Can Defenders ever focus on What Matters?
In the realm of cybersecurity, an open secret looms large over our collective endeavor to safeguard our company assets: the persistent shadow of inevitability. "At some point, attackers will breach our defenses," echoes as a grim mantra among those of us on the frontline. This isn't merely a reflection of the asymmetric warfare we engage in—where the attackers need only find one crack in our vast protective armory—it's indicative of a more profound quandary. There is a huge asymmetry in focus and cognitive overload between attackers and defenders.
The lion's share of an attacker's resources is invested in crafting the means of intrusion and ensuring their malicious presence remains undetected. Conversely, defenders find themselves ensnared in a labyrinth of ancillary tasks and operational overhead, a predicament that dilutes our focus and diverts our efforts from what truly matters.
Let’s look at a day in the life of each type of security engineer and investigate what occupies the majority of their attention.
Detection Engineer
How do I formulate a detection rule, using the multiple frameworks available out there, to recognize a particular event type across multiple cloud environments, and ensure its integration with multiple SIEM systems?
The initial set of detection rules appear straightforward for a minimal set of patterns. However, this task becomes considerably more complex as the volume of attack patterns escalates to several hundred each week.
Vulnerability Engineer
How do I effectively prioritize patches for the engineering team to implement?
That decision-making process involves a thorough examination of several key factors for each Common Vulnerabilities and Exposures (CVE) item. It is essential to verify the operational status of the software package implicated in each CVE, determine whether the associated process is active on the designated port, and establish the public exposure of the asset. Furthermore, the connection of the asset to a database containing Personally Identifiable Information (PII) necessitates additional scrutiny. In instances where a decision is made against applying a patch, it becomes imperative to meticulously document the rationale, encompassing all considerations, for each CVE.
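The per-CVE decision walk-through above, written out as an added example (not code from the original post): each factor the text names is checked in turn, and every consideration is recorded so that a "no-patch" decision carries its rationale. The asset inventory, the findings and the CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Asset:
    name: str
    installed_packages: Dict[str, str]   # package name -> installed version
    listening_ports: Dict[int, str]      # port -> process bound to it
    internet_exposed: bool
    connects_to_pii_db: bool

@dataclass
class Finding:
    cve_id: str
    package: str
    affected_port: Optional[int]   # port the vulnerable service listens on, None if local-only
    base_severity: int             # 1 (low) .. 4 (critical), as stated by the advisory

def triage(finding: Finding, asset: Asset) -> dict:
    """Decide patch priority for one CVE on one asset and record every consideration."""
    rationale: List[str] = []
    if finding.package not in asset.installed_packages:
        rationale.append(f"{finding.package} is not installed on {asset.name}")
        return {"cve": finding.cve_id, "asset": asset.name,
                "priority": "no-patch", "rationale": rationale}
    score = finding.base_severity
    rationale.append(f"{finding.package} {asset.installed_packages[finding.package]} present; "
                     f"advisory severity {score}")
    if finding.affected_port is not None:
        proc = asset.listening_ports.get(finding.affected_port)
        if proc is None:
            score -= 1
            rationale.append(f"nothing listens on port {finding.affected_port}; not network-reachable")
        else:
            rationale.append(f"{proc} listens on port {finding.affected_port}")
            if asset.internet_exposed:
                score += 1
                rationale.append("asset is exposed to the public internet")
    if asset.connects_to_pii_db:
        score += 1
        rationale.append("asset connects to a database holding PII")
    score = max(1, min(score, 4))                  # clamp so P1 is the ceiling
    return {"cve": finding.cve_id, "asset": asset.name,
            "priority": f"P{5 - score}", "rationale": rationale}

# Constructed sample inventory and findings (CVE ids are placeholders, not real advisories).
WEB = Asset("web01", {"openssl": "1.1.1"}, {443: "nginx"}, True, True)
BATCH = Asset("batch01", {"openssl": "1.1.1"}, {}, False, False)
TLS_BUG = Finding("CVE-0000-0001", "openssl", 443, 3)
XML_BUG = Finding("CVE-0000-0002", "libxml2", None, 4)

if __name__ == "__main__":
    for f in (TLS_BUG, XML_BUG):
        for a in (WEB, BATCH):
            print(triage(f, a))
```

The same finding lands at P1 on the exposed PII-connected web host and at P3 on the batch host where nothing listens on the port; the uninstalled package yields a documented "no-patch" record rather than a silent skip.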
Threat Intelligence Engineer
How do I monitor a multitude of different, mostly textual information feeds, and correlate their relevance to my specific operational environment, industry sector, and critical assets?
This task involves the diligent collection of IOCs pertinent to our security posture, alongside the development of detection and prevention rules for deployment across various WAFs and firewall systems. This rigorous process is compounded by the dynamic nature of IOCs, which may alter or evolve shortly after identification and after the laborious rule writing process that happens inside SIEMs.
Compliance Engineer
How do I navigate the evolving landscape of compliance requirements across different industries and geographic regions, and align the ever-changing technology landscape to those standards?
This task requires an ongoing assessment to ensure adherence to diverse regulatory frameworks and standards that vary not only by industry but also by location.
SOC Analyst
How can I automatically teach the alert stream the contextual, environmental and external information, so that I only deal with alerts that need human stakeholder thinking?
We have also experienced first-hand the never-ending problem of alert fatigue in operations teams, the constant rescoring of vulnerabilities with CVSS scoring systems by application security engineers, etc. As a CISO, getting an accurate assessment of risk in my environment, with changing asset configurations and changing threats, continues to be a challenge.
Our Hypothesis
The reason security engineers have not been able to automate the tasks above is that their workflows cannot be 'codified': these 'tier 2' tasks require synthesis of knowledge and reasoning with that knowledge. Enter LLMs. Recent advances in generative AI agent technologies make it possible to remove this cognitive overload from defenders' brains.
Our Vision
We imagine a world where security engineers don’t have to worry about vendor documentation or APIs, don’t have to read through vulnerability reports to figure out whether a vulnerability is applicable to them and what the priority should be to patch, don’t have to worry about which path to take to investigate an incident.
Our Mission
We want to empower defenders to apply their security knowledge to improving the security posture of their companies, and to call upon their LLM agents to do the grunt work.
It is a tall-order mission, but the initial results are promising enough for us to take the leap. We made a few security GPTs for the security community to use and are already working with customers to productize them. If you are interested in what we are doing and want to help us build, feel free to give us a shout, or join our GPT Slack community.