[Music] my name is p chakravarti i run product management for Google SEC opson uh and I'm joined by my esteemed colleagues uh Spencer lonstein who is a product manager leading the AI efforts for security operations as well as very excited to have Mark Ruiz join us uh he's the uh head of cyber security analytics at fiser I'm really excited in this session we will uh present some of the AI agents that we have built uh to enhance security operations see on the agenda we will briefly uh discuss Ai and security uh Gemini in security operations we will do demonstrations of a couple of use cases uh related to investigation and hunting and then we will uh learn how fizer is uh you know has just embarked on their journey to uh improve their security operations with chronical and AI so our goal with generative AI is to help uh overcome some of the common security challenges AI truly uh has the ability to transform the sock by solving issues that have plagued the sock for a long time so the first one is about about identifying threats leveraging AI to detect those early unique threats and prevent the patient once before they have widescale impact the second objective is to reduce the toil in this stock right today uh security analysts are spending hours um in repetitive and cumbersome uh workflows and tasks uh AI has the um opportunity to radically shift the time it requires to do some of the these task and hence accelerate the decision making and troubleshooting investigations and third we all know there is a skill shortage in cyber security it's real and how can we use AI to actually help scale expertise so that we can enable professionals to quickly mitigate and uh respond to threats as well as newcomers and U uh newcomers to boost their knowledge so that everybody gets more time uh to higher order problems so at uh next we announced several uh new capabilities of uh Gemini security agents some of them are Gemini and security operations which we will talk about today how can we accelerate response transform investigation and simplify Hunts uh Gemini in security Command Center uh some of the core things that were introduced are explaining multi-stage attack paths um and then in threat Intel Gemini in threat Intel helps tap into Mandan massive Corpus of threat intelligence data and to get insights in a few seconds about their tactics and techniques so um all of our security agents are built off of this powerful uh security language model it's a domain specific language model called sect LM uh we have tuned Gemini's latest and greatest model with data from a multi multitude of security sources so from mandiant from virus total from open source uh from miter and so forth uh and we have then used that data to tune and ground the model to solve specific security use cases um and then this all runs on uh vertex AI you all have heard a lot about vertex AI at next um our NextGen Enterprise grade AI platform and Google is the only uh company that's offering the full stack from the agents to the language model to the um to thex Ai and the infrastructure the tpus uh where the workloads are running and um we take extreme pride in the scale and the security privacy commitment we have to AI so uh moving on let's talk uh specific speically about how we are leveraging Gemini and security operations the three uh core objectives have here are transforming investigation accelerating response and simplifying hunts Google was the first major cloud provider to make gen available for security operations so today uh from a transforming investigation perspective um investig investigation in the sock today has several friction points a there's massive amounts of data then there is the need to connect the dots between the data between the uis between the products the users the tools and also at the end of the day you're still uh ending up spending time analyzing incidents that have happened in the past so that knowledge is lost so by providing a AI trained intelligent conversational chart experience called the investigation assistant we are bringing to you the ability to use Gemini to drive an endtoend investigation from triage to looking into uh to asking questions in natural language asking follow-ups getting suggested recommendations and then finally finding the root cause and taking actions on that the second rating response uh we are presenting summaries uh case summaries of what has happened so far in an incident or a case uh instead of having to look through several hundreds of alerts we give you summaries uh that gives you very clear uh instructions on what to do next and um also allows you to and we're also introducing the ability to create and update playbooks in natural language and then finally on simplifying hunts how do we enable threat hunting by bringing uh threat Intel data uh in the same console with your event data your log data so that we can enable sock analysts to leverage that data to ask open-ended threat questions and even create roots from emerging threats some common use cases on Investigation like you can ask questions like you know how was uh when was the first time this user was seen or how many other alerts share the same IP uh on the response side you can ask Gemini to build a Playbook that triggers on an alert and then has a decision tree to say if x then do a or do B um you can create a detection rule uh from this investigation or potentially close the case and then when you're