Enhancing Cybersecurity Automation with Natural Language Queries
Introduction
The use of large language model (LLM) applications, such as ChatGPT, has been a topic of debate. While some hail them as revolutionary, others fear their potential negative impact on the economy. However, a new technology called Nexusflow, developed by two University of California, Berkeley professors and an AI developer, is using LLM technology to improve cybersecurity automation. Nexusflow combines natural language queries and databases to enhance decision-making and automate workflows in security operations centers (SOCs). This report delves into the details of Nexusflow’s approach and its potential implications.
The Nexusflow Approach
Nexusflow, founded by UC Berkeley professors Jiantao Jiao and Kurt Keutzer from the Berkeley AI Research (BAIR) Lab, along with Jian Zhang, formerly of the Stanford AI Lab, leverages LLM technology to enhance cybersecurity automation. The technology integrates natural language queries and databases to identify solutions to network and security operations challenges.
Traditionally, AI applications were limited in their responses to new data because they relied solely on existing knowledge. However, the Nexusflow approach allows the decision-making function to identify unfamiliar situations and either query external databases for answers or escalate to human experts for instructions on how to proceed. This means that the software can make decisions based on examples and inference, rather than relying solely on known data.
Training the AI Application
A key aspect of Nexusflow’s software is its ability to learn about various APIs and applications by synthesizing fragmented information from different sources. Analysts can also demonstrate to the software how to solve a problem, and the application learns from these examples. Multiple samples of solutions are given to the application, enabling it to learn how to solve new problems based on how similar problems were resolved in the past. This iterative learning process equips the program to take natural language requests from security analysts and perform extensive analytics across multiple networks.
Success Rate and Comparison to GPT-4
Nexusflow is powered by its own open-source LLM called NexusRaven-13B. According to Jiantao Jiao, the success rate achieved by NexusRaven-13B on CVE/CPE search tools and VirusTotal is an impressive 95%. In comparison, GPT-4 only achieves a 64% success rate. These statistics highlight the effectiveness of Nexusflow in addressing security operations challenges.
Augmenting SOAR
The Nexusflow approach aims to augment existing security orchestration, automation, and response (SOAR) tools used in SOC environments. While current SOAR applications have been successful in gathering additional context about events, their decision-making capabilities are limited. As a result, SOC analysts often have to handle mundane functions themselves, which contributes to hidden costs. Nexusflow goes beyond the limitations of SOAR platforms by further automating responses, with human experts stepping in when necessary to clarify a situation or to train the application on proper responses.
Ken Westin, field CISO at Panther Labs, comments on the importance of automation, AI, and other technologies in empowering analysts to make quick decisions. He acknowledges that current SOAR applications fall short in decision-making, emphasizing the need for solutions like Nexusflow to enhance and expand analyst capabilities.
Security and Deployment Flexibility
From a cybersecurity perspective, Nexusflow offers a distinct advantage over consumer-class ChatGPT products. Unlike those products, Nexusflow does not require a public cloud, mitigating the risk of exposing confidential data to potential competitors or the public. It is a self-contained solution that can run in either a local data center or a private cloud. This flexibility allows organizations with strict confidentiality requirements to keep highly sensitive data within their on-premises data centers. Additionally, for smaller organizations or remote facilities that require advanced AI functionality but are far from the corporate data center, Nexusflow can be deployed in self-contained modular data centers.
Funding and Future Development
Nexusflow recently emerged from stealth mode, announcing $10.6 million in seed funding led by Point72 Ventures, with participation from Fusion Fund and several AI industry executives from Silicon Valley. The funds will be allocated towards software development, acquisition of test equipment, software testing infrastructure, and facilitating the company’s growth.
Conclusion
Nexusflow’s innovative approach to cybersecurity automation using natural language queries and enhanced decision-making capabilities promises to revolutionize security operations centers. By harnessing the power of LLM technology and incorporating human expertise when needed, Nexusflow aims to improve efficiency in responding to security threats while reducing the burden on SOC analysts. Its deployment flexibility and focus on data confidentiality make it an attractive option for organizations with diverse cybersecurity needs. As Nexusflow continues to develop and refine its software, it has the potential to enhance the cybersecurity landscape and pave the way for further advancements in AI-powered automation.
Keywords: AI-Powered Automation, AI, automation, SOC operations