Hagai Shapira, Torq’s Director of Product spoke at DeepSec 2023 about different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. In this interview (originally posted on DeepSec) Hagai answers questions about his talk and provides key insights on how to leverage AI to streamline incident response processes and improve their overall security posture.
Interview:
Please tell us the top 5 facts about your talk.
- Most sec ops teams are still immature when it comes to utilizing automation for their detection and response and incident response procedures.
- Powerful automation and efficiency improvements can be achieved without software engineers using modern security automation tools.
- Some of the most time consuming tasks in incident handling are tasks that require interaction with other people (employees or users) and waiting for their responses.
- Simple primitives for asking questions in messaging platforms are key for enabling many automation use cases.
- Recent advancements in LLM models and AI agent architectures have expanded the realm of what is possible to automate, including most Tier-1 level cases in day-to-day SOC operations.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
This talk is based on my experience and work with security teams over the last three years in automating their incident response. However, my exploration into use cases for the latest top-of-the-line LLM models and how AI agent architectures, such as ReAct, can be used for security automation, has driven the most recent and exciting frontiers in this field and are the focus of the talk.
Why do you think this is an important topic?
There are several reasons why this is an important topic. Firstly, the workload of security operations teams has significantly increased over the past few years due to the proliferation of security tools and sensors that they need to monitor, as well as the sheer volume of data and alerts these tools generate. Secondly, it has become increasingly difficult to hire qualified security professionals, exacerbating the problem. Given these challenges, automating security operations is the only rational solution to alleviate the burden on security teams.
Is there something you want everybody to know – some good advice for our readers maybe?
If there is something I’ve learnt from my three years trying to automate the world of security operations is that there is no magic behind it. You cannot expect a magical solution to solve all your problems. However, if you invest resources and prioritize automation, you can achieve returns and efficiencies that would be impossible to achieve otherwise.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
I definitely look forward to seeing even more improvement in the performance of LLM models, solving some issues they still suffer from like hallucination, and a reduction in the cost of completions. These changes and improvements will surely be key in seeing even more use of LLMs in automations, in more complicated investigations and at a scale that is required for supporting some of the bigger organizations in the world.