Black Hat USA 2024 provided a clear picture of where we stand as an industry and where we need to go. As we navigate these challenges, collaboration, innovation, and a renewed focus on resilience will be key to our collective success. Some key take aways from this event include the CrowdStrike incident and its impact on cyber, use of AI in cyber, election security, the privacy vs security dilemma and the increasing personal legal risks for CISOs.

Okta is one of the most used identity providers with various identity and access management solutions. Like other IDAM providers, Okta is a valuable resource for starting identity investigations. Impactful identity and authorization patterns including user password changes, password policies, multi-factor authentication (MFA) alerts and application consent grants can be reviewed on Okta during investigations. In this post, we’ll follow a potential account takeover flow starting from Okta alerts ingested by Command Zero. While we can expand any investigation to other data sources, I'll keep the focus on Okta to simplify this example flow.

Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, the historical context and recent behavior are key to conducting effective investigations. In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID.

Our general philosophy towards AI is simple. We use LLMs to augment the capabilities of our platform. We structure our content (Questions, Facets, Metadata, Prompts, Answers, Relationships) to improve the quality of the models’ responses. As with developing any production-ready application, LLMs bring their own set of unique implementation challenges. For us, these challenges can be categorized as accuracy, latency, scalability and cost. All of which have an impact on the user experience.

For identifying Midnight Blizzard or any password spraying attack in your environment, there are multiple paths you can take with Command Zero: 1) Tracking unusual application consents 2)Tracking password spraying attempts 3)Tracking MFA failures 4) Tracking new or re-activated user accounts. As with all investigation flows, these flows can be saved as facets to drive speed and consistency across individual analysts or analyst teams.

Universal talent gap is a challenge we must operate with in cyber. To combat this, we need to shift from platforms for advanced users only to intrinsically skilled platforms that augment all users. Command Zero delivers the expert platform for cyber investigations. Expert investigative questions and investigative flows (facets in our terminology) are the investigative fuel of the Command Zero platform. By leveraging this expert content, all tier-2+ users (tier-2, tier-3, incident responders and threat hunters) can deliver expert outcomes every time.

Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.

What if we could create a team of investigators with the ability to collect and harvest the right information, to determine the scope and track investigations in real-time? Command Zero’s question-based investigative approach, combined with automation, ensures no detail is overlooked. This method makes expert knowledge accessible to all analysts. Discover how this empowers Tier-2+ analysts with expert system capabilities in our latest blog. It’s not enough to just provide the query. We need to ask those questions for them, driving deeper investigations and educating analysts continuously. This ensures they understand the process, reasoning, and outcomes, leading to better, repeatable techniques.

Today, Command Zero is coming out of stealth, ready to revolutionize security operations. Command Zero is the industry’s first autonomous & user-led cyber investigations platform. It is built to tackle the most significant bottleneck in security operations: investigations. Supercharging tier-2, and tier-3 analysts (the scarcest talent in security operations) is the most impactful project a CISO can take on. Command Zero is built to deliver this transformative project at scale.