AI Tool Introduced to Assist Cybersecurity Alert Triage
Quick take - The article discusses alert fatigue in Security Operations Centers (SOCs) and introduces the AI SOC Analyst, an AI-driven tool that assists with alert triage. The tool has reduced triage time and improved efficiency for IT departments; the article also outlines potential future developments for further enhancing SOC operations.
Fast Facts
- Alert fatigue in Security Operations Centers (SOCs) leads to approximately 70% of alerts being ignored or inadequately addressed, overwhelming small teams.
- The AI SOC Analyst has been introduced to assist in triaging alerts, providing analysis and recommendations to human analysts.
- The AI model, trained on Jira ticket data, utilizes a custom Security Orchestration, Automation, and Response (SOAR) solution built with AWS technologies.
- A feedback mechanism categorizes model responses, improving triage efficiency and reducing ticket triage time by about 12%.
- Future developments may include a Software as a Service (SaaS) product for SOC operations, with potential implementations for API-accessible modules and standalone systems.
Addressing Alert Fatigue in Cybersecurity
In the realm of cybersecurity, alert fatigue has emerged as a significant challenge within Security Operations Centers (SOCs). Approximately 70% of alerts are either ignored or inadequately addressed during the triage process. This overwhelming volume of alerts can hinder a small team's capacity to focus on other critical projects. Low-level analysts or other IT department members are often tasked with triaging these alerts, leaving staff feeling uncomfortable and overwhelmed.
Introduction of the AI SOC Analyst
To address this issue, the author introduced the AI SOC Analyst, a tool that assists in triaging alerts while providing analysis and recommendations to human analysts. Implementing it involves several key steps: model setup, training, testing, and final implementation. The author secured a contract with OpenAI for access to the gpt-4o model, which has been trained on data derived from Jira tickets.
Additionally, a custom Security Orchestration, Automation, and Response (SOAR) solution was built with AWS Step Functions and Lambda functions. Analysts document their triage processes in Jira, which supports a Data Driven Detection Lifecycle and supplies valuable training data for the AI model. The training data covers several classifications, including True/False Positive and Confirmed/Expected Activity, along with the resources consulted and written explanations of the decisions made during triage.
Enhancing the Training Process
To enhance the training process, a script was developed to merge Jira data with SOAR workflow data, improving the model's training efficiency. After training, the model undergoes a calibration phase to ensure it delivers concise and relevant outputs. Depending on the existing infrastructure, the AI SOC Analyst can be deployed as an AWS Lambda function or a Flask app. The process includes setting up prompts, constructing alert-based content, and making API calls to the OpenAI Assistant.
Recognizing the need for more tailored outputs for specific detections, the author adjusted the script to dynamically configure triage instructions based on the LogType and Detection. A feedback mechanism was also integrated into the model, categorizing responses into three groups: Unrelated, Needs Improvement, and Almost There. This feedback has proven beneficial, with IT departments reporting feeling more equipped to handle ticket triage following the AI implementation. Since the AI Assistant’s introduction, the triage time for tickets has seen a reduction of approximately 12%.
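As an added example (not the author's code), the following sketches the two pieces described above: the merge of Jira triage decisions with SOAR workflow records into chat-format training examples, and the dynamic selection of triage instructions by LogType and Detection. All field names, sample records and instruction text are assumptions constructed for the example.

```python
import json

# Constructed SOAR workflow records (assumed field names), one per alert.
SOAR_EVENTS = [
    {"alert_id": "A-1", "LogType": "okta", "Detection": "impossible_travel",
     "summary": "logins from two countries within 10 minutes"},
    {"alert_id": "A-2", "LogType": "edr", "Detection": "lolbin_execution",
     "summary": "certutil.exe spawned by winword.exe"},
    {"alert_id": "A-3", "LogType": "edr", "Detection": "lolbin_execution",
     "summary": "alert still open, no Jira decision yet"},
]
# Constructed Jira records documenting each analyst's triage decision.
JIRA_TICKETS = [
    {"alert_id": "A-1", "classification": "Expected Activity",
     "resources": ["VPN logs"], "explanation": "Corporate VPN egress; user travelling."},
    {"alert_id": "A-2", "classification": "True Positive",
     "resources": ["process tree", "EDR timeline"],
     "explanation": "Macro-launched certutil download; host isolated."},
]
# Triage instructions selected per (LogType, Detection); assumed wording.
INSTRUCTIONS = {
    ("okta", "impossible_travel"): "Check VPN egress and travel records before deciding.",
    ("edr", "lolbin_execution"): "Inspect the parent process and any follow-on network activity.",
}
DEFAULT_INSTRUCTION = "Classify the alert and justify the decision briefly."


def triage_instruction(log_type, detection):
    """Dynamic instruction lookup with a generic fallback for unknown pairs."""
    return INSTRUCTIONS.get((log_type, detection), DEFAULT_INSTRUCTION)


def build_training_examples(soar_events, jira_tickets):
    """Join SOAR alerts to Jira decisions on alert_id and emit chat-format
    examples. Alerts with no documented decision are skipped so unlabeled
    data never becomes a training target."""
    decisions = {t["alert_id"]: t for t in jira_tickets}
    examples = []
    for ev in soar_events:
        ticket = decisions.get(ev["alert_id"])
        if ticket is None:
            continue
        target = {k: ticket[k] for k in ("classification", "resources", "explanation")}
        examples.append({"messages": [
            {"role": "system", "content": triage_instruction(ev["LogType"], ev["Detection"])},
            {"role": "user", "content": f"{ev['LogType']}/{ev['Detection']}: {ev['summary']}"},
            {"role": "assistant", "content": json.dumps(target)},
        ]})
    return examples
```

Each emitted example pairs the alert context with the analyst's recorded classification, resources and explanation, which is the shape of the Jira-derived training data the article describes.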
Future Developments
Looking ahead, the author proposes several potential next steps, including the development of a Software as a Service (SaaS) product aimed at further streamlining SOC operations. Two specific product implementations have been suggested: an API-accessible module designed for SOAR workflows and a standalone system capable of managing triage independently. While the current implementation of the AI SOC Analyst is functional and yielding positive results, the author acknowledges that there remains significant potential for improvement and further development in this area.