hunting you can hunt for you can ask questions to look for indicators of a threat actor ap43 and find all the devices where that hash was present so these are some of the use cases and we'll put these uh put these uh words into action very soon let's do that and let's jump into how all this comes together and we will walk you through a few simple use cases um in the demo so the first use case case is about a sock analyst who is investigating a case um and responding to it so bear with me so as a sock analyst I come in and I come to my seops platform and I um have a unified experience to look at this wall of cases these are only the most important prioritized cases that are shown to me because there are cases that have automatically been tried because they were false positives or um there was an automated book that ran now this case is automatically grouped and shows me two alerts that are seemingly disconnected so I want to know what's going on so Gemini comes in and tells me more about this case uh that there is ap43 is a tractor there is a file with a certain hash there is a a process was launched on a VM called Lin Miner by a user Chris and it also gives me certain next steps of what I should investigate further now I'm interested in this specific I got a good set of signals I'm interested in this apply threat Intel alert which is automatically enriched with our threat data here I can see the entities that were associated so that validates what I saw in the summary and now there's one critical information here which is um uh there is a malware called hangman V2 which I'm going to go and look for so here I'm going and uh ment uh interface and I'm asking a question about tell me more about this malware called hangman V2 so at this point in time Gemini is going to go in and uh run through the their carpus of data and give me some initial results about hangman V2 right um gives me little bit of detail about that but I want to know as as a malware I the first thing I want to know is how does it persist because that's those are the signals I need to look for in my environment so I I go ahead and ask Gemini how does hangman V2 persist and again um this is looking through the data and was going to give me very specific instructions on persistence that it persists by adding itself to the registry with the following command and the command adds a new registry key name system to run so this is a pretty standard technique that uh attackers use um and uh one thing to note is it also gives gemina also gives me the reference and the inference of how they it has come to this conclusion so I am interested in this uh specific you know regist key modification with this registry key so I'm going to go and see if this exists in my environment and here I invoke the Gemini investigation assistant uh which I just explained before and it gives me a a set of initial things to get started on but I will go ahead and ask uh type in a query in natural language which is um you know find any registry modification events for this registry key which I just copied um from the from the uh other interface in the last two weeks and I'm going to run this query and uh Gemini goes in translates this query into a search query now here I don't have to learn a new syntax a new language it gives me a pretty well constructed search query I run the search and uh while it's running the search as you can see um it automatically switched the context to the search page so one of the things we're doing with Gemini is it's not a standalone Q&A app it's very deeply embedded with your experience in the sock so you can see the dashboard and it tells me that there are 14 events uh related to registry key modification and voila if I hover over the key uh event I can see that specific key um that confirms that uh it is probably related to the malware and then I want to know is this the only host or other hosts are impacted as well so I asked that question how many hosts are impacted and it tells me there's one unique host it's the same Lin Miner host that we saw early on um and uh what I'm going to do is to prevent this from happening in the future I'm going to ask Gemini to create a rule which is a detection Rule and say can you create a rule from this activity Gemini created the rule I opened the rule editor and I see it's created a rule for registry modifications for that specific key and I'm good to go so um in a few clicks I went from learning about a malware learning about its persistence searching for it in my environment ensuring nobody else has that uh no other VM is impacted and then creating a rule that can prevent or detect this in the future so now I want to go create a Playbook because when this when this kind of an alert triggers what should I do to uh automatically uh perhaps enrich and so forth so I'm going to go and uh run uh create uh uh A playbook um going to use uh uh you know this is our uh sore platform which allows you to uh create playbooks it's all integrated into the same user experience and it also lets you run simulations of the playbooks you create so I'm going to invoke Gemini again and again type in a pretty natural language query to um create a Playbook there's some examples given here um but here I'm going to say uh Build A playbook for this uh registry key change alerts and then the Playbook must enrich um all entity types I won't read it out but you can see what it's typing and types with you