July 10, 2024 | 10 min read

Transforming cyber investigations: The power of asking the right questions

What if we could create a team of investigators with the ability to collect and harvest the right information, to determine the scope and track investigations in real-time? Command Zero’s question-based investigative approach, combined with automation, ensures no detail is overlooked. This method makes expert knowledge accessible to all analysts. Discover how this empowers Tier-2+ analysts with expert system capabilities in our latest blog. It’s not enough to just provide the query. We need to ask those questions for them, driving deeper investigations and educating analysts continuously. This ensures they understand the process, reasoning, and outcomes, leading to better, repeatable techniques.

Dean De Beer
Cofounder & CTO

In the ever-evolving landscape of cybersecurity, the complexity and volume of threats continue to escalate. At Command Zero, we've recognized the need for a change in how investigations are conducted. Our platform is designed to empower every tier-2+ user (tier-2, tier-3, incident responders and threat hunters) with advanced expert capabilities, fundamentally changing the game in cyber investigations.

The Modern Cyber Investigation Challenge

Today's enterprise environments are a labyrinth of interconnected systems. Security analysts are expected to navigate dozens of individual tools and platforms, each with its own unique intricacies. From Identity and Access Management (IAM) systems and Security Information and Event Management (SIEM) tools to Endpoint Detection and Response (EDR) solutions and Data Loss Prevention (DLP) platforms, the list is extensive and ever-growing.

The challenge with investigations doesn't stop at security-specific tools. Analysts must also be proficient in various non-security systems such as SaaS applications, productivity tools, and cloud infrastructure platforms like GitHub, M365, AWS, Azure, or Google Cloud. Each of these systems requires deep, often administrator-level knowledge to fully understand and effectively investigate.

This creates a paradox: while tier-2+ analysts (tier-2, tier-3, incident responders and threat hunters) are expected to have expertise across all these systems, it's impossible for any individual to be an expert in everything. For instance, an analyst who's a guru in Okta, Microsoft Exchange, and CrowdStrike EDR may struggle with GitHub, AWS, and Proofpoint, or vice versa.

Furthermore, these systems are often managed by different administrative groups within an organization. Security operations teams frequently lack direct access to all systems, especially those outside their immediate purview. This becomes particularly problematic when dealing with escalated cases that typically span multiple systems across various organizational domains.

The Scarcity of Tier-2+ Analysts and Incident Responders

Tier-2+ analysts are among the scarcest profiles in cybersecurity today. Despite accounting for only a small fraction of the cyber team, they are responsible for handling the most critical activities in security operations.

These teams are tasked with managing all escalations and subsequent incidents across complex modern environments. Each case can span multiple sites, clouds, and SaaS applications, potentially touching dozens of cyber systems along the way.

The State of Cyber Investigations Today

The reality is that most organizations conduct escalated investigations as a best-effort activity. These efforts are often led by individuals with innate knowledge about the environment and organizational context.

Tier-2+ analysts are chronically oversubscribed, with more escalations than they can handle. This results in many potential incidents waiting for thorough analysis, with some never receiving adequate attention.

A typical cyber investigation involves significant time spent on groundwork before getting to the core analysis. This includes collecting data from various sources, requesting system access, and consulting administrators for guidance. Post-investigation tasks like generating timelines, packaging information, and writing reports add to the workload.

In the cybersecurity industry, we've become accustomed to solutions designed for advanced users with extensive subject matter expertise and platform-specific training. This approach, while convenient for software vendors, places a significant burden on users and organizations.

Similarly, the recent trend of integrating Large Language Models (LLMs) into cybersecurity tools often still requires users to know what questions to ask and how to prompt the AI effectively.

The Command Zero Solution

When we sat down to better understand the scope of the problem and the knowledge required, we closely looked at what expert investigators do before, during and after an incident. This led to the question: What if we could create a team of investigators with the ability to collect and harvest the right information, to determine the scope and track investigations in real-time? A team who could tackle the 'last mile' of investigations and take actions to track, mitigate and remediate attacks.

