1/20/2017
01:12 PM

Security Chatbots Aim To Simplify Incident Detection And Response

Emerging intelligent assistants help analyze and automate response to attacks.

Security analysts soon may get extra help from intelligent assistants that help automate incident detection and response across endpoints.

Firms including Endgame and Demisto are building security chatbots to address the lack of resources and automated solutions available to today's security analysts. 

"Security teams are faced with two major challenges: insufficient resources to stop attacks in-progress and lack of automated solutions to uncover malicious behavior in time to prevent information theft," said Endgame CTO Jamie Butler in a statement.

Endgame today rolled out Artemis, an intelligent assistant integrated with its endpoint detection and response (EDR) platform. Artemis detects malicious behavior and pulls from user data to suggest responses and ultimately help save time.

Security analysts interact with Artemis via a chat interface; communication is typed (not spoken). They can ask questions like "What anomalies were seen in the past 12 hours?" Artemis will present any relevant data and, based on that, analysts may ask what can be done. The assistant will offer recommendations to address the problem before it escalates.

One of the goals behind Artemis was to help businesses struggling with a lack of security talent, explains Endgame data scientist Bobby Filar. Customers had expressed frustration with their lack of employees to comb through data and decide how threats should be addressed.

"We see that a lot with organizations setting up their own SOC teams or threat hunting teams," says Filar. "There just aren't enough resources to do that effectively."

Tier-one analysts don't need to understand another query language or how the data is structured, he continues. The tool helps them find anomalies, conduct investigations, and eliminate threats akin to a tier-three analyst.

Endgame consulted a range of security pros including threat hunters, forensics experts, and SOC analysts during development, adds data scientist Richard Seymour. They helped formulate questions that analysts should ask while searching for threats.

Artemis was built with natural language processing and machine learning so it will eventually be able to anticipate priorities and recognize patterns. As people start to ask questions, the tool will understand their individual habits and be able to better formulate responses, says Filar. Analysts can also write their own workflow scripts to customize it over time.

Both data scientists acknowledge Artemis has room for improvement, however. Right now the greatest shortcoming is a lack of use cases, says Filar. He hopes the tool will get better at understanding typos and diversity in vocabulary; for example, how businesses refer to different events.

Artemis is neither the first nor the only chatbot for endpoint security. Demisto offers a similar tool called Demisto Enterprise, an automation and ChatOps platform for SOCs. It was recently adopted by mapping platform Esri.

ChatOps, like Artemis, is powered by intelligence. It's also designed to automate security operations and incident management so analysts can cut down on investigation and response time.

The tool is powered by DBot, a security chatbot that communicates with teams via ChatOps in the Demisto Enterprise platform. Analysts can share information, order DBot to perform actions, and learn the results it reports back.

ChatOps was created after Demisto learned that large enterprise customers struggled with documenting and sharing their actions with their teams, explains Demisto co-founder and marketing vice president Rishi Bhargava. The tool integrates with about 100 security products; analysts can use these integrations to build common workflows, which save time when alerts occur.

This tool is different from Artemis in the sense that it pulls data from a range of products, relying on them for information, he says. "It's really a security orchestration layer; it's not really a security product by itself," he explains.

Demisto's tool was also built to address the talent gap, Bhargava notes. Analysts in the same chatroom can communicate across geographies, which is necessary for teams who hire remote analysts because they can't find talent nearby. The bot learns over time to identify common actions that analysts learn. New and future analysts can be instructed on these actions, helping them develop expertise.

In the future, Demisto plans to evolve its tool to give a more analytical and deconstructed view of data to analysts, says Bhargava. It also plans to expand the number of integrations available.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.
