{"id":19636,"date":"2022-07-20T05:21:34","date_gmt":"2022-07-20T13:21:34","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/07\/20\/news-13369\/"},"modified":"2022-07-20T05:21:34","modified_gmt":"2022-07-20T13:21:34","slug":"news-13369","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/07\/20\/news-13369\/","title":{"rendered":"Building the AI-Assisted SOC: Sophos\u2019 Five-Year Perspective"},"content":{"rendered":"<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Jul 2022 11:00:21 +0000<\/strong><\/p><div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\"> \t\t  <p><span data-contrast=\"auto\">Today there are two kinds of user-facing software products: products that use machine learning and automation to adapt to and help realize users\u2019 intentions, and products that are friction-ridden, requiring carefully memorized and repetitive interactions.\u00a0 Google Search, Siri, and Spotify are in the former category of products. 
Today&#8217;s Security Operations Center (SOC) platforms are in the latter, non-adaptive, friction-ridden category.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">In the next five years, this will change.\u00a0 Successful security products will become as savvy as Google and Facebook in recommending relevant security information, and as precise as Alexa and Siri in anticipating the intent behind security-oriented natural-language requests.\u00a0 They will also combine artificial intelligence technologies with the kinds of system integrations smart-home ecosystems have achieved, updating security policies just as smart homes turn on security cameras and lock doors at user request.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">This new \u201cAI-assisted SOC\u201d will feel as dramatically superior to today\u2019s SOCs as today\u2019s Google search feels compared to 1990s-era Altavista.\u00a0 With AI enhancement distilling the wisdom of a global \u201ccrowd\u201d of SOC analysts into a kind of co-pilot for security workflows, auto-completing SOC analyst workflows and anticipating SOC analyst intent, security personnel will be dramatically more effective.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Of course, this change will not emerge from a vacuum; it will be the result of the confluence of multiple technology trends occurring today.\u00a0 The first of these is the increasing integration of all relevant 
security data across entire customer bases by extended detection and response (XDR) vendors providing for the first time the necessary training data for the future AI-assisted SOC\u2019s supporting machine learning models.\u00a0 The second trend is the AI innovation occurring across tech, in which the research community continues to produce better machine learning (ML) algorithms, tools, and cloud AI infrastructure, providing opportunities for the AI-assisted SOC\u2019s ML capabilities.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">The third trend is programmable security posture, in which IT, cloud, and security products increasingly expose robust management APIs.\u00a0 As more of the IT landscape becomes controllable via API, opportunities will continue to emerge for AI-assisted SOC to provide security orchestration, automation, and response (SOAR) capabilities that behave like smart home ecosystems, updating organizations\u2019 security postures and remediating incidents via push-button automation.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">How developments in XDR, AI innovation, and programmable security posture will come together to produce the AI-assisted SOC, and what the AI-assisted SOC of the future will look like, is the subject of this whitepaper.\u00a0 We&#8217;ve divided the discussion into three sections:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <ol>  <li><b><span data-contrast=\"auto\">A vision of the 
AI-assisted SOC<\/span><\/b><span data-contrast=\"auto\">.\u00a0 In this section, we paint a picture of the SOC of the future, walking through concept mock-ups and hypothetical features that will characterize the AI-assisted SOC.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>  <li><b><span data-contrast=\"auto\">Sophos\u2019 AI-assisted SOC roadmap<\/span><\/b><span data-contrast=\"auto\">.\u00a0 In this section we describe our plan to deliver the AI-assisted SOC over the next 5 years.\u00a0 We discuss our AI innovation roadmap and our plans to leverage data from Sophos\u2019 XDR product to drive AI model accuracy.\u00a0 We also discuss the ways we plan to leverage vendor product APIs, and the \u201cEverything as Code\u201d trend (e.g.,\u00a0 Infrastructure as Code, IT as Code) to automate AI-formulated security posture updates and incident response actions.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>  <li><b><span data-contrast=\"auto\">Sophos\u2019 current work towards achieving the AI-assisted SOC<\/span><\/b><span data-contrast=\"auto\">.\u00a0 In this section we show the results of three research prototypes built at Sophos, demonstrating that the hard research challenges implicit in our vision are likely to be solvable in a five-year time frame.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>  <\/ol>  <h4><span class=\"TextRun SCXW188628248 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW188628248 BCX0\" data-ccp-parastyle=\"heading 1\">A vision of the <\/span><span class=\"NormalTextRun SCXW188628248 BCX0\" 
data-ccp-parastyle=\"heading 1\">AI-<\/span><span class=\"NormalTextRun SCXW188628248 BCX0\" data-ccp-parastyle=\"heading 1\">assisted<\/span><span class=\"NormalTextRun SCXW188628248 BCX0\" data-ccp-parastyle=\"heading 1\"> SOC<\/span><\/span><span class=\"EOP SCXW188628248 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:300,&quot;335559739&quot;:40,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h4>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-01-2-e1658296205855.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85881\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-01-2-e1658296205855.png\" alt=\"The AI-UX value circuit shown as a circle\" width=\"640\" height=\"475\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-01-2-e1658296205855.png 677w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-01-2-e1658296205855.png?resize=300,222 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 1: The AI-UX value circuit<\/em><\/p>  <p><span data-contrast=\"auto\">The AI-assisted SOC will be powered by a design pattern that\u2019s come to pervade UX work outside security: the <\/span><b><i><span data-contrast=\"auto\">AI-UX value circuit<\/span><\/i><\/b><b><span data-contrast=\"auto\">,<\/span><\/b><span data-contrast=\"auto\"> shown in Figure 1. 
