AI-Powered Zero-Day Cyberattacks & Cloud Ransomware

Today we have a really wonderful topic, a very timely one.

We're gonna be talking about ai, cybersecurity, these zero dates, cloud ransomware, and AI threats and defenses.

I'll tell you, I was just working on the conference schedule and as we went through this, this was one of the most popular, uh, session topics that popped up.

So really excited.

You guys are getting a very early, uh, kind of version of that same thread here.

And today we have some wonderful presenters coming to join us.

So we've got, uh, Ted Popeye Edno, and uh, he's from Prominent and they're an IT consulting network integration as you see here, and managed services.

So a lot of you that are struggling to do all the things, wear all the hats, you rely on amazing vendors like our vendor partners that are here today.

I believe Ted also has his colleague Nicholas.

So Ted Nicholas, welcome.

We're so excited to have you with us today.

Thank you.

Thank you.

Thanks so much.

You too.

Excited to be here.

So, Alright.

Right.

Um, so let's get right into it.

And we wanted to start off with Nick, just introing prominent a little bit, and then we'll get into the details of how AI's affecting cybersecurity.

So Nick, I'll turn it over to you to start.

Thank you.

Okay.

It is great to meet everyone.

Just 30 seconds.

Just, you know, for those of you that don't know us, um, I, um, we prominent, well first to give you a little intro on Prominent, um, we were established in 1999.

So we've been in business about almost 27 years now.

Um, and we specialize in working with independent schools.

Um, that's actually a business vertical that I started at prominent, I've been with the organization my entire 27 years.

Uh, started out, uh, selling, uh, Sonic well firewalls and Barracuda anti-spam and, and meeting a lot of schools that way.

And that morphed into us basically realizing that there's was a great opportunity to offer, you know, IT services and solutions, uh, specifically to K through 12 independent schools.

And through our early experience with like emerging technologies, um, you know, specifically with Next Gen, you know, with, with, uh, stateful inspection, firewalls and web filtering and email security things that nobody had 27 years ago, really, especially schools, um, that was a great opportunity for us to learn more about the technology and build a business around that.

So, um, I, so we we're based in New York City.

Uh, we're located down the financial district, but uh, we serve, um, regional schools, um, so all across the tri-state area.

And then we work with, uh, you know, a lot of different schools that are across the entire US now, which segues into how I was introduced to, uh, Atlas.

Uh, one of my schools had recommended that, uh, we look into it, that, that we attend a conference that we become a member.

Um, so, um, for the last few years, uh, I personally, uh, the, uh, annual conference, um, I think over the last two years I was in Reno, and then last year I was in Atlanta.

Uh, Ted joined me actually last year in Atlanta.

And, um, you know, we're always looking to find, and, you know, it's, it's, first of all, it's great to be a part of the Atlas community.

I met a lot of really interesting people.

There's amazing vendors there.

Uh, you get to have, you know, great interaction with schools.

So we love working with Atlas and you know, we're, you know, we want to offer, you know, valuable information, um, you know, to the Atlas community.

And so we've just been focus on cybersecurity and, you know, we've been trying to think about, um, you know, strategic, you know, thought things that we could talk to schools about that we could educate them on, you know, which is why, you know, we put this, uh, webinar together today.

So that's us really in a nutshell.

We're an engineering based company.

We're about a 60 person organization.

We're privately owned, privately funded.

Uh, we work with about 40 different schools.

Um, our account managers, people like myself and our engineers have very, very hands-on personal relationships with all the, we find many people that work with prominent, you know, we have like amazing relationships with all the IT leadership, with the IT directors, CIOs, even down to the network managers and some of the help desk people.

Um, Ted, thank you for putting up this slide.

These are just, uh, the core technologies that we work with.

Pretty much everything on the infrastructure side.

So, um, systems integration, network integration, enterprise wifi, um, all your baseline technologies.

And of course now on the system side, that's all morphed into cloud.

Um, you know, whether it's, uh, product, you know, applications, you know, helping schools, you know, manage and enable that.

And then of course, we wrap cybersecurity around all of that innovative, all the new innovative AI based cybersecurity technologies.

And of course, we have all your foundational cybersecurity technologies, you know, firewalls, intrusion detection, prevention, endpoint detection and response.

But we're looking for ways.

We're constantly look looking at the market and trying to find solutions that, uh, we feel, you know, would be a benefit, you know, specifically for our K through 12 clients and looking at, you know, new threats and things like that.

And that's what Ted is gonna talk about today.

So if, uh, anybody has any, any questions after the event, you know about prominent, um, anything related we talk about today, you know, we're, we're here to answer any questions you might have.

Great.

Thanks Nick.

And there's no shortage of new threats out there and, uh, but there's a lot of exciting stuff on the defense, um, and the attacker side of things.

So we'll get all into that.

So I'll just start off here with, uh, what might be floating around in your head in terms of cybersecurity.

Um, on the news, in things you'll read online, you're constantly being barraged with headlines of attacks that are happening and details of attacks and how attacks are changing.

And it's really scary.

Uh, people often will react to these things and budget to cybersecurity projects or change the way they're doing things, um, and act in a reactive way where that might not be the best thing for cybersecurity.

But this is the nature of the landscape that we're in.

And now with AI coming on the scene as well, there's a lot more different, there's a lot of different attacks that are hitting us.

