RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations

RSAC 2024 Innovation Sandbox | Dropzone AI: Automated Investigation and Security Operations

May 4, 2024 | NSFOCUS

The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry.

Figure 1: Top 10 Finalists for the RSAC 2024 Innovation Sandbox Contest

Today, let’s get to know the company Dropzone AI.

Introduction to Dropzone AI

Dropzone AI is a company specializing in automated security operations, founded by Edward Wu. With the mission statement “to equip cyber defenders with unlimited intelligence,” the company’s product positioning and core competitiveness are very clear.

Security operations have always required a large number of security experts to work continuously to ensure the normal operation of the entire security system and protect the client’s systems. However, with the advancement of Large Language Models (LLMs), cognitive automation has become a reality. The use of artificial intelligence to automate cybersecurity expertise and tools has become a trend. The company has provided many product examples, with the fundamental goal of using artificial intelligence to empower security operations.

Figure 2: Edward Wu, CEO of Dropzone AI 

Product Capabilities

The company’s product operates in multiple directions of security operations. By using LLMs to simulate SOC analysts, it can achieve automated investigation and response. The product itself cannot run independently but integrates existing security tools, collects and analyzes data through tool calls, and makes automatic investigations to improve the efficiency of security operations. This product model gives it great flexibility. In the current complex security operations environment, it can maximize the use of existing tools according to the current environment, which is not only efficient but also more comprehensive in some cases than human consideration. The product itself has been pre-trained to call many tools, as shown in Figure 3.

Figure 3: Part of Tools for Integration

In the product introduction, an important point is raised: due to the limited efficiency and energy of manual security operations, it is often only possible to perform tier-1 level analysis on most alerts, which is preliminary screening, priority assessment, and other preliminary operations. Only after discovering high-risk alerts can a limited number of alerts be investigated in-depth. However, with automated security operations, the efficiency has been improved, allowing for in-depth analysis of a large number of alerts at tier-2 or tier-3 levels, thus providing a clearer understanding of the alerts and detecting real attacks.

The main competitive advantages of its products are as follows:

  • 100% judgment of all alerts.
  • Fully automated in-depth analysis.
  • Fully automated correlation analysis.
  • Automatic summarization with a good reasoning process, allowing for viewing the source data of reasoning at any time.
  • High environmental adaptability, decoupled from current products, can be used in any security operations environment without changing the original tools and environment.

In the example presentation, a total of nine scenarios are listed, divided into three types of usage methods. The first six scenarios are mainly used to explain the fully automated investigation and analysis capabilities. Contextual knowledge base Q&A and threat hunting are implemented through human-computer interactive dialogue. The final contextual inquiry demonstrates how to improve the efficiency of communication between people in security operations and reduce communication costs. Next, we will introduce the scenario examples, study its functions, and analyze the technical conjectures for implementing these functions.

Fully Automated Investigation System

Fully automated investigation is mainly used for various dangerous alert investigation scenarios. Dropzone AI will automatically call various tools for multi-angle analysis of an alert and automatically generate summaries and conclusions. On the Dropzone AI website, six use cases of automatic investigation are listed, which are:

  • Phishing
  • Endpoint
  • Network
  • Cloud
  • Identity
  • Insider Threat

We will take the endpoint alert as an example to analyze its automatic investigation effect and working principle in detail.

First, it clarifies the application scenario: Microsoft Defender has detected an attempt by an exe to attack and has blocked it. However, as a security operations staff, it is necessary to analyze the details.

Figure 4: An attack Detected by Microsoft Defender

As shown in Figure 4, the alert is generated by Microsoft Defender, and Dropzone AI does not perform underlying alert detection. It focuses on investigating the alerts that have been detected. This achieves the decoupling of upper-level analysis and lower-level alert extraction, making Dropzone AI’s SOC product easier to adapt to the current SOC environment without the need to modify the original SOC infrastructure.

1) List all alerts worth paying attention to

As shown in Figure 5, the first step is to identify the current alerts that are worth paying attention to. This is a simple engineering operation, but it is very necessary for improving user experience.

Figure 5: Critical Alert List

2) Overall Summary and Conclusion

The investigation results of Dropzone AI will be placed at the top for easy user browsing. As observed in Figure 4, the summary is clearly generated by a large model. It is speculated that the template may be similar to: “Write a summary based on the above information,” and the conclusion part is more like an enumerated result. The large model needs to give a “label”: malicious/noise/uncertain, etc. Then, based on the assessed level, a fixed conclusion is given. The conclusion in Figure 5 is “malicious,” so it is recommended to respond to the alert immediately.

