Last year, at the Explore 2023 conference, VMware announced a very interesting product – Project Cypress (it now runs on Intelligent Assist capabilities). This solution allows you to integrate generative AI into VMware security solutions, acting as a co-pilot when investigating information security incidents.
VMware recently showed this product in action:
Security Operations Center (SOC) analysts play a key role in protecting an organization’s digital assets and data. They must continually monitor, investigate, and respond to information security threats on a daily basis. Meanwhile, they face the following challenges:
- Expanding cyber threat landscape – the ever-evolving cyber threat landscape is producing a constant influx of increasingly sophisticated attacks. Analysts often find themselves overwhelmed by the sheer volume of notifications and incidents, requiring additional assistance.
- Fatigue from a large flow of notifications – this is now a common phenomenon among analysts due to the high level of false positives. An AI co-pilot with machine learning capabilities can help filter and prioritize notifications, reducing fatigue and improving overall efficiency.
- Response time – quick response to security incidents is critical. It is AI that can help in this matter by providing timely information on immediate actions to eliminate threats.
- Lack of qualified analysts – this remains a big problem in mid-sized companies. Therefore, automation tools are definitely required here, reducing the requirements for personnel qualifications.
VMware’s generative AI in chatbot form is designed to improve the efficiency of the Security Operations Center solution. Its task is to analyze current notifications of security events related to the network functioning of the virtual data center. VMware has three goals here.
- Help customer Security Operations Center analysts to make better initial assessments of emerging security threats that have been identified through technical means.
- Provide analysts with more context regarding detected threats in terms of the functioning of the infrastructure and the impact on it.
- Provide them with quick response actions that they can take directly from the Project Cypress console window.
If you look at the VMware NSX product console in terms of detected threats and actions to eliminate them, you can see that we have a lot of campaigns and notifications, making it easy to get confused. This is where trained generative AI comes in. It perfectly understands the essence of these notifications, their context in relation to your infrastructure, and has knowledge of exactly how these threats can be eliminated.
Let’s see the Project Cypress solution in action and activate it. After that, you will see that it really reduces all those warnings to just a few dialogs from which you can communicate with the AI as if you were working with a professional virtualization and information security administrator.
As a result of internal VMware testing and analytics, customers have seen significant reductions in response time to threats using generative AI. And the number of notifications is immediately reduced several times, and only useful notifications that you need to work with right now are displayed:
Some campaigns are grouped together because they all look similar. You can see recurring threats grouped and the MITER ATT&CK framework matrix associated with each group.
You can now go to Project Cypress and pose a question or ask for an action to be taken. For example, you can ask something like: “Can you explain this campaign to me? What’s going on there?”
So, we see here a suspicious event of scheduled tasks running, followed by some commands and control traffic, after which data exfiltration occurs (that is, its unauthorized transfer to the outside). Based on the totality of what is happening, this case looks like CryptoWall – a case of Ransomware that encrypts data on disks, after which it displays a message about how much and where the victim has to pay in order to get the decryption key.
You can ask the generative AI how this attack could have happened and what its consequences would be:
You can also ask Cypress to show you options to correct this situation and eliminate the threat:
Please note that Cypress not only talks about what can be done, but also gives its recommendation in this particular case – namely, it suggests disconnecting the virtual machine from the network and dealing with it separately. You are also asked to disable only this suspicious type of traffic.
If you choose to disable only this type of traffic, you are presented with IDS signatures that you can immediately apply to this workload:
After this, the policies will be successfully applied, and you can verify this in the Security > IDS/IPS section:
Conclusion
Project Cypress is an interactive solution for finding network vulnerabilities and solving problems powered by generative AI. It allows you to filter notifications about information security incidents, group them and talk about their potential impact on the infrastructure. You can communicate with AI until the moment when you do not understand exactly how you should act next.
You can then continue to apply policies to, for example, stop data exfiltration and regain command and control. This happens almost instantly, taking only a few seconds. At the same time, you can continue to ask generative AI your questions during the investigation of the incident and after the vulnerability is closed.
The goal of this AI workflow is to process notifications faster and give you more context about what’s happening, rather than having to spend a lot of time searching through consoles for settings and reading documentation.
