See for yourself how Prophet AI can supercharge your security operations, accelerating alert investigation and response
Key benefits:
Lowers MTTR with AI-driven automated alert triage & investigation
Lowers risk by prioritizing critical alerts for analyst review
Eliminates manual effort, freeing analysts to focus on high-impact security tasks
We’ve arrived at a point where it’s unreasonable for security operations to be entirely human powered. IT infrastructure is sprawling with the prevalence of SaaS apps and public cloud usage, ransomware is being deployed within days, not weeks of a vulnerability exploitation, and security devices continue to expand their telemetry – and as a side effect, inundate analysts with loads of alert data.
Large language models (LLMs) like GPT4 have been posited as a potential solution to the manual efforts (we believe there’s merit there as well) – but AI isn’t going to magically solve all of your problems.
This blog focuses on what you can be doing today to incorporate a more automated approach to incident response in your environment. We’ll also interject where we think LLMs can be used today or in the future to accelerate the process.
Everyone’s incident response process, security tools, and ability/willingness to code vary dramatically when addressing these issues – so we’re illustrating high level concepts that may require some massaging for your specific environment.
Plainly, it’s going from threat identification to eradication and remediation with as few humans in the loop as possible. This fits into three (3) primary buckets of activity:
Generally there are two types of activities that teams want to automate:
In recent years, generated detection content is surprisingly less of an ask from security teams. Generally, native security tools come with their own rules out of the box that cover a broader set of use cases that are typically MITRE ATT&CK focused. While a having reasonable coverage of MITRE ATT&CK tactics is a great place to start, if you’re looking for additional rule coverage, LLMs are quite good at building rule content given a guided prompt, which we discussed in a previous blog.
Tuning is generally the greater challenge. With so many out-of-the-box rules from different security products, they create too much signal for security teams to handle. We’ve discussed how to build a strong process to address tuning – and with some clever scripting and periodic automation, there’s no reason you couldn’t automate this process.
This may be the hardest of the bunch to automate successfully. There’s no shortage of workflow and Security Automation, Orchestration, and Response (SOAR) tools you may have in your toolbelt to help with this problem, but there are some challenges.
We believe building investigations and dynamic plans is one of the areas that LLMs will help with most in the future, but today, focus on enriching your alert as much as possible to reduce the cycles it takes for your team to interpret what’s happening.
Ultimately, you won’t be hands off with an off-the-shelf approach for investigation, but you may significantly reduce the effort of a manual data collection.
Seconds matter when it comes to active threat activity, so building playbooks that automatically contain assets, block process execution or IP traffic, and ban malicious binaries identified across the environment are solid wins. At a minimum, have simple scripts that can be used in your SOAR platform or manually executed by analysts in the event that malicious activity is identified. Generally you’ll want to use API calls against your security stack to perform the following base actions:
For extremely high confidence detections, you may want to automate a subset of these actions on detection triggers.
Unfortunately, teams are saddled with the responsibility of building automation prior to threat identification to manage inbound alert queues and respond fast enough to contain modern threats. Using native API integrations with your existing security tools and a good bit of elbow grease, you can reduce the amount of energy needed to manage detections, enrich alerts, and respond effectively to known threats. The challenge is that the need for automation is its own development cycle – with each alert requiring its own type of planning, integrations, and automation that put a different strain on your team.
At Prophet Security, we’re building a different security future for teams with our AI-powered, out-of-the-box automation for triage and investigation for any security alert (including custom rules), so your teams can respond effectively without the cycle of prep work. Try out Prophet Security today to streamline your security operations.
What is MFA fatigue attack?
Investigating geo-impossible travel alert
Top 3 scenarios for auto remediation
Alert tuning best practices
SOC metrics that matter
Key SOC tools every security operations needs
Demystifying SOC automation
Alert triage and investigation in cybersecurity: best practices
SOC analyst challenges vs SOC manager challenges
AI SOC: Key to solving persistent SOC challenges
AI SOC Analyst: A comprehensive guide