Figure 6: Executive Summary and Conclusion

3) Reasoning and Evidence

The conclusions of Dropzone AI are not made out of thin air but are supported by complete reasoning details and conclusions. Figure 7 begins to present all its findings and details, combined with the reasoning given by the large model for the discovered details. Together, they form a chain of evidence. Through this part of the content, users can easily understand the source of the conclusion, observe its credibility, and even if there are errors in its reasoning, they can be easily discovered by operational experts.

Figure 7: Findings and Evidence
Figure 8: Microsoft 365 Defender Advanced Hunting API Calling Parameters and Return Results

Based on the displayed functions, it is speculated that it has called various different tools to analyze the alert. These results will be returned to the large model, and the large model will provide a summary based on the returned results. This achieves the combination of “evidence” and “reasoning,” ensuring that every piece of reasoning can be traced back to its source. In Figure 8, Dropzone AI called the Microsoft API, and the result was used to confirm that setup.exe is an executable file with an execution environment. In Figure 9, the large model received the result from the Microsoft 365 Defender Advanced hunting API and made the next move: running the exe file in a sandbox to analyze its behavior. In the analysis results, Dropzone AI discovered a detail that it attempted to establish a connection with an external IP.

Figure 9: Automatic Analysis and Summary

Figure 10: Part of Sandbox Analysis Result

4) Correlation Analysis

Up to this point, in-depth analysis by security experts can still be completed. However, correlation analysis requires experts to have a high sensitivity to data. Dropzone AI can achieve “sensitivity” to data through a large number of query statements. Figure 11 shows that based on the current dangerous IP, it discovered that other related devices in the system also attempted to connect to this IP.

Figure 11: Correlation Analysis

Human-Computer Interaction Mode

Dropzone AI provides different interaction methods for different application scenarios, different from the fully automated scenarios mentioned above. For threat hunting and knowledge bases, it adopts a natural language dialogue interaction method. As shown in Figures 12 and 13, it provides an interactive interface similar to ChatGPT, which can understand natural language, call tools to obtain results, and then return the results to the user in natural language.

Figure 12: Interface for Threat Hunting

Figure 13: Retrieve Results after Calling the Backend Database

AI Enhances Interpersonal Interaction Efficiency

The last scenario is to achieve rapid interaction through its SOC platform. In the example shown in Figure 14, the investigation personnel found a phishing email and needed to confirm whether the file had been executed, so they inquired with the employee who received the email. Dropzone AI can automatically generate an inquiry email, and the user only needs to click to send it.

Figure 14: Efficiency Improvement Between People

Conclusion

Dropzone AI is a company specializing in automated security operations. Its core product uses Large Language Models (LLMs) and artificial intelligence technology to greatly enhance the efficiency and accuracy of security operations. The company integrates existing security tools, automatically collects and analyzes data, and realizes in-depth investigation and response to various security alerts. This automation not only improves the ability to handle alerts but also allows for more complex and in-depth analysis (such as tier-2 and tier-3 levels). It can also generate detailed reasoning and evidence chains to help users better understand the nature of the alerts.

The features of Dropzone AI products include:

  • Fully automated investigation: The system can automatically call tools for multi-angle analysis of alerts and generate summaries and conclusions.
  • High flexibility and environmental adaptability: The product can easily adapt to the current security operations environment without changing the existing infrastructure.
  • Human-computer interaction mode:  Through a natural language interaction interface, the system can understand natural language, obtain and return data, providing a user experience similar to ChatGPT.
  • Enhancing interpersonal interaction efficiency: The system can automatically generate necessary inquiry emails, simplify the communication process, and accelerate the speed of problem resolution.

The applications of Dropzone AI are not limited to traditional security operations scenarios but also include phishing analysis, endpoint and network traffic alert analysis, cloud service and identity authentication alert analysis, etc., greatly expanding the application range of automated security operations. This comprehensive automated investigation system not only improves the efficiency of handling alerts but also enhances the response capability to complex security threats, representing an important advancement in modern network security defense.

More RSAC 2024 Innovation Sandbox Finalist Introduction: