AI and the Autonomous SOC – Separating Hype from Reality – Justin Beals, Itai Tevet – ESW #384
1. AI and the Autonomous SOC – Separating Hype from Reality – Itai Tevet – ESW #384
There have been a lot of bold claims about how generative AI and machine learning will transform the SOC. Ironically, the SOC was (arguably) invented only because security products failed to make good on bold claims. The cybersecurity market is full of products that exist only to solve the problems created by other security products (Security Analytics, SOC Automation, Risk-Based Vulnerability Management).
Other products are natural evolutions and pick up where others leave off. In this interview, we'll explore what AI can and can't do, particularly when it comes to alert triage and other common SOC tasks.
Guest
Itai Tevet is the CEO of Intezer, a leading provider of AI-powered technology for autonomous security operations. He previously led a government Computer Emergency Response Team of elite specialists in incident response, digital forensics, malware analysis, and reverse engineering. His experience led him to co-found Intezer in 2016, with a mission to research and develop technologies to transform the way we investigate and respond to cybersecurity incidents.
2. The Top-Down Approach in Cybersecurity and Compliance Isn’t Working – What’s Next? – Justin Beals – ESW #384
Naturally, the next approach to try is a federated one. How do we break down cybersecurity into more bite-sized components? How do we alleviate all this CISO stress we've heard about, and make their job seem less impossible than it does today?
This will be a more standards and GRC focused discussion, covering:
- the reasons why cross-walking doesn't work
- the reasons why traditional TPRM approaches (e.g. questionnaires) don't work
- opportunities for AI to help
- risk management or sales support?
Guest
Justin Beals, with a background in AI, cybersecurity, and governance, founded Strike Graph to simplify cybersecurity audits and certifications. He likes making arcane cybersecurity standards plain and simple to achieve.
3. Funding, Trustwave/Cybereason, NVIDIA Morpheus AI SOC, and the job situation is bad – ESW #384
This week in the enterprise security news,
- Upwind Security gets a massive $100M Series B
- Trustwave and Cybereason merge
- NVIDIA wants to force SOC analyst millennials to socialize with AI agents
- Has the cybersecurity workforce peaked?
- Why incident response is essential for resilience
- an example of good product marketing
- who is Salvatore Verini, Jr. and why does he have all my data?
All that and more, on this episode of Enterprise Security Weekly.
- 1. FUNDING: This week’s interesting funding from Security, Funded #169 – Pastels de Cyber
Not a lot of funding this week - only 2 of the 6 deals I found were interesting:
- $100M Series B for Upwind Security, an Israel-based CNAPP. I don't know this area terribly well, but I'm immediately wondering if there's enough cheddar to go around to support another cloud security unicorn alongside Wiz, Orca, Palo Alto, Crowdstrike, and everyone else already here and more mature at this point.
- $6M Seed for Embed Security, funded by Paladin Capital Group. This is another GenAI powered SecOps platform, aiming to "enhance, not replace" analysts. I find it interesting that GenAI SecOps startups are split on this with some saying straight up that they're replacing lower level SOC analysts, while others are quick to say that they're not looking to replace anyone. I wonder which approach finds the most traction with customers (or if any of these products are actually working for early adopters).
- 2. MERGERS: Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value
This shouldn't be a big surprise, as:
- we knew Cybereason was in trouble - we've talked about their massive valuation loss in the past (~90% loss in valuation, leaving them upside down on money invested)
- Singtel sold their majority stake in Trustwave to a growth equity firm in October 2023 (which we also reported on)
Trustwave, in their heyday (mid-2010s), was an interesting services company to study. Instead of whitelabeling the products they'd use in their MSSP services, they acquired or built the technology. This was long before it became common for companies to build both product and services in house. Even folks like Red Canary, who built a lot of valuable IP, were still fundamentally built on top of a whitelabeled EDR tool.
What does the future hold for TrustReason? My crystal ball is murky. If Cyberwave prices things right, they could find a niche, or perhaps their niche is a geography - we already know Cybereason has a solid foothold in Japan. Perhaps select geography is where the combined company doubles down and builds from.
- 3. NEW PRODUCTS: NVIDIA’s Morpheus AI SOC Analyst (via TLDRSec’s Clint Gibler)
I'm not going to sugarcoat my thoughts here. I love the idea of AI automating mundane tasks for us, but I hate everything about this demo (I'm referring to the video demo here).
- I hate the avatar and his stupid face
- I hate the terrible synthesized speech model they used. This cannot be the best that NVIDIA has on offer, can it?
- I hate that they included an avatar at all - the last thing security analysts want is to have to talk to a computer to investigate an incident
- I hate that they used an example that can and should be automated by a 3-line python script if your SIEM doesn't already automatically do all this, which it should. Worst case, it's a fully automated SOAR playbook.
No security analyst should be talking to a discount Grand Theft Auto villain to figure out if an employee clicked a link to a known malicious webpage.
- 4. JOBS: Has the Cybersecurity Workforce Peaked?
We're not done talking about this one yet. We covered cyberisfull.com a while back and discussed it with a few folks who specialize in providing career assistance, especially to newcomers.
Here, I want to focus a bit more on the reason for what solidly looks like stagnation in the cybersecurity job market.
- Companies that know what they want can't find it.
- Most companies don't know what they need
- Hiring more security people wasn't solving any problems - if anything it was creating them
- The regulatory environment is busy scaring off security leaders with legal threats and personal liability
- This trend of layoffs has been going on since June 1st 2022, when it was coincidentally kicked off by Cybereason
- Everyone in tech is doing layoffs, with AMD the latest to let go 1000 employees - so some portion of this is just the state of the larger job market in general
Coming out of this (whenever that happens), we need a better idea of who we need, what skills they should have, how we're going to use them, how to retain them, and a LOT more folks need to be willing to hire junior folks and build those talent pipelines.
Or not? But then we end up in a weird place - with a bunch of cybersecurity degree holders doing something outside the industry. What an odd future that would be.
- 5. ESSAYS: Why Incident Response is Essential for Resilience
This is largely an unremarkable writeup that looks like someone asked AI, "write a generic article about cyber incident response". The reason I included it is that it leans in hard on resilience, which is a buzzword I'm going to be using until people are sick of it.
The author here leans in HARD on training and testing incident response. I think this is something we lack throughout our security programs: confidence that we're ready for the incident. That we can handle the breach and survive it, largely unscathed.
I don't think tabletops are enough. I think they're necessary starting out, but they don't get you even close to what I could consider "confidence" in an IR capability.
- 6. RESOURCES: runZero’s excellent “Rapid Response” blog posts help you find stuff better
I'm a general fan of runZero, but for a while now I've noticed they've been posting stuff with repetitive headlines. Headlines like:
- How to find Fortimanager instances on your network
- How to find Palo Alto Network firewalls running PAN-OS
- How to find Citrix Virtual Apps and Desktops software on your network
- How to find Rockwell Automation devices
- How to find SolarWinds Web Help Desk services on your network
- How to find SuperMicro BMCs
- How to find OpenPrinting CUPS services on your network
I was intrigued to see what these posts were like. Each one is dead simple, but SO useful. Like many asset management or CAASM platforms, runZero has a query language you can use to find stuff. The formula is basically:
- Take the latest 0day everyone is worried about
- List the relevant CVEs
- summarize the impact
- share the query to find it in runZero
- Want to find CUPS?
protocol:ipp-browse has:ippBrowse.userAgent
- Want to find SuperMicro BMCs?
(hw:"Super%micro" or os:"Super%micro")
- Want to find Rockwell Automation devices?
vendor:"Rockwell Automation" AND tcp:2031
- Want to find Palo Alto Networks' Expedition migration tool?
html.title:="Expedition Project"
The really nice thing here is that a lot of these queries can be easily adapted to other asset management systems. The hard part is to actually find one of these devices and figure out a handy way to identify them. Maybe it's the HTML title, or a certain protocol in use on a specific port - but it also highlights how good a job runZero does with asset identification.
- Want to find FortiManager? You just query:
hw:FortiManager
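To make the "easily adapted to other asset management systems" point concrete, here is an added example (not runZero's code, and not from any of their posts) that ports the five queries above onto a plain asset export and runs them over a constructed inventory. The record field names, the treatment of `%` as a wildcard and of `:=` as an exact match are assumptions made for this example, inferred from how the queries read; check them against whatever tool you are actually porting to.

```python
from __future__ import annotations

import re

# Constructed sample inventory, one record per asset, shaped like a generic
# scanner export. The field names are assumptions for this example and are
# not runZero's (or any other product's) schema.
ASSETS = [
    {"ip": "10.0.0.10", "hw": "Supermicro X11SSH-F", "os": "", "vendor": "Super Micro Computer",
     "tcp_ports": [80, 443, 623], "protocols": ["http", "https", "ipmi"],
     "html_title": "Login", "ippBrowse_userAgent": ""},
    # Expedition is a tool on a plain Linux VM: no hardware or vendor handle,
    # the HTML title is the only thing that identifies it.
    {"ip": "10.0.0.20", "hw": "", "os": "Linux", "vendor": "",
     "tcp_ports": [443], "protocols": ["https"],
     "html_title": "Expedition Project", "ippBrowse_userAgent": ""},
    {"ip": "10.0.0.30", "hw": "ControlLogix", "os": "", "vendor": "Rockwell Automation",
     "tcp_ports": [44818, 2031], "protocols": ["enip"],
     "html_title": "", "ippBrowse_userAgent": ""},
    {"ip": "10.0.0.40", "hw": "", "os": "Ubuntu 22.04", "vendor": "",
     "tcp_ports": [631], "protocols": ["ipp", "ipp-browse"],
     "html_title": "Home - CUPS 2.4.2", "ippBrowse_userAgent": "CUPS/2.4.2"},
    {"ip": "10.0.0.50", "hw": "FortiManager-VM", "os": "FortiManager", "vendor": "Fortinet",
     "tcp_ports": [443, 541], "protocols": ["https"],
     "html_title": "FortiManager", "ippBrowse_userAgent": ""},
    {"ip": "10.0.0.60", "hw": "PowerEdge R740", "os": "Windows Server 2019", "vendor": "Dell",
     "tcp_ports": [445, 3389], "protocols": ["smb", "rdp"],
     "html_title": "", "ippBrowse_userAgent": ""},
]


def contains(pattern: str, value: str) -> bool:
    """'field:pattern' style match: case-insensitive substring, with '%'
    standing for any run of characters. Assumed semantics, inferred from
    hw:"Super%micro" needing to hit both "Supermicro" and "Super Micro"."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.search(regex, value, re.IGNORECASE) is not None


def exact(pattern: str, value: str) -> bool:
    """'field:=pattern' style match, taken here as whole-value equality
    (case-insensitive), so a title with extra text does not match."""
    return value.casefold() == pattern.casefold()


# Each rule keeps the query as the blog post publishes it next to an
# equivalent predicate over our inventory records.
RULES = {
    "OpenPrinting CUPS": {
        "query": "protocol:ipp-browse has:ippBrowse.userAgent",
        "match": lambda a: "ipp-browse" in a["protocols"] and bool(a["ippBrowse_userAgent"]),
    },
    "Supermicro BMC": {
        "query": '(hw:"Super%micro" or os:"Super%micro")',
        "match": lambda a: contains("Super%micro", a["hw"]) or contains("Super%micro", a["os"]),
    },
    "Rockwell Automation device": {
        "query": 'vendor:"Rockwell Automation" AND tcp:2031',
        "match": lambda a: contains("Rockwell Automation", a["vendor"]) and 2031 in a["tcp_ports"],
    },
    "Palo Alto Networks Expedition": {
        "query": 'html.title:="Expedition Project"',
        "match": lambda a: exact("Expedition Project", a["html_title"]),
    },
    "FortiManager": {
        "query": "hw:FortiManager",
        "match": lambda a: contains("FortiManager", a["hw"]),
    },
}


def find(rule_name: str, assets=ASSETS) -> list[str]:
    """Return the IPs of assets matching one rule."""
    return [a["ip"] for a in assets if RULES[rule_name]["match"](a)]


def run_all(assets=ASSETS) -> dict[str, list[str]]:
    """The 'do we have any of these?' pass you make when a rapid-response post lands."""
    return {name: find(name, assets) for name in RULES}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name:30} {RULES[name]['query']:48} -> {hits or 'none'}")
```

Two things the constructed data is meant to surface: the Supermicro wildcard is there because the same vendor shows up as "Supermicro" in one field and "Super Micro" in another, and the Expedition host has no hardware or vendor fingerprint at all, so the HTML title is the handle. That is exactly the hard part the paragraph above describes: the query is trivial once somebody has done the work of finding the attribute that reliably identifies the thing.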
- 7. DUMPSTER FIRES: Florida man gets hacked, loses data on billions of consumers
This story is wild. WILD.