So these sort of things that will scare us will, will never stop, but we wanna find like a good way to actually do security that's not just reactive and not just based off, uh, the fear that we feel.

So let me take you back to two years ago when there were a few attacks, um, that actually have laid the groundwork for where we're at today.

Um, they just are good examples of, of where the future, um, is moving.

So cyber attacks don't have to be traditional things that you hear about, like ransomware or email business compromise, but they could be all different sorts of things.

So I gave two different examples here.

One on the left side is the New Haven Public Schools were affected by an, uh, business email compromise.

And the other on the right side is a MoveIt, uh, is the MoveIt data breach was, which was a supply chain attack.

So on the first one at the New Haven Public Schools, this might've been one of the first good examples of a highly impactful AI assisted, um, uh, attack, email business compromise attack.

The co o's email was compromised and they were able to get access into it to see all his emails.

They did that by just compromising his credentials, not necessarily using malware or using anything extremely sophisticated, but they were able to bypass a control.

And once they got into his mailbox, they were able to look through all of these emails and do correspondence with his vendors, specifically his school bus vendor, the school school bus vendor, and were able to convince, um, his vendors to take new accounts, um, to, uh, change where the payments were being delivered.

So given that happened, um, it was extremely sophisticated and there is evidence that that was because of the attackers being able to use the AI tools to be more sophisticated with their language, to look through all of these emails and generate the right sort of attack, not just do, um, a Nigerian print scheme or, or something similar to that, but be very sophisticated with how they convinced the third party.

And then we have a supply chain type attack, which is the move at data breach.

So this is an attack which started in 2023, and at the time, 161 schools were impacted by it.

It was a third party file, uh, access tool file server tool that was, uh, compromised with a zero day.

And once the attackers got access to this, they had footholds into the environments, and they were able to wage, uh, further attacks.

So originally it was 161, but after about a year, the attackers had so many footholds into the network and they just did not know what to do with it.

They attacked more and more organizations and more and more schools with those same footholds.

So the number for schools ended up being closer to 9,000, uh, sorry, 900 and the original thousand company, uh, companies that were breached, uh, was on the order of thousands.

So that all being said, there's all different sorts of attacks that once they start, um, we have to keep an eye on the risks and what that really means.

So one important thing is that education, even though, um, most schools might be mid-size organizations, they are the third most targeted industry.

Partly that could be because of the resources that they have, the resource limitations, uh, a lot of schools will only have anywhere from one to five full-time IT staff on and, and no full-time security staff.

So that metric there is from the Microsoft Threat Intelligence report.

But the graphic that I have here is from the Verizon data breach report, which they put out on a yearly basis.

And, uh, those, those reports say the same thing.

If you look across any reports, education is, is one of the highest hit, uh, markets.

So ransomware and extortion is one of the primary reasons why they're attacking schools, and they're finding different ways to do it.

So whether it's email business compromise or supply chain, attackers are finding ways in.

So I wanna step back and ask a few fundamental questions that will answer throughout the rest of the presentation.

So, a, what's led to all of these attacks? You know, why are all these attacks happening and being successful? How do you use your res resources wisely? Because schools, again, have limited resources.

And cybersecurity is a resource management game, knowing where to put your resources to stop an attack that's happening this year versus what was happening a few years ago.

And will AI help with these attacks and will it result in more attacks? People are worried about attackers using AI to their advantage, but also we have the opportunity to use AI to our advantage.

And also, you can try to see which parts of this presentation where AI generated to try to get yourself more used to spotting these sort of attacks and these sort of patterns that attackers are using when generating content.

But that being said, um, we can't really do that on our own.

So, uh, I have a case study here from a vendor called Pindrop, and it's not the vendor that's necessarily important, but the tactics they use.

So Pindrop works in, uh, the banking industry and call center industry to help spot deep fake audio from people calling in, attackers, calling in and changing account numbers, um, something that's extremely hard for people to do.

So even when I'm browsing YouTube or the internet, a lot of the times you'll find a video that, that you get fooled by, that I get fooled by.

Oftentimes, it's easy to spot things.

Oftentimes it it's not that easy to spot things.

So what Pindrop does and what other AI vendors do, which are trying to spot when there are deep fakes or are generative AI tools being used in communication is they'll sign, they'll, they'll use signatures and they'll use their own algorithms or own AI and machine learning algorithms to detect when generative AI is being used or when deepfake audio is being used in a machine versus machine sort of scenario.

Um, and they're able to do this because at the end of the, at the end of the day, it's all bits that are going across the wire.

And these algorithms can spot specific ways that different generative AI algorithms are producing that audio where a human might not really hear it, they might hear inflections are different, but this company is able to do, say, once it sees, uh, evidence of a generative AI tool being used, they'll develop a signature with 99.9% accuracy on that specific generative AI tool.

The reason this is important for schools is because DeepFakes are actually impacting schools in different ways.

And there's really two categories of risks.

So one is attacks on schools from attackers, and the other is incidents within schools.

So there's some examples like the Pikes School, the Pikesville High School in Maryland, where the athletic director must have had a vendetta against the principal and created Deepfake audio, having the principal saying racially charged remarks, which led to a lot of backlash against the principal and the athletic director once they found out it was him, ended up being charged.