The simplest example of this is in the auto-suggest feature provided by touchscreen keyboards, email clients, and search engines.\u00a0 Here, as users type, AI systems suggest text \u201ccompletions\u201d and correct errors.\u00a0 These AI systems, in turn, learn from users.\u00a0 This circuit is immensely powerful: Imagine touchscreen typing <\/span><i><span data-contrast=\"auto\">without<\/span><\/i><span data-contrast=\"auto\"> auto-complete and error correction.\u00a0 And the AI-UX value circuit is ubiquitous; it\u2019s used in music, movie, and product recommendation systems; in search results ranking; semi-autonomous driving, and many other contexts.\u00a0<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">In the next five years, successful SOC software providers will instantiate the AI-UX value circuit in security, creating a set of features that function as a kind of <\/span><i><span data-contrast=\"auto\">recommendation engine for security<\/span><\/i><span data-contrast=\"auto\"> driven by the wisdom of the global SOC analyst crowd.\u00a0 By fusing this AI technology with API integrations with IT products, and by using it to modify code that defines cloud infrastructure topologies and configurations, SOC software will feel like smart home software, updating IT security posture by enacting recommended playbooks with the push of a button.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Below we give specifics on how the AI-UX value circuit will impact alert recommendation, security data enrichment, and incident remediation, before discussing enterprise IT and IT security API integration.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <h4><span class=\"TextRun SCXW240239964 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW240239964 BCX0\" data-ccp-parastyle=\"heading 2\">AI-assisted alert recommendation<\/span><\/span><span class=\"EOP SCXW240239964 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:80,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h4>  <p><span data-contrast=\"auto\">Today\u2019s detection systems are as limited as keyword-based web search engines of the 1990s because they do not contain an AI-UX value circuit.\u00a0 When users across multiple SOCs choose to escalate or dismiss a class of alerts, SOC platforms do not detect this temporal trend and up-rank or down-rank the relevant alerts, just as first-generation search engines did not learn from user interaction.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">By ignoring the behavior of the SOC analyst \u2018crowd,\u2019 today\u2019s SOC platforms squander the user interaction data that other tech sectors already take robust advantage of.\u00a0 By leveraging the AI-UX value circuit, the AI-assisted SOC will dramatically improve, recommending alerts based on information derived from real-time crowd behavior, customized to individual organizational environments.\u00a0 This will be not unlike the way Google currently ranks search results based on the real-time evolution of current events and crowd behavior, customizing search results based on user profiles.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">To illustrate this, a future SOC <\/span><b><span data-contrast=\"auto\">alert recommendation system<\/span><\/b><span data-contrast=\"auto\"> is imagined in Figure 2. <\/span><span data-contrast=\"auto\">The panel on the <\/span><span data-contrast=\"auto\">figure shows how AI-enabled SOCs will order alerts emitted by arbitrary security detectors based on analyst\/alert interactions across thousands of security operations centers.\u00a0 For example, the mock-up shows how the selected alert (in yellow), labeled \u201cSuspicious PowerShell invocation (ML-based)\u201d, was deemed high-priority because similar cases on similar networks were escalated by analysts in other SOCs.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Relatedly, the panel on the right of Figure 2 shows how SOC analyst \u201ccrowd knowledge\u201d could be overlaid on top of the lower-level details of alerts of interest.\u00a0 Here, we see that an analyst who may work at a different customer SOC, but whose organization has chosen to share threat-related information, has noted that an alert similar to the focal alert \u201cled to a ransomware incident.\u201d\u00a0 Because our envisioned crowdsourced AI approach will combine the knowledge and experience of tens of thousands of analysts in its real-time decision-making, it will provide indispensable help in scenarios like these.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-02-2-e1658298289425.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85882\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-02-2-e1658298289425.png\" alt=\"A mockup of the AI-assisted SOC concept\" width=\"640\" height=\"412\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-02-2-e1658298289425.png 1015w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-02-2-e1658298289425.png?resize=300,193 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-02-2-e1658298289425.png?resize=768,494 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 2: A concept mockup for an AI-assisted alert triage system<\/em><\/p>  <h4><span data-contrast=\"auto\">AI-assisted security data enrichment<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:80,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h4>  <p><span class=\"TextRun SCXW26727986 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW26727986 BCX0\">AI-<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">assisted<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\"> SOCs will<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\"> go beyond alert recommendation<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">; they will <\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">anticipate what data analysts will need to follow up <\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">on alerts<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\"> and <\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">retrieve it<\/span> <span class=\"NormalTextRun SCXW26727986 BCX0\">proactively.\u00a0 They will also <\/span><span class=\"NormalTextRun SCXW26727986 
