
RSAC 2024 Innovation Sandbox | Dropzone AI: Research and Judgment of Automated Security Operations


Date: May 6, 2024

On May 6th, RSA Conference 2024 will officially open. Known as the “Oscars of Security”, the RSAC Innovation Sandbox has become an innovation benchmark in the network security industry. Under the banner of innovation, join Mr. Green Alliance to focus on new hot spots in network security and gain insight into new trends in security development.

In this installment, we walk into Dropzone AI.

*RSAC 2024 Innovation Sandbox Top Ten

Company background

Dropzone AI is an automated security operations company founded by Edward Wu. The company's stated goal, “Our mission is to provide unlimited intelligence to network defenders”, also describes its product positioning and core competencies very clearly. Security operations have always required the continuous work of a large number of security experts to keep the entire security system running normally and to protect customer systems. With the advancement of LLMs (large language models), however, cognitive automation has been achieved, and leveraging artificial intelligence to automate cybersecurity expertise and tools has become a trend. The company gives many product examples, all with the fundamental goal of using artificial intelligence to empower security operations.

Figure 1 Edward Wu Founder and CEO

Product capability introduction

The company's product functions span multiple areas of security operations. By using an LLM to simulate expert SOC analysts, it can automate research and judgment and even response. The product does not run independently; instead, it integrates existing security tools and uses tool calls to collect and analyze data and to carry out automatic research and judgment, which improves the efficiency of security operations. This product model gives it strong flexibility: in today's complex security operations environments, existing tools can be used to the fullest extent according to the environment at hand. It is not only highly efficient, but in some cases can be more comprehensive than what a human would think of. The product itself has been pre-trained to call many tools, as shown in Figure 2.

Figure 2 Examples of some system embedded tools

The product introduction makes a very important point: because human efficiency and energy are limited in security operations, most alarms can only be analyzed at the tier-1 level, that is, preliminary screening, priority assessment and other preliminary operations. Only after a high risk is discovered can a limited number of alarms be investigated in depth. Once security operations are automated, efficiency improves and a large number of alarms can be analyzed in depth at the tier-2 or tier-3 level, so that alarms are understood more clearly and real attacks are discovered.

The main competitive strengths of the product are as follows:

100% evaluation of all alarms.

Fully automated in-depth analysis.

Fully automated correlation analysis.

Automatic summaries and a clear inference process; the source data behind each inference can be viewed at any time.

High environmental adaptability: it is decoupled from current products and can be used in any security operations environment without changing the original tools and environment.

The example display lists nine scenarios in total, divided into three usage methods. The first six scenarios mainly illustrate the fully automated research and analysis capabilities. Contextual knowledge base question answering and threat hunting are implemented through interactive human-computer dialogue. The final scenario, contextual inquiry, shows how the product can improve the efficiency of communication between people in security operations and reduce communication costs. Next, we introduce the scenario examples, study their functions, and infer the techniques used to implement them.

Fully automatic research and judgment system

Fully automatic research and judgment is mainly used to assess various dangerous alarm scenarios. Dropzone AI automatically calls various tools to analyze an alarm from multiple angles and automatically generates summaries and conclusions. Its official website provides six scenarios for automatic analysis: phishing email analysis, terminal alarm analysis, network traffic alarm analysis, cloud service alarm analysis, identity authentication alarm analysis and internal threat alarm analysis. Let's take terminal (endpoint) alarms as an example and analyze in detail the effect and working principle of its automatic analysis and judgment. First, the application scenario: Microsoft Defender has discovered an exe attempting an attack and blocked it, but as a security operator you still need to analyze the details.

Figure 3 Microsoft Defender discovered an attack

As shown in Figure 3, this alarm was generated by Microsoft Defender. Dropzone AI does not perform the underlying alarm discovery, but focuses on the research and judgment of alarms that have already been discovered. This decouples upper-level analysis from lower-level alarm extraction, making it easier for Dropzone AI's SOC products to adapt to the current SOC environment without modifying the original SOC infrastructure.

1) List all alarms worthy of attention

As shown in Figure 4, the first step is to discover alarm information that is currently worthy of attention. This is a simple engineering operation, but it is very necessary to improve the user experience.

Figure 4 High-risk alarm list

2) Overall summary and conclusion

The research and judgment results of Dropzone AI are placed at the top so that users can browse them easily. As shown in Figure 4, the summary is evidently generated by a large model. We speculate that the prompt template may be similar to “Write me a summary based on the above information”, while the conclusion part looks more like the result of an enumeration: the large model is asked to give a “label” such as malicious/noisy/uncertain, and a fixed conclusion is then given based on the label it assigns. The conclusion in Figure 4 is “malicious”, so it is recommended to respond to the alarm immediately.

Figure 5 Dropzone AI alarm summary and conclusion

3) Reasoning and evidence

The conclusion of Dropzone AI is not made out of thin air, but is backed by complete reasoning details. Figure 6 shows all of its findings and details, combined with the reasoning the large model gives for each discovered detail; together they form a chain of evidence. From this part, users can easily understand where the conclusion comes from and judge its credibility. Even if an inference is wrong, operations experts can easily spot it.

Figure 6 Details of Dropzone AI discovery and evidence chain
Figure 7 Microsoft 365 Defender Advanced hunting API call parameters and return results

Based on the functions it displays, we infer that it uses a variety of different tools to analyze alarms. The tool results are returned to the large model, which gives a summary based on them. In this way, “evidence” and “reasoning” are combined, and a source can be found for every inference. In Figure 7, Dropzone AI calls Microsoft's API, and the result is used to confirm that setup.exe is an executable file with an execution environment. In Figure 8, the large model receives the results from the Microsoft 365 Defender Advanced hunting API and takes the next step: actually running the exe file in a sandbox to analyze its behavior. In the analysis results, Dropzone AI found one detail: the file was trying to establish a connection with an external IP.

Figure 8 Dropzone AI analysis: this file can be executed, and the analysis results after execution are automatically summarized
Figure 9 Partial sandbox analysis results

As before, every step of the inference is supported by evidence, and the raw data from each evidence source is available with a click. As shown in Figure 9, when the user questions the correctness of the reasoning, they can open the sandbox analysis results and find that the file is indeed trying to establish a connection to the outside.
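The label-then-fixed-conclusion pattern speculated in step 2 and the evidence chain described in step 3 can be expressed in code as follows. This is an added illustration, not Dropzone AI's code; the `Finding` structure, the tool names, the recommendation wording other than the “malicious” case, and the sample IP are assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    MALICIOUS = "malicious"
    NOISY = "noisy"
    UNCERTAIN = "uncertain"


# Fixed conclusion per label. Only the "malicious" wording follows the article;
# the other two strings are constructed for this example.
RECOMMENDATION = {
    Verdict.MALICIOUS: "Respond to the alarm immediately.",
    Verdict.NOISY: "Close as noise; no response needed.",
    Verdict.UNCERTAIN: "Escalate to a human analyst.",
}


@dataclass
class Finding:
    claim: str  # reasoning sentence written by the model
    tool: str   # tool whose output supports the claim (hypothetical names)
    raw: dict   # raw tool output the analyst can open with a click


def parse_verdict(model_output: str) -> Verdict:
    """Accept only the enumerated labels; any other text becomes UNCERTAIN."""
    try:
        return Verdict(model_output.strip().lower())
    except ValueError:
        return Verdict.UNCERTAIN


def conclude(model_label: str, findings: list[Finding]) -> tuple[Verdict, str]:
    """Return the verdict and its fixed recommendation for one alarm."""
    verdict = parse_verdict(model_label)
    # A claim without raw evidence breaks the chain: downgrade, do not trust.
    if not findings or any(not f.raw for f in findings):
        verdict = Verdict.UNCERTAIN
    return verdict, RECOMMENDATION[verdict]


# Constructed sample data modelled on the setup.exe walkthrough above.
FINDINGS = [
    Finding("setup.exe is an executable file", "advanced_hunting",
            {"FileName": "setup.exe"}),
    Finding("the sample contacts an external IP", "sandbox",
            {"dst_ip": "203.0.113.7"}),
]
```

Constraining the model to an enumeration and refusing claims that lack raw tool output keeps a free-text or unsupported model answer from turning into an automatic “malicious” or “noisy” decision.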

4) Correlation analysis

Everything up to this point could still be done by security experts through in-depth analysis. Correlation analysis, however, requires research and judgment experts to be extremely sensitive to data. Dropzone AI can achieve this “sensitivity” to data by issuing a large number of query statements. Figure 10 shows that, starting from the current dangerous IP, it discovered that other related devices in the system were also trying to connect to this IP.

Figure 10 Summary of correlation analysis
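The pivot described above, from one dangerous IP to every other device that contacted it, is shown below as an added example; it is not Dropzone AI's query logic. The log format, host names and addresses are constructed, and a real deployment would run the equivalent query against its own network telemetry.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed connection log (host, destination IP, UTC time); not real data.
CONN_LOG = """host,dst_ip,ts
WS-014,203.0.113.7,2024-05-01T09:12:00
WS-014,198.51.100.20,2024-05-01T09:13:10
WS-022,203.0.113.7,2024-05-01T10:02:41
SRV-03,10.0.0.5,2024-05-01T10:05:00
WS-022,203.0.113.7,2024-05-01T10:32:41
WS-031,203.0.113.70,2024-05-01T11:00:00
WS-040,not-an-ip,2024-05-01T11:05:00
"""


def correlate(log_text, indicator_ip, alerting_host):
    """Return {host: [timestamps]} for other hosts that contacted indicator_ip."""
    indicator = ipaddress.ip_address(indicator_ip)
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dst = ipaddress.ip_address(row["dst_ip"])
        except ValueError:
            continue  # skip malformed rows instead of aborting the hunt
        # Compare parsed addresses, not substrings: 203.0.113.70 must not
        # match an indicator of 203.0.113.7.
        if dst == indicator and row["host"] != alerting_host:
            hits[row["host"]].append(row["ts"])
    return dict(hits)


if __name__ == "__main__":
    for host, seen in correlate(CONN_LOG, "203.0.113.7", "WS-014").items():
        print(f"{host}: {len(seen)} connection(s), first seen {seen[0]}")
```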

Human-computer interaction mode

Dropzone AI provides different interaction methods for different application scenarios. Unlike the fully automated scenarios described above, threat hunting and the knowledge base use a natural-language dialog interface. As shown in Figure 11 and Figure 12, it provides an interactive interface like ChatGPT, which can understand natural language, call tools to obtain results, and then return them to the user in natural language.

Figure 11 Threat hunting interactive interface
Figure 12 Results returned after calling the backend database

AI improves the efficiency of human-to-human interaction

The last scenario is fast interaction through its SOC platform. In the example in Figure 13, the researcher found a phishing email and needed to confirm whether the file had been executed, which meant asking the employee who received the email. Dropzone AI can automatically generate the inquiry email, and the user only needs to click send.

Figure 13 Phishing emails require confirmation with the person

Summary

Dropzone AI is a company focused on automated security operations. Its core products use large language models (LLMs) and artificial intelligence technology to greatly improve the efficiency and accuracy of security operations. The company integrates existing security tools to automatically collect and analyze data, achieving in-depth analysis of and response to various security alerts. This automation not only improves alarm processing capacity, allowing more complex and in-depth analysis (such as at the tier-2 and tier-3 levels), but also generates detailed reasoning and evidence chains that help users understand the essence of alarms more clearly.

Dropzone AI product features include:

Fully automated research and judgment

The system can automatically call tools to analyze alarms from multiple angles and generate summaries and conclusions.

High flexibility and environmental adaptability

Products can be easily adapted to current security operating environments without requiring changes to existing infrastructure.

Human-computer interaction mode

Through the natural language interactive interface, the system can understand natural language, obtain and return data, and provide a user experience similar to ChatGPT.

Improve the efficiency of human-to-human interaction

The system can automatically generate required inquiry emails, simplify the communication process, and speed up problem resolution.

The technical applications of Dropzone AI are not limited to traditional security operation scenarios, but also include phishing email analysis, terminal and network traffic alarm analysis, cloud service and identity authentication alarm analysis, etc., which greatly broadens the application scope of automated security operations. This comprehensive automated research and judgment system not only improves the efficiency of alarm processing, but also enhances the response ability to complex security threats. It is an important advancement in modern network security defense.

References

(1) www.dropzone.ai
