Christopher Glyer
Jul 6 · 9 tweets
When I see discussion about AI in security (especially AI agents) - it’s often about how it will replace Tier 1 SOC analysts. It might…but I think the biggest area of opportunity in cyber security is for AI to analyze all the un-triaged alerts from an org’s security products
Most companies can only triage a tiny fraction of their overall alert volume with a human. It’s part of the reason why companies put so much emphasis on vendors getting severity ratings “right”

The severity rating is often a major factor in deciding whether a human reviews an alert
This drives 2 behaviors from security vendors

1) Alert severity is often driven by TP/FP ratio
2) Those that don’t have high enough signal to noise ratio (even if they can meaningfully detect severe impact) get dropped altogether if they can’t be improved - which leads to FN’s
AI coupled with agents has the potential to change this

The AI agent can reason over a detection & take some initial investigative steps. Scale this up for all alerts coming into the SOC - then the ones with most likelihood of being TP can be forwarded for human review/action
I think the first iterations of AI agents in the SOC we’ll see are for very simple repetitive tasks (e.g. user reports a malicious email attachment)

The second iteration of AI agents will be for performing mini-investigations into all alerts coming into the SOC
In parallel we’ll see security vendors (those that are still innovating at least) start to build AI & mini-investigations into their detection engines. This should help with TP/FP tradeoff that occurs w/detection logic as it exists today & improve quality of detections/severity
The challenge that will develop for security vendors will be: their detection engines will turn into a COGs discussion (or at least each net new detection has the potential to massively drive up COGs)

How much can I detect at what price?
Most enterprise intrusions that I’ve analyzed in my career have had alerts generated by some security product along the way. The issue/blocker has been figuring out which ones to get in front of a human to realize importance/significance to mobilize action by an org to mitigate
In theory MDR vendors are best positioned to drive progress. Combination of alerts + follow on investigative data to evaluate effectiveness of AI agents side by side w/humans currently performing tasks

I’m dubious. Is COGs reduction enough to justify cost? Will it reduce COGs?


More from @cglyer

Jul 19, 2024
🧵on the ongoing outage caused by Crowdstrike content update. Insights here mostly based on my time working on/helping build a competitor product Mandiant Intelligent Response\HX

First & foremost this sucks for both Crowdstrike & their customers - no one wants to see this happen
What happened? A security content update was released that caused the issue

Note: every security company pushes out content updates routinely. Depending on the architecture of software and type of update - each software vendor usually has unique processes for rolling these out
Most security software on Windows has two components: a driver/kernel part and a userland part.

At Mandiant we used a driver to generate the realtime events (e.g create file, create process…etc) & for very specific actions like raw disk/memory access for forensic collection.
Read 13 tweets
Sep 17, 2022
One (potentially overlooked) aspect from today’s latest breach news is the recent trend of password stealer malware as the initial vector to gain access to orgs

See those “LOGID-“ files in screenshot? They are output files from password stealers (e.g RedLine, raccoon stealer)
We discussed how DEV-0537/LAPSUS$ used this technique to gain initial access to a low privileged identity at targeted orgs in our ransomware ecosystem compendium
microsoft.com/security/blog/…
Infostealer malware has been around for a long time. What’s changed is focus has shifted from consumers (and their bank accounts) to threats to enterprises

An interesting business “innovation” is selling all/most credentials/secrets obtained in bulk for a low monthly fee ($100-$250)
Read 8 tweets
Mar 22, 2022
The LAPSUS$ Group/DEV-0537 was not on my 2022 bingo card - given impact of their activities @MsftSecIntel wanted to detail unique blend of tradecraft. I've personally given dozens of threat briefings in the last few weeks

Here's a 🧵with my highlights
microsoft.com/security/blog/…
They monetize intrusions (some of them) through extorting orgs to prevent public data release. Nowadays we associate that with ransomware gangs but this isn't a new trend

Reminds me of investigation I led at South Carolina Department of Revenue in 2012
oag.ca.gov/system/files/M…
There are multiple DEV-0537 tactics that I haven't observed (outside of red teams):
-Phone based social engineering
-SIM swapping
-Coercing (through 💵) employees at target organizations to divulge creds

Each of these are hard for most orgs to defend against -especially the last
Read 8 tweets
Sep 16, 2021
There’s a lot to unpack in @MsftSecIntel’s latest blog on the CVE-2021-40444 vulnerability. Here’s a thread of some of the details that I think are notable
The volume of initial exploitation was limited. Most security orgs I talked to didn’t observe it directly in their telemetry

“In August…MSTIC identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML”
The attribution behind the various components involved in the campaigns is a little more complicated than I typically see (we’ll unpack that more shortly).

But the end motivation was human-operated ransomware by cyber criminals
Read 12 tweets
Oct 9, 2020
This shouldn’t be news to anyone, but human operated ransomware is a problem that has gotten completely out of control

The reasons are relatively straightforward:
The cost to pay is often significantly less than cost to business impact from downtime

The “supply” of possible targets is significantly higher than traditional financial crime which have to target payment/gift cards, banks (or related orgs)

Monetization is also wayyyyy easier
I don’t think you will see a material change in % of orgs who pay ransom unless governments make payment of ransoms illegal (which will have a lot of other unintended consequences).

Do you think governments should outlaw payment of cyber ransoms?
Read 14 tweets
Jul 25, 2020
One of most undervalued aspects of incident response is incident documentation

In my experience as a consultant step 1 is interviewing client & reviewing whatever scattered notes 🔖📝they have about an incident & organizing it in a logical manner b/c most orgs do this poorly 🙈
Challenge is analysts (due to crisis) move fast to respond quickly & most orgs don’t experience impactful breaches often

This leads to scattered knowledge/understanding & each analyst documenting things in their own way that is efficient for them but not overall investigation
In my experience - here are the most important things to track (a spreadsheet is my preferred tool)

One table for each of the following:
-Timeline of forensic artifacts
-Systems
-Indicators (I prefer separate table for host and network)
-Compromised accounts
Read 12 tweets