BCX0\">automate \u201clow-hanging fruit\u201d reverse engineering and data analysis tasks<\/span><span class=\"NormalTextRun SCXW26727986 BCX0\">.<\/span><\/span><span class=\"EOP SCXW26727986 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-03-1-e1658296392943.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85883\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-03-1-e1658296392943.png\" alt=\"A flowchart showing model training and deployment\" width=\"640\" height=\"572\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-03-1-e1658296392943.png 882w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-03-1-e1658296392943.png?resize=300,268 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-03-1-e1658296392943.png?resize=768,686 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 3: An AI malware-description system designed by the Sophos AI team<\/em><\/p>  <p><span data-contrast=\"auto\">The malware description generation ML model shown in Figure 3 gives an example of AI-assisted automation of low-hanging-fruit reverse engineering.\u00a0 This technology, developed by a team at Sophos, <\/span><i><span data-contrast=\"auto\">automatically describes malware functionality based on its low-level binary features<\/span><\/i><span data-contrast=\"auto\">, enhancing analyst decision making.\u00a0 The model is trained on millions of malware samples paired with malware descriptions contributed by the entire ecosystem of antivirus vendors.\u00a0 In the future, such systems will be trained on textual malware descriptions given by actual analyst reverse engineers.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">We give more examples of enrichments in the table below. All of these would dramatically accelerate SOC reverse engineering, threat intelligence, and alert follow-up workflows.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>    <p><em>Table 1: Examples of use cases for various AI-assisted data enrichments<\/em><\/p>  <p><span class=\"TextRun SCXW14785771 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun CommentStart CommentHighlightRest SCXW14785771 BCX0\" data-ccp-parastyle=\"heading 2\">AI-assisted incident remediation<\/span><span class=\"NormalTextRun CommentHighlightRest SCXW14785771 BCX0\" data-ccp-parastyle=\"heading 2\"> recommendation<\/span><\/span><span class=\"EOP CommentHighlightPipeRest SCXW14785771 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:80,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">The AI-assisted SOC will recommend crowdsourced recipes for addressing security alerts, incidents, and posture updates as analysts execute their workflows.\u00a0 In Table 2, we give a schema for how this capability will emerge, and we have shown a concept mock-up for this feature in Figure 2 (above).\u00a0 The figure shows how by taking analyst notes on past incidents and propagating them to new, relevant incidents, we can arm analysts with a crowd \u201cco-pilot.\u201d<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">It would be hard to overstate the impact this capability will have.\u00a0 As the size of the SOC analyst user \u201ccrowd\u201d grows, and information is aggregated at an increasing rate, AI-assisted incident remediation recommendations could become as indispensable to SOC analysts as StackOverflow is to programmers. Feedback mechanisms built natively into SOC workflow will continuously recalibrate recipe recommendations based on the preferences demonstrated by analysts.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">We imagine AI-assisted incident remediation evolving in stages.\u00a0 In the first phase, textual incident comments will be recommended, as shown in Table 2.\u00a0 In the next phase, we foresee XDR tools automatically distilling course-of-action summaries based on analyst activity so that analysts don\u2019t have to write up after-action reports manually.\u00a0 This will increase the breadth of experience encoded in the \u201csecurity recipe recommendation system,\u201d reduce the labor invested in writing reports, and increase their accuracy.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span class=\"NormalTextRun SCXW256880382 BCX0\">In the final stage of course-of-action recommendation development, AI systems will <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">automatically <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">translate <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">previously exercised courses 
of action to new <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">scenarios and <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">operating<\/span><span class=\"NormalTextRun SCXW256880382 BCX0\"> contexts, allowing for \u201cpush-button\u201d automation of these recommended courses of action<\/span><span class=\"NormalTextRun SCXW256880382 BCX0\"> via <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">security and IT product APIs<\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">.<\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">\u00a0 Our perspective is summarized in <\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">Table 2<\/span><span class=\"NormalTextRun SCXW256880382 BCX0\">, below.<\/span><\/p>  <table>  <tbody>  <tr>  <th style=\"width: 20%\">\u00a0ML incident remediation maturity stage<\/th>  <th>Capability description<\/th>  <\/tr>  <tr>  <td>Remediation recipe recommendation<\/td>  <td>As crowd analysts handle incidents and write reports about their actions, AI recommends these reports to other analysts handling similar incidents, creating a flywheel for accumulating a real-time Wikipedia of incident-response knowledge<\/td>  <\/tr>  <tr>  <td>Remediation recipe generation and recommendation<\/td>  <td>As crowd analysts take incident response actions, XDR software records these actions, and then recommends considering taking them in new, relevant contexts, increasing the throughput of the crowdsourced incident response knowledge base. 