And it was the second US criminal case, uh, for using Deepfake audio.

Then there was also the Beverly Hills Middle School, where five students were expelled because they generated DeepFakes of students, female students with graphic imagery.

Um, and that was another criminal charge.

And there's other examples here as well.

And according to the RAND survey, there was a survey of over a thousand principals at schools.

Um, 22% of those principals said that there were deepfake bullying incidents, and 20% of middle school principals said the same.

So, while this isn't cybersecurity attackers, this is where we have to start thinking about do we need to put some sort of protection in place for detecting when generative AI is used detecting DeepFakes, because the same could apply to, uh, your accounting team when somebody is impersonating the CFO trying to get account numbers changed or being sophisticated in some other way.

But all this being said, we don't have just generative AI and AI threats to worry about.

And there's a lot of different drivers in cybersecurity over the years.

There have been many different concerns, whether it's cybersecurity, insurance, putting out new requirements or audit requirements from the finance team laying out controls that had to be followed, or just general risk management, best practices or laws as the laws are changing.

There's different privacy laws within your own state, within your industry, um, in different countries like GDPR.

And those are all things, including the other things on this slide that are impacting what we do for cybersecurity defense.

We can't just be single-minded and focus on one single threat and where we put our budget for that to defend against that threat.

There's also internal policies that we have to worry about.

Maybe it's just the way that we want technology used in our schools, how, um, how much access students get to certain information or certain websites or AI tools or anything like that.

And all of those feed into the overall cybersecurity posture, which is not un directional.

So we, we wanna look at metrics when we, when we think about what's out there and where do we put our resources.

So, um, I have some metrics here from the Verizon data breach report again, where it says that extortion is the primary motivation for these attackers.

So there's all different attacker types, um, and all different ways that they're attacking.

But if we want to start defending against, uh, the most probable attacks, we wanna know, we want to defend against extortion attacks where they're trying to steal money from the school, from the organization.

The ways that they're doing that are through all different means, malware, where something is installed directly on a computer or a server hacking where they're hacking websites or something exposed, or social engineering attacks.

Oftentimes you'll hear that social engineering is the number one way that attackers are getting in.

But you know, you can see on the graph on the bottom right that that's just not necessarily the case.

It's all different types of attacks that change year over year.

So social engineering may be a bigger attack vector one year, uh, whereas system intrusion will be bigger other years between 2024 and 2025 at least.

Um, from the metrics I've seen and from our experience in the field, I saw VPNs being attacked much more in web applications being attacked.

Um, and attackers were very successful with automated attacks and brute forces, brute force attacks, and that's ways that they were getting it.

And so we need to track all of these different attacks and these threats and build our defenses around those, not just, again, one single type of attack.

Um, and an important metric here is that the, the threat actors that you are all are up against, that we're up against are financially motivated.

So it's not, it's not necessarily just the data that they're after, they're after your data so that they can make money from that data, whether that's through a ransomware attack or an extortion based ransomware attack where they steal your data and threaten to release it if you don't pay them or some other means to get money out of you.

But it's not necessarily data for data's sake, but they are extremely motivated and continue to make money doing this so they get even more powerful, um, for every attack that they're successful with.

And if we just break it down to the type of attackers out there, um, we have our organized crime groups, which is probably the biggest group that you all will face.

Um, this is really a, a group.

This is really the group that is organized and, um, global and presence, and they run like businesses.

So what they're doing is they will form syndicates, they will find people that have skills in different areas.

They will develop resources, whether it's knowledge on different networks or ways to hack, um, and they'll get automated attack types and they will find ways to breach customers of any size or sorry, uh, breach companies of any size.

Um, and they're sophisticated in doing so.

And because every attack that's successful gives them more money, they can grow their own resources.

Oftentimes you'll hear that there's a lot of nation state actors that are very sophisticated in attacks and sophisticated in hacking.

But to be fair, those are really not the attackers that we are all up against as mid-size organizations.

It's not to say that we shouldn't try to defend against those, but if you're under the crosshairs of a nation state actor that has advanced zero day malware, like a Pegasus, where it would be a text message going to your phone and it takes over your entire phone, um, we're really limited in what we can do in those scenarios.

And, you know, again, we still try to defend against those, but we wanna look at putting our resources to defending the higher, uh, probability attacks, which are those organized crime groups.

But we also have the other groups like end users and just other ways that we're having data breaches.

So we look at how we can design policies to, to meet those sort of attacks.

So ransomware, even though it might not be the number one way or the only way that attackers are attacking us, but it is growing year over year.

So this is a chart from that Verizon data breach report that shows ransomware is continually on the rise as of this year.

I think the metric was something about 30% rise in ransomware year over year.

So we, we do have to continue to be aware of this as people are moving more infrastructure off premises and into the cloud, attackers are realizing that and are adapting the way they're doing things.

So ransomware really is evolving here.

There's phases of ransomware that have occurred.

The first phase was the endpoint era, let's call it, um, in 2010, around really around 2014 or 2015 is when this started to take off.

Ransomware was on individual computers and computer networks on Windows systems primarily, and they would encrypt computers and file servers.

Um, but they would just encrypt that data.

They would not exfiltrate the data.

They would, um, scare people because nobody was really aware of what ransomware was at the time, and it was really hard to defend against, and people often didn't have good backups to defend against it.

