AI’s effect on technology and cybersecurity has seen a tremendous acceleration in recent months thanks to ChatGPT, deep learning and their ilk.
This has forced security leaders to grapple with AI’s security effect on their organizations. Recent research from TechTarget’s Enterprise Strategy Group indicated security leaders have developed a strong preference for using AI as part of network detection and response (NDR) tools. For example, 46% of survey respondents said strong AI capabilities are a critical attribute for NDR tools, while an additional 45% said strong AI is an important attribute.
To this point, much of the focus on AI in network security has been on improving detection. That certainly holds true in Enterprise Strategy Group’s research, with 61% of respondents looking to AI as part of NDR to improve detection accuracy and 59% anticipating improved detection speed.
Additional benefits of NDR with AI attributes could arguably have even more impact, including improving the efficiency of security operations center (SOC) analysts. Benefits with the most agreement among Enterprise Strategy Group research respondents included the following:
- Accurately prioritizing alerts (47%). Even if detections become more accurate, many organizations remain short-staffed. They must understand the relative importance of every alert and work through the most critical ones before addressing lower-priority issues. AI has the potential to add greater intelligence to this prioritization by assessing massive amounts of data, including vulnerabilities, threat intelligence and attacker tactics, techniques and procedures. AI could also more accurately discern which alerts have the potential to lead to catastrophic harm if left unaddressed and which to elevate to SOC analysts, potentially reducing alert fatigue.
- Informing and directing analyst workflows (45%). Even when security teams have enough staff to fill the roles, it is common for those personnel to be asked to do more than they have been trained to do. Level 1 SOC analysts may have to perform Level 2 functions, for example, and Level 2 analysts often backfill Level 3 responsibilities. While this can represent an opportunity to learn and grow for some, it can be stressful and lead to employee burnout and departure. Due to the high cost of replacing employees who leave, this is less than ideal. AI can help offset the skills gap and improve overall efficiency by directing analysts during an investigation. Based on the type of threat detected, what it affected, where in the environment it occurred and any number of other factors, an AI-supported NDR tool can help analysts move from one step in the investigation to the next to quickly identify the scope of the incident and respond accordingly.
- Supporting automated response capabilities (42%). Some organizations have shown interest in taking the next step with AI by enabling NDR tools to operate and respond to an attack on their own without human intervention. This could involve closing an open port, revoking access to applications or fully quarantining devices. Yet most organizations are not ready for this much AI freedom. Interrupting the business and potentially reacting to a false positive can be too high a risk for many companies. There will likely be a progression toward AI-supported tools identifying and recommending response options but still requiring analysts to approve them before implementation. This would enable organizations to see how well AI handles response options and potentially lead to broader use of AI capabilities over time.
NDR vendors will continue to build out AI attributes, likely with more focus on supporting analysts and enhancing efficiency. Some vendors have already introduced integrations with AI offerings to support natural language models and to help security teams better communicate with business leaders in terms the latter would understand. With this space evolving as quickly as it is, network security leaders and practitioners should start establishing their goals for AI-supported NDR and identifying vendors best positioned to meet them.
Editor’s note: Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
This was last published in June 2023