Generative AI Takes on SIEM

With more vendors adding support for generative AI to their platforms and products, life for security analysts seems to be getting deceptively easier. While adding generative AI capabilities to security information and event management is still in its early stages, several providers are taking steps to let security analysts interact with their platforms using natural language processing. Generative AI For IBM QRadar SIEM Take IBM, for one: Big Blue recently announced plans to upgrade its QRadar SIEM platform to a cloud-native architecture and to bring its watsonx technology to the new platform. The new QRadar SIEM is set for release in the coming weeks as a software-as-a-service offering, with the watsonx models and an on-premises version based on Red Hat OpenShift poised to roll out in 2024. The plan is to add generative AI to the revamped platform next year. The modernized QRadar SIEM offering will become part of the QRadar Suite, originally launched in April 2023, which brings IBM's endpoint detection and response, extended detection and response, security orchestration, automation, and response, and SIEM offerings and a new log management tool onto a common platform designed to give SOC analysts a unified interface and controls. Analysts say QRadar SIEM was overdue for a significant upgrade, as rivals such as Splunk, Palo Alto Networks, Microsoft, CrowdStrike, and Elastic have emerged with cloud-native alternatives. In recent months, leading security providers have released technical previews of managed detection and response platforms with SIEM that can tap generative AI. "They had essentially taken their legacy platform as far as they could have in terms of capabilities and performance, and the need to modernize the platform and migrate to cloud-native, which is becoming table stakes in the next-generation SIEM segment, was an imperative," says Eric Parizo, Omdia managing principal analyst. "Fortunately, it coincided with IBM's companywide shift to the Red Hat OpenShift platform." Moving QRadar to OpenShift and emphasizing standards-based integration could make its security offerings more appealing beyond the core IBM base, Parizo says. "However, it must overcome having a relatively unproven endpoint security solution, a years-long effort to convert its on-prem SIEM/SOAR customers to the new cloud-native SIEM, and growing competition, particularly from Microsoft, which topped $20 billion in annual security revenue earlier this year and has stated its commitment to own the SecOps market," he says. IBM's forthcoming generative AI capabilities aim to make security operations teams more efficient by automating repetitive and tedious tasks, allowing them to focus on more critical issues. Among them include generating reports on common incidents, threat hunting by generating searches based on natural language explanations of attack patterns, interpreting machine-generated data with nontechnical explanations of events, and curating threat intelligence and determining what is most relevant. Charlotte AI Coming to Falcon Raptor CrowdStrike is another company shaking up SIEM with generative AI: Charlotte AI will be part of a new release of Raptor, a rearchitected release of CrowdStrike's Falcon XDR platform. Raptor adds generative AI-powered incident investigation capabilities and XDR features. At its recent Fal.Con 2023 conference in Las Vegas, CrowdStrike demonstrated the new Falcon Raptor XDR platform with Charlotte AI, which correlates threat telemetry and functions and has a bot-like interface that functions as an automated security analyst. It lets users, ranging from executives with little technical experience to advanced security professionals, ask questions and receive natural language responses. Kurtz said CrowdStrike's threat graph identifies combinations of events that would lead to a threat indicator. As Falcon Raptor shifts the XDR functions to the cloud, Kurtz promised it will not lose context of activity on the endpoint, thanks to CrowdStrike's new threat and asset graphs, which provide detailed views of an organization's assets and state. While customers at the CrowdStrike conference said they were intrigued by the Charlotte AI demo, many said they aren't going to rush into it. Prabhath Karanth, VP and global head of security and trust at travel expense management SaaS provider Navan, also plans to evaluate Charlotte for his SOC and IR analysts. Microsoft Security Copilot Released to Early Access Customers Notably, Microsoft last month released a preview of Security Copilot for early-access customers. Microsoft says a more restricted preview launched in March 2023 has reduced the time spent on everyday security operations tasks by as much as 40% when security analysts enter complex queries with natural language text. "Security Copilot can effectively up-skill a security team, regardless of its expertise, save them time, enable them to find what previously they might have missed, and free them to focus on the most impactful projects," noted Microsoft corporate VP for security, compliance, security and management in last month's announcement. Microsoft's updated preview release is now embedded with Microsoft 365 Defender XDR. Also included with Security Copilot is Microsoft Defender Threat Intelligence, which provides direct access to Microsoft's cleansed threat intelligence telemetry. "There's a lot of interest in Security Copilot, but it assumes you are a Microsoft customer," says Jon Olstik, Enterprise Strategy Group principal analyst and fellow. "If you have an E5 license and you're using Microsoft tooling, infrastructure, and security. It's a great fit. It will really help. If you have a heterogeneous environment, it won't be nearly as effective. At least not now. They say they'll support those things over time. Maybe they will. But for now, it's really Microsoft-centric." Time for AI to Shine IBM Security VP of product management Chris Meenan says IBM has been leading the way with AI for years, noting that QRadar SIEM used traditional machine learning to provide alert prioritization and adaptive detection. "We've been embedding AI in our products, including the existing QRadar, and we leverage it a lot in our own MSS SOCs around the globe," Meenan says. Olstik recalls IBM's first attempt to bring generative AI capabilities to Watson in 2017 with the release of Watson Cognitive.

This Cyber News was published on www.darkreading.com. Publication date: Thu, 30 Nov 2023 20:25:02 +0000