web analytics

RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations – Source: securityboulevard.com

rsac-2024-innovation-sandbox-|-dropzone-ai:-automated-investigation-and-security-operations-–-source:-securityboulevard.com
Rate this post

Source: securityboulevard.com – Author: NSFOCUS

The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry.

Figure 1: Top 10 Finalists for the RSAC 2024 Innovation Sandbox Contest

Today, let’s get to know the company Dropzone AI.

Introduction to Dropzone AI

Dropzone AI is a company specializing in automated security operations, founded by Edward Wu. With the mission statement “to equip cyber defenders with unlimited intelligence,” the company’s product positioning and core competitiveness are very clear.

Security operations have always required a large number of security experts to work continuously to ensure the normal operation of the entire security system and protect the client’s systems. However, with the advancement of Large Language Models (LLMs), cognitive automation has become a reality. The use of artificial intelligence to automate cybersecurity expertise and tools has become a trend. The company has provided many product examples, with the fundamental goal of using artificial intelligence to empower security operations.

AIE

Techstrong Podcasts

Figure 2: Edward Wu, CEO of Dropzone AI 

Product Capabilities

The company’s product operates in multiple directions of security operations. By using LLMs to simulate SOC analysts, it can achieve automated investigation and response. The product itself cannot run independently but integrates existing security tools, collects and analyzes data through tool calls, and makes automatic investigations to improve the efficiency of security operations. This product model gives it great flexibility. In the current complex security operations environment, it can maximize the use of existing tools according to the current environment, which is not only efficient but also more comprehensive in some cases than human consideration. The product itself has been pre-trained to call many tools, as shown in Figure 3.

Figure 3: Part of Tools for Integration

In the product introduction, an important point is raised: due to the limited efficiency and energy of manual security operations, it is often only possible to perform tier-1 level analysis on most alerts, which is preliminary screening, priority assessment, and other preliminary operations. Only after discovering high-risk alerts can a limited number of alerts be investigated in-depth. However, with automated security operations, the efficiency has been improved, allowing for in-depth analysis of a large number of alerts at tier-2 or tier-3 levels, thus providing a clearer understanding of the alerts and detecting real attacks.

The main competitive advantages of its products are as follows:

  • 100% judgment of all alerts.
  • Fully automated in-depth analysis.
  • Fully automated correlation analysis.
  • Automatic summarization with a good reasoning process, allowing for viewing the source data of reasoning at any time.
  • High environmental adaptability, decoupled from current products, can be used in any security operations environment without changing the original tools and environment.

In the example presentation, a total of nine scenarios are listed, divided into three types of usage methods. The first six scenarios are mainly used to explain the fully automated investigation and analysis capabilities. Contextual knowledge base Q&A and threat hunting are implemented through human-computer interactive dialogue. The final contextual inquiry demonstrates how to improve the efficiency of communication between people in security operations and reduce communication costs. Next, we will introduce the scenario examples, study its functions, and analyze the technical conjectures for implementing these functions.

Fully Automated Investigation System

Fully automated investigation is mainly used for various dangerous alert investigation scenarios. Dropzone AI will automatically call various tools for multi-angle analysis of an alert and automatically generate summaries and conclusions. On the Dropzone AI website, six use cases of automatic investigation are listed, which are:

  • Phishing
  • Endpoint
  • Network
  • Cloud
  • Identity
  • Insider Threat

We will take the endpoint alert as an example to analyze its automatic investigation effect and working principle in detail.

First, it clarifies the application scenario: Microsoft Defender has detected an attempt by an exe to attack and has blocked it. However, as a security operations staff, it is necessary to analyze the details.

Figure 4: An attack Detected by Microsoft Defender

As shown in Figure 4, the alert is generated by Microsoft Defender, and Dropzone AI does not perform underlying alert detection. It focuses on investigating the alerts that have been detected. This achieves the decoupling of upper-level analysis and lower-level alert extraction, making Dropzone AI’s SOC product easier to adapt to the current SOC environment without the need to modify the original SOC infrastructure.

1) List all alerts worth paying attention to

As shown in Figure 5, the first step is to identify the current alerts that are worth paying attention to. This is a simple engineering operation, but it is very necessary for improving user experience.

Figure 5: Critical Alert List

2) Overall Summary and Conclusion

The investigation results of Dropzone AI will be placed at the top for easy user browsing. As observed in Figure 4, the summary is clearly generated by a large model. It is speculated that the template may be similar to: “Write a summary based on the above information,” and the conclusion part is more like an enumerated result. The large model needs to give a “label”: malicious/noise/uncertain, etc. Then, based on the assessed level, a fixed conclusion is given. The conclusion in Figure 5 is “malicious,” so it is recommended to respond to the alert immediately.

