
Integrating Large Language Models (LLMs) into your Security Stack

BSides Tampa · 2026 · 50:08 · 115 views · Published 2026-02
About this talk
By Shane Hartman

The integration of large language models (LLMs) into a security stack represents the next level of advancing capabilities for analyzing, detecting, and responding to threats. By combining LLMs with Retrieval-Augmented Generation (RAG) and LangChain, security practitioners can enhance their security operations and answer questions in real time, with context-aware insights.
Transcript (en)

Thanks everyone for actually spending your lunch hour with me. I saw when that came up I was like, ah, I got the lunch crowd. Let me see how many people actually show up. So with that being said, part of this is, how many saw the keynote this morning and saw the whole thing? We're going to kind of touch on almost a lot of things he did, but go a little bit deeper. But some of this research came from the fact that I'm doing incident response for other companies. I have to go into them and they're like, "We've got ransomware. We've got insider threat. We've got whatever the IR of
the day is," but they're also starting to ask questions about how can I possibly, maybe, can I use these AI tools to maybe help me or maybe do that? Can I integrate this with SentinelOne? Can I integrate it with my Fortinet appliance? Can I help my people not have to call you? Basically, that's what it kind of comes down to. So what we're going to do is kind of talk about some traditional approaches to security that we all see every day, and then kind of what LLMs can do for you, or what might make a difference where those approaches might work, which includes these kind of key areas: some reporting,
some alerting, researching, incident response, and a little bit more. So, I'm going to throw out a little bit of use case, a little bit of how you might do it, a couple tools, just a smag, a bunch of stuff. We'll just put it that way. If you have any questions, I'd like to make sure that I get all the content, because I think I'm right at about time, but if you have questions afterwards or I pause, that'd be the great time to do that. So, let's go into it.

Traditional security areas and approaches. We have the security operations center. Those guys are the front lines. They're getting all that stuff day-to-day. Most of the time
they're alert fatigued, they get too much stuff, they don't know how to handle it, there's just so much going on. Can we make their lives better? Maybe. Security architecture and engineering: everything from setting up servers to cloud infrastructure to all the pieces that go along with making sure that you have your users who are MFA compliant, who are, if you're using zero trust, whatever those things might be. The security analysts, the guys who are doing the auditing, threat intel, administration, and finally, where I live, in the incident response. We also have the report generation and review. Almost every team there has to generate reports in one form or another. Is it a port scan report? Is it an
incident response report? What does it look like for the general posture of my organization from day to day? Many of the things that we see, at least what I see from an IR, and I've actually played most of those roles minus a security operations guy, you are dealing with tools that are limited in coverage. They do the one thing and they might do that well, which works, but things like antivirus, it's signature-based, it may have some heuristics, but it does one thing. It may produce some reports, but do you action on those reports? Do you roll them into anything else? What about EDRs, rule-based systems that turn around, they alert,
they are based on signatures as well. What are the activities or behaviors that are going on on your network? Then you have, like you said, XDR and UEBA for user entity behavior analytics. When are people logging in? When are people logging out? Things like that. And then finally you get down to the SIEM and manual analysis. Like I said, all these approaches kind of work, but are we working together as a complete team? I have on more than one occasion as an IR guy going, "Well, the SOC analysts missed it. The security engineers are blaming the SOC. The SOC's going, the security engineers aren't giving me the telemetry I need to be able to pick up what I need. I
can't do this. The CEO is yelling at one person. It can become kind of messy." How many of you guys have kind of experienced some form of that, in one form or another, as one of those key components within that organization? So now let's take a look at that.

So what can the LLM do for you? Some things that it could do, and we'll talk in a little bit more detail, is some first level triage and analysis, and kind of help you out, and like I said, I'll go into some more details. It can enhance investigations by allowing you to actually kind of pick the brain of an engineer, so to speak, for whatever it is
that you're looking for. It can help with identification and with understanding the context by which you're actually working. It can also do the research and enhance reporting. Sometimes we might take a report that's written for the technical side and you might load it into an LLM and say, can you generate maybe an executive overview of this for non-technical people, and it might produce something, so you don't necessarily have to write it, or you can take the whole thing and have it distill it into other types of things. Additionally, they're going to continue to learn and adapt. The LLMs are going to get better and better and better, and they're going to
be able to help you. Remember, you don't want the LLMs to do your work for you. You want them to be a tool. Much like, you know, at the turn of the century when you had construction workers who got power tools, they got better. It didn't replace them. It just made them better at what they were doing. Use them as a tool. That's what they're for. Don't use them to do your work. It's one of the caveats I'll keep kind of putting up there. And the last thing there, or down a couple, is everyone else is doing it. Why shouldn't you? Why shouldn't you guys try it, at least in one form or another? This stuff's not
going away, and it's going to be no different than any other type of technology change that we've had over the years. You're going to have to embrace it in one form or another. So, will they make you better? Will they make you faster? Let's take a look.

So let's start with the enhanced reporting, because this one everybody has to do. You can query existing documents to answer some questions, such as maybe you summarize a document's contents. You have some report that you got, maybe you got something online, some other, CrowdStrike or something puts out a report, and you need to summarize that or distill it because it's a 27-page
white paper and you don't want to do that anymore. Or generate new documents and answers through your questions. So you can use a document to generate, say, a PowerPoint presentation on that particular thing. Make sure you don't miss anything. Or you can enhance or augment existing documents based on the questions and desired outputs. That's kind of like what I was talking about just a minute ago with the executive overview. You take a document: give me an executive overview or a summary of this. All right, everybody good with that? Cool beans.

All right. So, I'm going to talk about the first caveat. LLMs are smart, but they aren't knowledgeable. That's the one thing. How
many of you ever hired a new employee or been a new employee? I suspect everybody raised their hand. Do you know everything about the company you're going into? What do they have to do? They have to onboard you, right? And what do they do? You go through the HR process. You go through all that. This is what I do. This is how I set up my 401k. This is how all that type of stuff works. Just like a new employee, an LLM for you is just the same thing. So, one way to onboard, or one way to do this, which is where we're going to get into some more details, is to do
that with embeddings and RAG. And embeddings and RAG is kind of like giving them the HR manual, giving you the technical manual, giving you the process manual for how we do things. And then it knows the context by which you're working. So, what does that kind of look like? What is an embedding? Has anybody ever heard that term before? Good. All right. So, this is when you take a file and you actually upload it into an LLM. Once you upload it, and there's a couple different ways you can go about doing that, I'll explain it here in a minute. Once you add that, it reads the document and then it becomes aware of what's going on. You
can ask it questions based on that document. If you try to ask those questions before you upload, it's not going to know what you're talking about. And then that file, when you upload it, is broken down into tokens that are represented as numbers. It's called a vector. And then these tokens are stored as a vector. And then this is where RAG kind of comes in. So this is where we actually can pull the data back. So this is what it looks like in kind of a bigger form. So RAG operates in two parts to produce its results. First, it's going to take the user query and break it down into
vector tokens just like the embedding. And then it's going to perform kind of like a pattern match. Anybody ever done password cracking with rainbow tables? This is like a rainbow table, to a certain degree. It finds the tokens that match and it makes that assumption: this must be what you're asking me about. And that's why you'll see sometimes with LLMs, "I think you're asking me this." It's because it's matched up enough tokens to do that. But it doesn't have enough. So that's why it kind of puts that; otherwise it'll just say, this is what I think. So this is kind of what that looks like under the hood. So it's
a long-winded way of saying you can ask a question of the file that might or might not be directly written in it. So how does it kind of do that? Here's one of the ways you can do it. Some of you guys use Claude or Perplexity or Grok or any of those. You'll notice that there's an item where you can upload a file. When you do that, this is going to be a session context upload. It has some limitations. It's usually about 10 megs. Some of them will actually tell you right as you do that that this is the biggest file I'm going to be able to accept. And then one of the
caveats to that, besides, is it may not understand the actual document context. Sometimes it will have trouble reading. It'll read the document, but it doesn't know what it actually is about. It hasn't been trained specifically in what it is, especially if you get something very, very detailed or nuanced. I find this sometimes with it when you get into deep security issues; it might not know what that means. So you can ask it a question and it's like, I don't understand that. But outside of that, when you upload the file it becomes part of the session. So as soon as you close Claude or whatever, it will go away. It just disappears. It's not part of the,
it's not uploaded anywhere. It doesn't stay. It's in your memory. So that's one of the things. The first time I saw that I was like, well, are they taking all the files that I upload and keeping them forever? It doesn't work like that, because I was afraid I was uploading something I didn't want to. So that's one way to actually do this. It works if you try to upload more than one document or several. I found that it can kind of get a little kludgy unless they're the same type of document. So like report one, report two, report three, and they're all kind of the same. It can kind of work with
that, but if you upload a report about your travel, vacation, and an IR report, it gets really confused because it doesn't know what you're actually trying to do with it.

>> Excuse me. Is that a function of Claude?

>> This one's right from the Claude desktop.

>> Yeah. So it wouldn't be ChatGPT, throw it out. So throw the file out afterwards.

>> It's supposed to, for the session, for the upload, if you

>> Is that Claude though?

>> This is Claude. That's a Claude screen. And

>> wouldn't do that.

>> I don't believe so.

>> Okay.

>> And Perplexity. Those are both with the desktop function of it. I don't know
specifically about the web version,

>> but it's not supposed to. It's supposed to be only for your session that you have currently going on.

So, here's one that I uploaded. So I uploaded a ransomware playbook PDF and I said, "Tell me what this document is about." It's real simple. I need kind of like, so what it did was it read the document and it's like, hey, this is a detailed ransomware playbook. These are some of the key indicators. So it's reading all the headers and it spit out a thing, but it did sort of hallucinate a little bit. If you look over the thing labeled O2, ransomware playbook, it did screw up. So
be aware that just because it produces something doesn't mean that it's actually completely accurate. Make sure you validate what you would. It's a tool. Remember that. It doesn't do your work for you. It works with you. So that's one of the reasons why I put this one up here, is because it messed up even though it's a straight-up Word doc or PDF. Any question on that one?

>> Is it the difference between the free or the premium version to get this kind of results?

>> No, it's just, from what I understand, with the premium version you just get to ask much more. You get more questions you can ask it. If you keep asking questions, eventually it will say you've
reached your time limit and you have to wait before you're allowed to ask any more questions of it again.

>> But the amount of documents or quality is correct.

>> Not that I know of. I don't have the paid versions, just to put that out there.

Here's another use case. So, we've talked about one document. We talked a little bit about multiple documents, but what if you wanted to have it a little bit more semi-permanent, if you will? How would you interact with multiple security reports? Let's say you produce a monthly report. Every month you produce a specific security report and you want to be able to contextualize like a whole year at once. Maybe your,
even your senior management does. So you can load those security reports into an LLM and ask questions. But how do you go about doing that? So you would do that by connecting the LLM to a database. Remember how I told you when you uploaded it, it creates a vector, those numbers? There is a thing called a vector database, and such as Postgres does it, and I can't think of the other one off the top of my head. There's a couple; you just look up vector databases and you'll be able to see which ones support vectorization. And then what you do is you run it through a converter and it will
turn all those documents into vectors, and then it will store them, and it's local. It's just like a SQL database. It's just a different type, and then you can query it. So you could do stuff like, how much of my static IP address was used this year, if you're doing that kind of report, like a darknet trace. I used to do this all the time. We had in our server space a certain amount of dark space that wasn't supposed to be used, and every month we ran a report going, how much of that space is being used? And then we could also start to calculate from there, do we need to
buy new servers? Do we need to do this? Why are we using up so much space, or why are we not, because we'll give it up. Maybe generate a graph of ports in operation. You should do network scans for, what are my ports in use? How many web servers are being stood up? Where are they at? Those kind of things. Or maybe you could generate an IOC list from the past year's incident reports as a whole and then turn that into a Splunk alert query. You can do all those kind of things. I have a question in the back.

>> When you get, or when you ask kind of queries, how can
you kind of prevent or be aware of, like, if the data that you're out is

>> I'm going to quote Ronald Reagan there for a second. Trust but verify. When it comes back, you've got to look and see if this kind of fits the mold. You already saw that it kind of sort of hallucinated on that previous one by giving me something I didn't want. It had nothing that was in there. It will also produce other answers. There's also like a heat score that you can go in and configure, how much latitude you give the LLM for whether or not what it wants to put out. The tighter you make that
control, I think it's from 0 to 10, the tighter the control, the more it has to actually answer the question or it won't.

All right. So when you get to this part of it, this is where LangChain can kind of come into assistance. You heard LangChain used a little bit this morning, right? So what exactly is LangChain? LangChain itself provides a framework and an interface for connecting LLMs to other tools and sources. So, what it does is it allows you to create this framework for connecting things together. And it becomes kind of like that, for lack of a better phrase, kind of like, I'm going to go this way, I'm going to go this
way. And then it'll load up whatever tools that it needs to do. And we'll talk a little bit about agents here in a minute, but it'll call other tools to assist it for what it needs. The chain is a multi-step plan of execution. But it's also capable of somewhat reasoning. So, what it can do is it can call an agent, which I'll talk about here in a minute, and based on that information, it will read it and then do something else, which is something a little bit more unique versus, if you've ever done old school coding with the if-then-else kind of stuff, you have to encompass everything that comes in or else your if
statement just drops out, right? This doesn't have to do that. It will read that and it can make some other types of reasoning assumptions. Some of this is beyond the scope of what I even understand as far as the science and that, but that's how it kind of technically works. So this is how that framework kind of is set up. So you can see you have external data, APIs, user interface, and it's got all these different pieces that it can put in, and then it can create these different types of chains: a sequential chain, a router chain, a QA chain. Basically what that means is, based on the information it gets back, it can go in different directions.
It's like a person in that sense, because it's going to be able to make some decisions, if you will. And then there's some agents that it can do, like these are just some generic ones, like calculators and search and tools, but I wanted to give you kind of a general overview of context of what LangChain can do for you. It basically is that big glue and kind of puts that all together.

So now I talked about an agent. So what exactly is an agent itself? This is a system that can make decisions and activities based on specific goals. So where agents come
in is it does one thing. It's kind of like a tool, but unlike LangChain it can't necessarily go and access other ones. There is agent to agent; I'll talk about that maybe a little bit later, but you can think about like trading agents. They sit there and they're watching something and they're waiting for specific activity. Maybe a stock goes down to a certain price, it makes a buy order. It's an agent. That's what it does. Content moderation for online platforms: maybe you've got a Discord server and you've got this agent that's looking for reserved words that it doesn't want to be in that particular forum. It will pull those out. That's
kind of how that works. IT infrastructure and problem resolution: maybe when something's escalated to a certain point, the agent picks up and starts to activate. And then security, surveillance, and threat detection.

All right. So now how would we use that for, say, enhanced alerting and identification? So this is kind of like the next level. So we've got things like first level alert triage, which would be your SOC people. Anomaly detection, malware detection. So the next level of things that you might be doing, network monitoring that maybe a SOC wouldn't pick up because there's no alert for it. Phishing detection and exploitation. I'll talk about these here in a second.
Insider threat: a user or contractor that's compromised that comes into your office, you might be able to detect some things that are going on there. Zero-day vulnerabilities and supply chain attack prevention. These are all types of things where these agents are sitting there monitoring your network looking for things that are out of place, but you don't have alert functions necessarily on them. So, how would that work? Like for anomaly detection, how would you actually detect an anomaly in your network? So in the past you'd have to manually monitor the network, collect all of them. You relied on rules, thresholding, detects using hypothesis. What would be anomalous in my network? You'd have to kind of think about it.
Would an FTP transfer at 2 o'clock in the morning on a Saturday be anomalous? More than likely, you might have an alert for that. You might have an alert for FTP. You might have that. But what about an FTP at the end of the month during the normal cycle, when people are doing their normal activity? That might be where it might slip under the cover, so to speak. But after AI, what it can do is it can ingest and process all that information from, say, your Sophos appliance or your Fortinet or your SIEM. It can actually tag that through API calls and bring that in and
actually do analysis on its own and find things you'll never be able to find. It's too much data. I mean, have you ever looked at some of these logs? They're thousands and thousands of lines long. You're going to miss something. It'll process, index, and categorize that into something that's human queryable and then quickly apply some statistical methods. And I'll talk about predictive analysis here in just a little bit. Any question on that one? All right, cool.

So, how about malware detection? Most of the time malware is detected just by kind of happenstance. It's something that activates that's behavioral in the network. Like ransomware, it's like, wow, there's a lot of files being accessed. Wonder
what's going on, or why is this particular process going outbound? What's this SSH tunnel about? These are pretty nebulous, but what you can do with LLMs is, if you're monitoring your network for behavioral type of activity, you can see those things that don't match up necessarily with what normal user behavior might look like. An unusual amount of logins, and logins to systems that they don't belong to. Like if you have a salesperson, why are they logging into the executive servers or something of that nature? So, here's some use cases for that. So, an agent monitors your Splunk or other security alerting tool. It doesn't matter what it might be. The alert is
generated and the agent performs level one triage. So, what's level one triage? When you get into a SOC, you might be doing stuff like look up and geolocate an IP address. That's something an agent can do for you. Perform some OSINT lookups on the domain. You can go to VirusTotal. You can go to other stuff. There's all open source ability to do that. Look for previous alerts or resolutions. How many of you ever got an alert and you just go on to Google and start doing a query for whatever keyword tools you're doing? That's this. Now apply a resolution if there is one, or escalate it to level two with all these details wrapped up into
it. Now, wouldn't that be so convenient by the time you actually have eyeballs on the alert that they're like, "Hey, this is geolocated in Russia, OSINT says this is part of Bad Panda or whatever it might be." And it looked up previous alerts and it says, "Hey, they've been targeting your specific vertical," which may be gas and oil or whatever it may be that you're actually working in. The resolution to that is block SSH to this particular port. We've escalated to level two because we didn't do that. But that could be all wrapped up into several agents that do these particular things, and LangChain can control that agency. Does that make sense? Now this
is what we didn't talk about this morning in the keynote, is how all these kind of things are put together. But LangChain will grab this; this could be an agent in itself: look up IP addresses and geolocate them. That's all it does. This could also be another agent, and then it can orchestrate all those and then look for previous alerts and resolutions. Maybe there is no resolution. It would then go, I need to escalate this sooner, or do a deeper search, or whatnot.

Let's see. We also have something called MCP. I know that was also brought up earlier today. MCP is a model context protocol. And notice that it's a protocol. This is
not necessarily a tool per se. So what this does is, this is brought in by Anthropic, and what it does is it creates a protocol, or a way to communicate between APIs and other agents, that's consistent. So when you import MCPs, the tools can actually talk to each other on a common protocol. And that way they know how to talk to each other instead of, like, somebody's trying to talk SSH but another person is talking NetBIOS or whatever. They can talk to each other. So it's an interesting protocol. So I kind of put a little quick code snippet up here just so that
you can kind of see. This is from Pydantic. You import an agent and you import the server stdio, and that allows you to have access to their MCPs that are up on their net, and then all you have to do is just say, hey, I'm using this particular LLM, which in that case is their Claude LLM, and then it says MCP servers, and then there's one called fetch. Now fetch is one of their MCP servers, and what it does is it basically allows an LLM, or their LLM, to have internet access. So when you ask it a question, if it doesn't have it in its base, it will go search the net for it.
So you could say, for instance, if you didn't have that and you say, "What was the hockey score last night?" It'll come back and it'll go, "I have no idea. I've been trained in 2020. I can't do that." But if you do fetch, or you have fetch as part of that front end, so you run this, it loads the LLM into memory and it says, "Hey, I don't know what it is, but I have this tool that can go do it for me." And it actually generates a query, goes out to the internet, and tries to find that information for you. Now, it can sometimes fail, but it will try to do
basically a Google search for you and pull back that information. It'll be like, "Hey, you know, what do I want to say? The Panthers won last night and they're actually going to game seven against Toronto and it's in two days." That might be what you might get, for those hockey fans here who were watching last night.

So, here's another use case. Looking up the security recommendations after a vuln scan. So, this is like a Nessus scan. Everybody's seen these before. It's got a bunch of vulnerabilities that are behind it or whatever. There's APIs. You can pull data out of Nessus, the Nessus server. You don't have to go to the front end.
If you have an API, you can plug your LLM and your agents against it. You can tell the agent to go to the API and pull information out of it. And then you can use another agent to go, hey, it says that CVE such and such, what do I do to actually remediate this? And it will give you that information without you having to go do it. So those are where, again, you're using it as a tool. You're not using it to do your job. You're using it to make it more efficient, because otherwise, what are you going to do? You're going to look up CVE 2876 or whatever it might be for the day, read through the thing, and it's like,
"Oh, that's how I mitigate that. Let me go ahead and create a project. Let me go ahead and do all the pieces and create the ticket." You can automate all that and make it do some of that stuff for you. This is just another one; I just wanted to show you others. It'll interface with anything that has APIs. So if you have an API for it, you can interface with it, as long as that organization gives you enough APIs to be able to actually do what it is that you're trying to do.

Some other things. So it can enhance investigations. We talked about this with the agents, where it can build other types of knowledge graphs. Remember I
was talking about the vector database before, right? You can continue to write with it. You don't have to upload documents to it. When you do other queries, you can tell it to write back to the database and build your own sort of knowledge tree, threatscape type of thing, as an overarching thing for your organization, going, "Hey, you know, I've seen that IP address before. Maybe let me take a look for it. Yeah, it's from, you know, 2016. We saw that IP address. Let's do some more querying on it. Maybe it led to this file. Let's go look for this file now." Or let's go look for this, or what might be. Or maybe you
go and do some domain things and see where that might have existed in the past. There's all kinds of things you can do as far as building your own sort of threat knowledgescape within your own organization by bringing all these tools together and using the LLM as a catalyst to be able to put them together.

So some other things that you can do, which, we'll get into predictive in a minute, but these are some other kind of cool stuff that you can do, and I've done a little bit of this: some log analysis, time sequence. This gets into statistics, so you can start to look at things as an
overarching landscape of what your organization looks like. Just pull in, like for your Active Directory controllers, pull in your event logs for an entire month. Let it kind of digest it and say, what does the normal behavior of my network look like for my Active Directory controllers? What's normal log in, log out? Maybe I can get down to user behavior. Maybe I can get down to times of day, which servers are responding. Maybe I have a server that's actually degraded and it's not responding as well as the other one. You might be able to tell some of that stuff. You could also do this with the cloud side of it, with the UL logs or user sign
on, sign offs. You can do anything you want. Spatial analysis. That's kind of one. Have you ever heard the, what do I want to say, where you have two logins from two different locations and you can't do that? There's a rule for it. The

>> USB or superhuman.

>> Yeah, superhuman type of thing. It can figure that out, but it can do it on different levels instead of just that sign in, sign out going. There's no way for this person to log into this server and log into 28 servers all at once. It just doesn't happen, because they can't do it unless it's some kind of automated process. This must be a
bot. It's not a user or something of that. And then same thing with the swarm or hive analysis. That gets more into, kind of like, the ransomware. When a ransomware is deployed, it can start to spider out all over the place. It can see that and go, "Wow, this seems kind of really weird for the type of behavior that's going on." Uh, let me see what we got. Okay, threat intelligence. So before, uh, before AI, you had the same thing. An analyst had to sift through a bunch of sources. Maybe they had to, I used to have a whole list of all kinds of places I'd have to

go to to get the information that I'm looking for. And then any gaps in the analyst's knowledge, or places where they look, are going to show up in the report. You won't know it because it's a gap. But what the LLM could do is automate some of that collection of data at scale and make broader connections that you might not be able to, um, just to be able to ingest more threat detail, maybe even from a longer period of time. Like I said, if you've ever tried to look at a log that's like a year old, that's just like an IIS log. It's one right after another for day after day after day, year after year after year, and

it'll continue to grow until the end. Um, so phishing detection, here's another one that we could kind of use it for. So some of the terminology is already in place. You see that with your Proofpoints and things like that. They look at metadata. They look for forged senders. They analyze message content and all that stuff that we do if you ever review, like, a phishing email. That's the stuff that you look for. But the part that it sometimes has a little bit of trouble with, where you might be able to use that, is what about dialect or text patterns or content? Does this person have specific ways that they speak? If you've ever, professors

are really notorious for this. They're able to detect whether or not you wrote something because they talk to you all the time. They're like, "You don't talk like that." I mean, I remember my son one time when he was about like 10 years old, he, you know, you do that. You plagiarize a little bit. He throws it in there. I was like, there's no way you speak like that. So, it was an easy detect. Same idea. You detect the context, what's being asked. Would you be asking a salesperson for a wire transfer? Those are the kind of things that it might be able to pick up on. This is one of them that's

already, you're starting to see in place. You don't often get emails from this. This is just a general rule alert, but you get the idea where you could take that from there. It's going, "Hey, this is unusual for this person to send you an email. Is this something that you might want to be careful about what you click on before you actually go do it?" Um, so malware analysis, again, we'll talk a little bit more about this. Uh, before, you used to have to go and detonate it in a lab. I used to do that all the time. Load it up in a debugger, walk your way through it,

step through, try to figure out what the processes, imports, you name it. Um, one way you can actually do that is, as long as it's small enough, you can throw it into an LLM and ask it to do a breakdown of it real quick. So, I did one here real quick. This was Registry Explorer.exe. Dropped it in there. I said, "Tell me what this is. Tell me what it's about." And it read some of this stuff from strings, which is fine. And then it went out to the internet and did some other stuff and looked it up and goes, "This is what I think this is." And then you could

probably take it one step further. But that gives you a first-level triage without having to do anything. No detonation, no nothing. It just went through and kind of did some of the work for you. Again, gonna re-emphasize that these are tools. They don't do your job for you. You have to trust but verify. Um, here's some other use cases we can automate. Threat detection, uh, just by looking at behavior, incident summarization, and reporting. When you, uh, many times, like when we're doing incident response, we're writing little blurbs. And what I mean by that is: I analyzed this machine for its, um, uh, internet history. Here's the internet history file and here's kind of the

place they go. It's one little section. And then underneath it, it would be like, hey, I analyzed the MFT. Here's the things that happened at this particular date and time. You could take that document, put it in there, and have it redigested into more of a report for a non-technical person, or into a little bit more legible thing. Um, so root cause analysis, again, that's back to the logs. Um, security playbook creation, where you could take a document like the ransomware one that I just showed you and say, can you generate me like a Visio diagram or a playbook on how I would actually handle that. Um, automated

response actions, we just talked about that with agents and MCP. Threat intelligence, and post-incident review and learning. So there's a lot there. I know I'm kind of rushing. I know I'm right about on time. But, uh, here's some future cases, some things that LLMs are going to take you to going in the future. So this could be, at the rate they're going, this could be next week, it could be six months, or it could be a year from now. But I'm telling you, I changed this thing four times between the time I actually was told that I got it to last night at 1:30. Um
>> probably out of date by now.

>> Yeah, it's probably out of date. So, some predictive threat intelligence. One of the things, I'm a data geek nerd. I like that kind of stuff. So the more data I can collect, the more I can kind of look at things and go, what does this mean? What does that look like? I used to obviously use a lot of hypothesis types of things with like Excel and spreadsheets and SQL, but this can do some of that for you, going, hey, I see all these logins that are going here, or I see this type of activity. I would expect maybe this to happen next. Or just by looking at the

data on a normal week, Monday through Sunday, you would expect this kind of data transfer Monday through Friday and then you expect it to drop off, right? That's just being predictive in your head. But what if you were able to take that and extrapolate that, not from a week, not from a month, but for a year? Sometimes that's not going to play the case, and there might be certain reasons why those particular outcomes aren't the same. Uh, one of the classes that I also teach, about data analytics, we spend a lot of time in the business side of the world. We're like, why would you order sweats during the middle of summer, or things like that? So, you can kind of

do that predictive. What are people going to do? That's where that is. Um, so automated incident response playbook execution, we just talked a little bit about that. Take your playbook and agentize it. What are the things that are going to do there? So, you say, uh, I've detected this. We move from level one SOC to level two. Now, what's supposed to happen? Can I agentize that? Can I make it help my SOC people do what they need to do? Um, detection to defense, prompt injection, adversarial attacks. Obviously, these attacks are still getting through. So, why? Is it bad code? Is it just the way it's set up? Um, many times, especially

when we get into the cloud, I'm telling you what, I have more cloud types of incidents than anything else, just because it's so complex in how it goes together that we don't completely understand, you know, how a Kubernetes cluster works in some of those things, or how some of these other pieces go together, which opens these back up as old types of attacks. Automated compliance from policy enforcement. Um, continued security awareness and training. When people do things that go out of that behavioral line, you could actually trigger, hey, you need to do this. Kind of like when you get the phishing report where, like, KnowBe4 sends you the phish, you click on

it, you're on a list. So those kind of things. Real-time fact-checking and misinformation detection, things like that that you think you know or whatnot. Um, I just talked about predictive analysis, so I'm not going to get into more detail about that one. Um, user and entity behavior analytics. Uh, this is one of the areas I like a lot because users tend to behave the same way continuously, because they do their job. It's what they're supposed to do, and then they have a kind of a pattern. But if you've ever worked a case where it's like a disgruntled employee or a criminal type of thing, their behavior changes at a certain point, and that behavior can be detected

with this. Like, are they suddenly downloading a lot of files to their OneDrive? Are they accessing more files than they normally do? This is not an alertable function because it's not something that's an attack. You don't notice it, but an agent might notice that, going, this person has now changed their behavior. Maybe they're coming in early in the morning and they never did before. Maybe they're staying late at night. These are types of things that, uh, are trigger points that, when we're doing criminal investigations, we see that kind of stuff happen. The behavior of the user changes. Um, so where can you begin to experiment? We're getting close to kind of the end. These LLMs are a

great segue into getting into machine learning and all that type of stuff. You get into the machine learning side of it, it's, uber, like, I have no idea what this guy's talking about. What's all this training and data and all that? Don't worry about that. Just work with an LLM. Pick one. Pick Claude. Pick Perplexity. Pick Grok. Actually, try them all for that matter. Actually enter the same prompt into all four of them, or whatever you have, and see what you get. You'll be surprised at actually the outcome. Sometimes they're aligned, sometimes they're not. Um, learn the vocabulary. We just talked about MCP, LangChain, agents. There's all kinds of tools. Things are moving relatively

rapidly. If you keep up with the vernacular, you'll have an idea of what people are talking about. And then experiment with the tools and ideas. Those agents where I showed you, where it was the tool, you can actually use MCP right in the Claude desktop. You just have to, uh, do a quick search on how to enable it. And what'll happen is, in Claude specifically (that's the one I've done), uh, down under where it says load document, you'll get a new icon that'll be like all the tools that you've loaded. And that could be something like the fetch or whatever. There's a bunch of them. There's one there for connecting to Slack. So, you

could actually take the LLM, type something in, and create a Slack channel right from there with a tool. You can do stuff like that. Um, experiment with the tools and ideas. Python is very supportive of it. Uh, but you can use other languages. They just might not have the same level of, uh, things that you can load in as far as frameworks. It's just, uh, Python is just really supportive of it. You'll find a lot of stuff that is out there already, ready for you to use. Just need to modify it. Um, some changes that you're going to expect. There's going to be some disruptions. We're going to break stuff. We're going to definitely do

that. But it should increase your efficiency, improve your accuracy, and reduce costs over time. Remember, this is a tool. But if you learn how to use the tool, you'll know where things are going awry and where things aren't going, and then you can kind of make some connections from there. We don't want these tools to be considered, at least from senior executives or whatever, as your replacement. You want to go, "Yeah, I know about that. I know how to do this. Here's how we can make this effective from an IT point of view," so that they don't see it as a replacement for you. You can see it as an augmentation just like anything else

that we purchase, whether it be, uh, a USB drive, whatever it might be, whatever you need as a tool. It's a tool, so just use it. Tell them that you know what it is and how it works. Um, some other things that are associated with it. This gets a little bit more into, if you're going to do your own LLM, you can train your own models. This takes time, and this is a different aspect of it. I'm not getting into much detail, but I wanted to talk about it. When you're going to train your own, you're going to have to worry about things like this: the bias that you might introduce to it

because you're training it on specific data sets, handling unstructured data, the quality of data, and the compatibility with applications that you might be working with. So, that's a caveat if you're going to train your own model. One thing about training your own model: like the onboarding of a new employee, it's going to know the context by which you're working, and you'll know the underpinnings that are under the hood, versus something that you download from Hugging Face or whatnot. Um, some other things: products are going to continue to introduce AI into their product structure. So what you need to be aware of is, kind of like, now that you know some nomenclature and

some things, how to, or you can ask them questions and see if you can, like, stump the sales guy, so to speak. Start to understand about, like, um, integration and compatibility. Where's the data going? What's the privacy? What does this look like? Are you collecting metadata? Are you collecting this? Am I uploading something? Is it in your cloud and not mine? Uh, transparency, training and support, continuous improvement. Those are the things that you're going to be looking for. You don't want to get into a product and then six months later it's like, "Oh, well, we're not using Claude anymore. We're using the latest version, but you're not compatible, so I can't help you." You

know, those kind of things. Um, here's some, uh, resources that you can use. So, there's MCP, that's a list of MCP servers. If you pull that up, there's all kinds of stuff in there. Slack, SQL, all kinds of things that your connector can use. Um, uh, these also go with that, the servers, as well as kind of an introduction to kind of tell you what MCP is about. Here's LangChain, which will explain how LangChain works. Pydantic, which actually has some really fantastic documentation and source code so that you can kind of start to, kind of like, Lego it together, so to speak, with even some of their own data, like a

little CSV file, and put it together. Hugging Face, and that is a local LLM. You can download that and have it run on a reasonable machine. It should have a graphics card that's capable of doing it. Uh, but then you can actually domicile everything locally and not even use something like a Claude or whatnot. You can just have everything running locally. Uh, let's see what else I got. All right, so this is one of my closing notes. I always love this from Jurassic Park. Your scientists were so preoccupied with whether or not they could do it, they didn't ask whether or not they should. This is one of those types of areas where

just because you have this stuff doesn't mean you necessarily have to just go full bolt and just apply it to everything. Take your time, understand how it works. Do it little bits at a time. Experiment. Even do it in your own little lab type of thing and put those things together. You don't even have to use the LLM. If you have APIs that are exposed by any of your products, you just access it. Like Postman is a tool that you can use to access the API and just pull data back. Just see what that is. Don't agentize it yet until you're ready for it. Um, now I can open it up to questions and

these are some ways you can get a hold of me. So I think I'm, hey, I'm pretty good on time. Sweet. Mr. Lightning,
>> have you seen people use practical instances of AI in security?
>> Have you used what?
>> Like an actual practical instance? I know we've talked about a lot of things, like reporting and all this, and with our team we're struggling to find an actual use case.
>> I use it all the time when I'm report structuring. So when I'm writing a report, especially when it comes to recommendations, when I get to the end and I've got to do recommendations, I might have something like, hey, you know, you need to have, uh, a complex-level password type of thing. I might actually go and ask the LLM what are the best practices for actually doing that and see if I missed something, if there's a gap. I mean, I know what I know, but there's times maybe there's new tools out there. It might suggest, you know, you might have the 14-plus characters or whatever, but you really should be moving towards zero trust, because eventually these types of, uh, tools such as, uh, AI are going to be able to crack even the 14-level password or whatnot. And you might put that as a piece within your recommendation. So that's one of those places where that might work.
>> To add to that, we're using it within, it's a product within Elastic. You can go play with, like, their 14-day trial. But the best thing I've seen them do is not like their bot to explain the alerts, but they're actually using all of your top alerts. They'll aggregate together and see if they can correlate alerts that are correlated together and turn those into attacks and summarize. And so, like, we saw a hit on soft glue group together like 27 alerts that a human may have had a harder time, or at least not nearly as quick, grouping all those together and saying these are related. It's looking at a large context of correlation. They also do, like, um, your RAG example where you can upload articles like your playbooks and
>> your playbooks or whatever.
>> What would my playbook be on this, or what? You can also attach it, like with an agent, to like the MITRE ATT&CK framework and pull down the attack piece that goes with it. So it'll just pull the piece in.
>> Same idea.
>> Thank you.
>> Yep. What's been your success rate looking at AD logs, those examples you gave, like signal to the noise? Has it been effective to actually pull in all those? Whether it comes up with an alert, is it actually actionable? Like, I found some deviation that was like, this is adversarial. Like, have you found successes with some of these, like, high-level hunts?
>> A little bit. It's still
>> It's
>> Yeah, a little bit. Like, for instance, when I'm using event logs, I'm running it through, like, Chainsaw and some other stuff that actually has, um, other alerting mechanisms that are there. But I can load it up and say, um, like, say I'm looking for 4688, login type 10, or a machine login. I can do that quicker than actually trying to load it into something else. I can just say, here, tell me about this. Tell me what this looks like. What other places did it connect to? Without having to go, because, like, Chainsaw will produce the alert, but I have to go look at it then, versus if I look for 4688 and it gives me a list and I'm like, did they connect anywhere? Did it connect anywhere else? And then it can do that because it has context.
>> Would it create another query to go back to the SIEM to grab those?
>> You can do that. You can do that. You can actually, in some cases with, like, the MCP, and if you get to the agent side of it, you can actually have it, you can ask a question like that and then you can say, generate me a query to do that. It'll do that for you and then return the results. That's a much more complex ask, but if you know what you're doing you can put that together. Pydantic has an example kind of like that, where you're using the logs to ask a question that there's no report for and it will generate the SQL right there for you to go back into the SIEM and pull it out.
>> So I started on some other resources.
>> Um, so you had the MCP, uh, just let me go back one. There's, of course I broke it. Let me see here. See if I can find that one real quick. There was, okay, you had the MCP servers. Pydantic will give you a lot of that to a certain degree. Like I said, there's fantastic documentation on there for actually creating agents. So, it's going to give you the details on that, and then from there it'll tell you how to create the agent and then with the MCP connector.
>> Uh, if you don't mind, I have a comment.
>> Sure. Absolutely.
>> Yeah. So for MCP, uh, Claude recently introduced, really, like, their $100 per month version where you can have integration with Zapier.
>> Mhm.
>> Where
>> I've heard of Zapier.
>> Yeah. Where you can, you know, they have like 30,000 integrations
>> and besides that there is n8n, like an open source service where you can have, like, pretty much the same approach as here, where you can have integrations, Slack or, you know, whatever. So
>> yeah, there's a ton of them.
>> Yeah. Where you can build these workflows and integrate AI.
>> Yeah, that's the LangChain. It'll help you build the workflow and framework along with the MCP. It's all interconnected. It's just, it takes a little bit of research to figure out exactly where you want to put it together. But yeah, that's cool. Work in progress.
>> How are you finding that these, like, train?
>> Yeah. Uh, you can figure it out real quick by asking it an up-to-date question, like I said, like who won the hockey game last night. It'll tell you, like, when its training date was.
>> Specifically on, like, hey, look for malicious behavior in these logs, how well trained? Like, I imagine not a lot of people are log
>> No, you have to, you have to prompt it for what you're kind of looking for, and so you still need an analyst for that kind of
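Added here as an example that is not from the talk: the log-baseline checks the speaker describes for Active Directory logs (what is normal per user, one account logging on to many servers at once, a user's hours changing) written as deterministic Python over a constructed sample, rather than as a prompt to an LLM. The CSV layout, the account and host names, the cutoff date and the thresholds are all assumptions made for the example.

```python
"""Added example (not from the talk): deterministic baseline-vs-deviation checks over
AD logon events, the questions the speaker puts to an LLM over a month of DC logs.
The CSV layout, thresholds and host names are assumptions; the data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

CUTOFF = datetime(2024, 3, 3)  # events before this date are the baseline; later ones are reviewed

def constructed_log() -> str:
    """Constructed lines: '<iso timestamp>,<event id>,<user>,<host>,<logon type>'."""
    lines = []
    for day in (1, 2):  # two quiet baseline days
        for hhmm, host in (("08:02", "DC01"), ("12:30", "FS01"), ("16:55", "DC01")):
            lines.append(f"2024-03-0{day}T{hhmm}:00,4624,alice,{host},10")
        for minute, host in enumerate(("FS01", "FS02", "SQL01")):
            lines.append(f"2024-03-0{day}T02:0{minute}:00,4624,svc_backup,{host},3")
        lines.append(f"2024-03-0{day}T09:00:00,4634,alice,DC01,10")  # a logoff, ignored below
    # Day under review: alice at an hour never seen before, and the backup
    # account fanning out to eight servers inside 35 seconds (the "swarm" case).
    lines.append("2024-03-03T03:15:00,4624,alice,DC01,10")
    for i in range(8):
        lines.append(f"2024-03-03T02:00:{i * 5:02d},4624,svc_backup,SRV{i:02d},3")
    return "\n".join(lines)

def parse_events(text: str) -> list:
    """Keep only successful logons (event 4624) and turn each line into a dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, host, logon_type = line.split(",")
        if event_id != "4624":
            continue
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "type": int(logon_type)})
    return events

def max_fanout(user_events: list, window: timedelta) -> tuple:
    """Largest number of distinct hosts one account logged on to inside any sliding window."""
    evs = sorted(user_events, key=lambda e: e["ts"])
    best, best_start = 0, None
    for i, first in enumerate(evs):
        hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
        if len(hosts) > best:
            best, best_start = len(hosts), first["ts"]
    return best, best_start

def detect_deviations(events, cutoff=CUTOFF, window=timedelta(minutes=5), factor=2):
    """Compare each account's reviewed activity against its own baseline.
    Returns ('off_hours', user, iso_time, host) for a logon at an hour the account
    never used in the baseline, and ('swarm', user, iso_time, host_count) when it
    touches more than `factor` times its baseline fan-out within one window.
    Accounts with no baseline get no off-hours check (nothing to compare against)."""
    base, review = defaultdict(list), defaultdict(list)
    for e in events:
        (base if e["ts"] < cutoff else review)[e["user"]].append(e)
    findings = []
    for user, evs in review.items():
        usual_hours = {e["ts"].hour for e in base[user]}
        base_fan, _ = max_fanout(base[user], window)
        for e in sorted(evs, key=lambda e: e["ts"]):
            if usual_hours and e["ts"].hour not in usual_hours:
                findings.append(("off_hours", user, e["ts"].isoformat(), e["host"]))
        count, start = max_fanout(evs, window)
        if count > max(base_fan, 1) * factor:
            findings.append(("swarm", user, start.isoformat(), count))
    return findings

def run_example() -> list:
    """Run the checks over the constructed log; an analyst still has to read the rows."""
    return detect_deviations(parse_events(constructed_log()))

if __name__ == "__main__":
    for row in run_example():
        print(*row)
```

Each account is compared only against its own history, so the backup account's nightly three-host run is normal while its eight-host burst is not; deciding whether that burst is a new job or a compromise is the analyst's call, as the answer above says.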