But the defenses that worked were antivirus and backups that worked, uh, you know, backups that were functioning.

Um, but attackers got wise to that.

And as they started not being able to make as much money as they first were, they moved to the infrastructure error where they started attacking VMware ESXI hosts as well, and being more sophisticated with, uh, double extortion ransomware, which is where they exfiltrate data and then threaten to release that data, uh, like we had already spoken about.

So that's how it evolved.

And previously where we only, where it was only Windows servers that were affected, now it's VMware hosts, it's the Linux appliances that are on those hosts like vendor, uh, managed systems, whether it's building management systems or anything like that.

And it was much harder to recover from because you are not necessarily backing up your VMware configurations and your VMware hosts.

So it evolved and, uh, attackers started making money, um, on those sort of attacks again.

And now we're in phase three where we're at the cloud air.

As the years have gone by, organizations have changed to hybrid models, possibly, whether it's running servers in the cloud or just using all SaaS.

Um, but those organizations that do run servers and cloud infrastructure like Azure and AWS are subject to these sort of attacks.

Storm 0 5 0 1 was an interesting one that Microsoft did a writeup on, and it showed that ransomware, um, could be fully deployed and executed in an Azure environment using just the APIs and scripts that are available, given that the attacker elevated their privileges.

So what they were able to do was elevate their privileges remotely using these credentials, delete backups in those cloud environments, um, lock the organization out of their own account or out of their own cloud and make it so there was no good way for them to recover.

So this is one advancement and you know, we'll see ransomware advance over the years because it is still one of the number one ways these attackers make money.

So even though we're moving more off of premise and into the cloud, they want to find ways to make money off of us.

There's also different types of attacks that attackers are finding in just default configurations.

Um, they're attacking ubiquitous platforms.

So even though we move everything to, say the Office 365 World or the Google Workspace world, attackers are still targeting those systems and finding ways to impact organizations.

So the one I have here is one that happened this year a few months ago.

Microsoft Direct Send is a feature of Microsoft where it allows, say, a printer or anybody on a network to send email from an account.

So from that domain, uh, if you were trying to send an email to, um, yourself from your scanner, you would use a feature like this, and this was a default feature that was on and actually had no way to be turned off on the Microsoft side.

And attacker saw that and used that to their advantage.

So they would run remote scripts, do direct send and send internal commun communication within your organization.

So it looked like it was coming from say, your CFO or somebody similar, but it was really coming from the attacker.

How AI feed is feeds into this is that they are able to be sophisticated with the language they use.

Um, anything they can learn about you from the internet or from previous data breaches where they collected email, they can use that to have more sophisticated communication and it looks like it's coming from within.

So it bypasses all the email security that you set up with SPF records and DM records, um, and all your training where you tell people to look for a different domain name, um, of an attacker.

And because of this, you know, Microsoft had to issue a quick fix for this.

They created a feature where you can reject.

These direct sends have default to off.

So if you're still, if you're using a Microsoft 365 tenant, you should definitely make sure this is off.

You may have been affected at the time that you were noticing a lot more phishing and mal uh, phishing and, um, email-based attacks, so you would've turned it off at the time.

But if you have not, um, it's our strong recommendation to go look at that setting today and to talk about generative ai, AI more and how it's being used by attackers.

Um, we could definitely see on the email side that they're using it more and more over time, so year over year they're finding ways to use this to their advantage.

But then we also look internal in the organizations and see how people are using it to their own advantage, but also how people are using it in unsanctioned ways.

So this graphic shows that of all the generative AI accounts that they surveyed, the ones in green here are ones that people registered on their own with their own personal accounts.

So say within your organization, people are signing up for chat GPT with their personal accounts and putting corporate data in there, putting all sorts of information into those systems with no controls.

The orange bubbles, the orange robot faces are the ones where, um, they registered with a corporate email, but it's not tied to your corporate account or corporate policies.

So you run into the same issue.

And then the ones that are in light gray are the ones where are tru, those are accounts that are truly controlled by an organization's policy with content guardrails, with monitoring and all of those things.

So this is just the reality of how people are using generative ai.

So we understand that's a vector where, you know, information can be leaked and you know, policies can be violated.

So to step back a little bit and just talk about risk in general, uh, risk in cybersecurity is this combination of the attackers who are the threats out there? They're these external forces that we cannot control.

It might be that government entities can shut down ransomware gangs or organize crime groups, but we have very little control over that.

And then we have all the vulnerabilities.

There's hundreds of vulnerabilities on say, systems every day that come out.

But we also have human vulnerabilities, things that like where how we can be social engineered, and those are things we can control.

But if we had hundreds of threats and zero vulnerabilities, our risk would be extremely low.

If we had one threat out there, but thousands and thousands of vulnerabilities, our risk would be high still because we have so many ways for that one attacker to take advantage of us.

But that being said, we have tons and tons of threats and tons and tons of vulnerabilities.

So our risk is elevated and we need to control that risk.

Zero day vulnerabilities are one type of risk that's very hard to control.

They're sort of the black swan, they're sort of the unknown unknown when it comes to vulnerabilities.

We all use systems, whether it's a firewall or a software system that does have patches, does have good vendor support, but software inevitably has vulnerabilities in it that attackers are looking for, especially with generative AI and how they're able to scrape websites and look at every single piece of code.

