AI has never been more prominent in the news, with tools such as ChatGPT letting us ask questions and generate content from vast bodies of knowledge. While that is revolutionary and exciting, it does not make other forms of AI obsolete: natural language processing more broadly and, in cybersecurity specifically, machine learning and deep learning remain central.
On the contrary, where reliable and repeatable results are required, Machine Learning (ML) still offers the most practical use cases in cybersecurity: models built to improve analyst efficiency and to produce actionable predictions.
The role of co-pilots and ML
For instance, Microsoft Copilot can significantly streamline the work of analysts dealing with large volumes of data in a Microsoft Sentinel SIEM. It can speed up tasks such as summarizing which devices are exposed to a given threat, or collecting and analyzing incident-specific data such as who accessed which systems and when. This is particularly helpful because it reduces the depth of KQL (Kusto Query Language) knowledge analysts need in order to write threat hunting and investigation queries: they can pose the question in plain language and let Copilot draft the query. The generated KQL is still worth reading before acting on its results, since a query that filters on the wrong field or time window returns a confident but misleading answer.
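To make concrete what an analyst is being spared, here is the kind of Sentinel hunting query that a plain-language question like "which accounts had a burst of failed sign-ins and then a successful one from the same address in the last day?" has to be turned into. This is an added example written for this page, not a query generated by Copilot or taken from Microsoft documentation; it assumes the Entra ID sign-in logs are connected to Sentinel (the `SigninLogs` table, where `ResultType` is `"0"` for a successful sign-in), and the threshold of ten failures is an arbitrary illustrative value.

```kusto
// Accounts with repeated failed sign-ins followed by a success from the same IP (possible brute force / password spray that landed)
let lookback = 1d;
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // any non-zero ResultType is a failed sign-in
    | summarize Failures = count(), FirstFailure = min(TimeGenerated) by UserPrincipalName, IPAddress;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                           // successful sign-ins only
| summarize SuccessTime = min(TimeGenerated) by UserPrincipalName, IPAddress
| join kind=inner failures on UserPrincipalName, IPAddress
| where Failures >= 10 and SuccessTime > FirstFailure  // success came after the failure burst began
| project UserPrincipalName, IPAddress, Failures, FirstFailure, SuccessTime
| order by Failures desc
```

The point of reading a query like this, whether you wrote it or Copilot did, is to check the three places where it can quietly go wrong: the time window (`ago(lookback)`), the success/failure predicate (`ResultType`), and the join keys that define "the same source".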
The use of ML for predictive analytics in cybersecurity is well established. It is particularly valuable in helping security analysts take a methodical approach where a playbook gives no explicit guidance, for instance when an incident deviates from the patterns the playbook anticipates. ML can also automate decision-making to a certain degree, with the analyst retaining the decisions the model is not confident about.
Shifting from breach response to prevention
The future of innovation lies in our capacity to avert a security breach before it occurs. Typical Managed Detection and Response (MDR) services have concentrated on limiting the impact of a breach by responding swiftly and effectively once it is detected, a process in which ML is already widely used. The next step forward is the ability to analyze alert trends over time to pinpoint weaknesses in a client's security posture, and then to alert the client proactively with suggested improvements to configurations and security controls. This is significantly more proactive: clients receive alerts carrying actionable recommendations to harden their organization and reduce risk, rather than alerts about an attack already in progress.
The service known as Managed Prediction and Response (MPR) represents the next stage in the evolution of MDR. It embodies the idea of continuous improvement in cybersecurity, where an organization learns from its weaknesses and removes the conditions that would otherwise generate future alerts. This lets security experts concentrate on critical issues instead of being buried in alert triage, reducing the risk of analyst fatigue. The most significant challenge for MPR will be its capacity to improve the security posture proactively: through changes to existing security controls, improvements to playbooks and detection use cases, and the rollout of new controls across the organization.
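The two ideas above, predictive analytics over alerts and turning alert trends into hardening recommendations, can be shown together in a small piece of analysis code. The following is an added example written for this page, not code from the article or from any MDR/MPR product. It works on a constructed weekly per-rule alert summary of the kind a SIEM can export; the rule names, hosts, dispositions and thresholds are all hypothetical. It fits a linear trend per detection rule to forecast next week's volume, then maps each rule's trend and false-positive mix to one of three posture actions: tune the rule, harden a single asset, or address a control gap across the estate.

```python
"""Alert-trend analysis that turns SIEM alert history into posture recommendations.

Added example, not part of the original article. The alert summary below is
constructed by hand to mimic a weekly per-rule export from a SIEM; rule names,
hosts and thresholds are hypothetical.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed weekly alert summary: rule, affected host, analyst disposition, count.
SAMPLE_SUMMARY = """\
week,rule,host,disposition,count
2024-W10,BruteForceLogin,host-a,true_positive,2
2024-W11,BruteForceLogin,host-a,true_positive,3
2024-W11,BruteForceLogin,host-b,true_positive,1
2024-W12,BruteForceLogin,host-a,true_positive,5
2024-W12,BruteForceLogin,host-b,true_positive,1
2024-W13,BruteForceLogin,host-a,true_positive,7
2024-W13,BruteForceLogin,host-c,true_positive,2
2024-W10,SuspiciousPowerShell,host-d,false_positive,4
2024-W10,SuspiciousPowerShell,host-e,true_positive,1
2024-W11,SuspiciousPowerShell,host-d,false_positive,5
2024-W12,SuspiciousPowerShell,host-d,false_positive,5
2024-W12,SuspiciousPowerShell,host-f,true_positive,1
2024-W13,SuspiciousPowerShell,host-d,false_positive,5
2024-W10,MalwareDetected,host-g,true_positive,1
2024-W12,MalwareDetected,host-h,true_positive,1
"""


def load_summary(text):
    """Parse the CSV export into a list of dicts with an integer count."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["count"] = int(row["count"])
        rows.append(row)
    return rows


def weekly_series(rows):
    """Return sorted week labels and, per rule, the count for every week (0 where the rule was silent)."""
    weeks = sorted({r["week"] for r in rows})
    index = {w: i for i, w in enumerate(weeks)}
    series = defaultdict(lambda: [0] * len(weeks))
    for r in rows:
        series[r["rule"]][index[r["week"]]] += r["count"]
    return weeks, dict(series)


def linear_fit(ys):
    """Least-squares slope and intercept of ys against x = 0, 1, ..., n-1."""
    n = len(ys)
    x_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    denom = sum((i - x_mean) ** 2 for i in range(n))
    slope = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(ys)) / denom if denom else 0.0
    return slope, y_mean - slope * x_mean


def forecast_next(ys):
    """Predict next week's alert count by extending the fitted line one step (never below zero)."""
    slope, intercept = linear_fit(ys)
    return max(0.0, intercept + slope * len(ys))


def recommendations(rows, rising_slope=1.0, fp_ratio=0.6, host_share=0.5):
    """Map each rule's trend and disposition mix to a posture action.

    tune_rule     - mostly false positives: refine the use case or add exclusions
    harden_asset  - rising true positives concentrated on one host: fix that host
    harden_estate - rising true positives spread across hosts: a control gap
    The thresholds are illustrative defaults, not tuned values.
    """
    _, series = weekly_series(rows)
    by_rule = defaultdict(list)
    for r in rows:
        by_rule[r["rule"]].append(r)

    recs = []
    for rule, ys in series.items():
        total = sum(ys)
        false_pos = sum(r["count"] for r in by_rule[rule] if r["disposition"] == "false_positive")
        hosts = Counter()
        for r in by_rule[rule]:
            hosts[r["host"]] += r["count"]
        top_host, top_count = hosts.most_common(1)[0]
        slope, _ = linear_fit(ys)
        expected = forecast_next(ys)

        if false_pos / total >= fp_ratio:
            recs.append({"rule": rule, "action": "tune_rule",
                         "detail": f"{false_pos}/{total} alerts were false positives"})
        elif slope >= rising_slope:
            action = "harden_asset" if top_count / total >= host_share else "harden_estate"
            recs.append({"rule": rule, "action": action,
                         "detail": f"+{slope:.1f} alerts/week, ~{expected:.0f} expected next week, "
                                   f"{top_count}/{total} on {top_host}"})
    return recs


if __name__ == "__main__":
    for rec in recommendations(load_summary(SAMPLE_SUMMARY)):
        print(f"{rec['rule']:<22} {rec['action']:<14} {rec['detail']}")
```

On the constructed data, `BruteForceLogin` rises from 2 to 9 alerts a week with most of them on one host, so the output is a recommendation to harden that asset before the forecast of roughly 11 alerts next week materializes; `SuspiciousPowerShell` is flat but overwhelmingly false positive, so the recommendation is to tune the rule; `MalwareDetected` is sporadic and gets no recommendation. A linear fit is deliberately the simplest possible predictor here; the structure (trend per rule, disposition mix, concentration per asset, mapped to a control change) is what an MPR feedback loop needs, and a richer model can replace `linear_fit` without touching the rest.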