CBA builds two AI agents to boost cyber defences


For threat hunting and response.

Commonwealth Bank has built two AI agents that support its cyber security teams in threat hunting and collating context to inform potential actions and responses.

Speaking at the Gartner Security & Risk Management Summit, general manager of cyber defence operations and security integration Andrew Pade said the first AI agent, for threat hunting, entered production about a year ago.

While generally preferring to procure ready-made solutions and capabilities from vendors - “because then I don’t need to water it and feed it” - Pade highlighted the “gap between an emerging threat” and the ability to use off-the-shelf products to defend or mitigate against it.

“That gap is the area of our greatest risk … we don’t want to encounter an issue that we have to wait for a vendor to provide a solution for,” Pade said, adding “I’m not waiting for someone to solve our problems. We are the ones to solve our own problems.”

Pade said he identified “a couple of areas in how we do security that would help improve our fidelity and our speed.”

“They’re the two things we’re looking for when we’re protecting our staff and customers - how can we get to the emerging threat quickly and how do we not waste time looking through the noise to find it?” he said.

“They’re the two goals for our operational work. Any improvements need to improve speed or fidelity, and ideally both.”

The result of this is two AI agents, built in collaboration with the bank’s data scientists.

The first of these is a “threat hunt agent” which takes care of up to 70 percent of the work that previously would have fallen to the bank’s security analysts.

Pade said the agent is capable of taking threat intelligence, such as published research findings, creating a hypothesis to trigger a proactive investigation, assessing applications or environments and returning findings “for peer review” by the analyst.

“Then we’d come up with some actions,” Pade said.

The work performed by the AI agent previously took an analyst “a couple of days”, in part owing to the complexity of the bank’s environment.

“Threat hunting across [a large organisation] is quite difficult because it’s across different platforms, it can be on-premises, in the cloud. There’s multiple layers that form an application. And so when we’re threat hunting, we used to take a couple of days to go and get all of these pieces of data … and then to form a hypothesis about how a threat actor might attack that, and then go off and then assess where we’re vulnerable or where we may have built something not in a perfect way,” Pade said.

The AI agent does all of that in about 30 minutes, Pade said. Additionally, it is able to kick off a threat hunting activity automatically.

“Our intel automatically comes in and it kicks off a hunt. It can happen overnight,” Pade said.

“Whenever the intel comes in we can then kick off a hunt and then we [the defensive team] can just deal with the actions.

“So the substantive nature of a threat hunt is now the part the team now focuses on, which is the actions - how we remediate or who. That piece of work has sped up that team’s ability to go and focus on what the findings may be.”

Pade said that while most threat hunts result in no actions, the agent-analyst combination ensured that “when we do find something, [we can] action that, not spend our time finding out who owns what system and what platform it is on and where it sits.”

CBA is using a second AI agent, called the response agent, that collects context to help analysts determine whether incoming signals represent malicious activity or are indicators of compromise.

“When you think about your blue teams there’s a general flow of detection, triage, analysis and response,” Pade said.

“I don’t know if people have seen what analysts do, but it’s quite monotonous and it’s not just packaged beautifully for them to go and do the triage. They have to actually work it out and build that context. 

“Our AI response agent builds that for them, and … lays it out for them.”

Pade said that using AI in cyber operations has produced material reductions in mean time to detect a potential issue.

“Our mean time to detect has dropped by a couple of hours, just purely by our AI agent seeing what’s coming in, going back and looking at the history of the same kinds of events that we’ve seen,” he said.

“The AI agent’s interrogating what it’s seen in the past, not just what’s happening now, builds that story, [predicts] where it’s going to go next and puts it in front of the analyst.”

Pade said that building the agents meant having senior security responders from the bank work closely with the data science team.

“I had to take our most senior security responders to work with [data science] to get the two worlds coming together. That is when the magic happened,” he said.

“They knew how to get the AI to ingest and to do certain things and we knew what the outcome would look like if we were doing that work ourselves. 

“It was that marriage.”

He added that over time, all cyber security staff were becoming more skilled in working with AI directly.

This, he suggested, would lead to deeper use of AI in cyber operations and improved working conditions for staff.

“We’re learning how to integrate and use AI to take the monotony away from our day and focus on the more substantive work,” he said.

Pade said he wanted to retain security staff, both at the bank and in the profession, despite its pressures.

“How do I ensure all of our analysts are still working in cyber in 20 years time, not regretting joining a 24x7 always-on function?” he said.

“To do that we have to introduce a different way of working and to leverage some AI capabilities.”

Copyright © iTnews.com.au . All rights reserved.