DeepSec 2023 Talk: Automating Incident Response: Exploring the Latest Conversational AI Tools – Hagai Shapira
As security incidents become increasingly complex, it’s crucial for SOC and incident response teams to focus on actual malicious investigations. However, their ability to do so is often limited by time-consuming human interactions with stakeholders.
In this talk, we’ll explore different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. These tools enable full investigations with human stakeholders to be performed automatically, with an analyst only as a silent observer/supervisor.
We’ll discuss the benefits and limitations of using conversational AI tools in incident response, as well as real-world examples of how these tools have been used effectively. By the end of the talk, attendees will have a better understanding of how to leverage this technology to streamline their incident response processes and improve their overall security posture.
We asked Hagai a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- Most sec ops teams are still immature when it comes to utilizing automation for their detection and response and incident response procedures.
- Powerful automation and efficiency improvements can be achieved without software engineers using modern security automation tools.
- Some of the most time consuming tasks in incident handling are tasks that require interaction with other people (employees or users) and waiting for their responses.
- Simple primitives for asking questions in messaging platforms are key for enabling many automation use cases.
- Recent advancements in LLM models and AI agent architectures have expanded the realm of what is possible to automate, including most Tier-1 level cases in day-to-day SOC operations.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
This talk is based on my experience and work with security teams over the last three years in automating their incident response. However, my exploration into use cases for the latest top-of-the-line LLM models and how AI agent architectures, such as ReAct, can be used for security automation, has driven the most recent and exciting frontiers in this field and are the focus of the talk.
Why do you think this is an important topic?
There are several reasons why this is an important topic. Firstly, the workload of security operations teams has significantly increased over the past few years due to the proliferation of security tools and sensors that they need to monitor, as well as the sheer volume of data and alerts these tools generate. Secondly, it has become increasingly difficult to hire qualified security professionals, exacerbating the problem. Given these challenges, automating security operations is the only rational solution to alleviate the burden on security teams.
Is there something you want everybody to know – some good advice for our readers maybe?
If there is something I’ve learnt from my three years trying to automate the world of security operations is that there is no magic behind it. You cannot expect a magical solution to solve all your problems. However, if you invest resources and prioritize automation, you can achieve returns and efficiencies that would be impossible to achieve otherwise.
A prediction for the future – what do you think will be the next innovations or future downfalls for your field of expertise / the topic of your talk in particular?
I definitely look forward to seeing even more improvement in the performance of LLM models, solving some issues they still suffer from like hallucination, and a reduction in the cost of completions. These changes and improvements will surely be key in seeing even more use of LLMs in automations, in more complicated investigations and at a scale that is required for supporting some of the bigger organizations in the world.
Hagai Shapira is a director of product at Torq, a Hyperautomation company for security teams. Hagai has 12 years of experience through multiple roles in the cybersecurity world ranging from security research and ops, software development to product management.