top of page

Cybersecurity’s Miracle Years with Generative AI

Annos Mirabilis: Part 2 of 2

2023 began as the year of Generative AI, and 2024 begins with its transformative application to Cybersecurity

System Two Security is the industry’s first generative AI native cybersecurity product that goes beyond superficial copilots and uniquely applies the underlying structure of large language models (LLMs) for empowering enterprises to counter new unknown threats at machine-speed and disrupting the inefficient sprawl of detection tools in SOCs. This two-part blog delves deep into the challenges of cybersecurity and the product’s application of generative AI technology to address them. The first blog had analyzed the challenges of cybersecurity including an uneven arms race stacked up in favor of adversaries, an unfulfilled promise of AI adoption and untenable risks of SOC platform consolidation.

The company is releasing its maiden product, S2S Insights, at the upcoming RSA 2024 and the product’s early access program (EAP) is open for sign-ups for trailblazer enterprise SOCs and managed security service providers who want to get ahead of the curve in the adoption of generative AI for cybersecurity.

Hidden Generative AI Gems for a Level Playing Field in Cybersecurity

While the recent advent of generative AI has taken over the world, large language models’ (LLMs’) off-the-shelf natural language-based reasoning capabilities cannot bring new cybersecurity competencies to an enterprise. Shallow applications of off-the-shelf LLMs, dubbed as security copilots, bring incremental productivity to enterprise SOC workers in the form of semantic search, information retrieval, text summarization and code generation. While they bring some respite to the overstressed work life of SOC analysts, they neither dent the undue advantages of the adversary nor resolve the conundrum of tool proliferation. However, the underlying transformer structure behind LLMs can prove to be a hidden gem when applied on cybersecurity in a specialized way beyond the narrower language-related context. The Hive Think Tank event last year with two faculty members from Princeton University, including a co-author of the seminal GPT paper, explored such applications of LLMs beyond language (video recording).

The cornerstones of LLMs need to be reapplied to build a generative AI powered level playing field in enterprise cybersecurity:

  • Threat actor behavior graph-as-sequence: Off-the-shelf LLMs capture semantic and linguistic relationships between words (“tokens”) and infer based on them to generate sequences of words. When applied to cybersecurity, the LLM needs to capture the relationships between threat actors’ behavioral actions, risks, and responses. This encodes a more formal graph-like structure into the LLM comprising of a very large corpus of inter-related threat actor actions and further generates new potential relationships. This is a novel alternative to the internal structure of the LLM and the metric (called “attention”) to be optimized to generate new sequences of threat action behaviors. Recent research results from Amazon have also confirmed the viability and scalability of such graph-as-a-sequence based LLM structures.

  • Ambiguous unstructured threat intelligence as prompts: The human-driven threat hunting world has evolved powerful threat intelligence sharing networks, which have been recently bolstered by Federal agencies. It is a very organic, decentralized, and resilient network powered by peer-to-peer threat information sharing and hubs that aggregate these chatters. However, these are often conflicting and ambiguous; hence struggle to scale within an enterprise due to lack of highly skilled professionals to separate the signal from noise. Specialized threat actor behavior LLMs (as described above) can be very effective in reasoning, validating, and responding to such firehose of threat intelligence at scale.

  • Enterprise system context-as-encoding: Vector encodings have proven very effective to constrain LLMs with large corpuses of textual knowledge. However, threat actor behavior LLMs need to capture complex enterprise system structures as embeddings, which will efficiently capture the combinatorial complexity. Recent graph-vectorization research results have shown multiple graph-aware encoding structures that can effectively scale to constrain LLMs with complex system relationships.

  • Zero-shot threat actor behavior prediction: Graph-as-sequence LLMs with the right tokenization become prediction engines that generate possible sequences of threat actor action based on highly ambiguous threat intelligence prompts, while satisfying the encoded enterprise system constraints. Such graph-LLM-as-predictors have been implemented in biochemistry for use-cases like protein sequence predictions. Due to the generative nature of such LLMs, the predictions are zero-shot in nature without requiring training for specific novel sequences (such as predicting a new variant of an attack).

