Introducing AI-powered insights in Threat Intelligence

Google, as announced today at RSA Conference in San Francisco, uses recent advancements in Large Language Models (LLMs) to address three of the biggest challenges in cybersecurity: threat overload, toilsome tools, and the talent gap. Threat intelligence is an area that suffers from all three problems, and LLMs have the capability to transform how it is operationalized to help secure businesses.

At Google Cloud, our threat intelligence offerings are grounded in three core principles:

  1. Trusted: Our customers can trust Mandiant Threat Intelligence to have industry-leading breadth, depth, and timeliness to deliver information that matters.
  2. Relevant: We personalize the threat landscape so it’s relevant for each customer, enabling them to prioritize threats that are likely to affect them.
  3. Actionable: Our threat intelligence is more actionable because we automate the end-to-end pipeline from raw data to security controls.

Deliver the most trusted threat intel

AI is as valuable as the data it operates on. Using LLMs to summarize irrelevant, open-source intelligence provides no more value to a customer than a manual review of that data. Doing so can even add more noise to an already-overwhelming flood of information.

That’s why the combination of Mandiant’s frontline intelligence, garnered from a team of expert researchers and over 1,000 breaches each year, and Google’s exceptional visibility on internet-wide threats provides a powerful foundation for our AI solutions. Google has been applying many natural language processing (NLP) and machine learning (ML) approaches to convert raw threat data into actionable intel for years. Recent developments in LLMs allow us to significantly improve our already market-leading intel operations. Some of the areas we are working on include:

Personalizing the threat landscape to focus on the most relevant threats

The vast majority of the threat landscape is irrelevant to most organizations. Therefore, it’s vital for every customer to focus on the threat landscape that is relevant for them. Personalizing the threat landscape is made possible in two ways: 

  1. Automatically creating a personalized threat profile 
  2. Simplifying augmentation of that threat profile by giving analysts AI-based natural language search

Imagine automatically deriving a personalized and detailed threat landscape for your organization that evolves as new internal and external information becomes available. With the power of LLMs, this is becoming a reality:

In the past, this kind of personalization was only available to the largest and most sophisticated organizations. LLMs will enable Mandiant to make this level of personalization available to all our customers, at scale.

LLMs can make search significantly more efficient. While there is a plethora of information available about threats, sorting through it and making those insights actionable requires a lot of work. The summarization capabilities of LLMs make the difficulty of obtaining a complete understanding of a threat topic an issue of the past. Figure 1 illustrates LLM-based summarization of various threat intelligence artifacts relevant to a query. Note that the flexibility of LLMs allows us to provide a summary of the finished intel reports alongside structured intelligence, and to customize the scope and technical depth of the summary for different audiences.

Figure 1: LLM-based summarization capabilities in action on the Mandiant Threat Intelligence platform.

As Google continues to leverage LLMs in search, it will support a conversational interface to reduce the toil and lower the skills bar for exploring the threat landscape. These iterative searches will be stateful and shareable, making it easier to collaborate with other analysts.

Make threat intelligence more actionable

Traditionally, taking action on threat intelligence has been a burdensome manual task, limiting the value of the threat intelligence to any business. A recent global survey on threat intelligence showed that nearly half of respondents cited applying threat intelligence as their greatest challenge. At Mandiant, we have been focused on making it easier for customers to act on personalized threat intelligence in their security products and workflows.

One of the most powerful combinations we offer is our ability to apply our world-class threat intelligence to event data in Chronicle Security Operations, using AI-based models to curate and prioritize indicators of compromise (IOCs) that Mandiant tracks through active breach investigations. Mandiant Breach Analytics for Chronicle provides a prioritized set of undiscovered events that could be indicative of an active breach, as seen in Figure 2. 

Breach Analytics for Chronicle allows customers to readily find bad actors using novel techniques and contain them before the customer becomes the next victim. The AI-based models curate and prioritize the matches to assign an Indicator Confidence Score (IC-Score), which indicates our confidence in their use in malicious activity.

Recently, Google has leveraged the power of LLMs to summarize indicator/actor/malware context pulled from our vast repository of proprietary research to provide trusted threat intel to the security analysts in the SOC. This reduces toil and the reliance on expertise, eliminating the need to scour through hundreds of reports and structured data sources to understand the context of the IOC. Mandiant plans to release this feature soon.

Figure 2: LLMs providing AI summary of malware and threat actors used in a current breach 

The road ahead 

Taken together, applying LLMs to the trusted, relevant, and actionable pillars will help our customers reduce threat overload, eliminate manual and tiresome toil, and close the talent gap in security. We are at the beginning of a massive transformation of how threat intel delivers value to businesses of all sizes. The examples above span capabilities we will add in the short-, medium-, and long-term, and we will continue to have our product, AI research, and engineering teams collaborate to transform security for our customers. 
