Socially engineered attacks are sidestepping millions of dollars worth of cybersecurity systems. Simple phone calls help attackers steal access credentials and impersonate identities at will across networks.
The tradecraft behind the attacks on Clorox, MGM and many others proves that crunching real-time telemetry data faster isn’t the answer on its own. Attackers simply studied MGM employee profiles on LinkedIn, then impersonated those employees to the gambling giant’s IT helpdesk. Shutting these attempts down requires a balance between the contextual intelligence humans provide and AI-based data analysis and risk prediction.
A key takeaway from CrowdStrike’s Fal.Con 2023 conference is the importance of integrating AI and human insights at scale to battle breach attempts that are accelerating faster than cyber defenses.
“The speed at which these threat actors operate is unparalleled,” CrowdStrike president, CEO and cofounder George Kurtz told VentureBeat during Fal.Con 2023 last week. “The ability to leverage social engineering, the ability to get in, the ability to move out laterally — I think [attackers] know the network better than the system administrators know the network.”
How combining human insight and AI prevented one city from being breached
Experiencing a breach attempt and having it thwarted using AI-based predictive analysis and human insight makes CIOs and CISOs believers.
Case in point: A human in the loop recently stopped a breach of one of the fastest-growing municipalities in the southwestern U.S. after attackers obtained administrative-level privileged access credentials and attempted to breach the city’s infrastructure.
The city’s CIO, speaking to VentureBeat on condition of anonymity, explained that the city had just implemented CrowdStrike’s Falcon XDR platform with Overwatch Elite to monitor all systems and endpoints. Threat hunters on the Overwatch Elite team identified suspicious activity around 9 p.m. one evening and raised an alert. The team continued to monitor the attempted hands-on-keyboard breach activity until the CIO could be reached.
Within four hours, the CIO, IT and security teams had investigated and resolved the issue. In stopping what could have been a debilitating cyberattack, the city’s CIO said the Overwatch Elite team is force-multiplying his small team by providing real-time monitoring, reporting and interpretation of threats quickly detected by AI and ML techniques. Threat hunters continually tracked the breach attempt and saved the city’s infrastructure from a breach by providing their insight and contextual intelligence.
Generative AI cyber defenses must be learned
Training the large language models (LLMs) that gen AI relies on takes time, and it is expensive. That’s why getting it right first and integrating human and machine data is critically important.
Combining human insight with AI and machine learning (ML) models catches attack patterns, nuances and anomalies in behavior that elude numerical analysis alone. Training the models also reduces noise and extraneous data, providing greater accuracy and speed in responding to breaches.
Leading cybersecurity providers developing and delivering gen AI-based apps and tools include CrowdStrike, Cybereason, Darktrace, Fortinet, Microsoft, Palo Alto Networks, SparkCognition and Tessian.
“Based on behaviors and insights, AI and ML allow us to predict [that] something will happen before it does,” said Monique Shivanandan, CISO at global bank HSBC. “It allows us to take the noise away, focus on the real issues happening, and correlate data at a pace and a speed unheard of even a few years ago.”
Kurtz’s demonstration of Charlotte AI Investigator during his keynote illustrated how powerful gen AI can be when continually learning and assimilating new knowledge into its LLMs. CrowdStrike is well known for its large library of human-written reports (including an extensive adversary library), the depth of its data on hundreds of incident response engagements and ongoing experiences gained by the Falcon OverWatch Threat Hunting teams. All telemetry and experimental data is being captured into LLMs to help customers get the insights and knowledge they need in minutes.
Demand for external threat intelligence service providers
The Charlotte AI Investigator summarized thousands of pages from CrowdStrike intelligence reports. Included in the assessment were inactive licenses, non-compliant assets, a comprehensive list of all assets on the network and an in-depth analysis by CVE of suspicious activity and lateral movements on the network.
Forrester found that enterprises have, on average, seven commercial threat feeds, one of the factors driving demand for external threat intelligence service providers (ETISPs).
The twelve leading providers competing in this market are fast-tracking gen AI and ML algorithms to improve their speed at aggregating, analyzing and customizing threat intelligence in human- and machine-readable formats, and are improving their APIs for integration. Forrester identifies the leading ETISP companies as CybelAngel, Flashpoint, Fortinet, Google, IBM, Microsoft, Rapid7, Recorded Future, ReliaQuest, Trellix and ZeroFox.
AI is table stakes for Managed Detection and Response (MDR)
VentureBeat continues to see strong adoption of managed detection and response (MDR) services across short-staffed mid-tier financial services, government, healthcare and manufacturing organizations.
CISOs have long told VentureBeat that reduced security operations costs, improved threat detection and faster investigation and response, along with increased security expertise, make partnering with an MDR a solid business case. Additionally, service level agreements (SLAs) that include 24/7 monitoring and response, guaranteed uptime, real-time analysis of security outcomes and continued improvements in AI techniques further increase MDR value.
Integrating AI, ML and human intelligence as a service is one of the fastest-growing categories in enterprise cybersecurity. MDR spending reached $3.24 billion in 2022, achieving a 26.2% growth rate. Gartner predicts MDR will continue to see above-average market growth, achieving a compound annual growth rate (CAGR) of 25% through 2026.
Based on conversations with CrowdStrike customers at Fal.Con 2023, AI is now considered the DNA or core of an effective MDR partnership. One CISO went as far as to say that AI is table stakes for how they are evaluating MDR providers. By 2025, 50% of organizations will use MDR services that provide threat monitoring, detection and response functions on AI and ML-based platforms. By 2025, services such as pre-breach cybersecurity validation assessments and security posture advisory will be offered by 35% or more of MDR service providers.
More than 60 MDR providers compete today, with more adjacent cybersecurity services firms entering the market monthly. Each differentiates primarily on incident response capabilities and track record of stopping breaches in a specific industry.
Others differentiate themselves based on how quickly they can adopt gen AI tools and ML models to improve threat detection and response. Advisory services including OT/IoT monitoring are common, as are unique underlying threat detection technologies. Leading MDR vendors include Accenture, Binary Defense, Deepwatch, Forescout, Kudelski Security, Pondurance, ReliaQuest, Sophos, Trustwave and WithSecure.
Cyber defense is stronger when combining human insight, generative AI and speed
Cyber fighting with data alone leaves CISOs, CIOs and the organizations they serve at a disadvantage against adversaries who are sharpening their tradecraft to deliver devastating attacks at extremely fast speed. It’s not enough to rely on real-time data telemetry-based warnings of anomalous behavior or breaches.
Cybersecurity needs human insight from experienced threat hunters. While cybersecurity professionals express concern over AI taking their jobs, there’s paradoxically never been a time when they have been more necessary. Sophisticated social engineering attacks focusing on an organization’s most vulnerable threat vector — people — will continue to grow.
When a phone call can bring down a casino for days, there’s much more work to be done to combine human insight and AI.