Generative AI (GenAI) technologies have had a transformative impact on businesses, significantly improving efficiency and reducing overhead. However, as reliance on these technologies grows, they introduce their own set of complex cybersecurity challenges.
Security leaders are now tasked with understanding how these advancements impact cyber risks, business risks, and regulatory compliance, particularly with evolving guidance from bodies like the U.S. Securities and Exchange Commission (SEC).
While GenAI is being applied on both offensive and defensive cybersecurity fronts, its true value lies in its ability to help security teams do more with less — a critical factor as many organizations face budget constraints and resource limitations.
Although threat actors are using GenAI technologies for offensive purposes, Managed Detection and Response (MDR) providers are also using it on the defense to counter these tactics by automating threat detection, accelerating incident response, and enabling continuous monitoring.
By analyzing large data volumes in real-time, MDR providers can use Generative AI and Large Language Models (LLMs) for proactive threat detection, enhancing the efficiency of SOC operations, and streamline reporting.
In this blog, we explore some ways that GenAI and LLMs can be used by your MDR security provider to enable better security outcomes:
Threat Hunting: Gaining an Edge Against Evolving TTPs
Threat actors are constantly evolving their tactics, techniques, and procedures (TTPs), posing a constant challenge to organizations. From traditional phishing and social engineering to advanced disinformation campaigns, data poisoning, and deepfakes, the threat landscape is evolving rapidly. As these TTPs evolve, so must our approach to cybersecurity.
GenAI technologies can enhance threat-hunting capabilities by:
-
Automating Threat Detection: By analyzing vast volumes of unstructured data from sources like news outlets, social media, and even the Dark Web, GenAI helps to extract actionable threat intelligence quickly and at scale.
-
Intelligent Triage: By automating the triage process, GenAI can prioritize incidents based on their severity, potential impact, and the confidence level so that the SOC Cyber Analysts and Threat Hunters can focus on the most critical issues.
-
Resource Optimization: By automating routine tasks and reducing false positives, GenAI enables SOC Cyber Analysts to concentrate on higher-value activities, thereby improving efficiency.
Improving SOC Operations: Empowering Analysts with AI-Driven Insights
There has been a surge in AI-driven Security Operations Centers (SOCs) that are enhancing efficiency by leveraging AI to summarize large amounts of data more effectively. SOC Analysts are often overwhelmed by the sheer volume of alerts that need to be addressed and distinguishing between true positives and false positives.
Moreover, they may also benefit from using LLMs to conduct deep threat investigations into the true positives. With GenAI, these processes can be significantly streamlined:
-
Advanced Alert Analysis: SOC Analysts can leverage GenAI to receive nuanced insights about alerts, empowering them to make informed decisions faster and reduce threat investigation times.
-
Human-Like Querying for Deep Investigation: Instead of navigating traditional dashboards, GenAI enables SOC Analysts to use natural language queries, receiving comprehensive answers and uncovering deeper context on potential threats. This enhances the investigative process, making it more efficient and intuitive.
At eSentire, the use of GenAI for our team of 24/7 SOC Cyber Analysts to conduct their investigations. In fact, the eSentire Labs team created an LLM Gateway, an open-source implementation framework to help security teams globally improve how they govern and monitor the use of LLMs internally.
Our SOC Analysts currently use the LLM Gateway to run complex queries, receive answers quickly, and summarize findings to reduce investigation times. Our SOC Analysts can automate the preliminary analysis is automated, allowing them to dive directly into validation and further investigation.
Our goal is to scale subject-matter expertise within the SOC and use GenAI to empower even junior analysts to understand complex scenarios rapidly and make confident decisions. This leads to faster, more informed responses, minimizing threat impact across our customers' attack surfaces.
Additional applications of using GenAI to improve SOC operations include:
-
Natural Language Data Queries: eSentire MDR customers can take advantage of the eSentire AI Investigator tool in the Insight Portal and use natural language to conduct complex data searches, improving their ability to understand and address internal security threats.
