In the daily operations of traditional Security Operations Centers (SOCs), operators often face two major challenges:
- Alert overload: critical security incidents may hide among the massive daily alert volume. Too many alerts distract and exhaust limited SOC resources, preventing operators from concentrating on the most valuable alerts and responding within a reasonable timescale.
- Complexity of attack incident analysis: pinpointing attack characteristics and determining attack outcomes in lengthy attack messages requires advanced SOC operators with the proper know-how and experience, and it costs significant time and effort.
NSFOCUS ISOP leverages AI and LLM technologies, including NSFGPT and DeepSeek, to build an autonomous security operations system covering all stages of SOC operations: detection – analysis – response – monitoring. Our aim is:
SOC Engineers + SecLLM = Senior Security Experts
The major AI-powered functions in ISOP include:
| ISOP Functions | AI-Driven Functions & Features |
| --- | --- |
| Alert Noise Reduction and Triage | AI prioritizes alerts by risk level, handling the most urgent and valuable ones first. |
| Analysis and Outcome Deduction | Presents the attack process and analysis in natural language, showing whether the attack is genuine and whether it succeeded. |
| Extended Investigation and Tracing | In-depth investigations from both attacker and asset perspectives, uncovering attack roots, attack methods, asset vulnerabilities, etc. |
| Disposal Recommendations and Automated Response | Generates optimal disposal suggestions and policies, and executes them automatically. |
| Automatic Incident Report Generation | Uses data visualization and automated reporting technology to create cybersecurity incident analysis reports. |
| AI Agent Autonomous Operation | Automates the entire workflow, from investigation to disposal, without manual intervention. |
AI-Driven Functions & Features in Detail
1. Situation Analysis and Intelligent Prediction
- A dedicated AI dashboard gives a risk overview; operators can simply talk with the LLM to receive the latest situation analysis and predictions.
2. AI Risk Scoring System and Prioritization
- AI Risk Scoring System: Integrating best practices in security operations with AI noise reduction and AI analysis, it conducts comprehensive risk assessments for all incidents, enabling intelligent triage and allowing SOC operators to focus on the most pressing threats.
- Priority Recommendation for Full-Volume Incidents: Sorts incidents by risk score to ensure high-risk incidents are addressed first.
3. Intelligent Analysis and Alert Interpretation
- Multi-Dimensional Correlation Analysis: Automatically analyzes alert context and correlates with logs and threat intelligence to deeply dissect incidents. For example, it can identify attack intent by matching historical attack patterns and known threat signatures.
- Natural Language Output: Translates complex technical analyses into easy-to-understand natural language, clearly presenting alert details and attack characteristics to significantly improve analysis efficiency. For instance, it might state, “The attacker attempted to gain control of the target host via Vulnerability X.”
4. Automated Disposal and Response
- Intelligent Disposal Recommendations: Generates targeted disposal suggestions (e.g., isolating compromised assets, patching vulnerabilities) based on threat analysis results.
- Automated Plan Execution: Recommends and executes optimal automated plans (e.g., blocking malicious IPs) to ensure fast and accurate responses, reducing operational burdens.
5. In-Depth Investigation and Tracing
- Attack Path Mining: Uncovers hidden attack paths and related incidents to help operators understand the full scope of an attack.
- Comprehensive Intelligence Output: Provides integrated insights into attackers, asset vulnerabilities, attack methods, impact assessments, and countermeasures to enhance threat investigation efficiency.
6. Agentic AI Autonomous Operation
- The AI Agent autonomously expands investigation clues, judges attack outcomes, and visually displays results (e.g., session connections, intelligence data, asset vulnerabilities) in a graph. With authorization, it can also automatically execute disposal actions, enabling unattended security operations.
- Traditional Operations vs. AI Autonomous Operation
- Scenario: Detection of an attacker attempting to control a target host via malicious program callback.
| Stage | Traditional Operations | AI Autonomous Operation |
| --- | --- | --- |
| 1. Payload Analysis | Engineer reads the payload line by line to identify the callback URL: http://135.148.104.21/hiddenbin/boatnet.mipsel | Fully autonomous on a single page: 1. Payload analysis |
| 2. Session Connection Check | Engineer jumps to the query page for session logs between the target host and 135.148.104.21 | 2. Detect session connections; 3. Confirm attack success; 4. Display connection status graphically |
| 3. Intelligence Tracing | Engineer jumps to the IP intelligence page to confirm whether the IP belongs to a known attack group | 5. Correlate with threat intelligence to label the IP as belonging to an attack group |
| 4. Asset Vulnerability Check | Engineer verifies whether the asset has the Realtek Jungle SDK OS command injection vulnerability | 6. Scan for asset vulnerabilities and match against known vulnerabilities |
| 5. Disposal Execution | Engineer applies strategies (e.g., block IP, patch vulnerabilities) | 7. Generate disposal strategies and execute automated plans (e.g., one-click IP blocking, triggering vulnerability repair workflows) |
| 6. Report Generation | Engineer compiles the above steps and writes the report | 8. Generate visual reports with attack processes, investigation results, and disposal records |
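The eight autonomous steps of the scenario above, together with the risk-score triage described in section 2, carried out end to end in Python as an added example. This is illustration code written for this page, not ISOP's or NSFOCUS's implementation. The callback URL, its IP and the Realtek vulnerability name are the ones the scenario quotes; the alert payload text, session log lines, threat-intelligence label, asset inventory, scoring weights and every function name are constructed assumptions.

```python
"""Autonomous triage pipeline mirroring the eight steps of the scenario table.
Added example, not NSFOCUS code. Callback URL, IP and vulnerability name are
taken from the page's scenario; logs, intel and inventory are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed inputs. Only the callback URL and the Realtek vulnerability name
# come from the scenario; every other value is made up for the example.
ALERT_PAYLOAD = ("Malicious program callback detected on 10.0.0.15; payload "
                 "references http://135.148.104.21/hiddenbin/boatnet.mipsel")
SESSION_LOG = [  # constructed records: ts src -> dst:port bytes_in state
    "2024-05-01T10:02:11Z 10.0.0.15 -> 135.148.104.21:80 bytes_in=61440 state=established",
    "2024-05-01T10:02:13Z 10.0.0.15 -> 10.0.0.2:53 bytes_in=120 state=closed",
    "not a session record",  # malformed line; parsing must survive it
]
THREAT_INTEL = {"135.148.104.21": "constructed-botnet-group"}  # constructed label
ASSET_INVENTORY = {"10.0.0.15": ["Realtek Jungle SDK OS command injection"]}
CAMPAIGN_VULNS = {"Realtek Jungle SDK OS command injection"}  # constructed mapping

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SESSION_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
                        r"bytes_in=(?P<bytes_in>\d+) state=(?P<state>\w+)$")

@dataclass
class Session:
    ts: str
    src: str
    dst: str
    bytes_in: int
    state: str

@dataclass
class Incident:
    alert_id: str
    asset: str
    callback_host: str | None = None
    sessions: list = field(default_factory=list)
    succeeded: bool = False
    intel_label: str | None = None
    matched_vulns: list = field(default_factory=list)
    score: int = 0  # 0-100; the triage queue is ordered by this value
    actions: list = field(default_factory=list)

# Step 1: payload analysis, the line-by-line read an engineer does by hand.
def extract_callback_hosts(payload: str) -> list[str]:
    return [urlparse(u).hostname for u in URL_RE.findall(payload)]

# Steps 2-4: session connection check and attack-success verdict.
def parse_sessions(lines) -> list[Session]:
    out = []
    for line in lines:
        m = SESSION_RE.match(line.strip())
        if m:  # skip malformed records instead of aborting the whole triage
            out.append(Session(m["ts"], m["src"], m["dst"], int(m["bytes_in"]), m["state"]))
    return out

def attack_succeeded(sessions: list[Session]) -> bool:
    # An established session that pulled bytes back means the host fetched the payload.
    return any(s.state == "established" and s.bytes_in > 0 for s in sessions)

# Steps 5-7: intel correlation, vulnerability match, risk scoring, disposal plan.
def assess(alert_id, asset, payload, session_lines, intel, inventory) -> Incident:
    inc = Incident(alert_id, asset)
    hosts = extract_callback_hosts(payload)
    if not hosts:
        return inc  # nothing to chase; the alert stays at score 0
    inc.callback_host = hosts[0]
    inc.score += 25
    inc.sessions = [s for s in parse_sessions(session_lines)
                    if s.src == asset and s.dst == inc.callback_host]
    if inc.sessions:
        inc.score += 15
    inc.succeeded = attack_succeeded(inc.sessions)
    if inc.succeeded:
        inc.score += 25
    inc.intel_label = intel.get(inc.callback_host)
    if inc.intel_label:
        inc.score += 15
    inc.matched_vulns = sorted(CAMPAIGN_VULNS & set(inventory.get(asset, [])))
    if inc.matched_vulns:
        inc.score += 20
    inc.actions.append(f"block IP {inc.callback_host}")
    if inc.succeeded:
        inc.actions.append(f"isolate {asset}")
    inc.actions += [f"repair {asset}: {v}" for v in inc.matched_vulns]
    return inc

def prioritize(incidents: list[Incident]) -> list[Incident]:
    """Risk-score triage: highest score first, so a confirmed compromise leads."""
    return sorted(incidents, key=lambda i: i.score, reverse=True)

# Step 8: report generation.
def render_report(inc: Incident) -> str:
    verdict = "successful" if inc.succeeded else "not confirmed"
    return "\n".join([
        f"[{inc.alert_id}] asset {inc.asset} score {inc.score}",
        f"callback host: {inc.callback_host} (intel: {inc.intel_label or 'none'})",
        f"sessions observed: {len(inc.sessions)}; attack {verdict}",
        f"matched vulnerabilities: {', '.join(inc.matched_vulns) or 'none'}",
        f"disposal: {'; '.join(inc.actions) or 'none'}",
    ])

if __name__ == "__main__":
    queue = prioritize([
        assess("inc-1", "10.0.0.15", ALERT_PAYLOAD, SESSION_LOG, THREAT_INTEL, ASSET_INVENTORY),
        assess("inc-2", "10.0.0.20", "callback to http://198.51.100.7/x seen", SESSION_LOG,
               THREAT_INTEL, ASSET_INVENTORY),  # constructed low-evidence alert
    ])
    for inc in queue:
        print(render_report(inc), end="\n\n")
```

The weights are chosen so that evidence of an actual outbound fetch (an established session with inbound bytes) and a vulnerable asset outweigh the mere presence of a URL in the payload; an alert that only names a host and shows no connection lands at 25 and sinks below a confirmed compromise at 100 in the queue. Malformed log records are skipped rather than fatal, since a single bad line must not stall unattended operation, and the disposal plan only escalates to host isolation once success is confirmed.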
Summary
NSFOCUS ISOP transforms security operations from a “passive response” model reliant on manual experience to an active defense model of “automated detection – intelligent decision-making – autonomous disposal” through AI. Its core values include:
- Efficiency Improvement: Greatly reduces threat detection and response time, compressing processes that previously took hours into minutes.
- Cost Reduction: Reduces dependence on senior security experts, allowing junior operators to handle complex analyses and disposals with AI assistance.
- Enhanced Accuracy: Reduces false positives and negatives through AI’s multi-dimensional correlation analysis, improving security decision accuracy.
- Continuous Optimization: AI continuously learns from security data to adapt to evolving cyber threats and enhance defense capabilities.
AI-Powered Autonomous ISOP allows enterprises to build smarter and more efficient security operations systems to address emerging cybersecurity challenges.