How AI can improve the future of incident response

Cybersecurity software providers must step up their efforts to deliver self-healing software and solutions, according to Adam Zoller, CISO for healthcare leader Providence. Speaking at VentureBeat Transform 2023 last week, Zoller pointed out that there is white space in the market where vendors need to step up and fund self-healing initiatives. 

Zoller joins a growing group of CISOs calling for greater cyber-resilience and self-healing in apps and platforms. Zoller spoke at length at Transform on why having an incident response plan is critical and how taking an identity-centric view of cybersecurity is core to how healthcare providers reduce risks. Zoller is a strong supporter of zero trust focusing on identity-centric security.    

“I think the future is self-healing software; the future is applying these models to our code bases to discover vulnerabilities and fix them before our attackers can find them,” Zoller told the Transform audience. “Because I can tell you, as a human running a human team, we are not equipped to operate at the velocity of what our attackers are going to bring to us in the next two to three years.”

>>Follow all our VentureBeat Transform 2023 coverage<<

Providence operates 53 hospitals and 1100 clinics with about a quarter million full-time employees and contract employees.

“Our cybersecurity needs to travel with our caregivers, no matter where they are in the world because we have people going to Guatemala on trips to provide health care to people who couldn’t afford health care in South America and Central America,” Zoller says. 

More cyber resilience needed

Zoller explained that the CISO role is becoming more multidimensional, anchored with a strong focus on the human aspect of cybersecurity.

“Human error or involvement plays a role in almost every cybersecurity event,” said Zoller. “Whether it’s someone forgetting to patch an internet-facing application or choosing an insecure password, the human factor is inescapable. This underscores the need for a human-centric approach to cybersecurity, focusing on behavioral change and effective communication strategies.”

Implicit in the insightful observations Zoller made is the need for vendors to improve their software’s self-healing capabilities. “Cybersecurity is a risk problem; it’s a risk equation,” he said.

Cyber-resilience reduces a data breach’s impact on an organization’s IT, financial and customer-facing systems and operations. Realizing that not all intrusion attempts are predictable or easily contained helps enterprises adopt the right mindset and prepare. 

National priority defined by the White House

Zoller’s strong focus on self-healing software — which can catch potential incidents, intrusions and breach attempts on every endpoint, identity and throughout the software development lifecycle (SDLC) — reflects the high priority of cyber-resilience today. Continually improving self-healing software is table stakes to achieving cyber-resilience and zero trust and has is an industry issue that needs to be resolved with improved software reliability. 

In March, The White House announced key elements of its cybersecurity strategy, prioritizing cyber-resilience and holding software companies more accountable for product security. CNN reports that the administration and Congress are drafting legislation to address software liability and inadequate cyber defenses.

“When we’re talking to organizations, what we’re hearing a lot is: How can we continue to increase resiliency, increase the way we’re protecting ourselves, even in the face of potentially either lower headcount or tight budgets?” Christy Wyatt, CEO of Absolute Software, said in a BNN Bloomberg interview earlier this year. “And so it makes what we do around cyber-resiliency even more important. One of the unique things we do is help people reinstall or repair their cybersecurity assets or other cybersecurity applications. So a quote from one of my customers was: ‘It’s like having another IT person in the building.”

Self-healing endpoints are the cornerstone of many organizations’ cyber-resilience strategies and key to consolidating tech stacks, all part of their long-term commitment to zero trust security. Self-healing endpoints can shut down, check OS and application versions and reset to a secure, optimized configuration. These actions require no human input.

AI-enabled incident response growing

Zoller said at Transform: “I think we’re at the early stages of potential security risks presented by AI. We were also at the early stages of potential security benefits being presented by AI. In the future, we’re going to see all sorts of applications of AI technology, whether it’s expansions of these copilot technologies that we see or expansions into the space of data loss prevention, data loss detection, potentially vulnerability, discovery and vulnerability, patching applications and self-healing software.”

Zoller and his team are seeing more applications of AI in security today, including Microsoft’s Security Copilot. In describing Copilot, Zoller said, “It acts as a copilot for incident responders, suggesting events to look at in their security event and incident management system (SIEM).” Zoller believes the latest cybersecurity apps and solutions are just the beginning.

Zoller says that having an incident response plan is essential. He recommends basing the plan on the best available data and tools to identify threats and take immediate steps to restore operations quickly. One of the foundational points he made was the importance of keeping continual communication with stakeholders about how current and anticipated threats are being monitored and how incident plans will take preemptive action in the detection of a potential risk or threat.

Providence thwarts a cyberattack

Attackers were quick to capitalize on the opportunity created by the fast-growing base of Providence employees working remotely. 

“By April 2020, ransomware attackers, mostly eastern European cybercrime gangs, had taken notice that… there was a real large window of exploitation that they could take advantage of to deploy ransomware to potentially get big payouts from organizations that weren’t prepared to deal with ransomware,” said Zoller.

The CISO explained that Providence began to see an unprecedented rise in attacks by the REvil, an Eastern European cybercrime group that specializes in Ransomware-as-a-Service.

“REvil came after us on two occasions with targeted ransomware attacks,” said Zoller. “And I’ll tell you, we were able to fend them off because of my team’s dedication and the preparation we put in ahead of time. But had we not put that preparation in ahead of time and had our team and our people current on training or had the tools their disposal they needed to fend those attackers off, we could have had a really serious case on our hands. We were simultaneously dealing with the ramp-up of the pandemic and ransomware [attacks].” 

Zoller says that when he first joined Providence in 2019, he saw the immediate need to move away from connecting to data centers for security services and adopting a more cloud-native security architecture. That decision proved prescient.

“We have to push our defenses out to the endpoints,” Zoller explained. “Our cybersecurity needs to travel with our caregivers.”

Key insights on incident response

Healthcare is one of the most attacked industries because medical records command high prices on the dark web and are used to create synthetic identities to defraud everyone, from insurance companies to mortgage lenders. It’s also an industry known for relying on perimeter-based systems that don’t enforce least-privileged access or protect identities. Zoller offered a valuable set of recommendations for anyone looking to improve incident response:

Keep incident response plans current and add them to playbooks

Too often, healthcare providers get caught in a breach and have to define their response as they’re trying to stop it. CIOs and CISOs tell VentureBeat that they have drafted articles and press releases for their company board to show the impact if a massive breach did occur. This helps increase support.

Weave security into every stage of product development

Having cybersecurity designed into every phase of the SDLC and employing a shift-left strategy to reduce security gaps while preventing defects is critical. 

Consider using self-healing software and AI

Consistent with the White House directive, Zoller stressed the importance of self-healing software, especially endpoints to harden cybersecurity today.