By Imperva Executives: Karl Triebes, Lebin Cheng, Peter Klimek, Lynn Marks, and Terry Ray
The emergence of generative AI has put new resources in the hands of both attackers and defenders, and in 2024, Imperva believes the technology will have an even greater impact. Understanding how attackers are leveraging the technology will be critical for organizations seeking to keep themselves—and their data—protected.
In this piece, our experts and thought leaders will explore the ways in which organizations will evolve to address the emerging challenges associated with generative AI, API vulnerabilities, and the ever-changing security market.
Generative AI Disrupts the Cyber Threat Landscape
Karl Triebes, Imperva SVP and General Manager, Application Security, says it’s easy to envision a future where 70% or even 80% of all web traffic comes from bots. He notes that one of the biggest factors driving that growth will be generative AI solutions, which operate by using automated web crawlers to scrape websites and collect information from across the internet.
As both businesses and individual users grow more comfortable using generative AI, there will be a significant spike in activity associated with those crawlers. Imperva Senior Product Manager Lynn Marks agrees, noting that data scraping is “becoming more of an issue for organizations” as their data is used to train the large language models (LLMs) that inform generative AI tools.
Triebes points out that generative AI will make its presence felt in other areas, as well—including a shift toward AI-based coding in the future. Director of Technology within the Office of the CTO Peter Klimek agrees and says that “new and/or junior developers will benefit greatly” from AI-enabled development tools, increasing productivity and output by automating routine tasks. However, he acknowledges that those same tools will “help script kiddies graduate into skilled hackers capable of carrying out more complex exploits.” In the near term, Triebes believes generative AI will primarily be used to perpetrate fraud.
“It will be much easier for fraudsters to masquerade as somebody else—at least online,” explains Triebes. “AI will lead to a new breed of fraud and social engineering attacks. A fraudster could scrape the internet for information about you and then weaponize a voice recording of you. Through generative AI, they can create a pseudo version of you. If they package that effectively, they could contact your bank and request a password reset.”
Ron Bennatan, Imperva Fellow, Data Security, agrees. He expects to see an increase in attacks as attackers leverage AI to fool their victims, noting, “because LLMs are so good at both understanding humans and creating text communications that really look like they were created by humans, attackers will be able to target and ‘hack’ individuals far better than before.”
Alan Ryan, AVP, UK & Ireland, notes that as attackers invest in AI, so too must defenders. Bad actors are investing heavily in AI in an attempt to gain an upper hand over defenders, which means organizations need to ensure they are investing in these solutions as well. Ryan says AI doesn’t necessarily “change the balance of ‘good vs. evil,’” but instead just represents the next evolution of the ongoing cat and mouse game between attackers and defenders.
API Security Will Take on Greater Prominence
As attackers target APIs with greater regularity, organizations will be forced to take a more proactive approach toward identifying, classifying, and protecting all API endpoints in production. This is particularly true for large organizations: enterprises with a revenue of at least $100 billion USD are between three and four times more likely to experience API insecurity than small or midsize businesses.
Unfortunately, while API ecosystems are expanding rapidly, most organizations are still in the early stages of understanding how to effectively protect them. Although it’s common for today’s businesses to have between 50 and 500 APIs in production, many don’t know where they are deployed or what data they are accessing. That puts the organization, and its valuable data, at extreme risk.
Peter Klimek says “most organizations are still in the early stages of understanding API security and don’t yet have a nuanced strategy for protecting their APIs.” Further, he believes organizations “haven’t implemented the right defenses or controls in place to manage identity and access management.”
Lebin Cheng, VP, API Security, Imperva, believes that will start to change this year. “In 2024, as pressure to mitigate API-related security incidents continues to grow, security leaders will look for, and invest in, solutions that integrate seamlessly into their existing Application Security technology stack,” says Cheng. “This approach will give organizations a more coordinated and unified view of automated threats that target APIs and critical applications—all of which connects to data stores where the businesses’ data is located.”
