Blog

Investigations
Highlights

Current SecOps tools are hard to operate and investigate

Despite the early and sincere focus on search and investigations, modern SIEM and SOAR capabilities have evolved to satisfy compliance and regulatory requirements. Today, these technologies do not provide dedicated investigation tools or the right user experience for an effective investigative flow. In this post, we dive into findings from our research, walk through sample use cases and recommend solutions to common issues in investigations.
Dean De Beer, Oct 30, 2024, 8 min read
Investigations
Highlights

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.
Eric Hulse, Oct 24, 2024, 7 min read
Investigations
Highlights

Uncertain security alerts: Common hurdles and recommendations

Security Operations Centers (SOCs) struggle with uncertain security alerts, which create inefficiencies and analyst fatigue. The main challenge is the high volume of non-conclusive alerts that only indicate "interesting patterns" rather than definitive threats. Analysts must investigate numerous alerts daily, requiring extensive context-gathering about users and their behaviors. While playbooks can help with known attack patterns, they're difficult to maintain and can't keep pace with constantly evolving security threats. In this article, I’d like to highlight some of the common practical hurdles we observe with uncertain (aka non-conclusive, non-definitive) security alerts, and our recommendations to overcome them. The key is facilitating better decision-making through improved data collection, context building, and flexible investigation tools.
Alfred Huger, Oct 23, 2024, 8 min read
Research
Highlights

Universal talent gap in cybersecurity hinders the ability to run investigations

It is no surprise that a significant challenge for cyber teams is a pronounced skills shortage in the industry. The gap between the demand for experienced cybersecurity professionals and the available talent pool is widening for all cyber disciplines. This research indicates that this gap is even more acute for incident response and cyber investigations.
Erdem Menges, Oct 16, 2024, 7 min read
Research
Highlights

The Goal, Scope and Methodology of Command Zero’s Recent Research on Cyber Investigations

Command Zero published its first research report: “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders” on September 10, 2024. The report is based on 352 interviews with cyber leaders including CISOs, security VPs and incident responders. It sheds light on the primary challenges encountered in cyber investigations including those stemming from alerts, insider threats, incident response, and threat hunting activities. This blog post is the first post of a blog series covering the key findings, takeaways and recommendations from this report.
Dov Yoran, Oct 2, 2024, 5 min read
AI
Highlights

Leveraging RAG for question selection in cyber investigations

The integration of RAG-based question selection has significantly improved our cybersecurity investigation capabilities. By leveraging AI to intelligently select and prioritize investigative questions, we can initiate investigations and provide outcomes more swiftly and effectively. As we continue to refine this approach, we're excited about its potential to shape the future of AI-driven cybersecurity investigations. The synergy between human expertise and AI-powered guidance is proving to be a formidable tool in cyber investigations.
Dean De Beer, Sep 24, 2024, 4 min read
Events
Highlights

Post Black Hat USA 2024: What’s next for cyber

Most conversations at Black Hat USA 2024 surfaced that we’re at an exciting juncture for cyber. Some of the incoming changes include expansion of cyber giants into adjacent segments, additional movement in SIEM and SOC automation segments and continued industry consolidation.
Dov Yoran, Aug 21, 2024, 3 min read
Events
Highlights

Black Hat USA 2024 recap: Key takeaways and observations

Black Hat USA 2024 provided a clear picture of where we stand as an industry and where we need to go. As we navigate these challenges, collaboration, innovation, and a renewed focus on resilience will be key to our collective success. Key takeaways from this event include the CrowdStrike incident and its impact on cyber, the use of AI in cyber, election security, the privacy vs. security dilemma and the increasing personal legal risks for CISOs.
Dov Yoran, Aug 15, 2024, 5 min read
Identity-investigations
Highlights

Accelerate Okta investigations – sample account takeover analysis

Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations. In this post, we’ll follow a potential account takeover flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.
Eric Hulse, Aug 2, 2024, 6 min read
Identity-investigations
Highlights

Investigate Microsoft EntraID identities in minutes

Identity-based investigations are one of the most common analyses in security operations. These leads come under the spotlight because of an HR event (various watchlists or a user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, their historical context and their recent behavior is key to conducting effective investigations. In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID.
Alfred Huger, Jul 25, 2024, 4 min read
AI
Highlights

Context and intent for AI enable effective cyber investigations

Our general philosophy towards AI is simple. We use LLMs to augment the capabilities of our platform. We structure our content (Questions, Facets, Metadata, Prompts, Answers, Relationships) to improve the quality of the models’ responses. As with developing any production-ready application, LLMs bring their own set of unique implementation challenges. For us, these challenges can be categorized as accuracy, latency, scalability and cost. All of which have an impact on the user experience.
Dean De Beer, Jul 23, 2024, 6 min read
Research
Highlights

Identifying Midnight Blizzard and other password spray attacks using Command Zero

To identify Midnight Blizzard or any other password spraying attack in your environment, there are multiple paths you can take with Command Zero: 1) tracking unusual application consents, 2) tracking password spraying attempts, 3) tracking MFA failures and 4) tracking new or re-activated user accounts. As with all investigation flows, these flows can be saved as facets to drive speed and consistency across individual analysts or analyst teams.
Eric Hulse, Jul 18, 2024, 8 min read
launch
Highlights

Fuel cyber investigations with expert questions

The universal talent gap is a challenge we must operate with in cyber. To combat this, we need to shift from platforms built for advanced users only to intrinsically skilled platforms that augment all users. Command Zero delivers the expert platform for cyber investigations. Expert investigative questions and investigative flows (facets in our terminology) are the investigative fuel of the Command Zero platform. By leveraging this expert content, all tier-2+ users (tier-2, tier-3, incident responders and threat hunters) can deliver expert outcomes every time.
Eric Hulse, Jul 17, 2024, 12 min read
Investigations
Highlights

Rediscover threat hunting and investigations

Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.
Alfred Huger, Jul 11, 2024, 7 min read
launch
Highlights

Transforming cyber investigations: The power of asking the right questions

What if we could create a team of investigators with the ability to collect and harvest the right information, to determine the scope and track investigations in real-time? Command Zero’s question-based investigative approach, combined with automation, ensures no detail is overlooked. This method makes expert knowledge accessible to all analysts. Discover how this empowers Tier-2+ analysts with expert system capabilities in our latest blog. It’s not enough to just provide the query. We need to ask those questions for them, driving deeper investigations and educating analysts continuously. This ensures they understand the process, reasoning, and outcomes, leading to better, repeatable techniques.
Dean De Beer, Jul 10, 2024, 10 min read
launch
Highlights

Introducing Command Zero & Why focusing on tier-2+ is the best investment for security operations

Today, Command Zero is coming out of stealth, ready to revolutionize security operations. Command Zero is the industry’s first autonomous and user-led cyber investigations platform. It is built to tackle the most significant bottleneck in security operations: investigations. Supercharging tier-2 and tier-3 analysts (the scarcest talent in security operations) is the most impactful project a CISO can take on. Command Zero is built to deliver this transformative project at scale.
Dov Yoran, Jul 9, 2024, 6 min read