IBM leans into AI for managed security services

IBM is rolling out AI-based managed services that promise to help network and security operations teams more quickly and effectively respond to enterprise cyber threats.

Managed by the IBM Consulting group, the Threat Detection and Response (TDR) Services offering promises 24×7 monitoring, investigation, and automated remediation of security alerts from existing security tools as well as cloud, on-premises, and operational technology systems utilizing the enterprise network. The services can integrate information from more than 15 security event and incident management (SIEM) tools and multiple third-party endpoint and network detection and response packages, for example.

The idea is to help enterprise customers get a handle on the myriad vulnerabilities, alerts and security tools they have to deal with on a daily basis. By using AI and other analytics capabilities, the new managed services can automate away the noise and let IT teams focus on escalating critical threats to the business, IBM stated.

IBM’s new TDR Services, available now, typically work without requiring agents to gather information from customers’ enterprise environment, such as servers, endpoints and other devices. Combined with information from IBM X-Force’s global network of sensors and intelligence analysis, the services use AI models and tools to filter out client-defined, non-critical problems and false positives to automatically generate high-risk alerts that require immediate action by security teams while offering investigation context, according to IBM.

“IBM [managed detection and response (MDR)] is able to detect threats across the entire IT estate, do network-based detections including full packet capture and inspection, as well as detect a wide range of malicious activity, including ransomware and evasive malware. The service also includes attacker behavior analytics,” according to a recent MDR report from KuppingerCole.

“IBM MDR is able to execute predefined containment actions automatically, including terminating processes and network sessions, isolating hosts, blocking communications by port and IP, quarantining files, carrying out sinkholing, and preventing registry changes,” KuppingerCole stated.

IBM’s MDR services compete in a broad market that includes similar services from Arctic Wolf, eSentire, Fortinet, Proficio, ReliaQuest, and Sophos, according to KuppingerCole.

Managed security services are driving an uptick in the broader IT managed services market, according to a recent study done by Canalys and commissioned by Cisco. The study found that while total IT spending is forecast to grow 3.5% globally in 2023, IT managed services revenue is expected to grow 12.7%.

Cybersecurity and cyber-resilience services, in particular, are helping drive this increase. “In response to evolving threats, we’ll see growth in networking and endpoint management along with a rise in detection and response. Demand for compliance will also expand due to new regulations,” Canalys wrote. “In a move toward increased specialization, areas of focus include data analytics and AI to optimize processes and systems, making services more predictive and proactive.”

The adoption of MDR is typically in response to a security breach, regulatory requirements, mergers and acquisitions, and increased demand by the organization’s board for improved cyber security status reporting, according to KuppingerCole analysts. There are a number of other drivers as well, including the rapidly increasing adoption of cloud services and the need to secure critical data in the cloud; the recognition of ransomware as a major cybersecurity threat; the expansion of IT environments to include mobile, edge, and cloud computing; the adoption of home working/hybrid working post pandemic; and the rapid increase in the amount of data that organizations are producing, the analyst group found.

“For many organizations, MDR is the only way they are able to consolidate all of their security threats, tools, and systems into a single point of control to address and resolve all alerts, monitor and respond to all indicators of potential compromise by analyzing all security data, and evaluate the effectiveness of existing controls to identify where and how this can be improved,” KuppingerCole stated.