know virus total information mandant information um Google am information um all of that and I'm going to um also uh ask it to do certain things like if it is um if it is if if this if they does if it does detect this then um you should update the tags or release the severity of the alert so I'm going to give it some specific in instructions so it's saying decide if there is anything suspicious and create um case tags and prioritize the case accordingly so when I hit generate plook this takes a little bit um but it's um you know running in the background to create a Playbook this is our uh you know in in the absence of this what you would be doing is using the drag and drop capabilities so you'd be dragging and dropping configuring every single box the triggers the decision trees all of that in a manual way to test it um but with this capability now uh it gives me the trigger the actions and I create the Playbook and there you go uh A playbook is generated it shows me the alert type that triggers the different types of enrichment that is done uh and then also the uh decision tree to say okay if it is malicious then what tags do you need to add or whether you need to escalate this alert or not so having said that so we went through um an entire I guess uh I think I have to pause this okay so we went through an entire use case to start from a sock analyst looking at at a case looking at alerts correlated automatically for the analyst in the case finding the threat information directly finding what the uh persistence methods were searching for it isolating the host creating a rule and creating even a response Playbook all powered by Gemini and with natural language how amazing is that with that I'm going to hand over to Spencer to walk through the next set of you SK awesome uh great to see folks so maybe before I get into this use case it'd be great to understand how many security practitioners do we have in the audience okay so great I will be criticized for any mistakes uh in this demo which is awesome um so not to confuse folks further but we're going to flip from AP 43 to AP 34 um this was very unintentional when we created this but the interesting piece that I'm going to walk through here is just extending gize power into uh a use case that's more focused on sort of emerging threats or hunting through larger amounts of data and one thing to keep in mind as I go through this is that we automatically at Google are taking the latest FR Frontline intelligence and threats and we're applying it natively in your environment we're doing indicator matching we're giving you rules that you can deploy um so you don't necessarily have to do this through Gemini all the time but as most folks know here there's a lot of threat indicators out in the wild uh and so we may apply things that could be noisy or we may not apply things because we don't want to uh create a lot of noise in your environment and so this gives you a great example of a use case where you are looking to siphon through a lot of information um in order to maybe create a rule in this case at the end so I'm going to let this play and start to talk through um what I've been asked here to sort of start my Hunt mission so in this scenario really I am looking to understand hey what is ap34 first of all um what thread indicators might you know be attributed to this actor is this applicable in my environment and normally to do this I need to go open a number of different tools right I might need to go look in Mandan threat intelligence look at those reports uh and I need to figure out how to operationalize this information so that is very sort of toysome there's a lot of manual process involved um and what we've done here is not just plugged into those data sources but we're also intersecting that data with your unique environment uh which is why it's it's taking a little bit of time to do this today admittedly um but you get back this really rich summary around this threat actor right an Iranian backed um cyber Espionage group little bit of information about the techniques and tactics and more importantly static indicators to start to go look at so I'm going to take this next step go look for these indicators and we can see pretty quickly that there's a lot of noise in this data I'm not surprised by this because static indicator matching can create a lot of noise and what I'm going to use Gemini for here is starting to sort of den noise and understand what might actually be happening that could Merit my attention or how might I pivot this and get back to my manager who's saying is there something to be concerned about so I've gone and filtered out a bit more and sort of D noise to focus on this host that I was alerted to um now I'm I'm getting a little bit more interesting because I'm down to two events right these are two network connection events um there's a specific host that was obviously that's called out in this and there's an external IP address and before I determine hey do I want to expand this scope further um I'm going to go back to Gemini and get some more information around this thread actor group so is this technique or tactic something that they're known for we're in the process right now of um adding some more capabilities to get more explicit answers leveraging grounded miter data which would be really valuable for this use case uh and in this case we're sort of leveraging the data from mandiant in order to do