Generative AI Takes on SIEM

With more vendors adding support for generative AI to their platforms and products, life for security analysts seems to be getting deceptively easier. While adding generative AI capabilities to security information and event management (SIEM) is still in its early stages, several providers are taking steps to let security analysts interact with their platforms using natural language processing.

Generative AI For IBM QRadar SIEM

Take IBM, for one: Big Blue recently announced plans to upgrade its QRadar SIEM platform to a cloud-native architecture and to bring its watsonx technology to the new platform. The new QRadar SIEM is set for release in the coming weeks as a software-as-a-service (SaaS) offering, with the watsonx models and an on-premises version based on Red Hat OpenShift poised to roll out in 2024. The plan is to add generative AI to the revamped platform next year.

The modernized QRadar SIEM offering will become part of the QRadar Suite, originally launched in April 2023, which brings IBM's endpoint detection and response (EDR), extended detection and response (XDR), security orchestration, automation, and response (SOAR), and SIEM offerings and a new log management tool onto a common platform designed to give SOC analysts a unified interface and controls.

Analysts say QRadar SIEM was overdue for a significant upgrade, as rivals such as Splunk, Palo Alto Networks, Microsoft, CrowdStrike, and Elastic have emerged with cloud-native alternatives. In recent months, leading security providers have released technical previews of managed detection and response (MDR) platforms with SIEM that can tap generative AI.

"They had essentially taken their legacy platform as far as they could have in terms of capabilities and performance, and the need to modernize the platform and migrate to cloud-native, which is becoming table stakes in the next-generation SIEM segment, was an imperative," says Eric Parizo, Omdia managing principal analyst. "Fortunately, it coincided with IBM's companywide shift to the Red Hat OpenShift platform."

Moving QRadar to OpenShift and emphasizing standards-based integration could make its security offerings more appealing beyond the core IBM base, Parizo says.

"However, it must overcome having a relatively unproven endpoint security solution, a years-long effort to convert its on-prem SIEM/SOAR customers to the new cloud-native SIEM, and growing competition, particularly from Microsoft, which topped $20 billion in annual security revenue earlier this year and has stated its commitment to own the SecOps market," he says.

IBM's forthcoming generative AI capabilities aim to make security operations teams more efficient by automating repetitive and tedious tasks, allowing them to focus on more critical issues. Among them include generating reports on common incidents, threat hunting by generating searches based on natural language explanations of attack patterns, interpreting machine-generated data with nontechnical explanations of events, and curating threat intelligence and determining what is most relevant.

Charlotte AI Coming to Falcon Raptor

CrowdStrike is another company shaking up SIEM with generative AI: Charlotte AI will be part of a new release of Raptor, a rearchitected release of CrowdStrike's Falcon XDR platform. Raptor adds generative AI-powered incident investigation capabilities and XDR features.

At its recent Fal.Con 2023 conference in Las Vegas, CrowdStrike demonstrated the new Falcon Raptor XDR platform with Charlotte AI, which correlates threat telemetry and functions and has a bot-like interface that functions as an automated security analyst. It lets users, ranging from executives with little technical experience to advanced security professionals, ask questions and receive natural language responses.

"With our Raptor release, we now have the ability to ingest third-party data natively," said founder and CEO George Kurtz during the keynote session at the Fal.Con event. Kurtz said CrowdStrike's threat graph identifies combinations of events that would lead to a threat indicator.

As Falcon Raptor shifts the XDR functions to the cloud, Kurtz promised it will not lose context of activity on the endpoint, thanks to CrowdStrike's new threat and asset graphs, which provide detailed views of an organization's assets and state. The intelligence graph is designed to understand threats and adversaries, he said.

While customers at the CrowdStrike conference said they were intrigued by the Charlotte AI demo, many said they aren't going to rush into it.

"I'm going to wait and see on it," says Jason Strohbehn, the state of Wyoming's deputy CISO. "But if it comes out and works as well as promised, it could let me and my team do things much more quickly."

Prabhath Karanth, VP and global head of security and trust at travel expense management SaaS provider Navan (formerly Trip Actions), also plans to evaluate Charlotte for his SOC and IR analysts.

"We will definitely test it," Karanth says. "If we can reduce cycle times for triaging alerts, that's a huge play from an efficiency perspective."

Microsoft Security Copilot Released to Early Access Customers

Notably, Microsoft last month released a preview of Security Copilot for early-access customers. Microsoft says a more restricted preview launched in March 2023 has reduced the time spent on everyday security operations tasks by as much as 40% when security analysts enter complex queries with natural language text.

"Security Copilot can effectively up-skill a security team, regardless of its expertise, save them time, enable them to find what previously they might have missed, and free them to focus on the most impactful projects," noted Microsoft corporate VP for security, compliance, security and management in last month's announcement.

Microsoft's updated preview release is now embedded with Microsoft 365 Defender XDR. Also included with Security Copilot is Microsoft Defender Threat Intelligence, which provides direct access to Microsoft's cleansed threat intelligence telemetry.

"There's a lot of interest in Security Copilot, but it assumes you are a Microsoft customer," says Jon Olstik, Enterprise Strategy Group principal analyst and fellow. "If you have an E5 license and you're using Microsoft tooling, infrastructure, and security. It's a great fit. It will really help. If you have a heterogeneous environment, it won't be nearly as effective. At least not now. They say they'll support those things over time. Maybe they will. But for now, it's really Microsoft-centric."

Time for AI to Shine

IBM Security VP of product management Chris Meenan says IBM has been leading the way with AI for years, noting that QRadar SIEM used traditional machine learning to provide alert prioritization and adaptive detection.

"We've been embedding AI in our products, including the existing QRadar, and we leverage it a lot in our own MSS SOCs around the globe," Meenan says. 

Olstik recalls IBM's first attempt to bring generative AI capabilities to Watson in 2017 with the release of Watson Cognitive. Despite heavily promoting it, Olstik says few customers implemented it for various reasons.

"I think they charged too much for it, and I don't think people got what it did," he says. "To some extent, they were ahead of their time."