Title: AWS re:Inforce 2024 - Not another chatbot: How Trellix virtual analyst automatically scales TDR328-S

Insights:

  • Introduction to Trellix: Trellix is the result of a merger between McAfee Enterprise and FireEye, combining their expertise and innovations in cybersecurity.
  • Historical Innovations: Trellix has a history of significant contributions to cybersecurity, including the Impossible Travel Analytic (2014) and guided investigations (2016).
  • Traditional Data Handling: Previously, data from various sources was collected into a data lake, indexed, and analyzed to detect anomalies, but the volume of alerts was overwhelming for human analysts.
  • Generative AI Integration: Trellix has integrated generative AI, delivered through Amazon Bedrock (the AWS managed foundation-model service, which the speakers refer to simply as "Bedrock"), to investigate alerts automatically before an analyst is notified, significantly reducing the workload on human analysts.
  • Automated Triage: The model asks and answers a fixed set of investigative questions about each alert (who, from where, on which asset, what happened before) in sub-second response times, so it can triage alerts at machine speed and cut the number that require human attention.
  • Enhanced Detection: The AI can identify patterns and anomalies that might be missed by humans, such as low-level informational alerts that could indicate advanced threats.
  • Operational Efficiency: By automating the initial investigation, Trellix's AI reduces the number of alerts from thousands to a manageable number, allowing human analysts to focus on the most critical issues.
  • Objective Decision Making: The AI applies the same pre-trained concepts to every alert, so the verdict on whether an alert needs human attention is consistent and reviewable rather than dependent on an individual analyst's fatigue or assumptions; the reasoning behind each verdict is exposed so it can be checked.
  • Real-World Application: The AI's capabilities include understanding the context of alerts, such as recognizing demo environments or identifying suspicious activities like Tor usage.
  • Scalability and Customization: Users can tune the AI to prioritize certain types of alerts or conditions, enhancing its effectiveness in different operational contexts.
  • Strategic Focus: The automation allows security teams to focus on higher-level strategic tasks, such as improving telemetry and making critical business decisions.
  • Industry Evolution: The need for advanced AI in cybersecurity has grown due to increasing threats like ransomware and automated phishing, highlighting the importance of timely and efficient alert investigation.
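The triage flow the insights above describe, as an added example that is not Trellix's code and does not call Amazon Bedrock: the questions a generative model would answer are stood in for by deterministic checks so it runs offline, and the alert stream, the Tor exit list, the demo-host list, the three-step "actor sequence", the weights and the threshold are all constructed assumptions. It correlates informational alerts into one finding per principal (the password-reset / service-account chain from the talk), scores every remaining alert against tunable question weights, suppresses known demo environments, and returns only what an analyst should look at.

```python
"""Rule-based auto-triage over a constructed alert stream (added example).

Not Trellix code and not Amazon Bedrock: the model's questions are replaced
by deterministic checks, and every data set below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    severity: str    # "info" | "low" | "high"
    kind: str        # e.g. "password_reset", "service_account_created"
    principal: str
    src_ip: str
    host: str


@dataclass(frozen=True)
class Finding:
    reasons: tuple   # which questions answered "yes"
    score: int
    alerts: tuple    # the alert(s) the finding rests on


# Constructed lookups standing in for threat-intel and asset context.
TOR_EXITS = {"185.220.101.5"}          # hypothetical Tor exit address
DEMO_HOSTS = {"demo-web-01"}           # hypothetical demo environment
# The informational-level chain from the talk; order matters, gaps are allowed.
ACTOR_SEQUENCE = ["password_reset", "service_account_created", "privilege_granted"]
SEQUENCE_WINDOW = timedelta(hours=24)
# Tunable question weights (assumed values); negative weights suppress.
DEFAULT_WEIGHTS = {"high_severity": 2, "tor_source": 3,
                   "demo_environment": -4, "actor_sequence": 4}


def sequence_hits(alerts, sequence=ACTOR_SEQUENCE, window=SEQUENCE_WINDOW):
    """Return {principal: [alerts]} where info-level alerts contain `sequence`
    as an ordered subsequence whose first and last step fall inside `window`."""
    by_principal = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        if a.severity == "info":
            by_principal[a.principal].append(a)
    hits = {}
    for principal, events in by_principal.items():
        matched = []
        for e in events:
            if matched and e.ts - matched[0].ts > window:
                matched = []          # window expired: start over from here
            if e.kind == sequence[len(matched)]:
                matched.append(e)
                if len(matched) == len(sequence):
                    hits[principal] = matched
                    break
    return hits


def triage(alerts, weights=None, threshold=3):
    """Score alerts against the question weights; return findings >= threshold,
    highest score first. Correlated sequences yield one finding per principal."""
    w = {**DEFAULT_WEIGHTS, **(weights or {})}
    findings = []
    for chain in sequence_hits(alerts).values():
        findings.append(Finding(("actor_sequence",), w["actor_sequence"], tuple(chain)))
    for a in alerts:
        answers = {                      # the "questions" asked of every alert
            "high_severity": a.severity == "high",
            "tor_source": a.src_ip in TOR_EXITS,
            "demo_environment": a.host in DEMO_HOSTS,
        }
        reasons = tuple(q for q, yes in answers.items() if yes)
        score = sum(w[q] for q in reasons)
        if score >= threshold:
            findings.append(Finding(reasons, score, (a,)))
    return sorted(findings, key=lambda f: -f.score)


def build_sample_alerts():
    """Constructed stream: one real actor chain, one chain that is too slow,
    one Tor-sourced hit in a demo environment, one on a real server, and noise."""
    t0 = datetime(2024, 6, 11, 1, 0)
    alerts = [
        Alert(t0, "info", "password_reset", "svc-build", "10.0.0.8", "build-01"),
        Alert(t0 + timedelta(hours=2), "info", "service_account_created", "svc-build", "10.0.0.8", "build-01"),
        Alert(t0 + timedelta(hours=5), "info", "privilege_granted", "svc-build", "10.0.0.8", "build-01"),
        Alert(t0, "info", "password_reset", "dave", "10.0.0.12", "wks-04"),
        Alert(t0 + timedelta(hours=30), "info", "service_account_created", "dave", "10.0.0.12", "wks-04"),
        Alert(t0 + timedelta(hours=31), "info", "privilege_granted", "dave", "10.0.0.12", "wks-04"),
        Alert(t0 + timedelta(hours=3), "high", "malware_detected", "alice", "185.220.101.5", "demo-web-01"),
        Alert(t0 + timedelta(hours=4), "high", "malware_detected", "bob", "185.220.101.5", "fileserver-02"),
        Alert(t0 + timedelta(hours=6), "info", "login_success", "carol", "10.0.0.9", "laptop-17"),
    ]
    for i in range(300):                 # routine logins: the bulk of the queue
        alerts.append(Alert(t0 + timedelta(minutes=i), "info", "login_success",
                            f"user{i % 40}", f"10.0.1.{i % 200}", f"laptop-{i % 60}"))
    return alerts


if __name__ == "__main__":
    stream = build_sample_alerts()
    for f in triage(stream):
        print(f.score, f.reasons, [(a.principal, a.kind) for a in f.alerts])
    print(f"{len(stream)} alerts in, {len(triage(stream))} findings out")
```

With the default weights the 309-alert stream collapses to two findings: the Tor-sourced detection on fileserver-02 and the correlated informational chain for svc-build, while the identical detection in the demo environment and the chain that took longer than the window are held back. Raising `tor_source` to 5 (the tuning the talk describes) pushes the demo-environment hit over the threshold as well, which is the kind of knob an operator would turn when demo hosts stop being disposable.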

Quotes:

  • "You guys have probably seen AI in almost every booth in here, and we're going to talk about what we think AI should do for you."
  • "We are the combination of McAfee Enterprise and FireEye. We came together and we formed a lot of new things since the merger back in '22."
  • "Instead of asking the human to go see, hey there's an alert, go look at this, we have Bedrock do the investigation on your behalf for you before you're notified."
  • "We are the only ones that are able to successfully do this auto triage right now."
  • "Advanced threat actors often show up in informational level alerts. Password resets, service accounts being created... when you get the right sequence of them over time, that's actually an indication of a threat actor."
  • "This is where AI comes in. You can trust it because you can see the output and the decision making that it has and is doing the work of that many people in addition."
  • "It's not replacing the analysts entirely, it's letting them scale out so that they are actually looking at the right things because you want them operating at a level two."
  • "You don't want a chat bot. You don't want to log into the system in the morning and say, hey, did I get hacked last night? That's not what you want to do."
  • "You want to have the system work on your behalf and tell you when you need to pay attention. It needs to wake you up in the middle of the night and say, hey, we just checked all this out and this thing's legit, you gotta look at this."