
Investigation SaaS addresses the complexity of incident response

Investigating a cybersecurity incident requires a great deal of expertise, but it also involves a great deal of routine work – and the resulting task can be difficult to manage.

Meeting the demand requires training hard-to-find cybersecurity experts, but better tools are also needed to speed up each step of an investigation, from initial triage to final report. Command Zero, a startup launched today, aims to fill that gap by helping companies reduce the workload of log analysis and giving investigators much-needed expert support.

The goal of Command Zero’s cloud platform is to give analysts and threat hunting teams the ability to conduct more consistent investigations faster and make results more auditable, says Dov Yoran, co-founder and CEO of the Austin, Texas-based company.

Automation and simplicity to reduce routine work

Command Zero’s approach involves a platform that integrates with an organization’s infrastructure, activates various technology modules, and guides the analyst through the investigation, including asking contextual questions and pointing them to data sources that might contain the answers.

It automates many labor-intensive and low-value steps in the investigation process, organizes the log information obtained from an incident, and uses AI to produce consistent investigation reports, according to a launch announcement on the company’s website. The approach allows Tier 2 and Tier 3 analysts to be measurably more efficient, Yoran tells Dark Reading: one team piloting the platform reduced the average time of an investigation from 4 to 5 hours to 20 to 30 minutes, while another team reduced the time from 15 minutes using six different tools to five minutes using a single platform, he said.

“The whole idea is that we’ve done a lot of this in the past, so if we bring carefully curated expert knowledge and content into the platform, into the investigations and to the investigator, it will dramatically increase their impact,” he says. “These (skilled professionals) are the scarcest resources in the company’s security team.”

Closing an important skills gap

Jon Oltsik, analyst emeritus at market research firm Enterprise Strategy Group, agrees that while the cybersecurity industry repeatedly points to a lack of qualified specialists to fill vacancies, the real problem is a lack of the right talent – such as analysts who can effectively investigate incidents.

“Investigations often require many internal data sources, threat analysis and a lot of time (and) diligence,” he says. “Investigations and digital forensics are advanced skills that many organizations completely lack or have minimal resources in this area. Given the frequency of data breaches and ransomware, organizations know they need improvements in these areas, but most rely on service providers.”

Allie Mellen, principal researcher in the security and risk group at Forrester, notes, “We actually have a talent gap. There are a lot of people who want to get into cybersecurity, but most lack the knowledge and experience needed to do investigations. They have to learn it on the job.”

To make matters worse, an annual security survey by Forrester Research found that thousands of security managers and leaders cited investigations as the most time-consuming part of the incident response process, Mellen said.

“Incident investigation is undoubtedly a major pain point for companies,” says Mellen. “The industry often overemphasizes the importance of detection and taking countermeasures without considering the big task in between: investigation.”

Going beyond AI for reporting

Generative AI (GenAI) and large language models (LLMs) promise to make automated investigative systems work better as assistants to analysts. For his part, Yoran stresses that investigations will always require human judgment – AI and machine learning can automate only part of the work.

But even as machine learning becomes more widely integrated into products in ways that users may not even be aware of, AI remains a largely overrated feature, says Forrester’s Mellen. LLMs, for example, are really good at “producing a ton of text… rather than a concise and visual description” to explain a bug report, she says.

The future of investigative platforms like Command Zero, Mellen said, lies in the ability to easily pull data from all devices and log files on a network, use machine learning models to find anomalies, and use GenAI to transform natural language queries into searches and actions.