Analysts can review autonomous sequences and dig deeper, or kick off user-led investigations using pre-built questions and flows.

Command Zero’s goal is to deliver a product with expert capabilities accessible to the general practitioner. There is limited benefit to the security industry to build yet another system designed exclusively for expert users. We are building an expert system, not a system for experts, to enable all tier-2+ analysts, and in turn have a greater impact in an organization’s ability to respond and prevent future incidents.

A well-prepared team, detailed visibility into the operational status of the environment (what and who are on the network), access to both current and historical data, and real-time analysis of that data are the building blocks of effective and successful investigations.

Technology-Specific Expertise and the Power of Questions in Cyber Investigations

At the heart of Command Zero's approach is the recognition of the critical role that questions play in cyber investigations. The right questions help investigators understand the nature and scope of an incident, identify potential causes and consequences, and develop effective action plans. They also help the investigator identify the key elements such as the targets, the attackers, the methods, and the consequences.

Asking the right questions and interpreting answers determine the outcome of every investigation.

Command Zero is built around this question-based investigative approach. It provides a comprehensive platform for asking the right questions across all relevant systems and data sources, then helps interpret the answers to build a detailed narrative of each case.

Command Zero doesn't just provide data access; it encapsulates the expertise of top-tier investigators within the platform, making it available to all users. The platform not only provides a comprehensive knowledge base but recommends and executes questions and investigation paths for each connected data source, making it more likely that every system involved in a case is covered.

Moreover, it assists in interpreting results and drawing conclusions based on carefully curated knowledge. This feature essentially democratizes expertise to all users, allowing less experienced analysts to benefit from the insights of seasoned professionals.

The system's intelligence goes beyond static recommendations. Questions asked during an investigation can be automated and repeated, generating new questions based on the answers received. This creates a dynamic, ever-evolving investigative process that becomes more effective and efficient over time.

Direct Access to Data and Context

While building Command Zero, we've reimagined how analysts interact with data sources during an investigation. Instead of requiring direct system access or deep technical knowledge, our platform abstracts the complexity away. We use a federated data model that connects directly to data sources via existing APIs, allowing analysts to interrogate any system using pre-built, natural language question sets.

This approach is a significant departure from the industry standard of funneling logs into a central platform for filtering and normalization. With Command Zero, analysts can query systems on-demand, without worrying about the intricacies of data access or the complexities of the data structures.

Our Security Research team has invested considerable effort in integrating and maintaining the data sources, normalizing data, and creating a uniform experience across diverse sets of data. This allows analysts to focus on the investigative process rather than grappling with technical hurdles to get to the data.

Historical Data for Context

Context is crucial in any investigation. Command Zero makes all previous investigations and their associated notes, comments, labels and annotations readily available to analysts. With every question asked or note taken on the platform, your teams build institutional investigation history, which then becomes institutional investigation knowledge. This gives analysts a quick understanding of the historical behavior and context of the subjects under investigation, so they can speed up investigations while making better, more informed decisions.

For instance, when looking into a potential account compromise involving an employee, analysts can instantly access their role, previous investigations related to them, and any additional relevant context and activity.

This capability not only speeds up investigations and improves accuracy but also facilitates seamless handovers between analysts. New team members can quickly get up to speed by reviewing the steps of ongoing or past investigations related to the leads in scope.

Automation and Autonomous AI

While the insights and creativity of the analyst are crucial in investigations, machines outperform in executing repetitive tasks and analyzing large data sets. Command Zero leverages both strengths by incorporating automation and LLMs to augment human investigators.

Our platform can automatically ask dozens of follow-up questions based on initial findings, exploring numerous avenues of investigation simultaneously. This capability significantly reduces the "grunt work" involved in investigations, allowing human analysts to focus on higher-level analysis and decision-making.

One of the ways Command Zero improves the investigation experience is by reducing the toil for analysts. This involves abstracting data access and providing expertise for each data source (as covered in previous sections), along with automating segments of investigations or entire investigations end to end.