They're able, they're able to find zero day exploits quicker and quicker, and that means that they're able to take advantage of vulnerabilities that the vendor has no patch for, and you have no real mitigations for.

So that being said, schools suffer more because there's a lot of different applications in use.

Some of them are legacy, which maybe have either less vendor support to patch vulnerabilities, um, and do good security practices to avoid more of these zero days.

Um, and they have small security teams.

So even if, um, say a system was compromised and there were some indicators that it was compromised, the security team would be slow to detect it.

Ways to reduce the impact of that is to use things like endpoint detection technology or extended, uh, detection technology.

And that's integrating all of these different signals, all of this different telemetry to find if something was compromised, um, is it starting to act maliciously? We'd also want to still segment to contain the, the spread of these attacks.

So if something is compromised, can we limit the blast radius of that attack? And I would say most importantly, as the MDR, the managed detection and response market is growing, this is where you have an, uh, an opportunity.

Um, schools again, often have zero cybersecurity personnel on staff.

An MDR provider is somebody who has a team of SOC analysts, security operation center analysts who are looking at alerts on a 24 7 basis trying to find whether there's an attack happening and alerting you and having your IT team step in and act on those things.

The good thing is too, AI is helping those sorts of teams.

So what, where you might have had to pay a large fee for MDR services in the past, they're able to do things more efficiently.

They can look at every single alert that's coming into their system through your feeds using AI tools and only pop the most relevant ones to their analysts.

So it makes that service be, uh, even more cost effective than it previously was and makes them even more effective.

So if we look at this whole picture, we want to take into account that we really are trying to do risk management in cybersecurity.

So we have all our assets and we need to make sure we know about those.

We have the safeguards and controls that we're putting in place, and we have those threats and vulnerabilities who are constantly trying to, the threats, the attackers who are constantly trying to attack as the vulnerabilities that are constantly present.

And we also have like our values and the ways that we're designing policies and our systems and how our users are using things and all of these factor into that risk.

So that being said, it becomes a complicated picture if we don't follow, say, frameworks and guidance and look at what's actually happening out there and put our budget, um, in, in places that will actually lower our risk.

So I could just say from our experience working with schools and working with other organizations, these are some of the bare minimum things that I would want to see in every environment.

So the first is some sort of managed security.

So prominent does not do managed security services like a managed soc.

So it's not why we're promoting it, we're we're promoting it because every organization really needs somebody to be looking at alerts on a 24 7 basis.

If something happens in the middle of the night, um, you need an analyst to look at it.

And also there's just unlimited, an unlimited amount of alerts to go through.

So you really need a team that's capable of, of handling that and alerting you when there are things to look at.

Then you also have endpoint protection technology, your CrowdStrike or your Sentinel ones, your EDR, which is protecting against, uh, advanced and oftentimes, um, malware that cannot be detected with a signature.

So it's doing it in an advanced way.

And you also have encryption in case somebody loses a device.

Then you have modern remote access, whereas I said VPNs were being attacked really heavily over the past few years.

Modern remote access tools like a Zscaler or a Netskope or something similar allows you to not have anything exposed to the internet, but still have your, uh, remote users access your internal environment.

Then it comes to identity.

So you have things like single sign-on providers, like integrating your Google Workspace identity into your other cloud and SaaS apps and multifactor authentication on top of that.

And by doing that, although you're putting everything into one identity source, you're able to shore up that identity source with say, risk-based detection and multifactor authentication and alerting around that identity for how it's being used or misused.

And then email security is one of the number one concerns because attackers have access to email.

That's one of those systems that they just have sort of unfettered access to.

So having good tools on top of your email platform is extremely important.

And then we have some things that are just true.

And over the years, you know, firewalls are still important, even though, you know, there's not necessarily just one network anymore to protect.

You have a ton of remote users, firewalls and content filters and endpoint firewalls are important to stop known malicious, um, traffic from leaving your network and entering your network and protecting your, your, your staff and your students from websites that you, you have policies against them going to.

And then training is really important as well, because as all these threats are changing and as attackers are able to trick us more in what they're doing, training on the new types of threats becomes important because we need our end users, we need the people using the systems to be able to do their work, but to be able to spot those new attacks.

And then finally, we have mobile device management, which again, as we are moving more to a remote only or, you know, remote heavy world, um, the ability to control every device, push patches to those devices, understand our asset inventory and where the vulnerabilities live is more important than ever.

And to wrap that all in, in one, um, you know, new technology, anything that can integrate AI-based protection tools is going to be a leader here because these attacks that we're facing will have to be spotted by behavioral engines and be spotted by AI tools to really protect us.

So even if we have everything deployed, have everything properly configured, we need things, we need technology that can spot the new types of attacks on a continual basis.

So this slide I'll just cover super quickly.

Um, this is really the picture of the cybersecurity landscape.

Um, we have our mission critical assets and our data we're trying to protect, and there's a whole industry and sets of technology built around protecting that.

We need our end users to be able to do their work.

So they need to be able to use their systems dynamically, go to websites that they've never been to before, work from a country that never worked from before, um, download data on their computers.