This same process can be used to improve the generation of documentation, which is frequently either underperformed or overly time consuming<\/td>  <\/tr>  <tr>  <td>Push-button execution of automatically generated remediations<\/td>  <td>As crowd analysts take remedial action, XDR learns action templates and offers to automatically apply them in new, relevant contexts, decreasing incident response time as the system accumulates knowledge<\/td>  <\/tr>  <\/tbody>  <\/table>  <p><em>Table 2: How machine learning incident remediation recommendation will mature<\/em><\/p>  <h4>AI-assisted automation of security workflows<\/h4>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85824\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png\" alt=\"A timeline growing the growth of API usage between 2002 and 2020\" width=\"640\" height=\"359\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png 1263w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png?resize=300,168 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png?resize=768,431 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-04-2.png?resize=1024,575 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 4: The growing importance of APIs across the tech landscape (https:\/\/blogs.informatica.com\/2020\/02\/28\/how-to-win-with-apis-part-3\/)<\/em><\/p>  <p><span data-contrast=\"auto\">The AI-assisted SOC will not only infer user intent; it will also automate previously laborious actions, just as smart home systems automate a wide variety of previously manually performed actions. 
Smart home ecosystems automate instantaneous actions (\u201cturn on the downstairs lights\u201d), scheduled actions (\u201cturn the lights on every evening at 6:00PM\u201d), and complex, conditional actions (\u201copen the garage door every day when I\u2019m a quarter mile from home\u201d).\u00a0 Behind the scenes, these ecosystems translate ambiguous natural signals (spoken natural-language input) to deterministic API requests addressing products from multiple vendors.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Analogously, AI-assisted SOC software will enable fluid natural-language control over diverse IT\u00a0 infrastructure spanning multiple vendors (accommodating commands such as \u201cset firewall rules to restrict \u2018ssh\u2019 access in my AWS infrastructure to only in-office IP addresses starting next Monday at 8:00AM\u201d).\u00a0 Additionally, and as discussed above, AI-assisted SOC software will often recommend courses of action to analysts, which it will then implement with their confirmation (for example, recommending that HTTP servers filter incoming connections from addresses in a given IP range, based on threat intelligence data, and then implementing this policy automatically upon analyst confirmation).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">These automation features will rely on the rapid and accelerating implementation of management APIs across the enterprise IT and IT security landscape. 
Figure 4 dramatizes this, showing the growth in API consumption across the tech landscape over the past few years.\u00a0 Charts like these suggest that over the next five years, APIs in IT and IT security will become so ubiquitous that very little won\u2019t be possible to achieve through automated, programmatic means with respect to gathering data, updating security posture, and taking remedial actions in an IT security context.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <h4><span class=\"TextRun SCXW183852336 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW183852336 BCX0\" data-ccp-parastyle=\"heading 1\">Sophos\u2019 <\/span><span class=\"NormalTextRun SCXW183852336 BCX0\" data-ccp-parastyle=\"heading 1\">roadmap for<\/span><span class=\"NormalTextRun SCXW183852336 BCX0\" data-ccp-parastyle=\"heading 1\"> achieving the AI-<\/span><span class=\"NormalTextRun SCXW183852336 BCX0\" data-ccp-parastyle=\"heading 1\">assisted<\/span><span class=\"NormalTextRun SCXW183852336 BCX0\" data-ccp-parastyle=\"heading 1\"> SOC<\/span><\/span><span class=\"EOP SCXW183852336 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:300,&quot;335559739&quot;:40,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h4>  <p><span class=\"TextRun SCXW18803547 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW18803547 BCX0\">Table 3 gives our roadmap for delivering our vision of the AI-<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">assisted<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\"> SOC during the period 2021-25; note that we are in the second year of this five-year plan<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">.\u00a0 The top row of the chart 
gives the headline capabilities we <\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">will deliver, or have already delivered<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">.\u00a0 T<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">he next rows give the enablement deliverables required to support them, along the three technical tracks: XDR platform innovation, security AI innovation, and programmable security posture.\u00a0 A few points are especially salient in the <\/span><span class=\"NormalTextRun SCXW18803547 BCX0\">roadmap and<\/span><span class=\"NormalTextRun SCXW18803547 BCX0\"> are worth highlighting.