Alan Ryan predicts that relying on homegrown, in-house API and bot management will be a “risky strategy” as automated attacks become more sophisticated and adept at evading simple defenses. According to Ryan, global vendors have an opportunity to leverage the vast amount of data they collect from millions of endpoints around the world to provide customers with the actionable insights they need to effectively defend themselves against modern threats.
How Organizations Approach Data Security Will Change
In 2024, businesses won’t just continue to invest in the same old solutions—they will increasingly look to innovate in ways that help them stand out from their competitors. Many will invest in new analytics capabilities or leverage new or expanded cloud workloads—and they will assume the risk that comes along with them.
Dan Neault, SVP and GM of Data Security, believes organizations will need to explore new data security technologies that can “help them understand and manage their data risk and actually make their overall IT more secure.” Neault also points out that the rise of hybrid and multicloud environments makes it even more imperative for customers to have effective data security protection, insights, and risk mitigation across all of these systems.
There will also be a shift toward consolidation. Moshe Lipsker, SVP, Product Development, states that industry consolidation will lead to a rise in comprehensive solutions, creating end-to-end solutions that empower CISOs to “deliver a layered model of protection.”
Terry Ray, SVP, Data Security GTM and Field CTO, agrees, pointing out that “niche and single solution products and vendors find themselves increasingly in demand for acquisition and partnerships as consumers look to answer data security and regulatory requirements while minimizing necessary expertise, costs, and effort.” Ray expects consumers to see “rapid increases in enterprise data asset coverage, decreased skill requirements, and better collaboration between technologies that were traditionally segmented.” For most businesses, that’s good news—consolidation will allow them to streamline their security solutions and rely on fewer vendors.
Adapting for a Continued Change
The continued rise of generative AI and increased focus on API security will be trends to watch in 2024, as will the consolidation of the security market and shift in the way organizations approach data security. We look forward to having further discussions with our partners and customers to see what their biggest concerns and priorities are as we move into 2024.
About the Authors
Lebin Cheng is a technologist and serial entrepreneur with more than 20 years of experience in cybersecurity. Cheng cofounded Netskope and later cofounded CloudVector, acquired by Imperva. He was awarded 15 patents in areas such as network security, application infrastructure and API inspection. He holds an MBA degree from the Haas School of Business at the University of California Berkeley and an MS in Computer Science from Purdue University. Lebin can be reached online at LinkedIn.
Karl Triebes is a technology leader who has helped some of the world’s largest organizations conceive and build products, services, and businesses for networking, application software, storage, and cloud. As Senior Vice President and General Manager, Application Security, he oversees product roadmap and go-to-market strategy for the Imperva Application Security portfolio. Prior, he was Executive Vice President of Product Development and CTO at F5. Triebes has held senior leadership positions with Amazon Web Services, Foundry Networks, and Alcatel. Karl can be reached online at LinkedIn.
Peter Klimek is a Director of Technology within the Office of the CTO at Imperva. Peter works closely with customers around the world, helping them protect their applications and data from complex and emerging security threats. Prior to Imperva, Klimek held roles at Kaspersky, TransUnion, and Zebra Technologies as a solutions architect, security analyst, and engineer. Peter holds a Bachelor of Science in Computer Engineering from the University of Illinois at Chicago. Peter can be reached online at LinkedIn.
Lynn Marks is Senior Product Manager at Imperva, overseeing the product and innovation roadmap for Imperva Advanced Bot Protection and Imperva Client-Side Protection. With more than 10 years of B2B security product experience, Marks helps customers protect their applications and websites from online fraud and other security threats. Prior to Imperva she was product manager at Model N and Distil Networks (acquired by Imperva). She holds a Bachelor’s Degree in Economics from UC Santa Barbara. Lynn can be reached online at LinkedIn.
Terry Ray is SVP Data Security GTM, Field CTO and Imperva Fellow at Imperva Inc. As a technology fellow, Terry supports all of Imperva’s business functions with his years of industry experience and expertise. Previously he served as Chief Technology Officer where he was responsible for developing and articulating the company’s technical vision and strategy, as well as maintaining a deep knowledge of the Application and Data Security Solution and Threats Landscape. Terry can be reached online at LinkedIn.