How combining human expertise and AI can stop cyberattacks

Chief information security officers’ (CISOs) greatest challenge going into 2022 is countering the speed and severity of cyberattacks. The latest real-time monitoring and detection technologies improve the odds of thwarting an attack but aren’t foolproof. CISOs tell VentureBeat that bad actors avoid detection with first-line monitoring systems by modifying attacks on the fly. That’s cause for concern, especially with CISOs in financial services and health care.

Enterprises are in react mode

Enterprises fail to get the most value from threat monitoring, detection, and response cybersecurity strategies because they’re too focused on data collection and security monitoring alone. CISOs tell VentureBeat they’re capturing more telemetry (i.e., remote) data than ever, yet are short-staffed when it comes to deciphering it, which means they’re often in react mode.

Enterprises need to be more aggressive about disrupting threats before they impact operations. To do that, CISOs, and the CEOs and boards they report to, need to see cybersecurity spending as a business investment, not just a cost center. VentureBeat spoke with CISOs who say the challenges to becoming preemptive in disrupting potential threats include budget constraints, recruiting experienced cybersecurity analysts with expertise in threat analysis tools, and scaling zero trust across new machine identities and endpoints. These factors, combined with the severity and speed of cyberattacks, lead enterprises to integrate Managed Detection & Response (MDR) into their broader cybersecurity and IT strategies. In addition, CISOs and cybersecurity teams are prioritizing MDRs that can integrate immediately with their technology stacks using APIs to extend and broaden current IT tech stacks and infrastructure.

Threat learning needs to scale faster

Even the most advanced AI and machine learning-based threat monitoring and response systems need time to interpret, learn, and defend against new attack patterns. Structured machine learning algorithms that rely on convolutional neural networks help reduce the latencies. However, bad actors are improvising attack techniques faster than AI and ML techniques can react.

MDRs see a market opportunity to close the detection and visibility gaps growing in enterprises by providing experienced threat analysts as a service. They’re recruiting these analysts to strengthen real-time monitoring and detection with human expertise to quickly identify complex anomalies. The rapidly growing number of MDRs targeting this problem in enterprises suggests that human analytics identifies anomalies and nonlinear interlinks in data with greater accuracy, preventing breaches, complex cyberattacks, sophisticated ransomware attacks, and automated attacks by gaining privileged access credentials.

In its recent Market Guide for Managed Detection and Response Services, Gartner defined the role of MDRs as providing “detection and response services, providing customers with remotely delivered modern security operations center (MSOC) functions. These functions allow organizations to rapidly detect, analyze, investigate, and actively respond through threat mitigation and containment. MDR service providers offer a turnkey experience, using a predefined technology stack (covering areas such as endpoint, network and cloud services) to collect relevant logs, data, and contextual information.” Gartner’s definition of MDR and adjacent services prioritize getting data and analytics, threat intelligence, and reporting right in real-time to avert attacks on a 24/7 basis, as its diagram below illustrates.

Above: At a minimum, MDRs need to provide and manage an extensible (ideally API-based) secured tech stack their customers can integrate with to achieve real-time threat monitoring, detection, and attack deterrence.

Image Credit: Gartner

Cybersecurity gaps fuel a growing market

Gartner’s study on emerging technologies predicts the worldwide MDR market will reach $2.15 billion by 2025, up from $1.03 billion in 2021 – a compound annual growth rate of 20.2%. Gartner says inquiries from clients grew 95% between 2019 and 2020, with larger enterprises leading evaluation and adoption. Gartner’s emerging technologies report also cites the growing sophistication of cyberattacks, shortages of skilled personnel, and growing regulatory requirements driving the market growth. These factors contribute to the widening cybersecurity gaps enterprises face today because they can’t react fast enough to threats.

451 Research’s Market Insight Report, Coverage Initiation: Pondurance Takes a Risk-Based Approach to MDR, predicts the security services market to exceed $24.3 billion by 2025. MDR is one of the fastest-growing security service markets, attracting o providers such as Alert Logic, Arctic Wolf, Armor, AT&T, Atos, Binary Defense, Blackpoint Cyber, BlueVoyant, Booz Allen Hamilton, Critical Insight, CrowdStrike, CSIS, Cybereason, F-Secure, Fidelis Cybersecurity, IBM, Kudelski Security, Mnemonic, NCC Group, NTT, Open Systems, Orange Cyberdefense, Pondurance, Secureworks, SentinelOne, Sophos, Trustwave, Verizon, Viking Cloud, VMware, and many others.

Stopping attacks with human insight and AI

MDRs differentiate themselves on their committed service levels and the extensibility and scale of their tech stacks. However, Pondurance, a noteworthy competitor, recently announced a new cyber risk assessment solution that combines insights from cyber experts and an innovative technology platform to reduce the risk of a breach and improve cyber resilience. Pondurance claims that its Cyber Risk Assessments tool identifies gaps in cybersecurity coverage on integrated dashboards enterprises can use to reduce the risks of breaches and ransomware attempts. Based on their track record of identifying threats across cloud platforms, networks, users, applications, endpoints, and traditional log data, Pondurance says this new solution combined with its foundational MDR services will help organizations take both a proactive, offensive approach and a reactive, defensive approach to improve their security posture and stop cyberattacks. Last June, Pondurance acquired Bearing Cybersecurity, an advisory and assessment services provider. As a result, their flagship cloud-based platform, MyCyberScorecard, is now integrated into Pondurance solutions to help achieve its mission to enable every organization to detect and respond to cyber threats – regardless of size, industry or current in-house capabilities – with people and technology.

Above: The Scope platform enables the Pondurance MDR team of analysts and its clients to detect and respond to threats and take action on remediation recommendations.

Image Credit: Pondurance

Lyndon Brown, chief strategy officer at Pondurance, said that “as organizations rapidly move towards a largely remote distribution model, and are increasingly adopting cloud services, visibility has become tough to maintain and gain.” The need to not just look at logs, but also across various vantage points and understand what’s happening in the enterprise is a big challenge. Lyndon also says that organizations have realized that looking across their networks and endpoints and looking for threats that may already be in the environment is also an increasingly important requirement.

Pondurance says its Cyber Risk Assessments powered by MyCyberScorecard also enable collaboration between business and system owners to bridge the gap between policies, controls, and operations. In addition, Pondurance cyber risk experts can communicate recommendations directly in MyCyberScorecard, helping clients prove to regulators and insurance providers that they are making real progress in mitigating their cyber risks. Their approach also lays the groundwork for more comprehensive assessments, such as NIST Cybersecurity Framework (CSF), NIST 800-53, NIST 800-171, Cybersecurity Maturity Model Certification (CMMC), New York State Department of Financial Services (NYDFS), National Association of Insurance Commissioners (NAIC) data law, third-party risk, and others in the future.

Eliminating the source of an attack

Identifying and eliminating the source of an attack at scale requires rethinking how automation dominates the MDR landscape today. Even the best AI and ML-based real-time monitoring and detection technologies can’t keep up with how quickly bad actors reinvent attack strategies on the fly. Instead, CISOs the intuitive insight of cybersecurity analysts combined with the best possible insights AI and ML-based real-time monitoring tools and technologies can provide. As the MDR competitive landscape matures, look for hybrid approaches that combine human expertise and AI to become more prevalent.