<\/span><\/span><span class=\"EOP SCXW18803547 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <table>  <tbody>  <tr>  <th>Capability<\/th>  <th><em>2021<\/em><\/th>  <th>2022<\/th>  <th>2023<\/th>  <th>2024<\/th>  <th>2025<\/th>  <\/tr>  <tr>  <td><strong>AI-driven SOC feature<\/strong><\/td>  <td><em>AI alert recommendation engine based on crowd training data &#8211; done<\/em><\/td>  <td>AI-recommended, crowdsourced incident response reports;\u00a0AI alert enrichment<\/td>  <td>AI-recommended incident response action suggestions automatically generated based on analyst behavior<\/td>  <td>Push-button implementation of AI-suggested actions via SaaS\/IaaS APIs<\/td>  <td>Automation of routine SOC work by AI-suggested actions via AI models and SaaS\/IaaS APIs<\/td>  <\/tr>  <tr>  <td><strong>XDR platform development<\/strong><\/td>  <td><em>AI \/ analyst feedback loop for AI alert recommendations &#8211; done<\/em><\/td>  <td>AI \/ analyst feedback loop for incident response playbook recommendation<\/td>  <td>Instrumentation of analyst actions to feed ML incident response models<\/td>  <td>Integration with SaaS\/IaaS and security product APIs to support 
push-button AI-recommended actions<\/td>  <td>Further integration with third-party APIs to support semi-autonomous security posture and incident response actions<\/td>  <\/tr>  <tr>  <td><strong>Security AI innovation<\/strong><\/td>  <td><em>ML models for AI \/ analyst alert recommendation feedback loop &#8211; done<\/em><\/td>  <td>ML models for incident response recipe recommendation<\/td>  <td>ML models for auto-generation of incident-response recipes<\/td>  <td>ML models for auto-suggesting incident response actions<\/td>  <td>ML models for automating rote ML security work<\/td>  <\/tr>  <tr>  <td><strong>API-based automated response innovation<\/strong><\/td>  <td>\u00a0<\/td>  <td>\u00a0<\/td>  <td>Tracking of user-driven security posture update API requests to support ML auto-action models<\/td>  <td>Auto-translation of ML model suggestions to network security posture API requests<\/td>  <td>Implementation of semi-autonomous security posture actions via security posture API requests<\/td>  <\/tr>  <\/tbody>  <\/table>  <p><em>Table 3: Sophos&#8217; five-year plan for achieving the AI-assisted SOC<\/em><\/p>  <p><span data-contrast=\"auto\">First, delivering the AI-assisted SOC will require substantial innovation along multiple fronts, but won\u2019t require research miracles.\u00a0 Indeed, there are mature existence proofs outside of security for every technology that we are developing.\u00a0 Security alert recommendation, as we have discussed, is analogous to the kinds of ranking problems solved by existing media recommendation systems (e.g., Spotify) and product recommendation systems (e.g., Amazon).<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Incident response report recommendation, which will help analysts leverage organizational knowledge when responding to new incidents, is analogous to 
question answering functionality supported by personal voice assistants like Siri, Alexa, and Google Assistant, which pull crowdsourced snippets of text from the web to answer questions (e.g., \u201cwhat are common symptoms of strep throat?\u201d).\u00a0 Automatic incident response action suggestions are analogous to modern AI-assisted help dialogues that have recently appeared in Microsoft Office.\u00a0 The major work captured in our roadmap, then, is around transposing and adapting technologies and ideas from these adjacent disciplines into the security domain.\u00a0 No small task, but not an insurmountable one.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">The second salient point in our roadmap is that by 2025, the affordances of the modern SOC will have fundamentally transformed.\u00a0 Cutting-edge SOCs will leverage real-time feeds of data from the behavior of the SOC analyst \u201ccrowd,\u201d distilled by AI models, to dramatically accelerate their workflows.\u00a0 Indeed, the AI-assisted SOC will arm SOC analysts with a kind of \u201cauto-complete\u201d for their workflows, coupled with the predictive surfacing of relevant information, and this will transform security workflows.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">A final point is that from a science and engineering perspective, our roadmap represents a big bet on the possibility of transformational, AI-assisted change within the security industry, and as such, will require a change in habits of mind and a questioning of long-held assumptions within our industry.\u00a0 It will require trial and error and getting 
comfortable with the uncertainty that comes with trying out new approaches over existing ones.\u00a0 We are committed to this journey and believe that our industry must adapt if we are to succeed in breaking through longstanding barriers to better defensive cybersecurity.<\/span><\/p>  <h4>Sophos&#8217; AI-assisted SOC research and development efforts<\/h4>  <p><span class=\"TextRun SCXW112793827 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\">Is the AI-assisted SOC really within reach, or will it continue to be \u201cjust five years away?\u201d\u00a0 In this section, we show that our vision is tractable by describing current research by Sophos AI, Sophos\u2019 dedicated security machine learning and artificial intelligence research team.\u00a0 We describe our work in three areas: ML alert recommendation, ML security data enrichment, and AI-UX value circuit-based behavioral detection. Table 4 summarizes the purpose and maturity of each of Sophos\u2019 research threads, and how each contributes to our overall vision for the AI-assisted SOC.<\/span><\/p>  <table>  <tbody>  <tr>  <th>Research thread<\/th>  <th>Purpose<\/th>  <th>Maturity<\/th>  <th>Contribution to overall AI-assisted SOC vision<\/th>  <\/tr>  <tr>  <td><strong>ML alert recommendation<\/strong><\/td>  
