Cyber threats continue to evolve and aren't decreasing in volume, which in turn places more demand on the defenders of corporate networks to monitor organisations' digital real estate in more detail.
However, doing so risks creating "alert fatigue": there are simply too many signals for security staff to pay attention to and investigate, so they might miss important ones and fail to act on them.
In infosec speak, keeping an eye on what's happening across IT systems and networks, and planning what to do if alerts pop up, is called Security Information and Event Management or SIEM. Getting SIEM right is critical for a large organisation like telco One NZ which recently implemented Google Security Operations (SecOps) with its local cyber security partner DEFEND.
The telco is moving from a "well-known competitor in the SIEM space," One NZ head of cyber security and strategy, Laura Ross, told interest.co.nz. One NZ thoroughly evaluated what Google had to offer, and Ross said SecOps provided a notable improvement in the efficiency of its Security Operations Centre (SOC).
This included being able to increase the amount of telemetry One NZ could ingest, which gives the telco better visibility of its systems and insights across its digital real estate, along with cost reductions.
"One of the benefits of Google's SecOps is the inclusion of data at a competitive price so there are no surprises," Ross said.
"Google SecOps also provides an extended duration of log storage. The ease of creating a security logging strategy for multiple tiers also enabled One NZ to achieve economies of scale," she added.
Then there's Google's Gemini AI to assist with making sense of the data in the increased number of large logs. Ross said Google's machine learning (ML) and AI offering fine-tunes incoming alerts so One NZ analysts are not swamped by them.
Gemini provides generative AI (GenAI), and Ross shared some of the simple prompts analysts can use to query logs:
- Show failed logon attempts coming from outside NZ and AU in the past day
- Find events about outbound network traffic to 8.8.8.8
- Any activities from hack-tool.exe recently
- Find emails sent from mr.phishing@example.com
- Find emails with an attachment named "sensitive.pdf" from the past 3 hours.
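The prompts above are natural-language requests; what a SIEM ultimately executes is a structured search over normalised events with a time window and filters on outcome, geography, direction or process name. As an added example (not code from the original article, One NZ or Google), the Python below implements the first three prompts over a constructed set of events, including the edge cases a correct query has to handle: a failure from a home country, a success from abroad, an event older than the window, and an inbound rather than outbound connection. The event field names, the fixed clock and the sample records are assumptions made for illustration, not Google SecOps' schema or query language.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic when run offline (assumption).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ago(**kwargs):
    return NOW - timedelta(**kwargs)


# Constructed sample events. The field names are an assumption made for this
# example and are not Google SecOps' actual event schema.
EVENTS = [
    {"ts": _ago(hours=2), "type": "USER_LOGIN", "outcome": "FAIL",
     "user": "alice", "src_country": "RU"},
    {"ts": _ago(hours=5), "type": "USER_LOGIN", "outcome": "FAIL",
     "user": "bob", "src_country": "NZ"},           # home country: excluded
    {"ts": _ago(hours=6), "type": "USER_LOGIN", "outcome": "SUCCESS",
     "user": "carol", "src_country": "US"},         # not a failure: excluded
    {"ts": _ago(days=2), "type": "USER_LOGIN", "outcome": "FAIL",
     "user": "dave", "src_country": "US"},          # older than one day: excluded
    {"ts": _ago(minutes=30), "type": "NETWORK_CONNECTION",
     "direction": "OUTBOUND", "dst_ip": "8.8.8.8", "host": "ws-017"},
    {"ts": _ago(minutes=20), "type": "NETWORK_CONNECTION",
     "direction": "INBOUND", "dst_ip": "8.8.8.8", "host": "ws-017"},  # wrong direction: excluded
    {"ts": _ago(minutes=10), "type": "PROCESS_LAUNCH",
     "process": "C:\\Users\\erin\\Downloads\\hack-tool.exe", "host": "ws-042"},
    {"ts": _ago(hours=1), "type": "PROCESS_LAUNCH",
     "process": "C:\\Windows\\System32\\svchost.exe", "host": "ws-042"},
]


def within(event, hours):
    """True if the event falls inside the trailing time window ending at NOW."""
    return NOW - timedelta(hours=hours) <= event["ts"] <= NOW


def failed_logons_from_abroad(events, home=("NZ", "AU"), hours=24):
    """Prompt: failed logon attempts from outside NZ and AU in the past day."""
    return [e for e in events
            if e["type"] == "USER_LOGIN" and e["outcome"] == "FAIL"
            and e.get("src_country") not in home and within(e, hours)]


def outbound_to(events, ip, hours=24):
    """Prompt: outbound network traffic to a given destination IP."""
    return [e for e in events
            if e["type"] == "NETWORK_CONNECTION"
            and e.get("direction") == "OUTBOUND"
            and e.get("dst_ip") == ip and within(e, hours)]


def process_activity(events, image_name, hours=24):
    """Prompt: any activity from a named executable. Matches on the file name
    only, case-insensitively, so the search is independent of install path."""
    image_name = image_name.lower()
    return [e for e in events
            if e["type"] == "PROCESS_LAUNCH"
            and e.get("process", "").replace("\\", "/").rsplit("/", 1)[-1].lower() == image_name
            and within(e, hours)]


def triage_summary(events):
    """Run all three searches and return hit counts: the kind of summary an
    analyst reviews before drilling into individual events."""
    return {
        "failed_logons_abroad": len(failed_logons_from_abroad(events)),
        "outbound_8.8.8.8": len(outbound_to(events, "8.8.8.8")),
        "hack-tool.exe": len(process_activity(events, "hack-tool.exe")),
    }


if __name__ == "__main__":
    for name, count in triage_summary(EVENTS).items():
        print(f"{name}: {count}")
```

Note that each function takes the window as a parameter: widening `hours` is exactly what an analyst does when a prompt such as "in the past day" turns up nothing and the question becomes "what about the past three days", and the older event then reappears in the results.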
Other Gemini GenAI use cases include summarising security alerts and search results. The technology can also extract key insights to assist analysts in their investigations, helping them understand security events more quickly and, in the process, take on more and more log sources without significantly increasing headcount, Ross said.
"GenAI also assists our analysts in formulating search queries and detection rules for correlating and alerting security events," Ross said.
Google SecOps also layers curated threat intelligence on top of GenAI. Leveraging that information lets Google SecOps filter out false positives, which improves the speed and accuracy of analysts' threat detection.
4 Comments
The other day I googled something to the effect of 'what do ants eat', to come up with a plan to bait an ant infestation I was dealing with. Gemini decided I wanted to eat the ants, and helpfully provided the nutritional information for 100g of ants.
I really can't imagine a SOC relying on GenAI to query and analyze logs; maybe it's something that'll go over well in customer demos, but in the SOC the analysts will be running the Google equivalent of SPL queries.