Nexusflow Slots GenAI Into SOC Automation

While ChatGPT and other large language model (LLM) applications are either praised as the next "greatest thing since sliced bread" or vilified as the potential destructor of the economy, two University of California, Berkeley, professors and an AI developer are putting the technology to practical use by enhancing cybersecurity automation with natural language queries and improving automated responses.

Nexusflow was founded by UC Berkeley professors Jiantao Jiao and Kurt Keutzer from the Berkeley AI Research (BAIR) Lab — along with Jian Zhang, formerly of the Stanford AI Lab, who had been the machine learning director at AI startup SambaNova Systems. The newly launched technology appears to be slotting itself into the security operations center (SOC) as a way to further identify and automate decision-making and workflows, incorporating both natural language and databases to aid in identifying solutions to network and security operations challenges.

While in the past an AI application was limited by what information it already knew in responding to new data, the Nexusflow approach allows the decision-making function to identify situations where it has no existing experience and to either query external databases to find answers or to flag human experts to request instructions on how to proceed, Jiao says. Essentially, the software is beginning to make the leap from only using known data to making decisions more intuitively based on examples and postulation, he adds.

Training the AI Application

Part of the software's learning process is to learn about various APIs and applications by effectively reading the manuals to "synthesize fragmented information from different sources," Jiao says. Also, analysts can show the software how to solve a problem and the application will learn from that example. But because every fix can be demonstrated, Jiao explains, the application is given multiple samples of solutions to problems, and it incorporates that data and learns on its own how to solve new problems as they occur based on how similar problems were resolved.

Ultimately, Jiao says, the program will be able to take a simple request from a security analyst and carry out extensive analytic work across multiple networks. For example, the program will be able to accept a natural language request from a security analyst, such as, "Review my cloud configuration and make sure I have no bit buckets exposed," and carry out that function.

The company is using its own open source LLM, dubbed NexusRaven-13B, that it says is able to achieve a 95% success rate on CVE/CPE search tools and VirusTotal. Jiao notes that GPT-4 achieves only a 64% success rate.

Augmenting SOAR

Security orchestration and automation (SOAR) tools currently in use today improve decision response in the SOC, but often the tools are limited by their inability to handle unknown situations, requiring SOC analysts to address many mundane functions. As a result, the time of these often highly paid personnel becomes a hidden cost of implementing SOAR.

"SOAR platforms have been used successfully to gather additional context about an event; however, they lack the decision-making capabilities a human analyst has in assessing the risk of the threat and the corresponding responses that need to be taken," says Ken Westin, field CISO at Panther Labs. "The solution for this has been to gather the data in the SOAR playbook and then present it to an analyst, who can then run automated playbooks for the response. This process needs to be taken into account where automation, AI, and other technologies are used to enhance, empower, and expand an analyst's capabilities to quickly make decisions."

Jiao agrees that while current SOAR applications promise to automate the response fully, they are limited in their decision-making capability. The Nexusflow approach further automates those responses, supported by human experts when needed to clarify a response or to train the application how to respond.

From a cybersecurity perspective, Nexusflow does not require a public cloud like consumer-class ChatGPT products do. Because it is self-contained, corporations can ensure confidential data will not be exposed to potential competitors or otherwise released to the public.

Some organizations require highly confidential data to remain in on-premises data centers, so Nexusflow allows its software to run in either a local data center or a private cloud. For smaller organizations or perhaps a remote facility that requires this advanced AI functionality but is far from the corporate data center, a company can deploy a self-contained, prefabricated modular data center to run the application locally.

Nexusflow, which came out of stealth mode at the end of September, raised $10.6 million in seed funding led by Point72 Ventures, with participation from Fusion Fund and several AI industry executives from Silicon Valley, the company said. The funds will be used for software development and acquisition of test equipment, software testing infrastructure, and financing the company's growth.