<td>Prioritize high-value alerts to SOC analysts based on analyst-crowd feedback<\/td>  <td>Currently in &#8220;beta&#8221; use within Sophos&#8217; managed SOC service<\/td>  <td>Realizes the AI-UX value circuit with respect to multi-product alerts<\/td>  <\/tr>  <tr>  <td><strong>ML security data enrichment<\/strong><\/td>  <td>Leverage crowd data to provide analysts with decision-relevant information<\/td>  <td>Multiple mature prototypes, some of which are in Sophos&#8217; products<\/td>  <td>Realizes first steps toward anticipating data needed by SOC analysts<\/td>  <\/tr>  <tr>  <td><strong>AI-UX value circuit-based living-off-the-land detection<\/strong><\/td>  <td>Create a feedback loop between analysts and ML-based detectors to iteratively improve living-off-the-land detection accuracy<\/td>  <td>Currently in early prototype and under development within the Sophos AI team<\/td>  <td>By grouping similar low-level events, we&#8217;ll make analyst note recommendation possible<\/td>  <\/tr>  <\/tbody>  <\/table>  <p><em>Table 4: Three Sophos research threads operating in support of the AI-assisted SOC roadmap<\/em><\/p>  <h4><span data-contrast=\"auto\">Machine learning alert recommendation<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559738&quot;:240,&quot;335559739&quot;:80,&quot;335559740&quot;:276}\">\u00a0<\/span><\/h4>  <p><span data-contrast=\"auto\">Sophos AI is building and iteratively improving a prototype for predicting which alerts analysts will deem relevant.\u00a0 The setup for alert escalation prediction is given in Figure 5.\u00a0 The panel on the left of the figure shows the workflow SOC analysts engage as they triage alerts, deciding which alerts to discard as false positives and which to escalate as worthy of follow-up.\u00a0 The panel on the right shows how machine learning, in our experiments, learns to mimic and predict analysts\u2019 decisions such that we prioritize 
alerts that they are most likely to escalate, so they can address them first.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85884\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png\" alt=\"The training data \/ alert prioritization loop\" width=\"640\" height=\"361\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png 1176w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png?resize=768,434 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-05-2-e1658296487472.png?resize=1024,578 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 5: Sophos AI&#8217;s prototype alert recommendation engine<\/em><\/p>  <p><span data-contrast=\"auto\">We built our prototype using internal data from Sophos\u2019 MTR (Managed Threat Response) service operating across (at the time) approximately 4,000 unique customer environments.\u00a0 Our evaluation results are shown in Table 5, which shows a simulated bake-off between a scenario in which we don\u2019t use ML alert ranking (i.e., randomly presenting alerts exceeding a certain severity threshold to analysts) and one in which we do use ML.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">The impact of machine learning here is dramatic.\u00a0 Of the first fifty cases the analysts who 
do use ML ordering examined, they escalated 41; whereas of the first 50 cases the analysts who didn\u2019t use ML ordering examined, they escalated only four.\u00a0 The results are clear: a machine learning alert ranking engine trained on a feed of SOC analyst decision-making data can substantially improve SOC analysts\u2019 efficacy, even on alerts produced by mature, traditional alert-generation logic.<\/span><\/p>  <table>  <tbody>  <tr>  <th>Random sorting (similar to real world, today)<\/th>  <th>Sorting on ML suspicion score<\/th>  <\/tr>  <tr>  <td>Examine 50 cases to discover 4 escalations<\/td>  <td>Examine 50 cases to discover 41 escalations<\/td>  <\/tr>  <tr>  <td>Examine 184 cases to discover 13 escalations<\/td>  <td>Examine 184 cases to discover 92 escalations<\/td>  <\/tr>  <tr>  <td>Examine 731 cases to discover 51 escalations<\/td>  <td>Examine 731 cases to discover 146 escalations<\/td>  <\/tr>  <\/tbody>  <\/table>  <p><em>Table 5: Results from Sophos AI&#8217;s case escalation prototype<\/em><\/p>  <p><span class=\"TextRun SCXW95958599 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW95958599 BCX0\">Figure 6 shows the results of an experiment designed to show how the accuracy of our alert escalation prediction prototype increases as a function of training data volume.\u00a0 In the experiment, we randomly sampled training data, increasing the sample size until we reached 7500 data points and running 500 experiments in total.\u00a0 As 
