AI Agents Revolutionizing Security Operations

May 12, 2025

Lecture Notes: AI Agents in Security Operations

Speakers

  • P. Chakravarti: Manages product for Google SecOps
  • Spencer Lonstein: Product manager for AI efforts in security operations
  • Mark Ruiz: Head of cybersecurity analytics at Fiserv

Session Overview

  • Presentation of AI agents enhancing security operations
  • Discussion on AI and security
  • Introduction to Gemini in security operations
  • Demonstration of use cases in investigation and hunting
  • Insight into Fiserv's journey with Chronicle and AI for improved security ops

Objectives of Generative AI in Security

  1. Identify Threats
    • Use AI to detect early threats and prevent widespread impact.
  2. Reduce Toil
    • Minimize repetitive tasks for security analysts through AI.
  3. Address Skill Shortage
    • Scale expertise and aid newcomers in cybersecurity.

Gemini Security Capabilities

  • Transform Investigation: End-to-end investigation through an AI-powered conversational chat experience.
  • Accelerate Response: Provide incident summaries and create/update playbooks in natural language.
  • Simplify Hunts: Integrate threat intel data with event and log data for threat hunting.

Security Language Model

  • SecLM: Domain-specific language model tuned with security data sources like Mandiant, VirusTotal, etc.
  • Vertex AI: Google’s next-gen enterprise-grade AI platform.

Key Use Cases

  • Investigation
    • Natural language queries to investigate incidents.
    • Example: "When was the first time this user was seen?"
  • Response
    • Build playbooks for alerts using decision trees.
  • Hunting
    • Ask questions to identify threat indicators and create detection rules.

Demonstrations

  1. Investigation Use Case
    • Unified view of prioritized cases.
    • Gemini helps identify threats and suggests next steps.
    • Use of natural language queries for registry key modifications and hunting malware.
    • Creation of rules and playbooks for future detection.
  2. Hunting Use Case
    • Extend Gemini’s power for emerging threat analysis.
    • Use of static indicators for threat detection.
    • In-depth analysis using Gemini for intelligent threat detection.
    • Creation of custom detection rules.

Fiserv's Perspective

  • Challenges: Speed, volume, and variety of cyber attacks.
  • Current State: Use of SOAR (Security Orchestration, Automation, and Response) for data management and tuning.
  • Future Plans:
    • Enhance SOAR with AI for quicker responses.
    • Implement adaptive learning and refined model prompts.
    • Democratize advanced analysis techniques for broader talent use.

Conclusion

  • Gemini and AI present a transformative opportunity in security operations.
  • Expect significant advancements and implementation in cybersecurity in the near future.