Artificial Intelligence (AI) is one of our greatest and most important tech innovations, projected to reach $38.2 billion by 2026. As security service providers focus on beefing up their solutions with AI, criminals are employing AI to remain one step ahead, devising ways to outsmart cybersecurity tools and enabling malware to evade detection. To truly combat the threat of bad actors exploiting AI, enterprises must ensure that their cyber defenses combine human knowledge with AI, rather than rely on AI alone.
It is crucial to keep traditional cybersecurity models in place to complement AI as hackers still resort to the tried-and-true tricks that have proven successful in the past – while security professionals are busy thinking of newer methods these attackers might employ. Ensuring that cybersecurity is top-notch for all types of threats is key to fighting AI-based attacks.
Advanced Speed and Scale, Pivoting
The major advantage that AI-based attacks have over traditional attacks – like phishing, login credential theft through password spraying, and adding malicious code to vendor software – is speed. Threat actors have started to use AI because it allows them to change tactics more quickly to avoid detection and to pivot from one tactic to another once they breach a system and establish their foothold on a network.
With the introduction of AI to a threat actor’s playbook, the world of attacks, especially due to remote work models where perimeters are impossible to secure and critical assets are easier to breach, has evolved in the last few years. AI-based attacks can therefore be carried out at a vast scale with detrimental effects on an organization. Security service providers have rushed to keep up with these attacks by employing AI, but the insights and intuition of veteran security analysts remain essential as the machines in “machine learning” (ML) are far from infallible. AI may yield false-positive alerts and it is not advanced enough to account for what is highly specific to an organization’s environment, which is what human engineers can determine.
An Approach That Ups the Security Ante
Many organizations have discovered that by partnering with service providers that help them detect and respond to threats and handle multiple approaches to security simultaneously, they can stress less about potential breaches. This approach combines human engineer expertise with AI, continually refining methods to combat cybercriminals. Managed detection and response can also ensure that there is 24/7 support from a team of seasoned professionals on the lookout for threats that are both AI-based and more traditional. The round-the-clock aspect is majorly beneficial as hackers know when to attack and do so when most of the world is asleep or on an “off day” when no one is looking (i.e., Christmas Eve).
Managed detection and response works optimally with a mission-driven approach to cybersecurity. This means that because the stakes are high, security should run like a space mission with repeatable measures, bridging the silos of IT and security and going beyond detection and alerting, to mitigation, prevention, and resilience – delivering true cybersecurity maturity improvements. It also involves a step-by-step process with every action in service of the outcome, addressing critical security challenges rather than drowning customers in an abundance of distracting alerts.
The tactics for defense against an AI-based attack are like those necessary for other types of attacks, but with the crucial added component of keeping up with the pace of threat actors and figuring out how to remain one step ahead. This requires a continual evolution of methods to match the attacker’s ways of outsmarting and bypassing security, developing a single source of truth in the environment for sensing suspicious behavior, and focusing on data enrichment for meaningful insights and information about attacks.
A Vicious Cycle That Involves Measure for Countermeasure
The biggest challenge with AI attacks is their vicious cycle; cyber criminals continuously devise faster methods to attack in response to a security provider figuring out faster ways to detect and respond. And so on. Cybersecurity complemented with managed detection and response consists of devising the best countermeasures to attacks and breach attempts at the highest levels.
To fully account for all types of breaches – from the most traditional to those that involve AI – the security provider should go beyond detection and response to operate like NASA’s Mission Control, with everything focused on the outcome.
Fully Operationalizing Cybersecurity with Five Steps
To fully operationalize cybersecurity, protecting organizations from AI-based attacks and traditional attacks simultaneously, an approach that integrates managed detection and response should consist of five key factors:
The first is having a mission in service of the outcome. While it is easy to get buried in the details and tactics, everything needs to tie back to that higher-level objective – the result.
As mentioned earlier, knowing the environment is key and it is the next step because one cannot secure what one does not understand. With each organization, there are different points where an unauthorized user can try to enter or extract data (attack surfaces). An analyst needs to be aware of where these points are to create a strategic protection plan aimed at decreasing them. The analyst must also be familiar with where critical assets are located and know what is considered normal (versus abnormal) activity for that specific organization to flag any suspicious activity. As mentioned earlier, the danger of fighting AI solely with AI is that a machine doesn’t understand the specific environment of an organization the way a human does and that’s why it’s so important to have the most skilled engineers complementing AI and always on the lookout.
The third step is collaboration. Protecting an organization, mitigating threats -especially those that can happen with intense speed and at a vast scale due to AI – and reducing risk takes active collaboration between teams. Security needs to keep on top of vulnerabilities, working with IT to get them patched. IT needs to enable the business to partner with the security team to ensure that users and resources are safe. But to deliver on the mission, it takes executives to prioritize efforts. It takes finance to allocate budgets and third parties to deliver specialized incident response (IR) services.
Next, there needs to be a system. This entails developing a process that ties everything together to achieve the outcome, knowing exactly where people and technology fit in, and implementing tools strategically as the final piece of the puzzle. Wherever possible, organizations and their cybersecurity service providers should leverage the built-in security capabilities of their infrastructure (i.e., Microsoft Defender, Azure Firewall, Active Directory), lessening the need for excess tools that can overwhelm an organization and distract them from the mission. InfoSec teams need to start thinking about how to develop systems that allow them to focus on only the most important incidents.
The final step is measurements, which should not only consist of backward-facing metrics but predictive ones indicating preparedness to defend against future attacks. To measure the effectiveness of security posture, the scope of measurement should go beyond mean time to detect and mean time to respond (MTTD/MTTR) to include metrics like how many critical assets are not covered with endpoint detection and response (EDR) technologies and how long it takes to identify and patch critical systems. These metrics require a deep understanding of the attack surface and the organization’s operational realities.
For most organizations, executing cybersecurity strategies in a time of evolving risks that include AI-based attacks is difficult due to a lack of resources and time. This is where the five-step approach to fully operationalized cybersecurity makes an incredible impact, helping to deliver high-speed cyber defense matching the craftiest and most evolved attacks. By arming an organization with technology, people, and processes to always remain one step ahead of attackers, an organization’s security posture can be transformed. This will ensure that it’s equipped to handle any type of threat, from the most traditional to the newest and most sophisticated.
Attackers will continue to employ all types of attacks and a team that combines its security efforts with this approach operates by keeping that important fact in mind.
