We’ve arrived at a point where it’s unreasonable for security operations centers (SOCs) to be entirely human-powered. IT infrastructure is sprawling with the prevalence of SaaS apps and public cloud usage. Security incidents are more common than ever; ransomware is being deployed within days, not weeks, of vulnerability exploitation, and cybersecurity devices continue to expand their telemetry—and, as a side effect, inundate analysts with alert data, which can result in alert fatigue.
Large language models (LLMs) like GPT-4 have been posited as a potential solution to this manual effort (we believe there’s merit there as well), but artificial intelligence (AI) isn’t going to magically solve all of your problems.
This blog focuses on what you can do today to incorporate a more automated approach to incident response and incident management in your environment. We’ll also interject where we think machine learning and LLMs can be used today or in the future to accelerate the process.
Everyone’s incident response process, security tools, and ability/willingness to code vary dramatically when addressing these issues, so we’re illustrating high-level concepts that may require some massaging for your specific environment.
Plainly, incident response automation involves going from threat or cyber attack identification to eradication and remediation with as few humans in the loop as possible. This fits into three primary buckets of activity:
Generally, there are two types of detection activities that teams want to automate:
In recent years, generated detection content has been surprisingly less of an ask from security teams. Native security tools generally come with their own out-of-the-box rules that cover a broad set of use cases, typically mapped to MITRE ATT&CK. While reasonable coverage of MITRE ATT&CK tactics is a great place to start, if you’re looking for additional rule coverage, LLMs are quite good at building rule content given a guided prompt, which we discussed in a previous blog.
Tuning is generally the greater challenge. The sheer number of out-of-the-box rules from different security products produces more signal than security teams can handle. We’ve discussed how to build a strong process to address tuning, and with some clever scripting and periodic automation, there’s no reason you can’t automate this process as well.
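As an added illustration of the kind of periodic tuning script described above (example code, not Prophet Security's own tooling), the following Python finds detection rules that are both high-volume and mostly false positive, then looks for a single host or user that accounts for most of the noise and never appears in a true positive, which is the usual candidate for a rule exclusion. The alert records and analyst dispositions are constructed sample data; the field names and thresholds are assumptions you would adapt to your SIEM's schema.

```python
"""Rule-tuning helper: flag noisy detection rules from analyst-dispositioned
alerts and propose candidate exclusions.

Added example, not Prophet Security's code. SAMPLE_ALERTS is constructed data;
the disposition labels are assumed to come from analyst review of closed alerts."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    disposition: str  # "true_positive" or "false_positive" (analyst-assigned)


# Constructed sample: one rule fires constantly on a backup host, one is clean,
# one is noisy but below the volume threshold.
SAMPLE_ALERTS = [
    *[Alert("PsExec Lateral Movement", "backup-01", "svc_backup", "false_positive") for _ in range(40)],
    Alert("PsExec Lateral Movement", "ws-17", "jdoe", "true_positive"),
    Alert("PsExec Lateral Movement", "ws-22", "asmith", "false_positive"),
    *[Alert("Mimikatz Credential Access", "ws-09", "mallory", "true_positive") for _ in range(3)],
    *[Alert("Suspicious PowerShell Download", "ws-03", "svc_patch", "false_positive") for _ in range(8)],
    Alert("Suspicious PowerShell Download", "ws-11", "bob", "true_positive"),
]


def rule_stats(alerts):
    """Per-rule alert volume and false-positive rate."""
    total = Counter(a.rule for a in alerts)
    fps = Counter(a.rule for a in alerts if a.disposition == "false_positive")
    return {r: {"volume": total[r], "fp_rate": fps[r] / total[r]} for r in total}


def noisy_rules(alerts, min_volume=10, max_fp_rate=0.5):
    """Rules worth tuning: enough volume to matter, and mostly false positives."""
    stats = rule_stats(alerts)
    return sorted(r for r, s in stats.items()
                  if s["volume"] >= min_volume and s["fp_rate"] > max_fp_rate)


def propose_exclusion(alerts, rule, field, min_share=0.6):
    """If one value of `field` ("host" or "user") accounts for at least min_share
    of the rule's false positives and never appears in a true positive, return
    (value, share) as an exclusion candidate; otherwise return None."""
    fps = [getattr(a, field) for a in alerts
           if a.rule == rule and a.disposition == "false_positive"]
    tps = {getattr(a, field) for a in alerts
           if a.rule == rule and a.disposition == "true_positive"}
    if not fps:
        return None
    value, count = Counter(fps).most_common(1)[0]
    share = count / len(fps)
    if share >= min_share and value not in tps:
        return value, round(share, 2)
    return None


if __name__ == "__main__":
    for rule in noisy_rules(SAMPLE_ALERTS):
        print(rule, rule_stats(SAMPLE_ALERTS)[rule])
        for f in ("host", "user"):
            print("  candidate exclusion on", f, propose_exclusion(SAMPLE_ALERTS, rule, f))
```

The "never appears in a true positive" check is the important guard: an exclusion that silences a host which has produced a real detection trades noise for a blind spot, so the script refuses to propose it and leaves that rule for a human to tune.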
This may be the hardest of the bunch to automate successfully. There’s no shortage of workflow, Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools you may have in your tool belt to help with this problem, but there are some challenges.
We believe building investigations and dynamic plans is one of the areas that LLMs will help with most in the future, but today, focus on enriching your alert with as much threat intelligence and contextual data as possible to minimize false positives and reduce the cycles it takes for your team to interpret what’s happening.
Ultimately, you won’t be hands-off with an off-the-shelf approach to investigation, but you may significantly reduce the effort of manual data collection for incident responders and, hence, improve your response capabilities.
Seconds matter when it comes to active threat activity, like active malware or security breaches, and real-time mitigation is essential. Building incident response playbooks that automatically contain assets, block process execution or IP traffic, and ban malicious binaries identified across the environment is therefore a solid win.
For extremely high-confidence detections, you may want to trigger a subset of these response actions automatically on detection to create an automated response strategy.
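To show how the enrichment step and the confidence gate for automated response fit together, here is an added Python example (not Prophet Security's code). It enriches each alert with threat-intel matches, asset criticality and an admin-host allow-list, computes a combined confidence, and only emits containment actions (isolate host, block IP, ban hash) when that confidence clears a high threshold; everything else is routed to an analyst queue with a priority. The intel feed, asset inventory, allow-list, scoring weights and alerts are all constructed assumptions; in a real deployment the actions would be API calls to your EDR or firewall rather than strings.

```python
"""Alert enrichment and confidence-gated automated response.

Added example, not Prophet Security's code. The threat-intel feed, asset
inventory, allow-list and alerts are constructed sample data; in practice they
come from your TI platform, CMDB and SIEM/EDR APIs."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed threat intel: indicator -> (confidence 0-100, description)
THREAT_INTEL = {
    "203.0.113.45": (90, "C2 infrastructure (constructed sample)"),
    "0f" * 32: (95, "malicious binary SHA-256 (constructed sample)"),
}
# Constructed asset inventory: host -> criticality 1 (low) .. 5 (crown jewel)
ASSETS = {"dc-01": 5, "ws-17": 2, "build-03": 4}
# Constructed allow-list: hosts where admin tooling is expected to run
EXPECTED_ADMIN_HOSTS = {"build-03"}

AUTO_RESPONSE_THRESHOLD = 90  # automated containment only at or above this score
ANALYST_HIGH_THRESHOLD = 60
ALLOWLIST_PENALTY = 30        # applied only when no TI corroborates the detection


@dataclass
class Alert:
    rule: str
    host: str
    base_confidence: int              # the detection's own score, 0-100
    dest_ip: Optional[str] = None
    file_hash: Optional[str] = None
    enrichment: dict = field(default_factory=dict)


def enrich(alert: Alert) -> Alert:
    """Attach TI hits, asset criticality and allow-list context to the alert."""
    hits = {}
    for label, indicator in (("dest_ip", alert.dest_ip), ("file_hash", alert.file_hash)):
        if indicator in THREAT_INTEL:
            hits[label] = THREAT_INTEL[indicator]
    alert.enrichment = {
        "ti_hits": hits,
        "asset_criticality": ASSETS.get(alert.host, 1),  # unknown host -> low
        "expected_admin_host": alert.host in EXPECTED_ADMIN_HOSTS,
    }
    return alert


def confidence(alert: Alert) -> int:
    """Detection score raised by the strongest TI hit, lowered when the host is
    allow-listed and the detection is purely behavioural; clamped to 0-100."""
    hits = alert.enrichment["ti_hits"]
    strongest = max((c for c, _ in hits.values()), default=0)
    score = alert.base_confidence + strongest // 2
    if alert.enrichment["expected_admin_host"] and not hits:
        score -= ALLOWLIST_PENALTY
    return max(0, min(100, score))


def decide(alert: Alert) -> dict:
    """Route an enriched alert: automated containment, analyst-high, or analyst-low."""
    score = confidence(alert)
    crit = alert.enrichment["asset_criticality"]
    hits = alert.enrichment["ti_hits"]
    actions = []
    if score >= AUTO_RESPONSE_THRESHOLD:
        actions.append("isolate_host")
        if "dest_ip" in hits:
            actions.append(f"block_ip:{alert.dest_ip}")
        if "file_hash" in hits:
            actions.append(f"ban_hash:{alert.file_hash}")
        queue = "auto_contained"
    elif score >= ANALYST_HIGH_THRESHOLD or crit >= 4:
        queue = "analyst_high"   # critical assets are reviewed first even at low score
    else:
        queue = "analyst_low"
    return {"rule": alert.rule, "host": alert.host, "confidence": score,
            "criticality": crit, "queue": queue, "actions": actions}


def triage(alerts):
    """Enrich and route a batch of alerts; decisions are returned in input order."""
    return [decide(enrich(a)) for a in alerts]


# Constructed sample alerts
SAMPLE_ALERTS = [
    Alert("Outbound beacon", "ws-17", 60, dest_ip="203.0.113.45"),
    Alert("Unsigned binary executed", "build-03", 75, file_hash="0f" * 32),
    Alert("PsExec usage", "build-03", 92),
    Alert("Unusual logon time", "ws-17", 40),
    Alert("Unusual logon time", "dc-01", 40),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(d)
```

Two details carry the point of the section. The allow-list penalty only applies when the detection is behavioural and uncorroborated, so a known-malicious hash on a build server is still contained automatically, while a bare PsExec detection on the same server drops below the gate and goes to an analyst. And asset criticality never raises confidence; it raises analyst priority, which keeps automated containment tied to evidence rather than to how important the host is.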
Unfortunately, teams are saddled with the responsibility of building automation prior to threat identification to manage inbound alert notification queues and respond fast enough to contain modern cyber threats. Using native API integrations with your existing security tools and a good bit of elbow grease, you can reduce the amount of energy needed to manage detections, enrich alerts, and respond effectively to known threats. Ultimately, this will reduce response times and accelerate threat remediation.
The challenge is that incident response automation requires its own development cycle, with each alert requiring its own type of planning, integrations, and automation that puts a different strain on your team. Creating an automated incident response plan is no mean feat.
At Prophet Security, we’re building a different security future for teams with our AI-powered, out-of-the-box automation for alert triage and investigation for any security alert (including custom detections), so your teams can respond effectively without the cycle of prep work. Try out Prophet Security today to streamline your security operations.