Page 213 - Kaleidoscope Academic Conference Proceedings 2024
GENERATIVE AI ENABLED ACTIONABLE DECISION SUPPORT IN CYBER SECURITY OPERATIONS FOR ENTERPRISE SECURITY
Saurabh, Basu; Utkrisht, Singh; Sandeep, Sharma; Pankaj Kumar, Dalela; Rajkumar, Upadhyay
Centre for Development of Telematics, India
ABSTRACT

In the evolving cyber threat landscape, enterprises employ multiple security solutions such as Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR). Security analysts are inundated with millions of security event logs from such security tools, which makes it increasingly complex to manage and analyze this huge volume of data effectively. Further, there is a shortage of dedicated and skilled manpower who can understand and analyze such security events. This paper proposes a novel approach based on generative AI, using the state-of-the-art Mistral-7B language model, to generate clear and actionable security response messages from these event logs. We demonstrate that this cutting-edge language model can translate complex logs into human-understandable security insights, which can enhance analysts' ability to prioritize and respond to threats.

Keywords - Enterprise Security, Cyber Security Operations, Generative AI, Security Information and Event Management (SIEM)

1. INTRODUCTION

The cybersecurity threat landscape for enterprises is becoming more complicated and complex. Considering the growth of sophisticated cyber attacks such as advanced persistent threats (APTs), ransomware and supply chain attacks, it has become imperative for enterprises to implement cyber security measures to protect their critical assets and sensitive data. Enterprises employ a multitude of security solutions, such as Endpoint Detection and Response (EDR), Network Detection and Response (NDR), Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), User and Entity Behavior Analytics (UEBA), and Data Loss Prevention (DLP) platforms, for ensuring security. SIEM systems collect and analyze security event logs from various sources, such as firewalls, antivirus software, and intrusion detection systems, to identify potential security breaches. EDR solutions provide enhanced visibility into endpoint activities, enabling the detection of and response to advanced threats targeting endpoints. SOAR platforms integrate with other security tools, automating and orchestrating security operations processes, reducing the workload on security analysts and improving overall efficiency. UEBA platforms establish baselines of normal user and system behavior, using machine learning to detect anomalies that may indicate insider threats or compromised accounts; they provide enhanced visibility into how users interact with data and systems. DLP tools monitor and control the flow of sensitive data, preventing its unauthorized transfer or exfiltration outside the corporate network.

Security Operations Center (SOC) analysts use such security solutions to monitor and analyze dynamic big data. Managing such massive amounts of data is a challenging task for SOC analysts. The traditional threat analysis process in a SOC is highly manual and time-consuming. It involves reviewing logs, comparing them against threat intelligence, correlating events, gathering context, constructing timelines, coordinating with team members and evaluating whether to escalate alerts. Because this process is so laborious, analysts can only triage the highest-priority alerts, and many lower-priority ones go unaddressed. Skilled SOC analysts in the domains of threat hunting, incident response, forensics, and malware analysis are scarce; most are regular IT employees with limited understanding of security logs and incident response. Further, advanced detection is not a matter of generating a larger number of alerts; rather, alerts should be more actionable [1]. Figure 1 shows the complexity of security alerts generated from multiple security tools.

Figure 1 – Security alerts generated from multiple security tools requiring human understandable and actionable decision support for effective response due to lack of skilled cyber security experts in organizations

This study proposes a novel approach to alleviate this challenge and make the analysis process more efficient for analysts. The goal is to enable Mistral-7B to generate clear, concise, understandable, and actionable information from
978-92-61-39091-4/CFP2268P @ITU 2024 – 169 – Kaleidoscope