AI-Powered MXDR Gains Three New Skills 

Recent years have brought meaningful advances in security. The advent of EDR and XDR has dramatically improved the tooling for detection, investigation, and triage. Vendors such as Microsoft have introduced a much richer and wider set of controls and instrumentation, enabling the retirement and consolidation of legacy controls. And the rise of MDRs has made meaningful advances in operationalizing this technology, particularly in detecting threats.

The Challenge with Traditional MSSPs and MDRs

But several key challenges remain. Organizations are employing MDR providers in record numbers to augment their internal teams with additional security expertise and with experience operating EDR and XDR solutions 24/7. But it’s very hard for these external service providers to deliver advanced triage, investigation, response, or even prevention without an in-depth understanding of the environment being protected. Even the best MDR players lack a deep enough understanding of the environment they are charged with defending. They lack insight into which applications are critical, the assets that compose those applications and are integral to their function, the underlying architecture, the operational constraints within the organization, the changes that occur in the environment on a frequent basis; the list goes on. Without this deeper environmental context, providers will continue to fall short in delivering real value in incident investigation, resolution, and prevention, even with all their advanced security expertise, resulting in more work being placed back on the customers’ shoulders.

Using AI to Understand Environments and Defenders

We’ve seen the rise of AI in security over the last several years, and the use of large language models most recently. The main application of AI in security has been to better understand threat behavior for the purpose of improving detection, which has worked well and has made defenders more effective.

However, AI has not been widely used to address the challenge of tailoring, or “localizing,” MDR services to customer environments. This application of AI can significantly improve incident investigation, response, and prevention.

For the last three years, we have been building ION IQ, the AI at the core of our ION MXDR service. ION IQ is designed to:

  1. Better understand the environments that we protect (“structural context”): the underlying assets, applications, and infrastructure within our customers’ organizations; and
  2. Better understand defender behavior (“operational context”): how both our defenders and our customers’ security teams address individual use cases, including the day-to-day processes involved in security operations.

These insights are integrated into nearly every aspect of our ION MXDR service, from helping us prioritize and define new automation workflows to empowering us to tailor the service to each customer’s unique risk profile, operational constraints and environmental realities.

ION IQ Gains Three New Skills

Today, we are excited to announce the upcoming general availability of three new AI-powered capabilities in Ontinue ION MXDR. These new AI “skills” of ION MXDR enable us to better localize insights and protection to our customers’ unique environments. The result is faster, more accurate prevention, detection, and response, while continuing to reduce the burden on our customers’ security teams.

Critical Asset Intelligence

Challenge: In modern IT environments, assets are changed, added, and removed faster than security teams can keep up. While there are a variety of asset management tools for IT teams, security teams lack simple tools to help identify assets that may have become critical. But an asset’s role can directly impact the business if that asset is compromised. Without a comprehensive, accurate and organized view of assets, security risk is greatly increased.

Solution: Critical Asset Intelligence in ION MXDR surfaces overlooked critical assets on behalf of security teams. ION uses semi-supervised machine learning to build an expert ML model that examines an asset’s features and determines its level of criticality to the business — with a high degree of confidence. Newly discovered assets are categorized and confirmed by the customer within ION for Microsoft Teams, providing a feedback loop that ensures the model continuously improves.

Benefits: This new level of insight is used by the ION Cyber Defense Center to drive two key customer benefits:

  1. Prioritized Detection and Response: Cyber Defenders spend time on the incidents that represent the most risk and can tailor responses to minimize business impact while ensuring proper protection.
  2. Focused Risk Reduction: Cyber Advisors focus their prevention recommendations, including vulnerability mitigation efforts, to ensure that security teams are spending their time on the tactics that yield the greatest security value.

Azure OpenAI-integrated ION Chatbot

Challenge: Every day, security teams need answers to a variety of questions on topics ranging from incidents to service performance to data costs, and they need accurate answers fast. The legacy approach of dashboards and static reports is fine for the recurring questions you review all the time, but it is often not a great solution for the nuanced questions we all need to tackle every day. Organizations expect their service provider to be able to answer such questions, but often struggle to get fast and accurate answers when they need them.

Solution: ION MXDR’s one-of-a-kind collaboration model uses Microsoft Teams as the main interface customers use to interact with our service, allowing us to operate as a true extension of their team. By integrating Azure OpenAI into our existing ION Chatbot, customers can now ask questions using natural language to get the information they need from ION in a matter of seconds — all within ION for Microsoft Teams. The ION Chatbot uses the power of the generative Azure OpenAI large language model (LLM), sequenced with our proprietary environment AI models, to derive highly localized answers to questions. Insights that previously required a phone call or an email — such as details on the latest incidents that have been detected or tailored guidance on SIEM ingestion and cost optimization — can now be discovered on-demand.

Benefit: The Azure OpenAI-integrated ION Chatbot improves communication and collaboration in two key ways:

  1. Fast, Simple Access to Information: Using natural language, you can now get answers in seconds to questions that used to require hours or even days.
  2. Insights Specific to You: Insights generated in real time by the ION Chatbot are localized to your environment, making them highly actionable without the need for further interpretation by your team.

Incident Conviction

Challenge: One of the biggest challenges for any SOC is rapidly distinguishing between benign positives and true positives. Doing this effectively and efficiently means faster time to resolve real incidents, and lower risk of missing incidents that were dismissed as benign (false negatives). Solving this is a challenge because distinguishing the two requires a proper understanding of the environment itself. One company’s true positive is another’s benign.

Solution: With our new Incident Conviction AI models in ION MXDR, our Cyber Defenders will now be able to prioritize and triage detected incidents with increased accuracy and confidence. Incident Conviction ratings are generated from a combination of expert models trained on our collective repository of historical closed incidents and expert models trained on your specific environment. Together, the combination of these models generates highly localized conviction ratings on a given incident’s categorization for the Cyber Defense Center.

Benefits: Incident Conviction in ION MXDR empowers our Cyber Defenders to focus on what matters most, yielding the following benefits to our customers:

  1. Fewer Customer Escalations: Fewer false positives mean fewer instances of our customers having to waste time on alerts that turn out to be benign.
  2. Faster Time to Resolve: Because our Cyber Defenders are not wasting time on benign positives, they are able to focus more time and energy on true incidents.

We believe that AI is a critical element of delivering high quality managed protection, which is why ION IQ is included in our core ION MXDR service. ION MXDR customers will begin to see the benefits from these new AI skills starting in July 2023 at no additional charge. Read more about Ontinue ION IQ and its foundational role in our Ontinue ION MXDR service.

Article By

Tom Corn
Chief Product Officer

As Chief Product Officer for Ontinue, Tom drives the vision and development of Ontinue solutions. He oversees product management, product marketing, engineering, our security operations center (SOC), and our advisory and Technical Account Managers.