IBM study reveals how AI, automation protect enterprises against data breaches

The more integrated AI, automation and threat intelligence are across tech stacks and SecOps teams, the stronger they make an enterprise against breaches. Follow-on benefits include greater cyber-resilience, and spending less on data breaches than enterprises with no AI or automation defenses at all.

IBM Security’s 2023 Cost of a Data Breach Report provides compelling evidence that investing in AI, automation and threat intelligence delivers shorter breach lifecycles, lower breach costs and a stronger, more resilient security posture company-wide. The report is based on analysis of 553 actual breaches between March 2022 and March 2023.

The findings are good news for CISOs and their teams, many of whom are short-staffed and juggling multiple priorities, balancing support for new business initiatives while protecting virtual workforces. As IBM found, the average total cost of a data breach reached an all-time high of $4.45 million globally, representing a 15% increase over the last three years. There’s the added pressure to identify and contain a breach faster.  

IBM’s Institute for Business Value study of AI and automation in cybersecurity also finds that enterprises using AI as part of their broader cybersecurity strategy concentrate on gaining a more holistic view of their digital landscapes. Thirty-five percent are applying AI and automation to discover endpoints and improve how they manage assets, a use case they predict will increase by 50% in three years. Endpoints are the perfect use case for applying AI to breaches because of the proliferating number of new identities on every endpoint.

Why AI needs to be cybersecurity’s new DNA 

Scanning public cloud instances for gaps in cloud security (including misconfigurations), inventing new malware and ransomware strains and using generative AI and ChatGPT to fine-tune social engineering and pretexting attacks are just a few of the ways attackers try to evade being detected.

Cybercrime gangs and sophisticated advanced persistent threat (APT) groups actively recruit AI and machine learning (ML) specialists to design their Large Language Models (LLM) while also looking for new ways to corrupt model data and invent malware capable of evading the current generation of threat detection and response systems starting with endpoints.

CISOs need AI, ML, automation and threat intelligence tools if they’re going to have a chance of staying at competitive parity with attackers. IBM’s report provides compelling evidence that AI is delivering results and needs to be the new DNA of cybersecurity.  

Integrating AI and automation reduced the breach lifecycle by 33% or 108 days

IBM found that enterprises that advanced their integration of AI and automation into SecOps teams to the platform level are reducing breach lifecycles by one-third, or 108 days. That’s a significant drop from an average of 214 days. The average breach lasts 322 days when an organization isn’t using AI or automation to improve detection and response. 

Extensive use of AI and automation resulted in 33.6% cost savings for the average data breach.

Integrating AI and automation across a tech stack to gain visibility, detection and achieve real-time response to potential intrusions and breaches pays off. Organizations with no AI or automation in place to identify and act on intrusions and beaches had an average breach cost of $5.36 million.

Enterprises with extensive AI and automation integration supporting their SecOps teams, tech stack and cyber-resilience strategies experienced far less expensive breaches. The average cost of a breach with extensive AI and automation in place averaged $3.6 million. That’s a compelling enough cost savings to build a business case around.

Despite the advantages, just 28% of enterprises are extensively integrating AI and automation

Given the gains AI and automation deliver, it’s surprising that nearly one-third of enterprises surveyed have adopted these new technologies. IBM’s team also found that 33% had limited use across just one or two security operations. That leaves 4 in 10 enterprises relying on current and legacy generation systems that attackers have fine-tuned their tradecraft to evade.

In another study, 71% of all intrusions indexed by CrowdStrike Threat Graph were malware-free. Attackers quickly capitalize on any gap or weakness they discover, with privileged access credentials and identities being a primary target, a key research finding from CrowdStrike’s Falcon OverWatch Threat Hunting Report. Attackers increasingly use AI to evade detection and are focused on stealing cloud identities, credentials and data, according to the report. This further shows the need for intelligent AI-driven cybersecurity tools.

Gartner’s 2022 Innovation Insight for Attack Surface Management report predicts that by 2026, 20% of companies (versus 1% in 2022) will have a high level of visibility (95% or more) of all their assets, prioritized by risk and control coverage. Gartner contends that cyber asset attack surface management (CAASM) is necessary to bring an integrated, more unified view of cyber assets to SecOps and IT teams, CAASM stresses the need for integration at scale with secured APIs.

IBM’s study shows that SecOps teams are still losing the AI war.

The majority of SecOps teams are still relying on manual processes and have yet to adopt automation or AI significantly, according to the report. There is a major disconnect between executives’ intentions for adopting AI to improve cybersecurity and what’s happening.

Ninety-three percent of IT executives say they are already using or considering implementing AI and ML to strengthen their cybersecurity tech stacks, while 28% have adopted these technologies. Meanwhile, attackers are successfully recruiting AI, ML and generative AI experts who can overwhelm an attack surface at machine speed and scale, launching everything from DDOS to using living-off-the-land (LOTL) techniques that rely on Powershell, PsExec, Windows Management Interface (WMI) and other common tools to avoid detection while launching attacks. 

“While extortion has mostly been associated with ransomware, campaigns have included a variety of other methods to apply pressure on their targets,” writes Chris Caridi, cyber threat analyst for IBM Security Threat Intelligence. “And these include DDoS attacks, encrypting data, and more recently, some double and triple extortion threats, combining several of the previously seen elements.”

This should also be considered with the proliferation of deepfakes. Zscaler CEO Jay Chaudhry was the recent target of a deep fake attack. Chaudhry told the audience at Zenith Live 2023 about one recent incident in which an attacker used a deepfake of his voice to extort funds from the company’s India-based operations.

In a recent interview, Chaudhry said, “This was an example of where they [the attackers] actually simulated my voice, my sound … more and more impersonation of sound is happening, but you will [also] see more and more impersonation of looks and feels.” Deepfakes have become so commonplace that the Department of Homeland Security has issued the guide Increasing Threats of Deepfake Identities. 

AI discovers anomalies at scale and machine-level speeds

AI and automation deliver measurable results in improving security personalization while enforcing least privileged access. SecOps teams with an integrated AI and automation tech stack are faster at identifying and taking action on anomalies that could indicate an intrusion or breach.

AI and ML excel at analyzing massive volumes of system and user activity data that power threat intelligence systems. IBM found that when a threat intelligence system has real-time data analyzed by AI and ML algorithms, the time to identify a breach is reduced by 28 days on average.

Breaches cost less if SecOps teams find them first

AI also pays off by helping SecOps teams identify the breach themselves versus waiting for an attacker to announce the break or having law enforcement inform them. When SecOps teams can identify the breach, they save nearly $1 million. The study also compared mean-time-to-identify (MTTI) and mean-time-to-contain (MTTC), finding that extensive integration of AI and automation reduced both. 

Keep AI, automation, and threat intelligence in the context of zero trust

Zero trust assumes a breach has already happened, and every threat surface needs to be continually monitored and secured. As the IBM study shows, AI, ML and automation are proving effective in providing real-time threat intelligence. 

During a recent interview with VentureBeat, zero trust creator John Kindervag advised that “you start with a protect surface. I have, and if you haven’t seen it, it’s called the zero-trust learning curve. You don’t start with technology, and that’s the misunderstanding of this. Of course, the vendors want to sell the technology, so [they say] you need to start with our technology. None of that is true. You start with a protect surface, and then you figure out [the technology].” 

Kindervag’s advice is well taken and reflects how effective AI, ML, automation and threat intelligence can be deployed and deliver results at scale. Kept in a zero trust context of protecting one threat surface at a time, as Kindervag advises, these technologies deliver value.