the figure shows, as our training data volume increased, the accuracy of our system also increased.\u00a0 These results suggest that as we scale alert escalation prediction, our results will continue to improve.<\/span><\/span><span class=\"EOP SCXW95958599 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-06-2-e1658297608264.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85885\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-06-2-e1658297608264.png\" alt=\"Scatter chart showing accuracy as a function of the volume of available training data\" width=\"364\" height=\"297\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-06-2-e1658297608264.png 364w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-06-2-e1658297608264.png?resize=300,245 300w\" sizes=\"auto, (max-width: 364px) 100vw, 364px\" \/><\/a><\/p>  <p><em>Figure 6: Accuracy improvements in case escalation prediction as training data size increases<\/em><\/p>  <h4>Google-like natural language questions and answering using GPT-3 scale language models<\/h4>  <p><span data-contrast=\"auto\">In addition to building a recommendation engine for security alerts, Sophos AI has taken important steps towards building a natural-language question answering system for security.\u00a0 The strategy we have found gives the best results leverages very large language models, pretrained on web-scale text datasets.\u00a0 We\u2019ve found that we can \u201cfine tune\u201d such large models to handle the problem of translating from diverse natural languages (such as English, French, and Chinese) to a domain-specific security search language we\u2019ve developed.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">Figure 7 demonstrates how our prototype, called AIQuery, translates between unstructured, free-form queries like \u201cshow me usb devices developed by the company that developed the iphone,\u201d and a domain specific search language we\u2019ve defined for querying a database of security-relevant data (query_usb_devices(vendor=\u2019apple\u2019)).\u00a0 Remarkably, AIQuery has learned that a reference to \u201cdevices developed by the company that developed the iphone\u201d should be translated to \u201capple\u201d in the context of a structured database query, and that a reference to \u201cdeveloped by the company that owns windows\u201d should be translated to Microsoft.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-07-1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85873\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-07-1.png\" alt=\"A screen capture showing the two queries described in the previous paragraph\" width=\"640\" height=\"86\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-07-1.png 1008w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-07-1.png?resize=300,40 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-07-1.png?resize=768,103 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 7: Examples of translations from Sophos&#8217; natural language query interface<\/em><\/p>  <p><span class=\"TextRun SCXW71260022 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" 
data-contrast=\"auto\">We expect that technologies like our AIQuery natural language interface will make answering security-relevant questions about complex network topologies dramatically easier by answering the majority of user questions without requiring that they navigate complicated menu systems or write complex queries in languages like SQL.\u00a0 This will free users up so that they can focus on the truly hard information retrieval problems in security that will require writing custom query code.<\/span><\/p>  <h4>AI-UX value circuit-based living-off-the-land detection<\/h4>  <p><span data-contrast=\"auto\">A third prong of Sophos\u2019 research investments in building the AI-assisted SOC focuses on detecting living-off-the-land (also known as \u2018fileless\u2019) adversary behavior based on a real-time human\/ML feedback loop.\u00a0 In this research, we present novel, suspicious clusters to SOC analysts, who label clusters as either benign or suspicious.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <p><span data-contrast=\"auto\">When new behaviors appear that match clusters previously labeled benign by a quorum of analysts, we dismiss them, whereas when new behaviors form new clusters, or appear suspicious to our machine learning model, we present them to analysts for a decision.\u00a0 As quora of analysts label clusters \u2018malicious\u2019, new behaviors that match these clusters are prioritized for review above all other behaviors.<\/span><\/p>  <p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-85886\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png\" alt=\"Architecture diagram of the AI-UX value circuit living-off-the-land detection prototype\" width=\"640\" height=\"550\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png 1385w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png?resize=300,258 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png?resize=768,660 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/figure-08-3.png?resize=1024,881 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>  <p><em>Figure 8: The architecture diagram for our AI-UX value circuit living-off-the-land detection model<\/em><\/p>  <p><span class=\"TextRun SCXW181726955 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\">Figure 8 depicts our prototype\u2019s workflow.\u00a0 While a complete description of this prototype is beyond our present scope, of note is the reduction of 132 million unique behavioral observations to 334 high-priority escalations.\u00a0 By combining clustering with suspicion scoring and anomaly detection, and then incorporating analyst feedback to improve detection accuracy, our prototype dramatically reduces analyst workload and allows analysts to home in on truly interesting events amidst an intractable data deluge.<\/span><span class=\"EOP SCXW181726955 BCX0\" 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <h4>Conclusion<\/h4>  <p><span data-contrast=\"auto\">This whitepaper argues that the evolution of user interfaces points towards a seamless and sophisticated integration of AI-models with user intent, that the most sophisticated areas of tech have already achieved this, and that in the next 5 years, SOC software product vendors will either achieve this within security or become increasingly irrelevant.