How AI can change the face of incident response - SmartBrief
Living near Washington’s Puget Sound, I’ve spent a lot of time in the water, either scuba diving or kayaking. While doing those activities, I have to manage quite a few risks. When I kayak, I spend time thinking about the risks associated with weather, currents and waves. While scuba diving, I evaluate and respond to risks related to air availability and other possible minor emergencies.
But I also think about other things – including disasters that might affect this beautiful area. For example, I worry about what flows into the Puget Sound. I worry about some of the slow-moving, imperceptible micro-incidents that degrade the health of the water here. These thoughts often lead down other paths, like I can’t help but start thinking about how these issues are somewhat analogous to those facing cybersecurity professionals in incident response. Let me explain.
Puget Sound (James Stanger)
We all know the typical oil-and-water horror stories: the massive spill, the photographs of oil-blackened shorelines, the frantic cleanup crews. Those are the disasters that make headlines. But ask any environmental scientist about the Puget Sound’s most persistent threat, and they’ll tell you it isn’t the next catastrophic spill. It’s the slow, invisible accumulation of oil droplets falling from the hundreds of thousands of non-EV vehicles crossing our roads every day. Each drop is tiny. Each drop is harmless in isolation. Each drop, driven by rain, makes its quiet journey to the Sound — until, collectively, they create something toxic. Oil has greatly impacted wildlife in the Sound, affecting the health of virtually every element, from seals to octopi and from crabs to nudibranchs.
From a cybersecurity perspective, I can’t stop thinking about how perfectly this mirrors what’s happening inside our organizations every day.
Problems with how we frame incident response
For decades, our thinking about and subsequently our approaches to incident response have been organized around two persistent fears. The first is the fear of the dreaded “3 a.m. phone call.” The second is the fear of the dreaded communication from a regulatory body informing your organization it has received a substantial fine for violating privacy or cybersecurity policy. Both represent realized, visible, catastrophic failure. Both are versions of the catastrophic oil spill. But, what about the slow-moving micro-incidents – what I call “cybersecurity micro-aggressions” that accumulate to real risk? I see these smaller incidents as a slow-moving, unseen oil slick that affects the technical health of organizations and impairs their cybersecurity maturity.
The conditions that enable those disasters almost never occur in a single moment. They’re built drop by drop — through these cybersecurity micro-aggressions. These are the small, silent, incremental mistakes made by DevOps engineers, automation teams and IT professionals who are moving fast, under pressure, while doing their best. A developer hardcodes a credential “just for testing.” An automation script runs with administrator rights because it was faster to configure that way. A dependency doesn’t get updated because the sprint was full. A cloud storage bucket gets a permission that’s slightly too broad. None of these trips an alarm. None of them, individually, represents a security incident. Together, they erode an organization’s security posture the same way those oil droplets erode the Puget Sound — quietly, persistently and at a scale that’s invisible until it isn’t.
Why traditional trigger-based incident response can’t see this coming
The fundamental design of traditional incident response is reactive. Like your over-politicized friend, traditional incident response just waits to be triggered. It waits for a threshold to be crossed — an alert fires, a trigger event occurs, a system falls over, a known-bad signature is matched. The problem is, micro-aggressions, by definition, never cross that threshold individually. They live below the waterline of our detection capabilities, accumulating in silence.
What’s needed isn’t greater sensitivity in our existing instruments. It’s a fundamentally different kind of perception — one capable of recognizing patterns across low-signal events at scale, over time, in context. This is precisely where AI changes the equation.
AI as the stormwater filter
If micro-aggressions are the oil droplets, AI, if done right, can be the filtration system that intercepts them before they reach the “Sound.” Specifically, AI-powered tools can maintain a living baseline of an organization’s environment — configurations, dependencies, access patterns, infrastructure-as-code, pipeline behaviors — and surface deviation from intent, not just deviation from known-bad signatures. The difference is significant. A SIEM looks for bad things. An AI-powered drift detector asks: Is this still the system we meant to build?
Applied at the developer layer, AI can introduce intelligent guardrails at the exact moment micro-aggressions are born: before a merge, before a deployment, before a dependency is added. Done well, this feels less like surveillance and more like a knowledgeable colleague who has read every post-mortem ever written. One who can say, “This pattern appears in 70% of privilege escalation incidents in systems like yours,” before the code ever ships.
Beyond the developer layer, AI can connect the dots that humans miss. Three unremarkable configuration changes, one unpatched dependency, one overprivileged service account — separately, each is a tiny drop of oil. Together, they form a credible attack path. AI is the first tool capable of reasoning across that combination at the speed and scale modern IT environments require. These all represent cybersecurity micro-aggressions; if we put AI and humans in the proper loop with each other, we can handle these issues all in the name of better incident response.
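As an added illustration (not code from the article or from SmartBrief/CompTIA), the two ideas above in working form: a drift check that compares what a team meant to deploy against what is observed, and a correlation step that promotes several individually low-severity drifts on one service into a flagged attack path. The inventory, service names, fields and the two-class threshold are constructed assumptions.

```python
"""Drift-from-intent detection plus correlation of low-signal findings.

Constructed sample data: INTENT is the declared desired state of two services,
OBSERVED is what an inventory scan reports. Field names are assumptions.
"""

INTENT = {
    "svc-billing": {"role": "reader", "bucket_acl": "private", "deps": {"requests": "2.32.0"}},
    "svc-reports": {"role": "reader", "bucket_acl": "private", "deps": {"requests": "2.32.0"}},
}
OBSERVED = {
    # One over-privileged role, one over-broad bucket ACL, one stale dependency:
    # none of these alone trips an alert, together they form a credible path.
    "svc-billing": {"role": "admin", "bucket_acl": "public-read", "deps": {"requests": "2.25.0"}},
    "svc-reports": {"role": "reader", "bucket_acl": "private", "deps": {"requests": "2.32.0"}},
}

# Map each drifting field to a risk class so unrelated drifts can be combined.
FIELD_CLASS = {"role": "privilege", "bucket_acl": "exposure"}


def detect_drift(intent, observed):
    """Return (service, field, intended, actual) tuples where observed state departs from intent."""
    findings = []
    for svc, want in intent.items():
        have = observed.get(svc, {})  # a missing service surfaces as drift with actual=None
        for field, want_val in want.items():
            have_val = have.get(field)
            if field == "deps":
                for dep, want_ver in want_val.items():
                    have_ver = (have_val or {}).get(dep)
                    if have_ver != want_ver:
                        findings.append((svc, f"dep:{dep}", want_ver, have_ver))
            elif have_val != want_val:
                findings.append((svc, field, want_val, have_val))
    return findings


def classify(field):
    """Bucket a drifted field into privilege / exposure / patch / config."""
    return "patch" if field.startswith("dep:") else FIELD_CLASS.get(field, "config")


def attack_paths(findings, min_classes=2):
    """Services whose drifts span at least min_classes distinct risk classes, with those classes."""
    by_svc = {}
    for svc, field, _, _ in findings:
        by_svc.setdefault(svc, set()).add(classify(field))
    return {svc: sorted(cls) for svc, cls in by_svc.items() if len(cls) >= min_classes}


if __name__ == "__main__":
    drift = detect_drift(INTENT, OBSERVED)
    for f in drift:
        print("drift:", f)
    print("attack paths:", attack_paths(drift))
```

Each drift alone reads as hygiene; the second function is what turns the accumulated "droplets" into a finding a responder can act on.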
A meaningful shift
We need to shift our thinking away from purely acute incident response. Chronic incidents are critical to recognize and address. Traditionally, we’ve struggled as an industry to have the capacity even to recognize such incidents. But, as with all technology, time gives us something: democratization. That’s the phenomenon where technology and capability become available to everyone, and it is happening with AI. First, we need to recognize that incident response must be truly proactive, not just checkbox security. Second, we need to realize that incident response is a chronic activity. Our industry often talks about how AI is creating a “shift left” world, where workers need to bring more skills to the table to remain relevant. I’m convinced that helping organizations shift to include chronic incident response is one of the most important shifts we can implement.
The transformation I’m hoping AI can help us achieve isn’t just better acute incident response. It’s the move from managing realized risk to managing accumulated, latent risk — the slow-building oil slick that nobody has named yet. That means treating technical debt as a security metric, mapping regulatory exposure in real time, and giving security leaders a way to argue for maintenance work in the language of risk rather than engineering hygiene.
The technology to do much of this exists today. Just as zero-trust technology has begun to democratize, AI-based proactive incident response is becoming available, too. The harder challenge is cultural: leadership must treat micro-aggression risk as real risk, and organizations must build the remediation capacity to act on what AI surfaces.
Few debate whether or not to clean up a major oil spill. But right now, no one is addressing the larger, chronic accumulation of micro-aggressions involving natural or cybersecurity “runoff.” From a cybersecurity perspective, AI finally gives us the instrument to see and react to that runoff clearly — and the opportunity to stop it before it reaches the water.