So there's all sorts of tools, whether that's at the data security layer or the application layer or the perimeter or cloud layer that need to be in place so that we can monitor what's happening from a security standpoint, stop the attackers from accessing those systems in a malicious way, but allow our end users to continue to to access those systems.

So I'll give a few case studies here of vendors that are integrating AI well into their technology.

Um, I think we see AI being integrated into almost every platform.

Now, A lot of SaaS platforms have some sort of generative AI say chat function, but there are some security vendors that have been doing this for a long time and are using the new parts of say, generative AI to do what they were already doing even better.

So darktrace is a good example where they were an AI first company.

Um, they used machine learning, they would sit on your network, they would spot all of the traffic on your network and develop a baseline in a model of what was normal on your network.

So that when an attacker got on your network and they were doing something that looked slightly similar to say the CFO because they were running from his computer or slightly similar to an IT person, this system would say no, there were slight deviations in what that person was doing, and it was say 90%, um, likely that it was malicious.

So this sort of tool expanded in scope.

And what they did was they trained their own AI model in the way their analysts were handling alerts.

So then it developed, they developed a cyber AI analyst, which would do automatic analysis on the alerts that were coming in based off what their human analyst used to do.

So they continued to advance it in that way, and it became more important than ever because they expanded to email and to SaaS and there were so many feeds that they needed to monitor.

So the reason this is important is because internal teams, they may be monitoring their security, but they need the most high fidelity alerts to be popped to their attention.

So it's not to say any of these tools that I mentioned will only give you the things that are truly malicious.

You still might need a human on the other side to do that, but they'll pop the alerts to your attention that need your attention, that you need to determine, you need to help determine if that really was truly malicious or not, or if it was just say, an IT person copying data to a flash drive because they needed to do a backup or installing software that has never been seen before.

CrowdStrike is another example.

This is an endpoint protection product that is also expanding their scope.

But one thing they integrated was generative AI to their platform.

So you can chat with your security tool.

So let's say you had a malware alert on a computer, you can chat about that and say, I saw this malware alert on a computer.

Was any other device in our network affected by the same thing or something similar? Can you tell me, you know, how long this attack hap uh, took to take place? You know, how many different people were involved in this and all sorts of other queries, and you have a natural language interface to do so.

So CrowdStrike is a good example.

Again, they, they have ways to plug into different telemetry, whether it's the identity through your Google workspace or something else, uh, through your logs, all your network devices on premise, sending your logs to that and have a way that A, their analysts can analyze it, b their systems can analyze it and then, or, and then c your your own team can analyze it using the tools that enable them to do it, um, in a more efficient way.

And then a final AI tool that I'll mention is, um, it's really not the vendor in particular, even though this is a great vendor, but it's the concept that we need AI based protection on email security.

Because as these attacks get more sophisticated where the language looks so much like another person, we did an AI tool to help us develop those signatures and find, was this really that person sending that email or was it an attacker impersonating that? So abnormal security is a layer that sits on top of your email system and it uses, uh, the mach, it uses the machine learning and generative AI tools to spot when there are these sort of attacks.

They've expanded their scope as well to plug into different SaaS products.

So not just email, but following the same principles of looking for behavior that is not standard in the environment and possibly malicious.

So if I could simplify that even, um, a little bit more, these are things that we find that are important to do in every environment.

You want to have real time threat intelligence and detection.

So whether that comes from an MDR provider or something that you are managing, that's extremely important to know what's really happening, who's attacking and how are these threats evolving? We need logs to do that.

So that's the logging and alerting.

We need to patch systems when they have vulnerabilities, have good endpoint protection and have encryption for that data that even if an attacker got access to it, they would not be able to see that data.

And then we have just the fundamentals, network security with segmentation to stop the blast radius if an attack happened and user rights and restricting people to only the data that they need to have access to.

And then things like firewalls, next generation firewalls and network access control to prevent certain people from being on the network, um, following a zero trust model.

So this is like one model of how to do cybersecurity well, I think in the Google workspace, um, world, which a lot of schools use, we should also look at it from say, what are the basics that we need to do, um, for every tenant? And what are the more advanced things that we can do in each tenant? So at a basic level, you need multifactor authentication, which has been beaten over our heads for years and years that we need multifactor authentication on at least faculty accounts, admin accounts.

We need basic monitoring of the workspace to see what's happening.

Um, we need to limit third party apps that are connecting to that environment and do basic DLP where possible data loss protection of say, social security numbers and things that you don't want leaving.

Then you have the more advanced tier, which would be making sure you have backups of your Google workspace.

So even though you go to a cloud vendor and expect maybe not to have the backup that data, it's good to have your own backups.

So have their native feature vault or have a third party backup in conjunction with that.

So in case anything happens, somebody does delete all the data, an attacker gets in, you have a way to recover from that.

And then turning on some of the more advanced features like the security center, um, advanced investigations context aware access, meaning if somebody accesses something from one location or does something with data from, in a rare way that Google is able to alert you or stop that.

And then also I would say an enhanced control really just on the second tier is this, uh, email security.

So Google has great email security out of the box, but these attacks are getting extremely advanced.

So having some sort of third party tool on top of that is gonna help prevent those.

And then having some sort of cloud access security broker for the shadow and IT SaaS discovery.

So all these different tools that we're not aware of our organization using, maybe they're not sanctioned by it, somebody signed up for a third party service, we want an ability to discover those, um, SaaS services that are being used so we can bring them under security monitoring and security control.