\u00a0 In effect, we will achieve a \u201csecurity operations recommendation engine\u201d that rivals the utility we\u2019ve come to expect from Google, Amazon, and Netflix. We\u2019ve shown the following:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559731&quot;:720,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/p>  <ul>  <li data-leveltext=\"-\" data-font=\"Times New Roman\" data-listid=\"17\" data-list-defn-props=\"{&quot;335551671&quot;:4,&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Times New Roman&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;-&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">XDR platforms, with their per-customer warehousing of the broad spectrum of security data into cloud data stores, increasingly provide the necessary data to train the necessary AI models.\u00a0 Differentiated XDR platforms will not only enable security operations but will serve as the very environment in which these AI models can be trained and continuously honed.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559739&quot;:200,&quot;335559740&quot;:276}\">\u00a0<\/span><\/li>  <li data-leveltext=\"-\" data-font=\"Times New Roman\" data-listid=\"17\" data-list-defn-props=\"{&quot;335551671&quot;:4,&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Times New Roman&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;-&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">The dizzying secular innovation occurring within AI, including algorithmic innovation, special purpose AI hardware, and rapidly improving AI open-source tools, will be an enabling factor for developing the requisite security AI models.\u00a0 The difference between frivolous and unquantifiable claims of AI in security and useful AI assistance will become as clear as the difference between search engine results from Altavista in 1995 and Google in 2022.<\/span><\/li>  <li data-leveltext=\"-\" data-font=\"Times New Roman\" data-listid=\"17\" data-list-defn-props=\"{&quot;335551671&quot;:4,&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Times New Roman&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;-&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">The development of \u201cAPIs everywhere\u201d with respect to the configuration of IaaS, SaaS, and security products means that looking ahead, autonomous agents will 
have the ability to update organizations\u2019 security posture, facilitating human-supervised AI management of network environments.\u00a0 Security operations platforms that fail to embrace the \u201cEverything as Code\u201d movement will be short-lived.<\/span><\/li>  <li data-leveltext=\"-\" data-font=\"Times New Roman\" data-listid=\"17\" data-list-defn-props=\"{&quot;335551671&quot;:4,&quot;335552541&quot;:1,&quot;335559684&quot;:-2,&quot;335559685&quot;:720,&quot;335559991&quot;:360,&quot;469769226&quot;:&quot;Times New Roman&quot;,&quot;469769242&quot;:[8226],&quot;469777803&quot;:&quot;left&quot;,&quot;469777804&quot;:&quot;-&quot;,&quot;469777815&quot;:&quot;hybridMultilevel&quot;}\" data-aria-posinset=\"4\" data-aria-level=\"1\"><span data-contrast=\"auto\">Our research gives early indication that our vision of the AI-assisted SOC is achievable on a five-year timeline.\u00a0 None of our argument should be taken to suggest that our vision will be easy to achieve, that it will be risk-free even if we execute well on our goals, or that, even if we do achieve our goals, security will be a \u201csolved problem.\u201d\u00a0 But we do believe that as network defenders and security product, platform, and service developers, it is our moral mission to continuously improve, and that this is the path to doing so.<\/span><\/li>  <\/ul>  <p>For more information on Sophos X-Ops, please see <a href=\"https:\/\/news.sophos.com\/sophos-x-ops-faq\">our FAQ<\/a>.<\/p>  <h4>Acknowledgements<\/h4>  <p>Thanks to Joe Levy for his leadership in helping to define this vision and for his feedback on this blog post; thanks also to Greg Iddon 
for his insights into the relationship between AI developments in fields outside of security and the path forward for AI within security, and for his authorship of an early version of this document.\u00a0<\/p>\t\t\t<\/div><br><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/07\/20\/building-the-ai-assisted-soc-sophos-five-year-perspective\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><!-- \/wp:freeform -->","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/07\/x-ops-ai-assisted-image.jpg\"\/><\/p>\n<p><strong>Credit to Author: Angela Gunn| Date: Wed, 20 Jul 2022 11:00:21 +0000<\/strong><\/p>\n<p>Looking ahead to the Security Operation Center of the future, forged from developments in XDR, AI innovation, and programmable security posture and powered by the AI-UX value circuit<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[27031,27032,12038,27030,27033],"class_list":["post-19636","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-ai-research","tag-ai-assisted","tag-machine-learning","tag-sophos-x-ops","tag-x-ops"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19636","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19636"}],"version-history":[{"count":0,"href":
"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19636\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19636"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19636"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19636"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}