How hybrid cybersecurity is strengthened by AI, machine learning and human intelligence
By Louis Columbus
Human intelligence and intuition are vital to training artificial intelligence (AI) and machine learning (ML) models to provide enterprises with hybrid cybersecurity at scale. Combining human intelligence and intuition with AI and ML models helps catch the nuances of attack patterns that elude numerical analysis alone.
Experienced threat hunters, security analysts and data scientists help ensure that the data used to train AI and ML models enables a model to accurately identify threats and reduce false positives. Combining human expertise and AI and ML models with a real-time stream of telemetry data from enterprises’ many systems and apps defines the future of hybrid cybersecurity.
“Based on behaviors and insights, AI and ML allow us to predict [that] something will happen before it does,” says Monique Shivanandan, CISO at HSBC, a global bank. “It allows us to take the noise away and focus on the real issues that are happening, and correlate data at a pace and at a speed that was unheard of even a few years ago.”
Hybrid cybersecurity is becoming a service that enterprises need
Integrating AI, ML and human intelligence as a service is one of the fastest-growing categories in enterprise cybersecurity. Managed detection and response (MDR) is the service category that capitalizes most on enterprises needing hybrid cybersecurity as part of their broader risk management strategies. Gartner fielded a 35% increase in related inquiries from its clients. Moreover, it projects that the MDR market will reach $2.2 billion in revenue in 2025, up from $1 billion in 2021, attaining a compound annual growth rate (CAGR) of 20.2%.
Gartner also predicts that by 2025, 50% of organizations will use MDR services that rely on AI and ML for threat monitoring, detection and response functions. These MDR systems will increasingly rely on ML-based threat containment and mitigation capabilities, strengthened by the skills of experienced threat hunters, analysts and data scientists, to identify threats and stop breaches for clients.
Effective against AI and ML attacks
Hybrid cybersecurity continues to escalate in priority in organizations that don’t have enough AI and ML modeling specialists, data scientists and analysts. From small, fast-growing businesses to mid-tier and large-scale enterprises, CISOs whom VentureBeat interviewed pointed to the need to defend themselves against faster-moving, lethal cybercriminal gangs that are gaining AI and ML skills faster than their own teams are. “We champion a hybrid approach of AI to gain [the] trust of users and executives, as it is very important to have explainable answers,” said AJ Abdallat, CEO of Beyond Limits.
Cybercriminal gangs with AI and ML expertise have shown they can move from the initial entry point to an internal system within one hour and 24 minutes of the initial time of compromise. The CrowdStrike 2022 Global Threat Report noted more than 180 tracked adversaries and a 45% increase in interactive intrusions. In this environment, staying ahead of threats is not a human-scale problem. It demands the potent combination of machine learning and human expertise.
AI- and ML-based endpoint protection platforms (EPPs), endpoint detection and response (EDR), and extended detection and response (XDR) are proving effective at quickly identifying and defending against new attack patterns. However, they still require time to process and learn about new threats. AI- and ML-based cybersecurity platforms use convolutional neural networks and deep learning to help reduce this latency, but cyberattackers still develop new techniques faster than AI and ML systems can adapt.
That means even the most advanced threat monitoring and response systems on which enterprises and MDR providers rely struggle to keep up with cybercriminal gangs’ constantly evolving tactics.
For MDRs and CISOs to manage hybrid cybersecurity well, finding the right talent is the key to success. “It’s not just about building models but [about] maintaining, growing, evolving and understanding them to avoid bias or other risks,” says HSBC’s Shivanandan.
MITRE’s first-ever closed-book MITRE ATT&CK Evaluations for Security Service Providers validates MDRs’ effectiveness at providing hybrid cybersecurity protection using AI and ML models. The goal of the ATT&CK evaluation is to test a provider’s ability, accuracy and readiness to identify and stop a breach attempt without the provider knowing when and how it will occur. Stress-testing MDR platforms with no warning to participants can provide CISOs with real-world guidance on how MDR systems perform in actual attack situations.
Leading MDR providers that offer AI and ML modeling and have a large base of expert threat hunters, analysts and data scientists include Darktrace, CrowdStrike, McAfee and Broadcom/Symantec. CrowdStrike combines its Falcon OverWatch Service with a series of AI- and ML-based modeling and reporting services, including its agent-based ML, cloud-native ML and AI-Powered Indicators of Attack (IOAs).
Human intelligence improves AI and ML model performance
Combining human intelligence with supervised, unsupervised and semi-supervised machine learning algorithms improves model accuracy, reducing the probability of false positives and closing gaps hidden in the massive amount of data that models are trained with. “We don’t let the machine learning algorithms run without humans,” says Shivanandan. “We still need that human presence to evaluate and adjust our model based on actual things happening.”
MDR providers’ experienced threat hunters, analysts and data scientists regularly provide labeled data for training supervised AI and ML algorithms. This ensures that a model can accurately classify different types of network traffic and identify malicious activity. These threat hunters also provide guidance and oversight to ensure that the model learns the correct patterns and accurately distinguishes among different types of threats.
“Supervised learning is a powerful way to create highly accurate classification systems — systems that have high true-positive rates (detecting threats reliably) and low false-positive rates (rarely causing alarms on benign behavior),” CrowdStrike’s Sven Kresser wrote in a recent blog post.
Unsupervised algorithms are also fine-tuned with human intelligence by managed detection and response professionals, who regularly review and label the patterns and relationships discovered by each algorithm. This helps improve each predictive model’s accuracy and ensures it can identify unusual or anomalous behavior that may indicate a threat.
Similarly, semi-supervised algorithms are being trained using a combination of labeled data provided by threat hunters and unlabeled data. This enables analysts and data scientists to provide guidance to and oversight of the model, while gaining the advantage of using larger datasets.
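The three training modes described above (supervised training on analyst labels, unsupervised anomaly detection, and semi-supervised retraining that mixes analyst verdicts with pseudo-labels) can be shown end to end in a few dozen lines. The following is an added example written for this page; it is not code from the article or from any vendor named in it. The three telemetry features, the nearest-centroid model, the z-score threshold, the confidence cutoff for pseudo-labels and every event vector and analyst verdict are constructed assumptions chosen so the example runs offline with only the Python standard library.

```python
from math import sqrt
from statistics import mean, pstdev

# Every event is a vector (failed_logins, mb_out, new_procs): constructed
# features for this example, not any vendor's telemetry schema.

# Constructed analyst-labeled events used for the supervised step.
LABELED = [
    ((1, 5, 2), "benign"), ((0, 8, 3), "benign"), ((2, 6, 1), "benign"),
    ((30, 400, 25), "malicious"), ((25, 350, 30), "malicious"),
]
# Constructed unlabeled stream; the last event is the only outlier.
UNLABELED = [(1, 7, 2), (0, 4, 3), (2, 9, 1), (1, 6, 2), (1, 4, 2), (40, 900, 60)]
# Constructed analyst verdicts for whatever the anomaly step flags.
VERDICTS = {(40, 900, 60): "malicious"}
# Constructed held-out set for measuring true- and false-positive rates.
TEST = [((1, 6, 2), "benign"), ((3, 12, 4), "benign"),
        ((35, 500, 40), "malicious"), ((20, 300, 20), "malicious")]


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def train_centroids(labeled):
    """Supervised step: the model is one centroid per analyst-provided label."""
    by_label = {}
    for vec, label in labeled:
        by_label.setdefault(label, []).append(vec)
    return {label: tuple(mean(col) for col in zip(*vecs))
            for label, vecs in by_label.items()}


def predict(centroids, vec):
    """Nearest-centroid label plus a confidence in [0.5, 1]: 1 means the event
    sits on a centroid, 0.5 means it is equidistant from the two nearest."""
    scored = sorted((dist(vec, c), label) for label, c in centroids.items())
    (d_best, label), (d_next, _) = scored[0], scored[1]
    total = d_best + d_next
    return label, (1.0 if total == 0 else 1 - d_best / total)


def flag_anomalies(baseline, stream, z_threshold=3.0):
    """Unsupervised step: z-score each feature against the benign baseline and
    flag any event whose largest per-feature deviation crosses the threshold."""
    cols = list(zip(*baseline))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]  # guard against a constant feature
    return [vec for vec in stream
            if max(abs(x - m) / s for x, m, s in zip(vec, mu, sd)) >= z_threshold]


def analyst_review(flagged, verdicts):
    """Human step: flagged events become labeled data only once an analyst
    has given a verdict; unreviewed events are never treated as labels."""
    return [(vec, verdicts[vec]) for vec in flagged if vec in verdicts]


def self_train(labeled, unlabeled, min_confidence=0.9):
    """Semi-supervised step: pseudo-label only the unlabeled events the current
    model is confident about, then retrain on labeled + pseudo-labeled data."""
    centroids = train_centroids(labeled)
    pseudo = []
    for vec in unlabeled:
        label, conf = predict(centroids, vec)
        if conf >= min_confidence:
            pseudo.append((vec, label))
    return train_centroids(labeled + pseudo), pseudo


def hybrid_pipeline(labeled, unlabeled, verdicts):
    """Ties the three steps together: anomalies go to analysts, everything else
    is a candidate for pseudo-labeling, and the model is rebuilt from both."""
    baseline = [vec for vec, label in labeled if label == "benign"]
    flagged = flag_anomalies(baseline, unlabeled)
    reviewed = analyst_review(flagged, verdicts)
    remaining = [vec for vec in unlabeled if vec not in flagged]
    centroids, pseudo = self_train(labeled + reviewed, remaining)
    return centroids, flagged, reviewed, pseudo


def evaluate(centroids, test):
    """True-positive and false-positive rates on a held-out set, the two
    numbers the text uses to judge a classifier."""
    tp = fp = pos = neg = 0
    for vec, truth in test:
        label, _ = predict(centroids, vec)
        if truth == "malicious":
            pos += 1
            tp += label == "malicious"
        else:
            neg += 1
            fp += label == "malicious"
    return {"tpr": tp / pos, "fpr": fp / neg}


if __name__ == "__main__":
    model, flagged, reviewed, pseudo = hybrid_pipeline(LABELED, UNLABELED, VERDICTS)
    print("flagged for analysts:", flagged)
    print("analyst labels added:", reviewed)
    print("pseudo-labels accepted:", len(pseudo))
    print("held-out metrics:", evaluate(model, TEST))
```

The design point is where the human sits: the outlier is not pseudo-labeled, because the initial model is not confident about it, so it reaches an analyst through the anomaly step instead; the five ordinary events, which the model classifies with high confidence, are absorbed automatically. That division of labor is what keeps analyst time on the ambiguous cases while the labeled dataset still grows.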
Reducing the risk of business disruption
Faced with the risk of a devastating cyberattack impacting their ongoing business operations, boards of directors, CEOs and CISOs are speaking more often about risk management and how hybrid cybersecurity is a business investment. CISOs tell VentureBeat that hybrid cybersecurity is now part of 2023 board-level initiatives for cybersecurity to protect and drive more revenue.
Hybrid cybersecurity is here to stay. It helps enterprises solve their fundamental challenges in protecting themselves against increasingly sophisticated AI- and ML-driven cyberattacks. CISOs who don’t have the budget or staff to ramp up AI and ML modeling rely on MDR providers that use AI- and ML-based EPP, EDR and XDR platforms as part of their services.
MDRs enable CISOs to implement hybrid cybersecurity at scale, alleviating the challenge of finding experienced AI and ML model builders with experience on their core platforms. CISOs see hybrid cybersecurity as core to their organizations’ future growth.