this and as I'm looking at these events I'm just trying to understand is this noisy indicator matching do I want to expand maybe and look at these hosts more uh and I get an answer back more more indicators I could look for but more importantly I get an answer back talking about hey ap34 does have some known techniques in this sort of network related World here's some threat campaigns um that are associated with it so the next step that I'm taking in this sort of data Discovery regime that I'm operating in is I'm starting to adjust my scope and I'm saying let's kind of pivot here and go and look more for the host and the external IP that have been called out because less focused on these domains and hashes that might be a little noisy in my environment and I'm more focused on uh what what else might this have affected right do I want to craft a detection Rule and as I work through this and and you can sort of watch this workflow I think a few pieces to call out here is from my experience you know 10 years ago uh sitting in a seat doing this hunting is a really iterative process right there's it's subject to a lot of interpretation a lot of opinion you're looking to create something you speak to your environment that detects specifically uh and doesn't distract you and so I'm expanding and iterating naturally through Gemini so I don't need to go understand my syntax and I'm ultimately going and looking and saying bring me back a bunch more data on a host and and IPS so I can start to understand what else might be affected here ideally Gemini is is able to really tell me hey this looks bad or this looks good but I think in reality for most practitioners we know that is subject to a lot of nuance and what might be bad in one person's environment might be normal in another and so this is helping me analyze and I'm seeing here that I have a subset of events 40,000 or so um and a user called out getting a little bit more interesting right a few alerts not many so I'm refining down on this user and I'm looking more now to see what what might I want to do like do I want to craft a rule do I want to interrogate the file creation events and more importantly let's just imagine I'm I'm a little rusty here in my analysis what are file creation events from crowd strike right do I need to go open up a crowd strike console and look at those events um I'm I'm just asking Gemini in this case what are these file creation events can you give me a little bit more information we get back a a fairly clean response and the next step in my head is all right I've pivoted from this AP group right I've I've gotten a lot of indicator matching that's noisy I'm now adjusting my scope and I've looked for host events and a user that was that was interesting I want to create a rule out of this to at least start my next process of let's set up a detection in the future that might be specific around some file creation activity and probably more importantly and this is where in the course of this demo I um I actually when I was recording this didn't realize this was going to work kind of as well as it did I messed up and didn't add my IP address to this rule originally and I went back and iterated and said actually can you go add this IP in uh and it worked very well um and it actually went and updated and you'll see it kind of updates the rule logic and the rule naming giving me this connective tissue right we're we're keeping track of this and we're just trying to drive a process where there you as a user can focus a lot more on the outcome I've crafted this rule I've gone from hunting for an AP group I've adjusted my scope and now I have a detection that I could test uh I could adjust the logic I could say hey this is for possible ap34 threat activity um and I've done this natively with the help of Gemini without moving anywhere else and in you know probably five minutes um and I think that used to take 20 minutes right 30 minutes and a number of different screens so that that's the takeaway of this is I think there's a lot of Toil and manual activity and thinking that goes into these hunting and investigation processes we're trying to move that forward with Gemini to really help you get to a decision much faster and leverage all of the Power of security operations the applied Intel um the other data that we have available to us through secm to just accelerate that entire process uh and that's the piece that from a practitioner point I think is very exciting to think about so I'm gonna get markk on stage to uh talk from a um point of view of a customer and give you some some cool examples I think of this in the real [Applause] world and I will caveat this with thank you very much with the uh you know we're just getting started right we um we're fairly mature cyber organization we've made lots of investments in different Technologies as many of your organizations have um but we did see the value in generative Ai and in this particular case Gemini and what it can provide us so to to start off I just want to level set a little bit start off with some of the pain points that are really not unique to us right it's you know speed and volume of uh the and variety of cyber attacks right there is the every day there's increased you know volume the speed of the velocity of the attacks coming at us and the variety is probably the most interesting part you know we have ransomware you know fishing and advanced fishing