
Generative AI for Security: Using Amazon Bedrock to Increase Customer Impact


By Martin Holste and Mark Weiss

Cybercriminals have more powerful tools than ever to compromise environments and threaten organizations, leveraging generative AI (GenAI) to deploy ransomware faster, run deepfake social engineering, mount cheap but advanced spear-phishing attacks, gain sophisticated coding capabilities, and even operate turnkey underground ransomware storefronts.

Such an array of AI-powered weapons can lead to despair among security teams. They are often underfunded and understaffed, and must defend against all attacks from all directions at all times. They must investigate every alert, no matter how insignificant it may seem, as a threat. To keep up, you have to fight back with the same weapons: GenAI allows you to respond quickly and scale a small workforce to a big challenge.

To investigate each alert, organizations can now use GenAI-powered tools to automate the investigation process by asking the right questions and achieving sub-second data retrieval times for answers. The potential to improve security with GenAI is high: According to a recent study by Trellix, 91% of CISOs are excited about the prospects and opportunities that GenAI and AI will offer their organization.

The first step to combating GenAI cybercrime with GenAI security is to create a defensible environment: an instrumented infrastructure that provides visibility into all critical areas to detect significant threats such as ransomware.

Building this environment includes three lines of defense: detection, investigation and response.

Detection

Detection and prevention tools alert security teams to attacks or breaches and provide endpoint protection, network detection, phishing protection, event anomaly detection, and more.

While such security controls can stop an attack before it happens, a motivated or lucky threat actor can bypass such initial preventative measures, so it is critical to use a broad range of security tools that cover as many paths into an environment as possible.

At a minimum, defenders must be able to block malicious files, URLs and emails. These protections often prevent 99% of all attacks. But the other 1% remains a huge problem.

Investigation

After the triggering event, defenders need the right context to prove what happened, but it can be difficult to know in advance what will be of value when investigating a security incident.

Defenders need as much data from as many sources as possible, including:

• User authentication audit records

• Audit logs for changes to account authorization

• Network connections

• Proxy and URL entries

• Telemetry of business-critical applications

• Cloud infrastructure audit logs

• Directory and personnel information

• Security warnings from all available tools

Access to this information is not enough. This data must be centralized and indexed so that it is understandable by detection tools and immediately and programmatically available. Preparing this data infrastructure can be daunting, but it is critical to creating a defensible environment.

Response

Detection must be followed by action – remediation – to prevent the spread of ransomware. This means programmatically modifying the environment to quarantine, lock down, or otherwise contain a threat actor, such as through network firewall policies, endpoint containment measures, disabling login, or changes to identity and access permissions.

Automated investigations with generative AI

To keep up with the speed of ransomware, detection, investigation and response must be automated, with GenAI doing the majority of the investigation work.

How can defenders use this powerful technology to link these strategic defense components together?

The answer lies in using a pre-built investigation framework to ensure that GenAI is informed in its investigations. This includes a predefined list of key questions to ask after a particular security alert occurs.

The answers these questions provide are only as good as the questions themselves. That’s why it’s so important to have a comprehensive range of security telemetry data that can quickly and accurately provide the necessary context for the AI-driven investigation. Without these questions and answers, the AI can do little more than investigate the original alarm.

A junior AI analyst

Suppose a security information and event management (SIEM) system raises an alert for a brute-force attack from an identifiable IP address against an application’s login system:

ALARM: BRUTE FORCE ATTACK DETECTED AGAINST 192.168.0.1

A standard SIEM could identify a login after the brute-force attempt and raise an alarm. However, an AI-driven investigation can go further and tactically act as a virtual junior analyst, asking questions about the environment based on billions of events:

• What access level does this user have?

• How often does this user access this environment?

• Have any other suspicious accounts been created during this time?

• Was this user out of the office at the time of the attack?

Even more impressive is that this “junior AI analyst” can draw conclusions just like a human. It recognizes that the hostname “prod-iowa-dc” is likely a production domain controller in Iowa, and can use that information to consider other data: login patterns, which URLs were accessed, or other alerts from other security tools.
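The pre-built investigation framework described above, with its predefined questions, can be sketched in code. The following is an added example, not Trellix Wise, Amazon Bedrock or Cyberuptive code: it parses an alert in the shape quoted above, runs the four junior-analyst questions against a small set of constructed telemetry (authentication audit records, account-change audit records, directory data and a host inventory, all embedded inline), applies a naming-convention heuristic to the hostname "prod-iowa-dc", and rolls the answers into a priority. The alert format, field names, 30-day and 2-hour windows, naming tokens and all sample values are assumptions made for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Playbook-style alert enrichment: a fixed question list run over telemetry.

Added example, not vendor code. All telemetry below is constructed inline.
"""
import json
import re
from datetime import datetime, timedelta

# Alert in the shape the article quotes (format is an assumption).
ALERT = "ALARM: BRUTE FORCE ATTACK DETECTED AGAINST 192.168.0.1"

def ts(s):
    return datetime.fromisoformat(s)

# Constructed authentication audit records: four routine logins in April,
# then a run of failures from a new source followed by a success.
AUTH_LOG = (
    [{"ts": f"2024-04-{d:02d}T09:00:00", "target": "192.168.0.1", "user": "jdoe",
      "src": "10.0.5.20", "result": "SUCCESS"} for d in (3, 10, 17, 24)]
    + [{"ts": f"2024-05-01T02:{m:02d}:00", "target": "192.168.0.1", "user": "jdoe",
        "src": "203.0.113.5", "result": "FAIL"} for m in range(12)]
    + [{"ts": "2024-05-01T02:12:00", "target": "192.168.0.1", "user": "jdoe",
        "src": "203.0.113.5", "result": "SUCCESS"}]
)
# Constructed account-authorization audit records.
ACCOUNT_LOG = [
    {"ts": "2024-04-15T11:00:00", "action": "CREATE_USER", "user": "intern01", "by": "hr-admin"},
    {"ts": "2024-05-01T02:14:00", "action": "CREATE_USER", "user": "svc-backup2", "by": "jdoe"},
]
# Constructed directory/personnel data and host inventory.
DIRECTORY = {"jdoe": {"role": "Domain Admin", "ooo": ("2024-04-29", "2024-05-06")}}
HOSTS = {"192.168.0.1": "prod-iowa-dc"}

def parse_alert(text):
    m = re.match(r"ALARM:\s+(?P<kind>.+?)\s+DETECTED AGAINST\s+(?P<target>\S+)", text)
    if not m:
        raise ValueError("unrecognised alert format")
    return {"kind": m.group("kind"), "target": m.group("target")}

def first_success_after_failures(target, min_failures=5):
    """The login that followed a run of failures on the target, or None."""
    streak = 0
    for rec in sorted((r for r in AUTH_LOG if r["target"] == target), key=lambda r: r["ts"]):
        if rec["result"] == "FAIL":
            streak += 1
        elif streak >= min_failures:
            return rec
        else:
            streak = 0
    return None

# The four predefined questions, each answered from one telemetry source.
def access_level(user):
    return DIRECTORY.get(user, {}).get("role", "unknown")

def prior_logins(user, target, before, days=30):
    start = ts(before) - timedelta(days=days)
    return [r for r in AUTH_LOG if r["user"] == user and r["target"] == target
            and r["result"] == "SUCCESS" and start <= ts(r["ts"]) < ts(before)]

def accounts_created_near(when, hours=2):
    centre = ts(when)
    return [r["user"] for r in ACCOUNT_LOG if r["action"] == "CREATE_USER"
            and abs(ts(r["ts"]) - centre) <= timedelta(hours=hours)]

def out_of_office(user, when):
    ooo = DIRECTORY.get(user, {}).get("ooo")
    return bool(ooo) and ts(ooo[0]) <= ts(when) <= ts(ooo[1]) + timedelta(days=1)

def infer_host_role(hostname):
    """Naming-convention heuristic standing in for the analyst's inference."""
    tokens = hostname.lower().split("-")
    env = {"prod": "production", "dev": "development", "stg": "staging"}
    role = {"dc": "domain controller", "db": "database", "web": "web server"}
    return {
        "environment": next((env[t] for t in tokens if t in env), "unknown"),
        "role": next((role[t] for t in tokens if t in role), "unknown"),
        "site": next((t for t in tokens if t not in env and t not in role), "unknown"),
    }

def investigate(alert_text):
    alert = parse_alert(alert_text)
    target = alert["target"]
    host = HOSTS.get(target, target)
    findings = {"alert": alert, "host": host, "host_profile": infer_host_role(host)}
    success = first_success_after_failures(target)
    if success is None:
        findings["outcome"] = "no successful login followed the failures"
        return findings
    user, when = success["user"], success["ts"]
    earlier = prior_logins(user, target, when)
    findings.update({
        "compromised_user": user,
        "login_time": when,
        "access_level": access_level(user),
        "prior_logins_30d": len(earlier),
        "new_source_ip": success["src"] not in {r["src"] for r in earlier},
        "accounts_created_nearby": accounts_created_near(when),
        "user_out_of_office": out_of_office(user, when),
    })
    # Each "yes" answer raises the priority handed to the human analyst.
    score = sum([
        "admin" in findings["access_level"].lower(),
        findings["new_source_ip"],
        bool(findings["accounts_created_nearby"]),
        findings["user_out_of_office"],
    ])
    findings["priority"] = "critical" if score >= 3 else "high" if score >= 1 else "review"
    return findings

if __name__ == "__main__":
    print(json.dumps(investigate(ALERT), indent=2))
```

Run as a script, it prints the enriched finding for the constructed alert: the login after the failure streak belongs to a domain administrator, arrived from a source IP never seen for that user, was followed minutes later by a new account, and happened while the user was recorded as out of office, so the alert is escalated as critical. Each question maps to exactly one of the telemetry sources listed earlier in the article, which is the practical reason that data has to be centralized and programmatically queryable before any of this can be automated.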

Using AI to increase customer impact

Cyberuptive, a cybersecurity consulting firm, wanted to scale its Managed Security Service Provider (MSSP) program to acquire more customers with the same number of employees. To do so, the company needed to expand its existing human-focused security program to more efficiently detect and respond to threats.

Recognizing the need for advanced automation in investigations, Cyberuptive sought to streamline the process and achieve faster, more effective responses to emerging threats.

By leveraging Trellix Wise’s GenAI – hyperautomation delivered through the Trellix XDR platform and built on Amazon Bedrock – in the investigation process, the company reduced response times, increased incident resolution efficiency, and improved overall security posture. GenAI enabled Cyberuptive to provide its customers with superior support, efficient response times, and cutting-edge threat intelligence, helping them stand out in a competitive market.

Equipped with a GenAI-augmented staff to investigate every alert, organizational defenders can catch threat actors with the same sophistication – and avoid falling victim to cybercrime.


Martin Holste is Field CTO, Cloud & AI at Trellix.

Mark Weiss is Head of Strategic Initiatives, DevSecOps at Amazon Web Services.

To learn more, please register to attend the webinar “Gen AI for Security: Adoption strategies with Amazon Bedrock”.

Amazon Bedrock is a fully managed service that provides a selection of powerful Foundation Models (FMs) from leading AI companies such as AI21 Labs, Anthropic, Cohere, Meta, Mistral AI, Stability AI, and Amazon through a single API, along with a broad range of features you need to build generative AI applications with security, privacy, and responsible AI.