December 1, 2023

Introducing AirMDR


TL;DR - We’ve built a new kind of MDR by augmenting every one of our analysts with an intelligent virtual analyst that makes every single one of them as powerful and productive as 10. This for the first time makes fast, high-quality detection and response affordable for small and medium enterprises. If you are interested in a faster, better and affordable MDR, let’s talk.

What is AirMDR

AirMDR is a new approach to managed detection and response that augments security analyst capabilities by combining recent developments in AI, automation and decades of cybersecurity expertise. We’ve made one analyst as productive and efficient as ten to deliver high quality and affordable threat investigation, triage and response. 

Biggest Threat Investigation and Response Challenges

Over the course of my career, I’ve come to the core realization that achieving good cybersecurity is hindered by a few key factors:

1. The last mile gap in detection and response
2. The scarcity of human expertise in cybersecurity
3. Budget constraints in cybersecurity
4. Low ROI of automation

The Last Mile Gap in Detection and Response

A typical medium sized enterprise (roughly 1000 employees) has 10-20 security tools protecting it and very often fewer than 5 people on the security operations team. Each one of these tools requires constant care and feeding. Each one of these tools generates alerts, at volumes that would require a 5-10x larger team than what they have.

90%+ of these alerts simply get ignored.

Ignoring these alerts is not a great idea. 2-10% of the alerts that fire need a response, and some of them, if not responded to immediately, can turn into breaches over time. This is exactly what happened at Target 10 years ago, and unfortunately 95%+ of small/medium enterprises would fare much worse 10 years later.

The Cybersecurity Skills Gap

Every security team wishes it could detect, investigate and respond to alerts in minutes to minimize the impact of security threats on business operations. However, the reality is that every security team suffers from a talent shortage, and the cybersecurity skills gap continues to grow.

CISOs Struggle with Tight Budgets

All CISOs wish they could just hire every headcount they feel is needed to get the job done right, but that isn’t the reality security teams live with. Maybe, if someone had an unlimited security budget, the talent gap wouldn’t be an issue for them, but for 99.99% of SOC teams budget constraints and the talent gap also go hand in hand. 

While most cybersecurity budgets have grown year-over-year for the last few years, they remain underfunded by CISO standards. Recent economic conditions have compounded the problem, leading to flat or reduced cybersecurity budgets for many, according to an IANS study. It isn’t hard to see why the equation doesn’t add up to an optimistic outlook for cybersecurity leaders.

Increased Threats x Less Available Talent x Tight Budgets = Unacceptably high risk for the enterprise

Cybersecurity leaders and boards are being held more accountable than ever, with big legal ramifications. Recently, the SEC charged the CISO of SolarWinds, Tim Brown, with fraud and internal control failures stemming from a 2020 cyberattack. The stakes and stresses for CISOs everywhere are at an all-time high, causing many to leave the field. In fact, Gartner predicts nearly 50% of cybersecurity leaders will change jobs by 2025 or leave the role entirely due to work-related stress, making the talent gap issue even worse.

Flawed Automation Isn’t The Answer

Many SOC teams then turned to automation in an attempt to solve these issues, and we saw a slew of companies deploying automation tools and services. In theory, this should have made a big dent, but in practice automation only solves about 10% of the issues for about 10% of the largest companies: the ones with very large teams and budgets, big enough to hire dedicated automation engineers. 99% of small and medium enterprises simply do not have this skill set in house.

Building SOC Automation Is Expensive

On average, it takes around $4,000 - $6,000 USD to build a single playbook. That is still quite expensive for many security teams out there, and it is only one playbook. I’d estimate that most security teams would need around 50 or more playbooks to address just the basics. That is $250,000 on automation just to get started.

50 Playbooks x $5,000 per playbook = $250,000

Not to mention, you’d still need the right talent to structure and build those playbooks, so you are back to square one: finding and hiring the right people to do that. And that is just the one-time cost; it doesn’t take into account updates and maintenance.

Automations Are Inflexible & Insufficient

The world is dynamic; automations aren’t. Even if a security team has the resources to build out all the automations it needs, those automations cease to work properly as systems and processes evolve and change, unless you are willing to invest additional engineering resources to continuously maintain and update them. Maintaining them requires both development skills and security expertise, leaving you right back at square one, blocked by the widening cybersecurity skills gap. And even then, all this headache is for something that only addresses a small percentage of the threat landscape.