attacks leveraging AI now lots of tool Suites are leveraging and thread actors are leveraging a lot of generative AI tools to accelerate their attacks even more so so that's one of the key points that I want to talk through um I guess in terms of the next point was the ever evolving kind of like you know as our digital footprint continues to increase there's more volumes of data that is really putting pressure on us to kind of think through how do we sift through it how do we tune how do we kind of do some engineering to kind of sift through that and understand what potential threats lie within it and then the third one is maximizing our technology stack we're being asked to do much more with less always and often right is my budget hasn't increased with the increased the tax hasn't increase with the increase in terms of volume of data three years ago uh in the the last three years we've increased about 300% in terms of security Telemetry data and daily volume all right so that's a lot of pressure for us to sift through that and understand where potential threats are within our environment where are we today so I alluded to this earlier we made some Investments one of the key Investments is sore right and I won't go through the acronym I think you've been in many sessions that c talk through that and it was alluded to earlier but it really was a GameChanger and pivotal for us to invest in this solution to help us be able to get through the vast amounts of data the the a variety of different alerts um that we had to deal with um but I don't think that's going to be enough with the Advent of generative AI potential attacks coming at us so there's what do we do next uh the next one is where we focus on tuning right my team is really tasked with bringing all this data in it's to filter out weed through the to identify those needles in that hay stack so to speak um prioritize our tuning the vast amounts of alerts and how do we deal with that we've made a really focused effort there this is really table Stakes I think anyone that's bringing vast amounts of data in they kind of go through leverage store they do tuning and data engineering and kind of try to sift through the volume volumes of data and then the the second one is we you know you know I think it's one of the things that I eluded as a pain point but I I I'm a True Believer then that is more logs is more better um the certainly as our footprint increased we bring in aw logs and Azure logs and all all sorts of different areas in terms of telemetry data we need to be able to bring that in scale up quickly and we've scaled up uh quite a bit and we're going to continue on this journey moving forward where are we headed um while I mentioned that we were very very early in in the gerini um we were a you know an adopter of Chronicle and we're probably one year into that Journey um more most recently with the Gemini piece you know we've identified some you know areas where there are capabilities that today would help us accelerate in our triage process one of the examples that we just talked about most recently was the the investigation assistant ability to you know synthesize and and combine all the contextual information into an easy thing that could be ported into a sore for instance for um portability in terms of the investigator handoff um just to be able to simplify and accelerate kind of that entire process the second point where we were focusing on advancing sore you I think generative AI in particular Gemini offers us a lot of different opportunities to accelerate the initial triage process uh initial uh the the summarization of that in the the context around the investigation all that chat information being ported over um helps us accelerate creating incident response kind of um workflows and things of that nature um so I think it's going to be the next Evolution for us is to kind of go through and in enhance sore and then go beyond sore what does that look like and I think G Gemini is going to be a game changer for us adaptive learning a little more forward-looking this is where I'm Keen to understand you know and Spencer and team on how they're going to innovate and have the models learn so the the prompts refined and kind of understand fizer uh so as we search we go through these chats and search through the data um does the model start to learn for us and refine right in terms of refine those responses so we can further accelerate our responses and then the last one is I I'm a a True Believer while I have a a team that's very very advanced in terms of incident responders and threat Hunters detection engineering what have you I think the Warford Talent is not going to end across cyber anytime soon so the democratization of advanced an analyst analysis techniques is going to be crucial as you you saw earlier in the demos is that the the assistant piece can help us create rules help create playbooks it can help kind of you know uh synthesize lots of different information very quickly and be able to cut through all that noise a lot more swiftly so that's where we're we're headed today um I'm looking forward to what this conference is going to look like a year from now um you know you've heard G ji all over the place Gemini this and vertex and all of that I think the the next next no pun intended we'll have lots of folks talking about hey we've done this we've built this in using Gemini and across security [Music] operations