  • Transferable inference abstracted away from data: The abilities of fine-tuning LLMs and constraining them with vector embeddings can be used to create a decentralized mesh spanning across enterprises without requiring centralization of data. We have already seen this evolve with code generation, where the same code generation LLM is used across enterprises without sharing sensitive source code. Such a mesh of context in the form of fine-tunings and embeddings can effectively transfer learnings without sharing data.

System Two Security: An alchemy of language models.

System Two Security has pushed the frontiers of generative AI to make cybersecurity a level playing field for enterprises. The product has systematically applied the aforementioned foundational cornerstones of LLMs to break the limitations of traditional AI and empower enterprises to hunt new threats & attacks at machine speeds. System Two Security is an instantiation of The Hive’s thesis on the next generation of generative AI native applications.

Enterprise SOCs & managed security service provider customers can now hunt for new attacks and adversaries within minutes (of discovering about a new unknown threat actor behavior) by using its novel custom fine-tuned language agents to profile, detect and contain new threats. This has proven to be a direct path for enterprises to counter threat actor behavior. It displaces the need for depending on multiple tool vendors and reduces mean time to contain new threats to minutes. It, hence provides a strong viable path for enterprises to consolidate SOC tools towards a unified & efficient underlying data infrastructure.

System Two Security (S2S) is working with its initial cohort of customers with two major product releases this year:

  • S2S Insights (May 2024 during RSA 2024): This product reasons over live threat intelligence text feeds from integrated sources and aggregators (like Microsoft, Splunk, CrowdStrike, MISP, Feedly etc.), and generates detection rules within minutes for SOCs to respond to new threat actors. It ensures the most relevant threat actor is at the top of the SOC analysts’ attention in real-time, and counters even the fastest threat actor behavior. This product needs no integration with SOC systems (like SIEM, XDR etc.) and can be deployed with a single-click. It delivers dramatically better mean time to detect (MTTD) and mean time to identify (MTTI) metrics for new threats from the time the first threat intel is accessed.

  • S2S Hunter (Fall 2024 during Black Hat USA 2024): This product automates the entire end-to-end threat hunting cycle by using detection rules generated by S2S Insights for generating threat hypotheses, hunt plan, executing the hunt queries, identification of new threats based on their responses and generating a containment plan. It offers out-of-box integrations with leading SOC systems like SIEMs (e.g. Splunk), XDRs (e.g. CrowdStrike) and data lakes (e.g. Elastic) with seamless data schema discovery and query generation. The product delivers industry leading mean time to contain (MTTC) metric for new threats from the time the first threat intel is accessed.

System Two Security's new approach of leveraging LLMs abstracts threat hunting as generative graph traversals and interleaving hypothesis-generation, querying and response-based reasoning

Entering the Era of Generative AI with System Two Security

In summary, System Two Security powers enterprise SOCs to race ahead of new adversarial threats with generative AI:

  • S2S Insights product release next month (May 2024) delivers machine-speed detections of new attacks and threat actor behaviors.

  • S2S Hunter product release later during Fall 2024 brings full-fledged near real-time threat hunting for new threat actor behaviors.

  • As System Two becomes the primary engine for direct creation, versioning and up-gradation of all active detection rules, enterprise SOCs reduce their indirect dependency on legacy SOC tool detection rules. This significantly mitigates the SOC teams’ tool fatigue.

  • System Two Security’s generative indexing features drive threat pattern-based prioritization, caching and indexing of log data. This dynamically optimizes the enterprise’s data infrastructure in response to changes in threat action behaviors.

  • The combination of the above two factors paves a clear path towards radical consolidation of SOC data infrastructure.

System Two Security is bringing bleeding edge advancements in generative AI to our customers and radically transform their SOC capabilities, tools, and infrastructure. Sign-up to our early access program (EAP) to begin your generative AI powered journey to transform and consolidate your SOC.

74 views0 comments

Recent Posts

See All


bottom of page