Can Generative AI be used in cybersecurity?
Admittedly, we were skeptical that Generative AI was ready to help us in our SOC operations for threat detection and response. We had heard all the vendor hype, but no one had any examples of real success. So, we built out an operational test environment and put Gen AI to the test.
For our initial test, we used our internal SIEM infrastructure, consisting of Elastic v8.14 with its AI Assistant and Attack Discovery modules, combined with several Large Language Models (LLMs) to determine which gave the best performance and accuracy for threat detection with response and remediation guidance. (Later we set up similar environments with Splunk and MS Sentinel.) We ran tests with analysts of multiple experience levels on a broad range of real production alert investigations, both with and without Gen AI. The goal of our testing was to determine whether Gen AI would increase our threat detection speed and alert fidelity, as well as the effectiveness of our SOC Analysts' investigative breadth, response guidance, and overall productivity. Our results were both surprising and gratifying.
Key Takeaways
1. 34% Reduction in Investigation Time
The ability of Gen AI to provide expert-level alert summarization, contextualized SIEM queries, and well-crafted response and remediation guidance significantly accelerated the overall threat detection and response process. This time reduction is especially valuable given the volume and complexity of modern-day cyber threats.
2. Benefits to Junior Analysts
Gen AI supports less experienced SOC analysts by providing valuable investigation insights and answering queries that would otherwise need senior analyst involvement. This capability not only fosters faster learning but also reduces the workload on senior team members.
3. Cross-Device Correlation and Situational Awareness
AI-assisted threat hunting with cross-device correlation of up to 100 events in the last 24 hours demonstrated the ability to connect related incidents, which is crucial for building a detailed attack chain analysis. The integration with the MITRE ATT&CK framework further enhances attack comprehension and mitigation strategies.
4. Cost Effectiveness
The low token cost per investigation, ranging from half a cent to 1 cent, demonstrates a financially viable path forward, even at scale.
Future Capabilities
We are working on combining Gen AI with Active Defense Response automation, playbook generation, and predictive analysis. These capabilities have the potential to:
- Enable proactive security responses
- Streamline incident orchestration
- Enhance executive-level reporting, improving communication with stakeholders
Overall Impact
Analyst feedback showcasing reduced alert fatigue and increased situational awareness is a testament to Gen AI’s real-world applicability. Our approach to integrating it into existing SIEM and XDR infrastructure with Elastic, Splunk, and MS Sentinel, as well as serving diverse customer environments, shows a practical path forward for other organizations considering similar directions.
This is a fascinating example of how AI can help not only with automation but also with enhancing the cognitive capabilities of human analysts in a high-pressure, fast-paced cybersecurity environment.
Feedback from all Analysts was extremely positive. Each Analyst was excited about the ability to use this in future investigations, as it allowed them to streamline and speed up their normal investigation time. This speed increase came in three major areas: summaries of the alert and its importance, Elastic queries to more quickly find the contextual logs in Discover, and remediation and next-steps write-ups. Overall, our migration to using Gen AI in our SOC provided increased productivity, reduced analyst alert fatigue, and increased alert guidance with situational awareness for our client threat responders.
Proficio At A Glance
Proficio is a leading global Managed Detection and Response provider offering SOC-as-a-Service to hundreds of organizations of all sizes and industries. We have three global SOC teams in the US, Europe, and Singapore. We use an internally hosted SIEM and XDR technology stack, and also support customer-owned Splunk and Microsoft Sentinel environments, to provide the most advanced threat detection and response in the MDR industry.