Figure 6: Executive Summary and Conclusion

3) Reasoning and Evidence

The conclusions of Dropzone AI are not made out of thin air but are supported by complete reasoning details and conclusions. Figure 7 begins to present all its findings and details, combined with the reasoning given by the large model for the discovered details. Together, they form a chain of evidence. Through this part of the content, users can easily understand the source of the conclusion, observe its credibility, and even if there are errors in its reasoning, they can be easily discovered by operational experts.

Figure 7: Findings and Evidence
Figure 8: Microsoft 365 Defender Advanced Hunting API Calling Parameters and Return Results

Based on the displayed functions, it is speculated that it has called various different tools to analyze the alert. These results will be returned to the large model, and the large model will provide a summary based on the returned results. This achieves the combination of “evidence” and “reasoning,” ensuring that every piece of reasoning can be traced back to its source. In Figure 8, Dropzone AI called the Microsoft API, and the result was used to confirm that setup.exe is an executable file with an execution environment. In Figure 9, the large model received the result from the Microsoft 365 Defender Advanced hunting API and made the next move: running the exe file in a sandbox to analyze its behavior. In the analysis results, Dropzone AI discovered a detail that it attempted to establish a connection with an external IP.

Figure 9: Automatic Analysis and Summary
Figure 10: Part of Sandbox Analysis Result

4) Correlation Analysis

Up to this point, in-depth analysis by security experts can still be completed. However, correlation analysis requires experts to have a high sensitivity to data. Dropzone AI can achieve “sensitivity” to data through a large number of query statements. Figure 11 shows that based on the current dangerous IP, it discovered that other related devices in the system also attempted to connect to this IP.

Figure 11: Correlation Analysis

Human-Computer Interaction Mode

Dropzone AI provides different interaction methods for different application scenarios, different from the fully automated scenarios mentioned above. For threat hunting and knowledge bases, it adopts a natural language dialogue interaction method. As shown in Figures 12 and 13, it provides an interactive interface similar to ChatGPT, which can understand natural language, call tools to obtain results, and then return the results to the user in natural language.

Figure 12: Interface for Threat Hunting
Figure 13: Retrieve Results after Calling the Backend Database

AI Enhances Interpersonal Interaction Efficiency

The last scenario is to achieve rapid interaction through its SOC platform. In the example shown in Figure 14, the investigation personnel found a phishing email and needed to confirm whether the file had been executed, so they inquired with the employee who received the email. Dropzone AI can automatically generate an inquiry email, and the user only needs to click to send it.

Figure 14: Efficiency Improvement Between People

Conclusion

Dropzone AI is a company specializing in automated security operations. Its core product uses Large Language Models (LLMs) and artificial intelligence technology to greatly enhance the efficiency and accuracy of security operations. The company integrates existing security tools, automatically collects and analyzes data, and realizes in-depth investigation and response to various security alerts. This automation not only improves the ability to handle alerts but also allows for more complex and in-depth analysis (such as tier-2 and tier-3 levels). It can also generate detailed reasoning and evidence chains to help users better understand the nature of the alerts.

The features of Dropzone AI products include:

  • Fully automated investigation: The system can automatically call tools for multi-angle analysis of alerts and generate summaries and conclusions.
  • High flexibility and environmental adaptability: The product can easily adapt to the current security operations environment without changing the existing infrastructure.
  • Human-computer interaction mode:  Through a natural language interaction interface, the system can understand natural language, obtain and return data, providing a user experience similar to ChatGPT.
  • Enhancing interpersonal interaction efficiency: The system can automatically generate necessary inquiry emails, simplify the communication process, and accelerate the speed of problem resolution.

The applications of Dropzone AI are not limited to traditional security operations scenarios but also include phishing analysis, endpoint and network traffic alert analysis, cloud service and identity authentication alert analysis, etc., greatly expanding the application range of automated security operations. This comprehensive automated investigation system not only improves the efficiency of handling alerts but also enhances the response capability to complex security threats, representing an important advancement in modern network security defense.

More RSAC 2024 Innovation Sandbox Finalist Introduction:

The post RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/rsac-2024-innovation-sandbox-dropzone-ai-automated-investigation-and-security-operations/

Original Post URL: https://securityboulevard.com/2024/05/rsac-2024-innovation-sandbox-dropzone-ai-automated-investigation-and-security-operations/

Category & Tags: Security Bloggers Network,Blog,RSAC 2024; – Security Bloggers Network,Blog,RSAC 2024;

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
CISO2CISO Notepad Series
The sqreen DevSecOps Security Checklist
The sqreen DevSecOps Security Checklist
HADESS
DevSecOps Guides – Comprehensive resource for integrating security into the software development by HADESS
DevSecOps Guides – Comprehensive resource...
Splunk
81 Siem Very important Use Cases for your SOC by SPLUNK
81 Siem Very important Use...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...
Forrester - Allie Mellen
Adapt Or Die: XDR Is On A Collision Course With SIEM And SOAR – EDR Is Dead, Long Live XDR by Allie Mellen – Forrester
Adapt Or Die: XDR Is...
CYBER LEADERSHIP INTITUTE
CISO PLAYBOOK: FIRST 100 DAYS Setting the CISO up for success
CISO PLAYBOOK: FIRST 100 DAYS...

