Salem Cyber

Computer and Network Security

Winston-Salem, NC 814 followers

The Virtual Cyber Analyst

About us

Salem Cyber builds Artificial Intelligence (AI) solutions that work collaboratively with people to address scalability challenges in cybersecurity operations. We believe AI is most effective when it can collaborate with people, merging their creativity and institutional knowledge with the scalability of machines. Our product, Salem, is an AI-based cyber analyst designed to increase the number of alert investigations your organization can perform. Salem runs a tier 1 & 2-style investigation on the 100’s or 1000’s of alerts that are too noisy to go into your SOC, and then escalates back the handful that are most likely to be actual cyber threats. By running in some cases 100x or more investigations, Salem gives you the opportunity to identify threats that might have previously flown under the radar, leading to a decreased time-to-detect and an increased ROI of other cyber detection tech you’ve invested in.

Industry: Computer and Network Security

Company size: 2-10 employees

Headquarters: Winston-Salem, NC

Type: Privately Held

Founded: 2021

Specialties: Cyber, Artificial Intelligence, Cybersecurity, and SOC Operations

Updates

  • ☀ Introducing Salem 2.0 ☀ Sun’s out, scams about! Before you mentally check out for summer vacation, Salem 2.0 is here to be your poolside security partner, keeping your digital life guarded while you catch some rays 😎. We have two exciting new features:

    🗣 Slack Integration: Think of it as having a security Mai Tai delivered straight to your chat 🍹 – needed information, always at your fingertips. You can now view threat escalations and Salem knowledge right from your Slack chat!

    🔐 Third Party SSO: Make using Salem a breeze by using your preferred IDP to manage who has access to Salem.

    July 18th, ’24: Beat the heat and the hackers | Salem Cyber Doc Site

    docs.salemcyber.com

  • Interesting article by Gartner discussing the hype around AI and inflated expectations. In a previous post, we discussed the three issues with the new wave of AI that have led to failed expectations:

    🧠 Imperfect Reasoning – Gen AI models were trained on how we speak, but not necessarily on what is empirically true. The model usually aces the language component (as it was trained to do) but fails on the facts.

    🐢 Slow request processing – There is a reason you often hear the term Large Language Model; it’s because they are huge. To run the best ones, you need specialized computer chips that have a lot of memory to load the model, and a lot of processing power to make billions of calculations for each prompt.

    💲 High Costs – Hardware is expensive, hard to get, and you need a lot of it. The R&D investment into models such as the ones behind ChatGPT is in the hundreds of millions of dollars.

    So, how can you choose a cyber GenAI product that is worth the hype?

    1️⃣ Find a narrowly defined mission that is both critical, necessary, and super repetitive. For us, alert triage using GenAI plus other models fits this definition. There is a whole world of ML, AI, and other statistical modeling methods that have been employed for decades. Our strategy is to use the best methods to best address specific reasoning problems. By using multiple models, we can stitch together a pipeline that collectively represents the reasoning a cyber analyst would use to come to definitive conclusions. While there is no one-size-fits-all AI solution for many of the cyber problems we face, relying exclusively on GenAI might lead to inflated expectations and disappointing results.

    2️⃣ Find the AI tools that best fit your problem, not the problem that best fits your AI. We know that cyber is a nuanced business because the technology a business uses is layered with tradeoffs and technical debt. So, training models on lab data just isn’t going to produce the right result. We won’t give away our methods but will say that battle scars teach the best lessons.

  • We're thrilled to announce that Salem is now integrated with Slack! Building on the success of our previous chat integrations, Salem with Slack allows organizations to:

    ⏩ Respond Faster: Address security alerts directly within Slack, minimizing response times and mitigating potential threats.

    🤝 Enhance Collaboration: Facilitate real-time communication and collaboration among security teams, streamlining incident response efforts.

    ⌚ Have 24/7 Oversight: Maintain constant awareness of security threats, ensuring continuous protection even outside traditional working hours.

    We offer seamless connections with leading enterprise chat solutions like Slack, Microsoft Teams, and more! 📩 Message us to find out if Salem works with your preferred chat tools.

  • This week, Salem Cyber turns 3 years old 🎉 We’re so grateful for all of our clients, friends, family, and community who have supported us on this journey. Together, we've built a legacy of empowering cyber operators and enabling them to consistently respond to threats well. Here's to many more milestones together!

  • Great post by Gartner detailing the explosive growth of GenAI. In the cyber space, we've seen this explosive growth in a few different areas. While there are many incredible opportunities for GenAI to support operations, the right one for a company depends on the company's mission for its implementation.

    🤖 Cyber GPT
    These solutions, like Microsoft's Security Copilot, bring the power of ChatGPT into your cyber data. Analysts will be able to ask questions to an AI chatbot that will provide explanations and recommendations. The net effect will be analysts making decisions 20%+ faster; if your analysts review 50 alerts a day, they will be able to squeeze in an extra 10. Other benefits are hard to quantify but equally important; for example, report and presentation writing will improve how analysts communicate to leadership about the threats they encounter.

