Combining threat intelligence, data at scale, and AI to fortify cyber defenses

By Microsoft Security

Cybersecurity can be a thankless battle at times, demanding constant vigilance to thwart malicious attacks. But while bad news tends to grab headlines, we do see cybersecurity success stories emerging.

Every day, our defenders quietly share information that helps raise the cost of crime for attackers and their vast criminal syndicates. Security professionals are constantly leveraging their considerable skill and talent to find criminals faster and evict them sooner. Current dwell times have hit a 20-day level on average low, whereas previously, attackers could lurk undetected for months.

We can thank better threat intelligence for the decrease in dwell times. However, there are additional factors at play that are helping to further fortify cyber defenses. Read on to learn how you can leverage threat intelligence, data at scale, and AI to amplify your impact as a cyber defender.

The growth of data and threat intelligence

Targeted, well-indexed data is what enables defenders to see and thanks to recent advances, our vision has never been better. Competition amongst cloud providers has dramatically driven down the cost of storing and querying data, allowing for huge leaps in innovation and the ability to deploy higher-resolution sensors across the digital estate. The rise of extended detection and response (XDR), in concert with security information and event management (SIEM), has helped further unify threat signals across endpoints, apps, identities, and cloud platforms.

More signals mean a greater surface area for threat intelligence to be gathered. This then feeds AI, acting as the labels and training data that enables AI models to predict the next attack. And what threat intelligence can find, AI can help scale.

When cyber defenders leverage threat intelligence to successfully thwart or quickly resolve a cyber attack, AI models can use the knowledge gained to digitally model the experience against other security signals. At Microsoft, we take an adversary-centric approach to threat intelligence. We actively track more than 300 unique threat actors, including more than 160 groups linked to nation-states and more than 50 ransomware gangs.

But threat intelligence is most effective when it pulls from the contributions of many multidisciplinary contributors. Good threat intelligence should bring people together—with cybersecurity experts and applied scientists working together alongside authorities in geopolitics and disinformation. This creates a more complete picture of adversaries, enabling cyber defenders to better understand the what of an attack when it’s happening and intuit the why and where of what might happen next.

AI helps enable defense at speed

With AI, we can better scale defense at the rate of attack. For example, AI enables us to disrupt human-operated ransomware attacks even sooner, turning low-confidence signals into an early warning system.

Human investigators piece together individual clues to realize an attack is happening. That takes time. But in situations where time is scarce, the process for determining malicious intent can be done at AI speed—linking context together to more quickly detect and respond to threats.

Just like how human investigators think on multiple levels, we can combine three kinds of AI-informed inputs to find ransomware attacks at the beginning of escalation.

1. At the organizational level, AI employs a time series and statistical analysis of anomalies.
2. At the network level, it constructs a graph view to identify malicious activity across devices.
3. At the device level, it uses monitoring across behavior and threat intelligence to identify high-confidence activity.

Today, we’re entering a new era in AI-enhanced security. Machine learning is commonplace in current defensive technology. But to date, AI has primarily been embedded deep inside the tech. Customers benefited from its role in protection but could not manipulate the AI or interact with it directly. That has changed.

We are moving from a world of task-based AI, which is good at detecting phishing or password spray, to a world of generative AI that is built on foundation models that upskill defenders.

Ultimately, when threat intelligence, data at scale, and AI come together, it helps cyber defenders as a whole move faster than ever before. For more information on the latest in threat intelligence and cybersecurity trends, visit Microsoft Security Insider.