LASTEST PUBLISHED POSTS

National Security Agency
CSI Cloud Top10 Key Management
CSI Cloud Top10 Key Management
CSA Cloud Security Alliance
Defining the Zero TrustProtect Surface
Defining the Zero TrustProtect Surface
HANIM EKEN
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CONTAINER SECURITY INTERVIEW QUESTIONS ANSWERS
CNIL
PRACTICE GUIDE GDPR – SECURITY OF PERSONAL DATA Version 2024
PRACTICE GUIDE GDPR – SECURITY...
PWNED LABS
Cloud Security Engineer Roadmap
Cloud Security Engineer Roadmap
tutorialspoint.com
Cloud Computing Tutorial Simply Easy Learning
Cloud Computing Tutorial Simply Easy...
SMITHA SRIHARSHA
CISSP Preparation Notes
CISSP Preparation Notes
CISSP Mind Map: All Domains
CISSP Mind Map: All Domains
Lansweeper
CIS 18 CRITICAL SECURITY CONTROLS CHECKLIST
CIS 18 CRITICAL SECURITY CONTROLS...
Semaphore
CI-CD with Docker and Kubernetes
CI-CD with Docker and Kubernetes
EC-MSP
BUSINESS CONTINUITY PLAN & DISASTER RECOVERY PLAN TEMPLATE
BUSINESS CONTINUITY PLAN & DISASTER...
PWC
Building a risk-resilient organisation
Building a risk-resilient organisation

More Latest Published Posts

40 under 40
40 under 40 in CyberSecurity 2024
40 under 40 in CyberSecurity 2024
HADESS
40 Days in DeepDark Web About Crypto Scam
40 Days in DeepDark Web About Crypto Scam
Everbridge
8 Principles of Supply Chain Risk Management
8 Principles of Supply Chain Risk Management
CHAOSSEARCH
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
Threat Hunter’s Handbook – Using Log Analytics to Find and Neutralize Hidden Threats in Your Environment
ENDGAME
The Hunters Handbook Endgame’s Guide to Adversary Hunting
The Hunters Handbook Endgame’s Guide to Adversary Hunting
THE EU’S MOST THREATENING by EUROPOL
THE EU’S MOST THREATENING by EUROPOL
National Cyber Security Centre
Responding to a cyber incident – a guide for CEOs
Responding to a cyber incident – a guide for CEOs
IGNITE Technologies
CREDENTIAL DUMPING
CREDENTIAL DUMPING
HADESS
Pwning the Domain Lateral Movement
Pwning the Domain Lateral Movement
Jorgen Lanesskog
PING Basic IP Network Troubleshooting
PING Basic IP Network Troubleshooting
TELESOFT
Layer 7 Visibility What are the Benefits?
Layer 7 Visibility What are the Benefits?
TIGERA
Introduction to Kubernetes Networking and Security
Introduction to Kubernetes Networking and Security
Department of Defense's (DoD)
Defense Industrial Base Cybersecurity Strategy 2024
Defense Industrial Base Cybersecurity Strategy 2024
Dummies
Zero Trust Access for Dummies Fortinet
Zero Trust Access for Dummies Fortinet
Homeland Security
Zero Trust Implementation Strategy
Zero Trust Implementation Strategy
National Australia Bank Limited
Your Business and Cyber Security
Your Business and Cyber Security
CYFIRMA
Xeno RAT- A New Remote Access Trojan
Xeno RAT- A New Remote Access Trojan
IGNITE Technologies
Windows Persistence COM Hijacking MITRE T1546 015
Windows Persistence COM Hijacking MITRE T1546 015
IGNITE Technologies
Windows Exploitation Rundll32
Windows Exploitation Rundll32
IGNITE Technologies
Windows Exploitation Msbuild
Windows Exploitation Msbuild
HADESS
Web LLM Attacks
Web LLM Attacks
HADESS
Trended Protocols for Security Stuff
Trended Protocols for Security Stuff
Red Iberoamericana de Protección de Datos
Transferencia Internacional de Datos Personales – Guia de Implementación
Transferencia Internacional de Datos Personales – Guia de Implementación
CYFIRMA
TRACKING RANSOMWARE January 2024
TRACKING RANSOMWARE January 2024
https://www.linkedin.com/in/harunseker/
TOP Cyber Attacks Detected by SIEM Solutions
TOP Cyber Attacks Detected by SIEM Solutions
TRAVARSA
Top 100 Cyber Threats and Solutions 2024
Top 100 Cyber Threats and Solutions 2024
Top 50 Cybersecurity Threats
Top 50 Cybersecurity Threats
OWASP
Top 10 Considerations for Incident Response
Top 10 Considerations for Incident Response