    👩💻 Automated SOC
    Solutions, such as Salem Cyber, will automate the process of investigating cyber alerts from your security tools. This will include both dynamically creating individual alert enrichment playbooks and understanding the nuance of an alert investigation to make a choice to escalate or not. The benefit of this AI is the speed and scale that comes with analyzing actions flagged as suspicious. In a human-only SOC, there is a hard limit related to the cognitive capacity of your team. In this world, you could perhaps perform thousands of investigations to find the 1 or 2 alerts that need to be escalated to someone in the SOC.

    🔬 Anomaly Detection
    Practically every detection side tool (EDR, SIEM, Cloud) has some form of AI/ML anomaly detection. The idea is that models can review large sets of data, find patterns, and flag new transactions that are suspicious. As data scientists become more indoctrinated in the unique challenges of analyzing data for cyber threats, these capabilities have and will continue to get better. These solutions can help address the emotive question, “I have all this data; shouldn’t something look at what’s in there?”

    We look forward to seeing how GenAI continues to grow in the cyber space!

  • In conversations with clients, industry experts and practitioners, we've heard three common cyber defense challenges.

    🚨 Cyber Alert Overload
    It can take hours to find the few alerts that require attention. In fact, <1% of alerts flowing through the SOC are actionable. Reducing mean time to detect remains a top business priority.

    📈 Expanding Cyber Risks
    CISOs are being asked to protect more digital assets. Ransomware success and AI are encouraging more attacks (an 18% YoY increase) and CISOs are constantly having to address the ever-changing cyber landscape.

    💲 Flat Cyber Budgets
    There is no budget to throw more people at the problem. The industry itself has seen a 65% decline in budget growth so organizations are looking for innovations to help keep pace.

    What do you think? Have we missed any big ones?

  • Yesterday, we discussed how AI cyber analyst agents are driving the 💲 cost of incremental SOC monitoring to zero. But, what does this mean for your team?

    🤝 Stronger Internal Partnerships
    A cyber team is a type of internal service provider. Everyone in an organization has a vested interest in remaining protected from cyber threats. Yet, forging partnerships hasn’t always been easy. The SOC has never had the bandwidth to implement bespoke application monitoring and collaborate back with the app owners to understand expected behavior. AI agents can break down these barriers by compiling timely information from the right people, gaining fuller situational awareness at scale to make better informed decisions about which activity truly requires further investigation.

    💤 More Sleep
    What keeps you up at night? Worrying that something will go wrong when you're not online. The nights, weekends, and holiday teams are often less reliable than your 9 to 5ers, creating concern that you might be walking into some bad stuff the next day. The consistency generated by AI agents will gain your trust, allowing you to relax more when you’re off the clock, knowing that if something pops off, it will be caught.

  • AI cyber analyst agents are driving the 💲 cost of incremental SOC monitoring to zero. How?

    1️⃣ Less reliance on your MDR
    AI will perform your 24/7 alert analysis, replacing what is today a low ROI Tier 1 SOC provided by your MDR. This reduced operational reliance on MDR & MSS partners will benefit both parties. Alert triage is high-risk / low-margin work and a top point of friction between buyers and providers. Good MDRs will pivot dollars from SOC staff augmentation to higher-value work like testing, engineering, analytics, threat hunting, incident response, and intelligence. Buyers will insource a small number of operation staff that gain intimate knowledge of the business and can tune the AI agent more effectively to surface what’s truly important.

    2️⃣ More ATT&CK coverage
    Organizations have long desired better detection coverage against the MITRE ATT&CK framework of adversary tactics and techniques. Yet, the noise generated by many ATT&CK based use cases makes them operational nightmares. Fortunately, with AI agents responsible for the volume work of alert analysis, the overhead of alert noise will no longer correlate to increased overhead. Engineers and researchers will gain the time and the freedom to implement creative analytics that feeds alerts to the AI agents.

    3️⃣ MTTR measured in minutes
    Two toll gates make up 90%+ of this overall MTTR: 1) Time to generate an alert and 2) time to recognize that alert as a threat. Both have been negatively influenced by SOC capacity constraints as the SOC can only handle so many alerts, so you slow down inbound alerts and wait for an analyst to pick them up. AI agents eliminate this problem completely, allowing you to accelerate alerting and get near-instant analysis of threat likelihood. The net impact is you can have analysts containing alerts in under 10 minutes, and even auto containing hosts for the most aggressive threats.

    Stay tuned tomorrow for some additional thoughts 💭

  • What makes Data Loss Prevention (DLP) hard? One word, “intent.” A DLP analyst needs to validate what information is being acted on, by whom (the easier part), and why they are doing what they are doing. The last part speaks to intent, which most often can’t be represented in a log you can easily search. Figuring out intent is not an impractical problem until you realize the overwhelming scale of DLP alerts that could/should be adjudicated. At Salem, we think deeply about how to solve for the scale of DLP and other alerts by leveraging AI technology that works fast to contextualize alerts in the way an analyst works, reduce false positives, and escalate the few likely threats to someone who can act. If you're at Health-ISAC next week, stop by our booth to say hi and learn more about Salem, #datalossprevention, and other use cases!

  • We're thrilled to share that we are sponsoring the Health-ISAC Spring Americas Summit next week! This is a fantastic opportunity for us to learn from industry leaders and practitioners and share more about how we have helped health-related companies augment their cyber operations with Salem. If you are going to be there, stop by Booth 51 to chat!

Funding

Salem Cyber: 2 total rounds

Last round: Seed, US$ 550.0K