Generative AI is proving highly disruptive in the security space as it accelerates the arms race between attacker and defender. According to the Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity report, just over a quarter of organisations (27%) are using AI to strengthen their security, which means it’s a nascent sector, presenting the Managed Security Service Provider (MSSP) with a golden opportunity to seed the market. In fact, the report states that in order to keep systems secure, most businesses will need to invest in innovative AI-enabled solutions from external partners.
But for the MSSP, integrating AI challenges the business model. Until Large Language Models (LLMs) such as ChatGPT, Google PaLM and Gemini, and Meta’s LLaMA burst onto the scene, most MSSPs were focused on consolidating the cyber stack to make their operations more streamlined and efficient. Point solutions tend to duplicate functionality, and running multiple solutions can result in swivel-chair operations, as the security analyst has to consult each of these different systems when investigating an incident. All of this adds up to wasted resource.
Consolidate or expand?
Now, instead of consolidating their operations, MSSPs are faced with the problem of having to expand the portfolio and the headaches this brings. New AI-enabled cybersecurity solutions will need to be integrated and their output understood in conjunction with the rest of the stack. The security analyst, too, will need to adapt to new ways of working, using prompts to interrogate data. The AI solution itself will also need to be properly configured to ensure there is no danger of misinformation or data leakage from the organisation or its customers. And, with AI swelling the stack still further, there is the potential for opportunities to be missed. For example, if the information being made available by the AI is not understood it won’t be utilised and so becomes a wasted opportunity.
It's this ability to understand the output from AI solutions that is going to be fundamental to MSSPs monetising these services. If output is ignored, the value of the offering cannot be realised, and this is something we’ve seen before. When MSSPs began to invest in Security Orchestration, Automation and Response (SOAR), there was a great deal of excitement over the ability of the technology to automate threat detection and incident response (TDIR). SOAR uses playbooks that kick in to deal with specific incidents without the need to involve the security analyst, so it can effectively fill any expertise gap the MSSP may have. But it has not always been fully exploited.
The reality is that SOAR has only partially been utilised by some MSSPs despite its game-changing abilities. These providers are primarily using it for data consolidation, enrichment and normalisation, which, while valuable in its own right, is only a fragment of what the solution can do. What’s more, these processes all happen behind the scenes, so they are not customer-facing. So, whereas SOAR could be a differentiator, providing concrete proof to the customer that the MSSP is able to dramatically reduce Mean Time to Detection (MTTD) and Mean Time to Response (MTTR), that’s not happening. Instead, MSSPs are only scratching the surface of what it can do.
Where AI will add value
Similarly, AI-powered cybersecurity solutions have the power to dramatically increase the abilities of the MSSP to manage security processes. The technology lends itself to numerous scenarios because it can be used to analyse large tracts of data and detect anomalies through the use of machine learning. GenAI now takes this a step further because of its ability to not just interpret and predict but generate text and images.
In a cybersecurity context, GenAI can be used in TDIR to increase the speed and accuracy of response. Early research by a team at the Technology Innovation Institute in the UAE has shown that the technology was able to identify 14 attack types with 98% accuracy, for instance, and the expectation is that this will equip SOC teams to respond instantaneously.
GenAI can also be used to augment endpoint detection and response (EDR) and log analysis. One of the problems many encounter with a Security Information and Event Management (SIEM) solution is a high false positive rate: the SIEM is good at flagging suspicious or anomalous activity, so the challenge that remains is to qualify those alerts.
Looking for correlations between events or observations using contextual threat prioritisation (CTP) can significantly reduce false positive rates. This is where the SIEM uses its detection logic to target tactics, techniques and procedures (TTPs) in line with a framework such as MITRE ATT&CK. Observations are enriched with the TTPs identified in the framework, and with GenAI these can be further refined by extracting relevant observation rules from threat intelligence or threat reports.
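To make the contextual threat prioritisation step concrete, here is an added example (not code from the article or from any product it mentions) that correlates SIEM alerts per host within a time window, enriches each alert with its MITRE ATT&CK technique and tactic, and weights the resulting sessions by how many tactics they span and by overlap with technique IDs extracted from a threat report. The alerts, the rule-to-technique table and the threat-report excerpt are all constructed for illustration; the extraction from the report is a plain regex standing in for the GenAI step the article proposes.

```python
"""Contextual threat prioritisation over SIEM alerts, mapped to MITRE ATT&CK.

Added example, not code from the article. The alerts, the rule-to-technique
table and the threat-report excerpt are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rule catalogue: SIEM detection rule -> (ATT&CK technique, tactic).
RULE_TO_TTP = {
    "auth_failures_burst": ("T1110", "Credential Access"),
    "new_admin_logon": ("T1078", "Defense Evasion"),
    "encoded_powershell": ("T1059.001", "Execution"),
    "lsass_handle_open": ("T1003.001", "Credential Access"),
    "admin_share_connect": ("T1021.002", "Lateral Movement"),
}

# Constructed SIEM alerts, the kind an analyst would otherwise triage one by one.
ALERTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws-17", "rule": "auth_failures_burst"},
    {"ts": "2024-05-01T09:01:10", "host": "ws-17", "rule": "new_admin_logon"},
    {"ts": "2024-05-01T09:03:42", "host": "ws-17", "rule": "encoded_powershell"},
    {"ts": "2024-05-01T09:04:15", "host": "ws-17", "rule": "lsass_handle_open"},
    {"ts": "2024-05-01T09:06:00", "host": "ws-17", "rule": "admin_share_connect"},
    {"ts": "2024-05-01T11:30:00", "host": "ws-42", "rule": "auth_failures_burst"},  # isolated
    {"ts": "2024-05-01T14:10:00", "host": "ws-42", "rule": "auth_failures_burst"},  # hours later
]

# Constructed threat-report excerpt. Technique IDs pulled from it raise the weight
# of matching observations; the article suggests GenAI for this extraction step,
# a regex stands in for it here.
THREAT_REPORT = """Recent intrusions against UK firms chained credential
brute forcing (T1110) with LSASS dumping (T1003.001) before moving
laterally over SMB admin shares (T1021.002)."""


def techniques_in_report(text: str) -> set:
    """Return the ATT&CK technique IDs (Txxxx or Txxxx.yyy) mentioned in a report."""
    return set(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", text))


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts per host into sessions whose consecutive alerts are <= window apart."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):  # ISO timestamps sort lexically
        by_host[a["host"]].append(a)
    sessions = []
    for host, items in by_host.items():
        current = [items[0]]
        for a in items[1:]:
            gap = datetime.fromisoformat(a["ts"]) - datetime.fromisoformat(current[-1]["ts"])
            if gap <= window:
                current.append(a)
            else:
                sessions.append((host, current))
                current = [a]
        sessions.append((host, current))
    return sessions


def prioritise(alerts, report_text, window=timedelta(minutes=30)):
    """Score each correlated session: tactic breadth first, threat-intel overlap second."""
    intel = techniques_in_report(report_text)
    results = []
    for host, items in correlate(alerts, window):
        ttps = {RULE_TO_TTP[a["rule"]] for a in items}
        techniques = {tech for tech, _ in ttps}
        tactics = {tac for _, tac in ttps}
        # Activity spanning several tactics is the strongest sign of a real intrusion;
        # a single isolated technique (e.g. one burst of failed logons) scores low.
        score = len(tactics) * 10 + 5 * len(techniques & intel)
        results.append({"host": host, "start": items[0]["ts"], "score": score,
                        "techniques": sorted(techniques), "tactics": sorted(tactics)})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritise(ALERTS, THREAT_REPORT):
        print(r)
```

Run as-is, the ws-17 chain (four tactics, three techniques named in the report) scores 55 and rises to the top, while each of the two isolated ws-42 logon-failure bursts scores 15 and can be queued for low-priority review; the scoring weights are arbitrary and would be tuned to the customer's environment.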
We can also expect GenAI to be used in other security practices: to help with attack simulations, for example, by mining information from multiple sources to create convincing attack scenarios, or to rapidly reverse engineer code and look for vulnerabilities. It will also prove highly effective in a governance, risk and compliance (GRC) context by enabling information to be distilled and reports to be created and summarised.
A call to arms for MSSPs
What this means for the MSSP is that it will need to find ways of working with technology partners to develop suitable AI solutions, enabling it to maximise its current investment in machine learning and automation. Bringing these elements together will then enable it to offer an end service greater than the sum of its parts, because AI can supplement and enhance the outputs of the existing stack and deliver near-intuitive results at speed.
For the MSSP, expanding the portfolio with AI will therefore generate value, but it will also enable it to expand its multi-tenant SOC without compromising on service delivery. While AI can ingest high data volumes from endpoints and alerts for analysis in the SIEM, it can also provide detailed, customised investigation and remediation advice, so that the service is both more efficient and more tuned to the customer.
Looking to the future, Gartner predicts that over 80% of enterprises will be using GenAI technology by 2026, suggesting it’s going to become an essential part of operations. During that same time frame, the NCSC predicts the UK will ‘almost certainly’ see AI increase the volume and impact of cyber attacks and see an evolution in TTPs. Therefore, not only is there a clear demand from the market but MSSPs simply cannot ignore the threat posed by AI attacks. It may seem to go against the grain to look at expanding the portfolio but the reality is that those that fail to do so are liable to be left behind.