In response to the client’s interest in leveraging the latest advancements in generative AI for cybersecurity enhancement, I was tasked with the exciting project of crafting and deploying a standalone, AWS-native Security Copilot. This innovative solution is engineered to swiftly parse security alerts, enrich them with customized data sources, generate actionable remediation steps, and produce insightful reports for analyst evaluation, saving time and money.
Business Problem:
- The business faces a cybersecurity challenge due to the abundance of unstructured data, requiring security analysts to manually interpret and analyze it using various tools.
Project Goal:
- Determine whether or not generative AI could be used to augment cybersecurity operations.
Solution:
- Log data from AWS Security Hub
- Automated data cleaning pipeline that queries the data, cleans, formats, and eventually stores it in AWS Athena.
- Data warehouse for cleaned data.
- JSON data is sent to Anthropic Claude 2.1 for summarization. The output is a plain text description detailing what happened in the alert.
- Next, Claude 2.1 provides a synthesis (if necessary) of the alert including the suspected MITRE ATT&CK techniques.
- This text data is used to semantically query 3rd party data such a threat intel feed.
- Based on all previous data, the Claude 3 provides suggested remediation steps for the AWS CLI and AWS Console.
- Finally, all data is placed into a report template for an analyst to complete.
- The data is made available in a user interface for the analyst.
- The LLM was accessed through AWS Bedrock
- Data systems were built on GCP & Qdrant