Chapter 8. Looking Ahead: AI, ML, and Managed Security Service Providers

Chapter 5 discussed how AI and ML are improving bot detection, whereas Chapter 6 discussed other areas in security for which the introduction of AI and ML has had a real impact. This chapter examines how managed security service providers (MSSPs) are incorporating these technologies, developing AI and ML techniques of their own and how that can benefit your organization. Your organization might not be ready to adopt AI and ML solutions in-house—given the many challenges associated with AI and ML and the fact that most security teams are already overworked, the idea of adding new capability seems daunting. However, by using an MSSP, your organization can potentially reap the benefits of the investment that the MSSP has made in AI and ML technologies. Just as with anything else in security, a successful partnership with an MSSP does require work on your end, but it can help improve your organization’s security posture.

The MSSP as an AI and ML Source

MSSPs have always had an inherent advantage when it comes to security: rather than protecting a single organization from attacks, the MSSP is protecting hundreds or thousands of clients from all types of attacks. The security operations center (SOC) analysts who work for MSSPs are presented with thousands of different attacks at any time, and they work with organizations ranging from sprawling government agencies to small businesses. This means that the SOC analysts not only need to be able to quickly pivot from one attack type to another, they also need to be able to pivot from one environment, including the level of experience of the security person or team in that environment, to another.

That is why, over the years, MSSPs have built up independent, layered threat detection techniques. Many of these MSSPs have had to build AI and ML solutions in-house to process billions of security events across thousands of different security solutions every hour. The results of that AI and ML become operational, tactical, and strategic threat intelligence that is fed back into the monitoring systems for all customers, allowing the MSSP to respond quickly to a threat against one customer and to alert that customer in a form the customer can process and act on.

Technologies such as anti-DDoS systems, web application firewalls (WAFs), and bot management solutions are fully capable of consuming operational and even tactical threat intelligence and can be used not only to detect threat actors, but also to stop their activity. This allows MSSPs to share information garnered from monitoring one customer’s systems with all other customers, irrespective of whether the other customers have the same system. Almost all of this is invisible to the customer, unless an alert is triggered.

More importantly, MSSPs are often incentivized to share what they have learned (without attribution, of course) not just with their customers, but with the broader internet. Through blogs, conference presentations, and white papers, MSSPs are helping customers and noncustomers alike better protect themselves against the most advanced bots.

MSSPs have been taking advantage of AI-enabled log management systems and tools to find the critical events that are of the highest importance. Some of the events could indicate that attackers are probing targeted victims in search of ways to get in. Other events could suggest that an attack is currently underway or indicate that an attack has already occurred, and the attacker has achieved a foothold.

Time is of the essence when it comes to identifying and halting malicious activity. Believe it or not, according to a report by Trustwave, “the median number of days from the first intrusion to detection of the compromise decreased to 49 days in 2016 from 80.5 days in 2015, with values ranging from zero days to almost 2,000 days (more than five years).”1

What this means is that the time from a system being taken over to the time the compromise is detected is currently measured in months, not minutes. Most organizations that have been breached allow an attacker to remain resident in their networks for days, weeks, months, or even longer. Again, AI- and ML-enabled advanced persistent threat (APT) detection technologies promise to help reduce attacker dwell time to days, hours, or even seconds. That is another advantage that an MSSP brings. The MSSP SOC monitors its customers’ security stack 24/7/365 and is constantly on the lookout for new types of intrusions. MSSP SOC staff learn about new tactics long before most in-house SOCs do, and they apply that knowledge, using AI and ML, to all of their customers.

Cloud-Based WAFs Using AI and ML

WAF appliances installed within the data center were, for the longest time, a standard requirement for many enterprises to combat malicious traffic at the network layers. In recent years the static, appliance-based WAF has been replaced by cloud-based WAF offerings. Cloud-based WAFs provide additional scalability, cost-effectiveness due to a lack of hardware spend, and the flexibility of real-time updates from the threat intelligence team that operates the cloud-based WAF. Because of the proliferation of malicious application layer attacks, such as volumetric DDoS and content scraping, cloud-based WAFs have almost become a requirement. Their ease of deployment, flexibility, expandability, and ability to rapidly deploy protections against newly discovered threats has made them an indispensable tool for any organization looking to protect their web applications.

As the frequency and breadth of application layer data breaches continue to increase throughout 2018, the use of cloud-based WAFs is likely to surge in lockstep. Investments from cloud providers to expand the functionality of their respective WAF offerings should drive a shift away from deploying third-party virtual machines (VMs) toward adopting the providers’ proprietary alternatives. Those proprietary offerings will still be able to take advantage of well-recognized rule sets from pure-play security vendors such as Alert Logic, Fortinet, and F5. The use of ML and AI to bolster WAF rule sets and reputation feeds will increase, ensuring that applications are up to date with the most recent patches to better defend against previously unknown threats.

Addressing the Application Security Challenge

One of the greatest challenges of web application security is securing applications appropriately without blocking good traffic. It is quite a balancing act for those configuring and tuning edge defenses. For example, WAFs often take months to tune effectively, while at the same time DevOps groups are turning out application updates at intervals that outpace their SecOps counterparts. This is where AI and ML come in.

With AI and ML, operators can teach the WAF to get better at its job by reducing false positives and false negatives in an extremely short period of time. The time to tune an ML-enabled WAF is often measured in hours, not months, and those who embrace the technology are beginning to stay ahead of DevOps—and of attackers, as well.
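The tuning trade-off described above, as an added illustration that is not code from the book: two hand-written WAF rule sets are scored against a small set of constructed, labelled requests, counting good traffic wrongly blocked (false positives) and attacks wrongly allowed (false negatives). The request strings, rules and the `evaluate` helper are all invented for this demonstration; the point is how a rule set is measured, not the specific patterns.

```python
import re
from urllib.parse import unquote_plus

# Constructed, labelled sample traffic (not from the book): True = should be blocked.
SAMPLE_REQUESTS = [
    ("/search?q=best+laptops+2018", False),
    ("/login?user=alice&pass=Summer2018", False),
    ("/article?title=select+your+union+rep", False),   # benign text that trips keyword rules
    ("/report?range=from+2017+to+2018", False),        # "report" contains the substring "or"
    ("/search?q=' OR 1=1 --", True),
    ("/item?id=1 UNION SELECT username, password FROM users", True),
    ("/profile?bio=<script>alert(1)</script>", True),
    ("/search?q=%27+OR+1%3D1", True),                   # same injection, URL-encoded
]

# First-pass rule set: loose keyword matching. Quick to write, noisy in production.
BROAD_RULES = [
    re.compile(r"select|union|from|or", re.I),
    re.compile(r"<script", re.I),
]

# Tuned rule set: requires SQL structure (quote + boolean test, or UNION ... SELECT).
TUNED_RULES = [
    re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I),
    re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I),
    re.compile(r"<script", re.I),
]


def is_blocked(request: str, rules, normalize: bool = True) -> bool:
    """Apply the rule set; with normalize=True the request is URL-decoded first,
    so encoded payloads are judged on the same text the application will see."""
    text = unquote_plus(request) if normalize else request
    return any(r.search(text) for r in rules)


def evaluate(rules, normalize: bool = True, samples=SAMPLE_REQUESTS) -> dict:
    """Score a rule set: tp/tn are correct decisions, fp = good traffic blocked,
    fn = attack allowed. Tuning means driving fp and fn down together."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for req, malicious in samples:
        blocked = is_blocked(req, rules, normalize)
        if blocked:
            counts["tp" if malicious else "fp"] += 1
        else:
            counts["fn" if malicious else "tn"] += 1
    return counts


if __name__ == "__main__":
    print("broad:", evaluate(BROAD_RULES))
    print("tuned, no decoding:", evaluate(TUNED_RULES, normalize=False))
    print("tuned, with decoding:", evaluate(TUNED_RULES))
```

The broad set catches every attack but blocks two legitimate requests; the tuned set blocks nothing legitimate but misses the encoded payload until input normalization is added, which is exactly the kind of iteration the text says ML-assisted tuning compresses from months into hours.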

In truth, exploited application vulnerabilities are the primary cause of web application data breaches, and WAFs are one of the most difficult technologies to use effectively. As today’s security vendors begin to embed AI and ML functionality into their cloud-based WAF technology, they are enabling the human-computer synergy so badly needed in web application security. WAF vendors that, for a host of different reasons, are not embracing AI and ML will eventually go by the wayside, like their first-generation firewall counterparts.