If we seriously look at the effectiveness of automations, the reality is they only solve about 5-10% of the total cases encountered because most cases still require a certain level of human intervention and oversight to correlate and consider the details available.

The question remains: how do we address this constantly growing issue when we will never have all the resources (people and budget) needed to stay ahead, or even to adequately address SOC needs?

How Can Human Cybersecurity Expertise Scale Cost Effectively?

When it comes down to it, the fundamental constraint is that human expertise is simply too expensive and it's getting in the way of every team being able to implement effective detection and response. We need a way to easily and cost effectively scale that human expertise. 

For example, just 13 years ago, the average global broadband speed was 7.6 Mbps. It is hard to imagine all of our apps and streaming services if we were still on speeds like that. Now, speeds have increased exponentially, with the global average around 100 Mbps and many providers offering 1 Gbps or faster in many places, all for around the same price we used to pay back in the day for that measly 7.6 Mbps.

Looking at how this has evolved over the years, how do we similarly take the bottleneck of human expertise in cybersecurity and make those human skills abundant, or at least 10 times more efficient, so that we are able to do so much more with the same budget and people we have available?

How Do We Scale Human SecOps Intelligence?

Automation was a great first step in trying to address the scale problem, but it needs to go a bit further. We need automation that is inexpensive, adaptable, and that's actually freaking easy to use. And I mean REALLY freaking easy to use because if it isn’t, it will get bottlenecked by the same cyber skill shortage. You can't solve one skill shortage problem with a solution that also suffers from the same skill shortage problem. We have to be able to augment our existing skills in a way that compensates for the skills shortage.

LLMs Help Overcome The Skills Shortage

Luckily, LLMs (large language models) have provided a glimmer of hope in what they bring to the table. LLMs provide a very nice UX for ease of use and make automation accessible to the masses. This creates the opportunity to build flexible automations easily, because you don’t need engineering skills and can just interact in normal human language.

If we can apply the right set of security skills to them, they become very capable of doing all the work that bogs down analysts, allowing analysts to focus on more advanced work that requires real human critical thinking and creative problem solving.

Augmenting Human Cybersecurity Analyst Capability with AI

This is the approach AirMDR has taken to Managed Detection and Response (MDR). Instead of continuing to throw bodies at the problem, which we know is too expensive and not a solution that works for anyone on a limited budget, we aim to augment human capacity and give one person the power and efficiency of 10. This creates a solution that works for everyone, teams big and small, allows them to do more with their existing budgets, and makes a substantial dent in the cyber skills shortage, which is the biggest bottleneck for achieving good detection and response.

An Intelligent Virtual Analyst

But how are we doing that? We’ve built an intelligent virtual analyst. It can do 80-90% of the work of an L1 or L2 analyst, and can easily create automations without the need for expensive coding. This brings down the cost of building very adaptable and flexible playbooks for our customers substantially and provides an MDR solution that is accessible and affordable to SOC teams of all sizes. 

Better Managed Detection and Response

By leveraging our Virtual Security Analyst, we are able to provide a more consistent, efficient and affordable MDR solution. There is an immediate time to value, as it eliminates the need to hire five, seven or ten more analysts because you are getting the same productivity for the price of one. Investigation reports can be produced at an exponentially faster rate than a human analyst performing them manually, and there is a level of depth and consistency to the reports that is seldom achieved by a human analyst having to juggle multiple priorities at once.

We are super excited to bring faster, better and affordable detection and response to every enterprise (especially those without millions of dollars in cyber budgets)!

AUTHOR: Kumar Saurabh

Kumar Saurabh is the CEO and co-founder of AirMDR. He's leveraged his 20+ years of experience in enterprise security to develop an AI-powered virtual assistant for security operations to help address shortages in cybersecurity talent resources. Kumar's expertise spans from his engineering leadership at ArcSight to co-founding a company that offers cloud SIEM services and his role as CEO of LogicHub, where he focuses on SOAR/MDR.
