequence uses GenAI to autonomously generate threat mitigation policies that we use to either block attacks natively or work with third-party applications (like a WAF) to thwart sophisticated, resourceful attackers in a fraction of the time that it would normally take (what took 30 minutes is now a single minute).
Also, excessive usage of GenAI systems can lead to unintended spending and “denial of wallet” type of situations. Misconfiguration, human error, application error, and malicious intent can all trigger excessive usage. Cequence can monitor GenAI usage and meter the usage based on enterprise policies
AI/ML Innovation
Listen as Hari Nair, VP of Product Management at Cequence, discusses the newest features of the Cequence Unified API Protection platform, including ML-based threat classification, automated AI bot detection and mitigation, and more.
Find out how Cequence can help your organization.
Cequence security experts will show you how we can help to protect your applications and APIs with a personalized demo.