-
AI Investigator Insights: eSentire’s AI Investigator harnesses data from a multitude of security telemetry sources, leveraging a robust data lake to scale and enhance multi-telemetry investigations, ultimately improving response times and efficacy.
Creating Tailored Insights with GenAI for Automated Reporting and Customer Communication
Clear and timely communication is a critical component of threat detection and response. For MDR providers, this means alerting their customers immediately, with relevant information, so they understand the risks they face, and the actions being taken to protect their assets.
Unfortunately, many low-level MDR providers take too long to communicate with their customers, or don’t provide contextually relevant information required for informed decision-making.
Here's how GenAI tools can be used to communicate effectively with customers:
-
Automated Reporting: Generative AI can generate detailed incident reports and summaries for customers, providing clear insights into what happened, how it was handled, and what steps were taken to prevent future occurrences.
-
Customizable Alerts: Customers can receive tailored alerts and updates generated by AI, which ensures that they are informed in a way that is both transparent and aligned with their specific business needs.
Driving Continuous Learning and Adaptation
GenAI models thrive on continuous learning, allowing them to adapt and respond to emerging threats as they parse new data. This adaptability enables security teams to use the advanced analytics to improve their response strategies and defense frameworks.
By combining the continuous adaptation of GenAI models’ detection capabilities and the security team’s proactive responses, MDR providers can provide significantly better security outcomes for their customers and help them stay resilient against emerging cyber threats. Some examples of this include:
-
Real-Time Threat Intelligence Updates: GenAI can continuously ingest and analyze new threat data from various sources, such as threat intelligence feeds, vulnerability databases, and global incident reports. This ensures that the AI model stays current with emerging TTPs and can help proactively identify patterns or anomalies before they escalate into significant threats.
-
Automated Security Policy Refinement: As GenAI models detect new attack patterns or vulnerabilities, they can automatically recommend or implement security policy updates to strengthen defenses. For example, if a new malware strain is identified, GenAI can adjust endpoint security configurations, firewall rules, or access controls in real-time, ensuring adaptive and up-to-date protection.
The Limits of GenAI in Cybersecurity: Why Human Expertise is Still Essential
While it’s important to find new ways in which GenAI tools can be adopted to enhance your cybersecurity, we would be remiss if we didn’t acknowledge its limitations.
While excellent at summarizing and synthesizing existing information, current GenAI technologies still lag in identifying and understanding emerging threats. Human intelligence is crucial for context, interpretation, and innovation in the face of new or evolving threat vectors. Here are some limitations of current GenAI models:
-
Lacks Contextual Awareness: GenAI may misinterpret threats without understanding the broader context, potentially missing nuances that a human would catch.
-
False Positives & Negatives: While GenAI can reduce alert fatigue, it may still generate false positives or fail to detect complex threats, requiring human validation.
-
Limited in Emerging Threats: GenAI is based on historical data and may struggle to identify novel or zero-day threats that do not match known patterns.
-
Challenges with Bias and Inaccuracies: GenAI’s outputs can be influenced by biases or incomplete data in its training set, leading to inaccurate conclusions that need human correction.
-
Requires Human Oversight for Decision-Making: Critical security decisions still demand human judgment, especially for high-stakes incidents where strategic response and nuanced understanding are crucial.
Therefore, we believe that GenAI is best utilized as a support tool, enhancing the capabilities of SOC teams rather than replacing them altogether. Outputs from these AI systems require scrutiny and validation to ensure accuracy and relevance in the ever-changing cybersecurity environment.
Generative AI and LLMs have the potential to revolutionize cybersecurity operations, providing enhanced efficiency, better threat detection, and improved customer communication. By adopting GenAI, security teams can not only optimize resources and reduce costs but also significantly enhance their ability to protect against evolving threats.
To learn how eSentire is helping our MDR customers enable better security outcomes and drive efficiency with Generative AI, contact an eSentire cybersecurity specialist.
