Security Operations Challenges
Talent gaps: 59% of cybersecurity teams are understaffed.
Hidden threats: on average only 10% of alerts can be triaged.
Alert fatigue: 4-10K alerts per day.
The requirements
1. We don't want to miss cyber threats,
2. but we don't need more alerts!
3. We don't have enough people.
Does Cyber GenAI help?
Our pre-GenAI approach
1. Create thousands of connectors and parsers to normalize event data from anywhere.
2. Store all of the data on S3 and OpenSearch.
3. Analyze the data for anomalies with Amazon EMR and ML models.
4. Report findings back to the customer.
5. Customer investigates.
(Diagram components: Data Sources, Data Lake, Search Service, ML Models, Anomaly, Human.)
Effective, but hard to scale
What worked:
- Ingesting data
- Analyzing and matching
- Searching obscene data volumes
What didn't:
- Didn't have time to investigate all findings
How do we find time to investigate everything that is "weird"? Detecting anomalies was not enough. We needed to focus on the right signals. We needed gen AI.
Why Prompt Engineering is important
Trellix WISE – link human knowledge with GenAI engine
- 100% coverage of all alerts
- Trellix human expertise and knowledge make Trellix WISE ask the RIGHT questions
- Accelerate time to detect, investigate and respond
- Allow your IT/Security staff to focus on more important things
(Diagram components: Data Sources, Data Lake, ML Models, Rules, Threat Intel, Anomaly, Amazon Bedrock, Human. Diagram labels: "Questions about this anomaly", "Hypothesis from Human Expertise", "Investigation Tips", "Guided Investigation".)
Trellix XDR Auto Investigation (example walkthrough)
Flow: New alert (AWS Alert) -> Alert created -> Trellix XDR Auto Investigation with Amazon Bedrock AI -> Investigative tips and retro searching -> Case created.
Investigative tips asked against the data:
- Did the user receive any phishing emails? Yes. (Phishing email: initial compromise)
- Were any service accounts created by the user? Yes. (Service account created: lateral movement)
- What other alerts happened in this AWS account? X, Y, Z.
Conclusion: "User received phishing emails, created service accounts, and had multiple AWS alerts, so raise the severity to critical."
Real-world examples of GenAI auto-investigations
Alert: file write to named pipe (methodology)
GenAI ANALYSIS: Based on the information provided, there are a few factors to consider:
- The IOC detected relates to use of named pipes for command and control, which is inherently suspicious activity.
- The same IOC was triggered by 2 other hosts in the last 24 hours.
- The source IP has communicated with several external IPs, some of which appear to be cloud hosting providers.
- The source hostname and user are tied to other recent alerts, indicating repeated suspicious activity.
- The affected asset is the 'system' account, which has high privileges on the host.
While none of these are definitive signs of compromise on their own, together they paint a picture of potentially malicious activity that warrants further investigation. The source system and user should be examined more closely through additional logging and monitoring. I would recommend raising the severity of this alert to High, to escalate the response. The clustering of related activity and criticality of the affected asset justify treating this with increased urgency. However, more conclusive evidence would likely be needed to declare this a verified incident. Continued monitoring and gathering of forensic data should be prioritized.
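The guided investigation on the two slides above (pre-built questions answered from the data, answers combined into a severity recommendation and a case decision) can be shown in a few dozen lines. The following is an added example written for this page, not Trellix WISE code: the three telemetry lists are constructed sample records, the "tips" are plain Python functions standing in for the product's pre-built investigations, and the escalation policy (one severity step per corroborating answer, never an automatic downgrade) is this example's own assumption.

```python
"""Guided auto-investigation of an alert (added illustration, not product code).

Assumptions: telemetry is three small in-memory lists of constructed records;
each 'investigative tip' is a function that answers one question from that
data; severity rises one step per corroborating answer and is never lowered
automatically, so the analyst keeps the final say.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed sample telemetry (not real data).
EMAIL_LOG = [
    {"recipient": "jdoe", "subject": "Invoice overdue", "verdict": "phishing"},
    {"recipient": "asmith", "subject": "Team lunch", "verdict": "clean"},
]
IAM_EVENTS = [
    {"actor": "jdoe", "account": "111111111111", "action": "CreateUser", "target": "svc-backup"},
    {"actor": "jdoe", "account": "111111111111", "action": "CreateAccessKey", "target": "svc-backup"},
]
ALERTS = [
    {"id": "A-1", "account": "111111111111", "name": "RootCredentialUsage"},
    {"id": "A-2", "account": "111111111111", "name": "UnusualRegionActivity"},
    {"id": "A-3", "account": "222222222222", "name": "S3PublicBucket"},
]

SEVERITY_LADDER = ["low", "medium", "high", "critical"]


@dataclass
class Alert:
    id: str
    name: str
    user: str
    account: str
    severity: str = "medium"


@dataclass
class Finding:
    question: str
    answer: bool
    evidence: list = field(default_factory=list)


# Investigative tips: each is a question plus the lookup that answers it.
def received_phishing(alert: Alert) -> Finding:
    hits = [e["subject"] for e in EMAIL_LOG
            if e["recipient"] == alert.user and e["verdict"] == "phishing"]
    return Finding("Did the user receive any phishing emails?", bool(hits), hits)


def created_service_accounts(alert: Alert) -> Finding:
    hits = [e["target"] for e in IAM_EVENTS
            if e["actor"] == alert.user and e["action"] == "CreateUser"]
    return Finding("Were any service accounts created by the user?", bool(hits), hits)


def other_alerts_in_account(alert: Alert) -> Finding:
    hits = [a["id"] for a in ALERTS
            if a["account"] == alert.account and a["id"] != alert.id]
    return Finding("What other alerts happened in this AWS account?", bool(hits), hits)


TIPS: list[Callable[[Alert], Finding]] = [
    received_phishing, created_service_accounts, other_alerts_in_account,
]


def investigate(alert: Alert) -> dict:
    """Run every tip, escalate by the number of corroborating answers, and
    decide whether a case should be opened for a human analyst."""
    findings = [tip(alert) for tip in TIPS]
    corroborating = sum(1 for f in findings if f.answer)
    start = SEVERITY_LADDER.index(alert.severity)
    severity = SEVERITY_LADDER[min(start + corroborating, len(SEVERITY_LADDER) - 1)]
    summary = "; ".join(
        f"{f.question} {'Yes' if f.answer else 'No'} {f.evidence if f.answer else ''}".strip()
        for f in findings
    )
    return {
        "alert": alert.id,
        "findings": findings,
        "severity": severity,
        "summary": summary,
        "open_case": severity in ("high", "critical"),
    }


if __name__ == "__main__":
    result = investigate(Alert("A-0", "AWS Alert", "jdoe", "111111111111"))
    print(result["summary"])
    print("severity:", result["severity"], "open case:", result["open_case"])
```

The design point is that every question is answered with evidence, not just a yes/no, so the summary handed to the analyst carries the same justification the slide's GenAI analysis does; adding a new investigative tip is one more function appended to TIPS, which is what "pre-built investigations" amount to in practice.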
What it takes to make Trellix WISE work
- Initial findings to investigate
- Sub-second data retrieval times for all answers
- Pre-built investigations for generative AI to ask the right questions
Find me the Top Ten Things I need to look at
1,000,000,000 events -> (analytics, rules, and intel) -> 1,000 anomalies -> (GenAI) -> 10 alerts
Tuning across the entire ecosystem
Helix Connect allows Trellix Wise to be given specific instructions and guidance for its decision making. This can be anything. Examples:
- Always escalate endpoint alerts when the user has access to AWS.
- Only escalate alerts from endpoints belonging to sales on weekends.
- Be more suspicious of phishing emails near the end of the fiscal quarter.
- Translate everything into Vietnamese.
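Three of the tuning instructions above are decision rules, and it is worth seeing what they look like once they have to coexist on one alert (a sales endpoint whose user also has AWS access matches the first two at once). The following is an added example, not Helix Connect or Trellix Wise code: the Rule structure, the Alert fields, the effect names ("escalate", "hold", "bump"), the precedence of a blanket escalate over a narrower hold, and the assumption that fiscal quarters align with calendar quarters are all this example's own choices.

```python
"""Customer tuning instructions applied to an alert (added illustration).

Assumptions (not the product's): alerts are small records with the fields
below; a rule is a predicate plus one of three effects; an explicit
"escalate" outranks "hold" so a blanket instruction is never silently
overridden by a narrower one; fiscal quarters equal calendar quarters.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Callable

LEVELS = ["low", "medium", "high", "critical"]


@dataclass
class Alert:
    source: str          # "endpoint", "email" or "aws" (assumed taxonomy)
    user: str
    owner_group: str     # business unit that owns the endpoint
    user_has_aws: bool   # does this user hold AWS access?
    category: str        # e.g. "phishing", "malware"
    when: str            # ISO-8601 timestamp, e.g. "2024-03-27T10:00:00"
    suspicion: int = 1   # index into LEVELS before tuning is applied


@dataclass
class Rule:
    name: str
    applies: Callable[[Alert], bool]
    effect: str          # "escalate": force critical; "hold": park it; "bump": +1 level


def alert_time(a: Alert) -> datetime:
    return datetime.fromisoformat(a.when)


def is_weekend(dt: datetime) -> bool:
    return dt.weekday() >= 5


def near_fiscal_quarter_end(d: date, window_days: int = 14) -> bool:
    # Assumption: fiscal quarters align with calendar quarters.
    q_end_month = ((d.month - 1) // 3 + 1) * 3
    next_q_start = date(d.year + (q_end_month == 12), q_end_month % 12 + 1, 1)
    q_end = next_q_start - timedelta(days=1)
    return 0 <= (q_end - d).days <= window_days


RULES = [
    # "Always escalate endpoint alerts when the user has access to AWS."
    Rule("aws-user-endpoint",
         lambda a: a.source == "endpoint" and a.user_has_aws, "escalate"),
    # "Only escalate alerts from endpoints belonging to sales on weekends."
    Rule("sales-endpoints-weekends-only",
         lambda a: a.source == "endpoint" and a.owner_group == "sales"
         and not is_weekend(alert_time(a)), "hold"),
    # "Be more suspicious of phishing emails near the end of the fiscal quarter."
    Rule("phishing-quarter-end",
         lambda a: a.category == "phishing"
         and near_fiscal_quarter_end(alert_time(a).date()), "bump"),
]


def decide(alert: Alert, rules: list = RULES) -> dict:
    """Apply the customer's rules and return the action, severity and the
    names of the rules that fired, so the decision is explainable."""
    fired = [r for r in rules if r.applies(alert)]
    effects = {r.effect for r in fired}
    level = alert.suspicion + sum(1 for r in fired if r.effect == "bump")
    level = min(level, len(LEVELS) - 1)
    if "escalate" in effects:
        action, level = "escalate", len(LEVELS) - 1
    elif "hold" in effects:
        action = "hold"
    else:
        action = "investigate"
    return {"action": action, "severity": LEVELS[level], "rules": [r.name for r in fired]}


if __name__ == "__main__":
    a = Alert("endpoint", "bob", "sales", True, "malware", "2024-03-27T10:00:00")
    print(decide(a))   # escalate wins over hold for a sales user with AWS access
```

Returning the list of fired rules alongside the verdict is the part worth copying: when a customer later asks why a weekday sales alert was parked or a quarter-end phishing alert was bumped, the answer is in the record rather than in the model's prose.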
SecOps evolution
Before                                          | After
Analyst overwhelmed by alerts                   | Focus on top 1% without penalty
Waste time tuning tools to reduce alerts        | Turn on all available alert sources
Only investigate alerts that are clear/obvious  | Deep investigations on most valuable alerts
Reduce alert aperture to known-bad              | Spend time on innovation and threat hunting
Ignore most alerts                              | No alerts ignored
What makes a robust cyber security infrastructure
- Data Lake
- Human Expertise
- AI
- Architecture
- Platform
- Sensors (many)