Artificial intelligence (AI) is the simulation of human intelligence in machines, enabling systems to learn from data, recognize patterns, and make decisions. These decisions can include predicting outcomes, automating processes, and detecting anomalies. Large Language Models (LLMs) are specialized AI models designed to process, understand, and generate human-like text.
Large Language Models (LLMs) are trained on diverse and extensive textual data. They are designed to understand language and apply knowledge across numerous domains. LLMs such as GPT-4 and the Claude 3.5 Haiku are designed to understand, generate, and manipulate human language.
In this article, we explore the benefits and capabilities that security professionals can gain by implementing an LLM-powered security assistant. LLMs can enrich security data within a Security Information and Event Management (SIEM) or Extended Detection and Response (XDR) platform. Such integration can support professionals in handling tasks such as log analysis, incident triage, custom rule creation, and improving overall security insights.
LLMs in Security Operations
Security Operations (SecOps) involves identifying, addressing, and overseeing the reduction of cybersecurity risks within an organization’s IT systems. This practice combines people, processes, and technology to defend against cyber threats.
These activities are managed within a Security Operations Center (SOC), where a dedicated team analyzes security alerts, investigates possible incidents, and responds to threats in real-time. Security analysts use various tools, including SIEM and XDR, to assist with these tasks.
LLMs are used for text generation, translation, summarization, and question-answering tasks. Their versatility has made them valuable across various industries, including cybersecurity, enabling faster threat detection, automated analysis, and intelligent decision-making.
Several LLMs are available, each with unique strengths ranging from chatbot interactions to enterprise automation and creative content generation. Some popular examples of LLMs include:
- OpenAI GPT
- Claude (Anthropic)
- Google Gemini
- Meta Llama
- Mistral AI
- Bloom (BigScience)
- DeepSeek
Leveraging LLMs as assistants for security professionals
Traditionally, security operations analysts rely on their teams’ research, experience, and collective knowledge to detect and respond to cyber threats. However, with the constant changes in the threat landscape, professionals are seeking to balance their expertise with the augmentation offered by AI.
We explore some ways LLMs are applied in the daily tasks of a security analyst:
1. Log analysis and data enrichment: Trained LLMs like ChatGPT can interpret the output of other security solutions after they detect patterns or signatures of malicious activities. They can also enrich security alerts and analyze text descriptions to help analysts triage and summarize incidents. While LLMs may not yet handle large-scale log analysis or complex event correlation, they are highly effective for smaller tasks that support an analyst’s workflow.
2. Threat intelligence integration: LLMs can assist by processing and summarizing external reports or correlating Tactics, Techniques, and Procedures (TTPs) from threat feeds. They can provide summarized contextual insights by translating unstructured data from forums and dark web chatter, making threat intelligence data more digestible to security teams. It can also enhance an analyst’s understanding of emerging threats and suggest rule-creation strategies. For example, Claude Haiku is a model specifically fine-tuned for creative and concise language generation. This makes it particularly effective at powering user-facing applications.
3. Contextual remediation recommendations: Given its ability to understand security-related queries, LLMs could suggest remediation steps based on the context of security incidents. This will make it easier for security analysts to understand and act on remediation steps without deep expertise.
4. Phishing detection: LLMs can read and understand email text like humans, unlike traditional keyword-based filters. They analyze tone, grammar, and context, which are important factors in identifying phishing emails. Integration with email security solutions can help prevent sophisticated Business Email Compromise (BEC) and spear-phishing attacks in real-time.
It is important to note that all responses generated by any LLM should be reviewed, as they may sometimes be inaccurate. Despite certain limitations, LLMs provide value to security operations by reducing manual effort and offering valuable assistance to security analysts.
Integrating LLMs as cybersecurity assistants using Wazuh
Wazuh is an open source security platform that helps organizations detect and respond to security threats by monitoring system activities. Wazuh can integrate with various LLMs to assist security operations in building a cybersecurity assistant for security professionals.
The use cases below illustrate how such integrations would be implemented in practice.
Threat detection and alert enrichment
LLMs can enrich alerts generated by other threat detection solutions, such as YARA, an open source tool for identifying and classifying malware.
In this proof of concept, the Wazuh Active Response module uses ChatGPT to enrich the YARA scan results, providing additional information about the detected threat. To achieve this, Wazuh File integrity monitoring continuously monitors specific directories on an endpoint for any additions or modifications.
If a malicious file is downloaded into one of the monitored folders, the FIM module detects the change and triggers the Wazuh Active response module. This module then runs a YARA scan to analyze the file for potential threats.
Once YARA identifies a malicious file, ChatGPT enriches the alert with details about the detected threat, helping security teams better understand and respond to the incident. The identified malicious files are then deleted by Wazuh Active Response.
In the image below, ChatGPT provides more context to the malicious file detected by YARA.
The blog post Nmap and ChatGPT security auditing with Wazuh shows another use case for improving an organization’s security posture by enriching security alerts.
In this blog post, ChatGPT is used to provide more insight into scan reports from Nmap (Network mapper).
Security operations virtual assistants
In this use case, the Claude Haiku LLM is integrated with Wazuh to provide a chat interface within the Wazuh dashboard. This allows users to query the model on security-related questions, providing contextual insights and accelerating the decision-making process during threat investigation.
These integrations leverage Natural Language Processing (NLP) to provide intelligence assistance.
The image below shows a response generated by the Claude Haiku LLM integrated with the Wazuh dashboard. It shows the response to the query, “What is the MITRE ID for obfuscation?”
Conclusion
Integrating LLMs with security operation processes and solutions will increase the value offered by the security team by reducing analyst workload and accelerating decision-making during threat investigation.
This will also improve the organization’s security posture and operational efficiency by empowering proactive defense mechanisms.
Sponsored and written by Wazuh.
Source link
-
-
-
-
-
-
-
-