And then we can get into the more advanced tier, which would be truly having a managed detection and response unit, whether that's a third party or your own team for Google Workspace.

So having somebody look at these alerts on a real-time basis and developing automated response workflows, so in case something does happen that there's an immediate response to lock an attacker out or reset accounts or recover data or anything like that.

And to do that, you would need something like threat intelligence and, and hunting capabilities through a sim.

So Google has Google Chronicle, which is their sim, their security information event management system, and that's where all the logs could go to so that somebody could run those detections on it, understand what's going on in the environment.

And then finally data loss protection at a higher level.

Because even at financial services organizations that I work with, this is a hard thing to achieve, but having true data loss protection capabilities is a goal to, uh, aspire to.

So across the world, this cybersecurity problem is really, um, plaguing everybody.

And because of that, there's different organizations that help develop good best practices or good standards.

Um, so it's government entities that provide services to either public businesses or, um, just businesses operating in the us And there's also nonprofits like CIS, which publishes baselines or sands, which publishes templates and training for cybersecurity professionals.

Um, and this is all guidance that we want to continue to look to, um, and that includes industry leading cybersecurity vendors because those vendors often see a lot of the different attacks and, and know what kind of attacks are coming out.

So if we look to say Microsoft, Microsoft published that article about the cloud ransomware in great detail and gave people recommendations for how to shore up their defenses.

If we look to something like Arctic Wolf, they published an article about the FortiGate zero day vulnerability and how to defend against it.

So these vendors also help.

Um, so there's lots of different avenues and just having a, so a strong supply chain is also important because we're only as strong as our weakest link often.

So if we use a SaaS product or an on-premise system that is weak, um, that could be the way that attackers get in.

So the New York State Department of Finance, N-Y-S-D-F-S, uh, published a few years ago, some guidance around ai, um, and risk management with AI and other organizations have done the same since.

But there's some things to look at with using AI and, and how to monitor it and reduce the risk of it.

So ai, social engineering attacks, as we've already talked to, are becoming more convincing.

AI powered attacks are operating much quicker.

So again, things like zero day vulnerabilities, which were hard to find in the past, are becoming easier to find.

And, um, the attack speed that when the attacker starts an attack to ends an attack is becoming even faster.

And then there's data risks.

More data's out there, um, more data's being put into these systems.

Again, especially around unsanctioned access to generative AI tools.

People are putting data in that they should not be.

And then we have supply chain gaps when vendors introduce this new technology, which is honestly totally new.

And um, it introduces new vulnerabilities into the product.

One good example of that is, um, is prompt injection attacks where, uh, you might have say copilot on your computer or something similar running, and an attacker's able to send an email that gets processed by that AI algorithm and it breaks out of the, um, guardrails of the system and is able to infect the system.

So those kind of things are rare right now, but those are, um, in principle true and will likely manifest as, um, this technology and these attackers become more mature.

And then we have the mitigations that they recommend.

So regular risk assessments, strong access controls are more important than ever.

Um, identity again is one of the number one ways that attackers are getting in.

So having MFA on helps with that AI focused cybersecurity training so people are aware of these risks and that realtime monitoring.

So I think in the end it comes down to that we really have machine versus machine here.

Um, attackers are definitely using AI to attack us.

So what are they doing? We want to understand that.

But what are our defenses that we, we can put in place through attack detection response, scripting, looking at data, um, you know, we couldn't do this by ourselves without using AI when they have AI on the other side.

And then there's also the productivity driver elements of generative AI students are learning about how to use this.

Um, there's lots of classes that teach students how to use this.

People are using it to do their work more effectively.

So we're not looking to limit the use of AI by any means, but figure out how to integrate it into the overall posture.

And overall in it we have entropy of the environment.

So if you go into a wiring closet, a lot of the times you'll see spaghetti like this.

Um, and this happens across an entire IT estate where you introduce new technology.

Um, either things become misconfigured or people leave the organization and people forget how things were configured.

And that introduces holes say in the example of the Microsoft Direct send vulnerability, even though there's a control now on that, somebody might not be aware that that control was introduced and not know to, um, make that change or things become out of date and nobody's there to patch it.

So this entropy continues to build and attackers find more vulnerabilities and are able to exploit those.

So an important thing is whether it you're fully SaaS, you know, you have a campus location, you have servers on premise, off-premise is to really understand your environment so you know where your holes are.

So that's always our strong recommendation that you have that full assessment of your environment, you understand what's out there and that, sorry, my phone was ringing there.

And that you can gimme one second and then you can, um, really understand your risks that are present in your environment.

So that being said, you want to do your own assessment of security.

Um, our recommendation would be that you have some sort of audit of your environment done by a third party that's seeing things that you don't necessarily see.

A lot of boards are requiring the same, but you know, you can ask yourself these, these questions so you can start your own assessment.

Do you have a complete asset inventory of your environment? Have you ever performed a vulnerability scan? Have you performed assessments of those vulnerabilities to see if they're true vulnerabilities or not? Have you tested your backups? Would you be able to recover from a ransomware incident? Um, have you performed an overall gap analysis of what parts of say a framework in cybersecurity you're weakened and strong in? Do you have any sort of alerting and auditing of these key events? And again, do you have multifactor authentication on your public interfaces? So important things to protect your school are to, um, really think about what are the most important functions of your school? What do you have to protect first and put the mo most resources on? How can we reduce the vulnerabilities that you have and strengthen your defenses? Um, and importantly, you know, how can you alter the environment so that you can protect your environment and maybe that you're doing things in a way.