Any sequence of investigation questions can be saved into a facet (a dynamic playbook) which can be run autonomously or on demand for similar cases. These sequences resolve some cases without analyst input and present the investigation steps, outcomes and reporting for review. They can also be triggered manually by analysts to run repetitive tasks, saving time and providing consistency in how cases are handled.

Facets bring best practices to all users out of the box; they can also be built without code to capture consistency and institutional knowledge.

All questions, responses and deductions in an investigation can be reviewed step by step by analysts, who can layer user-led questions on top of these autonomous capabilities. This combination of automation and dynamic analyst input delivers the best investigation outcomes available today.

During an investigation, each question and response is interpreted and summarized by LLMs in the context of the investigation and the organization. This helps analysts better interpret the responses from data sources. The same capabilities also generate timelines and end-to-end reports for investigations, saving valuable cycles for all analysts.

Our principles for LLM implementation

Implementing LLMs (and AI capabilities) is a hot topic in every industry, and cyber is no exception. We believe LLMs present huge potential for our industry. That said, we do not share the belief that AI is the silver bullet that solves every problem in our space.

So far, we've taken a pragmatic approach to implementing LLMs in the platform. We've made the decision to use LLMs and embedded vector stores to augment the analyst experience. We don't rely on them for the questions themselves or for the core functionality of the platform. We use LLMs to help drive investigations behind the scenes. Reporting and contextual analysis are good examples of where LLMs are heavily used on the platform today.

Advanced LLMs help save cycles on reporting and help ensure that no detail gets overlooked during investigations.

The questions we create, and the associated context and intent we generate, are designed to provide input that helps the models make better decisions and propose additional actions.

This approach ensures that while AI enhances our platform's capabilities, it doesn't become a crutch or a point of concern for organizations with reservations about the implementation of AI. Our customers can opt to run the platform with LLMs managed by Command Zero or by bringing their own LLMs.

From Art to Science: Standardizing Cyber Investigations

Traditionally, cyber investigations have been more art than science. The lack of uniform processes, tools, and technological expertise has led investigators to develop unique, often bespoke methods to resolve escalations. While this creativity should be encouraged and is admirable, it creates a high-risk setup even for well-funded teams, leading to issues with attrition, repeatability, and consistency of results.

Command Zero aims to transform this landscape by standardizing the investigative process. By providing a structured, repeatable approach backed by expert content, automation and AI, we're making high-quality investigations accessible to a broader range of organizations, not just those with extensive resources and access to top-tier talent.

The Future of Cyber Investigations

As cyber threats continue to evolve in sophistication and scale, the future of investigations lies in expert content, intelligent automation and AI augmentation.

It is no longer enough to simply give users the means to query available data, or even to provide the queries or questions for the user to ask. We need to continuously ask those questions for them, with the answers returned driving further questions or paths of investigation for the user to follow. In doing so, we need to describe the process, reasoning and outcomes produced, ensuring that the analyst is continually educated in new techniques and in repeatable, trackable investigative processes.

Command Zero is at the forefront of this new paradigm. By combining the best of autonomous capabilities with human intelligence and creativity, we're not just improving investigations – we're revolutionizing how organizations detect, investigate, and respond to security threats, and we do so transparently, so that every step of the process, its reasoning and its outcomes remain visible to the analyst.

In conclusion, the Command Zero platform represents a significant leap forward in cyber investigations. We are empowering security operations teams to work more effectively than ever before. We achieve this by addressing the key challenges of modern security operations – from data access and expertise gaps to the need for historical context and intelligent automation. Our platform addresses the universal challenges faced by organizations of all sizes and verticals, transforming the often-chaotic nature of cyber investigations into a more structured, efficient, and scalable process. As cyber threats continue to evolve, so too will Command Zero, always staying one step ahead to keep our clients secure.

In upcoming blog posts I’ll go into more detail on our approach and technology decisions.

Please check out our platform page to learn more about Command Zero.
