- AI agents are moving from on-prem and in the cloud to on-device, creating more traffic and a larger attack surface
- F5’s Jimmy White said AI can help identify complex vulnerabilities faster, but human experts are still essential to validate fixes
- As enterprises use AI more heavily for coding and operations, White argues they’ll need layered defenses
Two subtle things happened this week that drastically changed the AI threat landscape. Did you catch them?
One of the shifts in question came out of Computex Taipei where Nvidia announced a new RTX Spark chip that will allow AI to run directly on Windows laptops. The other was Cloudflare’s revelation that agentic AI usage of the internet has now surpassed human traffic for the first time.
Put them together and these mean that not only will AI be running in more places – on-prem, in the cloud and on countless laptops, thus generating more traffic as data flows between those environments – but there are also more agents that can be used for nefarious purposes. Living in a post-Mythos world where AI can be used to find critical security vulnerabilities in hours rather than weeks, you can see why those two things might cause a problem, especially for the telcos ferrying sensitive data across their networks.
“I’m confident telcos will deal with the scale [problem],” F5 VP of AI Jimmy White told Fierce, pointing to their previous response to spikes in traffic during the Covid-19 pandemic. “Where that scale gets tricky is it’s not just dealing with the volume of traffic, it’s dealing with all of that traffic being a target for attack… That’s where it gets really challenging.”
Fighting AI with AI and human oversight
But there is hope. White noted that while AI models like Mythos and OpenAI’s Cyber are allowing attackers to move faster, they’ve also given defenders a powerful new weapon.
Models like Mythos are good at spotting two types of vulnerabilities: bad coding practices and chained events. The latter refers to attacks that can be launched by following a certain series of steps in a certain order. These, White said, are incredibly hard for humans to detect.
The good news is that enterprises can use AI to find these vulnerabilities before attackers do. But White said the biggest misconception in the market is that AI is a cure-all and that humans aren’t needed.
“You still need a human being to understand the fix,” White said. “So, what attack’s happening, how to fix it, if that fix causes other vulnerabilities or damages how the application works or breaks the business logic, because your AI system won’t understand” the usage and the patterns of issues users have since it’s only looking at the code.
He continued: “If you were to lay off a bunch of people and then your AI found a vulnerability and it suggested a fix. To deploy that without an expert, an SME, looking at it, you could actually be making the problem worse.”
Is AI coding helping or hurting security?
One of the most common use cases for AI is coding, with enterprises across the board turning to AI to speed development. But White warned that blindly using AI for this purpose can increase the risk of introducing chained event vulnerabilities.
Why? Well, traditionally, code would be written by one engineer and then reviewed and improved by one or two others to produce a stronger end result. Now, AI is being used to not only write but also review code. And while the quality of the resulting code is usually quite good, it can actually end up being rather complicated. And that’s a problem.
“Sometimes the complexity of that code is such that an engineer doesn’t understand it or doesn’t understand the ramifications downstream to other code,” White said. “And that’s where the chained events come in, and humans are really bad at finding chained security causes.”
In the end, “by creating products with AI, you are increasing the need to secure them with AI.”
Building a new stronghold
So, what does a modern security lineup need to include? White said there are three key elements.
First, they need a solid web application and API protection (WAAP) layer to guard against traditional attacks. Second, they also need DDoS protection, especially since agentic attacks operating at scale can mimic DDoS threats. And third, they need a layer of AI protection.
“Once you’ve got those three things in place, you now have a situation where you can run at scale, your customers can use your products at scale, and you’re protecting against those threat actors who unfortunately now have the ability to attack asymmetrically,” he concluded.