Say you have an open network for everybody to use an open wifi network, or you have an open file share where too many people have access to how, what are the ways that you can change your environment so there's less threats of attackers that are looking at that environment or that data? And what level of control and uncertainty can your school run on under? Because cybersecurity is just a risk management practice.

Just like in finance, you have risk management and running a business you have risk management.

So, um, we don't have unlimited resources, so we have to understand what risks is my school truly willing to operate under, and which ones do we have to develop controls for.

So part of that is doing your own network assessment or having a third party look at your environment and find where are the risks, what is actually the risk that we're talking about in that case, and what are the recommendations to fix that and doing that on a continual basis.

And there's some things that are just, uh, good cybersecurity practice overall.

So I would say using frameworks for strong guidance is very important.

Um, again, organizations like CIS and nist, they publish frameworks for how to do cybersecurity, whether you have certain controls and access control or network security or physical security.

Um, and you don't have to match that control perfectly, but you have to know how you're butting up against that framework and, and how are you designing your environment.

Um, in reference to that framework, you do asset management so you understand really what's out there.

Um, having this overall risk management practice to say, you know, you are aware of these risks and you may accept those risks, mitigate those risks, or, you know, put budget in place to, um, reduce that risk.

Having detection and response tools and strong IT practices is extremely important because it's again, often that, not that you don't necessarily have the technology in place, but maybe it's misconfigured, maybe those tools are not doing exactly what they should be doing and having cultural shifts in the environment, because I could say when multifactor authentication started getting pushed out to more organizations, there was definitely resistance from the end user.

But the amount that that saved, uh, those end users and the organizations in terms of, uh, reducing the number of attacks was, uh, worth that, that cultural shift in in how people access their, their, you know, systems and data.

And then education and skill development, especially with these new tools, having people understand how to use them safely.

So if they will be continuing to use, um, say generative AI platforms that the school does not control, how do those people use those securely? Um, and finding and matching the skills needs.

So if you don't have those skills internally, or if you do have, um, additional cycles on your IT team, training them up and getting them to understand more about cybersecurity and how to detect these new threats and understanding your user base and your business, because it may be for some schools and some businesses, uh, one risk is, is acceptable, whereas another it's not.

So we have to have vigilance.

All these new threats that are out there.

The AI tools, um, are really one main focus to, to put our attention on, but also looking at how the attackers are changing over time.

There's more and more data that's breached.

And because of that, the attackers have these databases of information, databases of credentials that they're using to target you.

So every time there's a data breach, they have more and more information at their disposal to wage a better attack.

But that being said, there are similar attack patterns over time, as I showed from the Verizon data breach report in the beginning.

Um, similar attack patterns are, are used, they may change in frequency and, and how much they're being used over the years, but they're similar attack patterns.

So if we don't have a good way to defend against those now and we put those in place, then we'll be the, we'll be, um, better situated in the future.

And these attackers are constantly adapting to our improved defenses.

There's more money involved, um, for these attackers.

So they're constantly looking for ways to, um, you know, improve what they're doing.

And if we look at just generative AI and how attackers are truly using it, um, this metric here shows that as of 2024, there were a lot of mentions of generative AI in, uh, cybersecurity, or sorry, in attacker forums where they were talking about attacks, but not necessarily for how to use it alongside attacks.

But that being said, that can change anytime where attackers will start to use generative AI more and more as we've seen over the past year.

So one point is that phishing and pretexting was already pretty successful and already is still successful without all these advanced techniques.

They're still bypassing companies' controls, um, even without these tools and ransomware and malware is still bringing them a lot of money and is still effective even without these advanced techniques.

But as we continue to shore up our defenses, they'll find new ways to to breach them.

And if I can leave you with, um, one more graphic here is that this really shows here how attackers are getting in.

So this is from 2025 phishing, um, exploiting vulnerabilities on websites, credential harvesting and using credentials are the ways that attackers are most frequently getting in the size of the bar.

There on the door is the frequency which whi with which that's occurring.

And then on the bottom is the, the vectors, the ways they're getting and using desktop sharing tools or VPNs or email.

And this changes again year over year, but by understanding that, we can know where should we put our budget this year? Where should we shore up our defenses or where should we put our tech teams' attention? Should we have them be monitoring our email system more? This year or changing the way that we're getting, um, users remote access to in our environment and really understanding that will help, um, adapt to those risks.

So that's really everything that we have.

Um, I appreciate everybody's time and attention.

Um, I know we went through a lot of information, so we'll be here for the next 10 minutes if anybody has any questions.

And if you have any future questions, you can always contact me via email, um, or your account manager directly.

We had Nick on today, um, who is one of our head account managers and you can contact sales@prominent.com if, if you don't have your own account manager.

I thank you so much.

You guys did a really great job.

A lot of very meaty content in this hour.

Participants, any questions for them? Feel free to come off mute or to drop it in the chat.

Alright, with that we're gonna go ahead and stop the record..