Lasso Security Unveils Innovative Solutions for Securing Large Language Models (LLMs)

The Naivety of Large Language Models in Cybersecurity

Despite their complexity, large language models (LLMs) often demonstrate surprising naivety in cybersecurity matters. With a clever series of prompts, they can inadvertently reveal sensitive information, generate malicious code, or develop biased outputs, raising serious ethical concerns.

Elad Schulman, cofounder and CEO of Lasso Security, emphasizes this danger: “As powerful as they are, LLMs should not be trusted uncritically. Their advanced capabilities make them susceptible to numerous security vulnerabilities.” Lasso Security, which recently launched with $6 million in seed funding from Entrée Capital and Samsung Next, aims to tackle these challenges. “The LLM revolution may surpass both the cloud and internet revolutions combined. With significant advancement comes substantial risk.”

Security Concerns: Jailbreaking, Data Leaks, and Poisoning

LLMs have quickly become essential for businesses seeking a competitive edge. However, their conversational and unstructured nature makes them easy targets for exploitation. By manipulating prompts through techniques like prompt injection or jailbreaking, these models can disclose their training data and sensitive organizational information.

The risks are not limited to deliberate attacks. Misuse by employees, as seen with Samsung's decision to ban generative AI tools after data leaks, underscores the potential for accidental data exposures. Schulman notes, “Since LLM-generated content can be influenced by prompt input, users may gain unintentional access to additional functionalities of the model.”

Data poisoning presents another major issue; tampered training data can introduce biases that jeopardize security and ethical standards. Furthermore, insufficient validation of LLM outputs can lead to critical vulnerabilities. According to OWASP, unmonitored outputs can expose systems to serious threats like cross-site scripting (XSS), cross-site request forgery (CSRF), and remote code execution.

OWASP highlights additional concerns, such as model denial of service attacks, where attackers overload LLMs with requests, causing service disruptions, and vulnerabilities stemming from third-party components within the software supply chain.

Caution Against Over-Reliance

Experts stress the dangers of relying solely on LLMs for information, which can lead to misinformation and security breaches. For instance, during a process called “package hallucination,” a developer might ask an LLM to suggest a specific code package, potentially receiving a fictitious recommendation. Malicious actors can then create harmful code to exploit that hallucination, granting them access to company systems.

“This misuse exploits the trust developers place in AI-driven recommendations,” Schulman warns.

Monitoring LLM Interactions for Security

Lasso’s technology intercepts interactions between employees and LLMs like Bard and ChatGPT, as well as integrations with tools such as Grammarly and IDE plugins. By establishing an observability layer, Lasso captures and analyzes data sent to and from LLMs, employing advanced threat detection techniques to identify anomalies.

Schulman advises organizations to first identify what LLM tools are in use, then analyze their applications and purposes. “These actions will prompt critical discussions about necessary protections,” he states.

Key Features of Lasso Security

- Shadow AI Discovery: Identify active tools, users, and insights.

- LLM Data-Flow Monitoring: Track and log all data transmissions in and out of the organization.

- Real-Time Detection and Alerting: Immediate insights into potential threats.

- Blocking and Protection: Ensure that all prompts and generated outputs align with security policies.

- User-Friendly Dashboard: Simplify monitoring and management of LLM interactions.

Harnessing Technology Safely

Lasso distinguishes itself by offering a comprehensive suite focused specifically on LLM security rather than a single feature. Schulman notes, “Security teams gain control over every LLM interaction, enabling them to create and enforce tailored policies.”

Organizations must embrace LLM technologies securely, as outright bans are unsustainable. “Without a dedicated risk management strategy, enterprises that fail to adopt generative AI will be at a disadvantage,” Schulman explains. Ultimately, Lasso seeks to provide the necessary security tools for organizations to leverage cutting-edge technology without compromising their security posture.