Generative AI for CIRA and CDR, Cloud Threat Detection and Response Automation, with Skyhawk Security

Every cloud infrastructure can be infiltrated; it’s an inconvenient truth. But employing Generative AI for CIRA and CDR (Cloud Threat Detection, Investigation and Response Automation), an emerging cyber security technology, coined by Gartner on their most recent Hype Cycle, is proving to be a scalable response, at least according to Israeli startup Skyhawk Security.

With the rising cloud usage and increasing sophistication of malicious Generative AI for hacking techniques, we’re quickly heading to a future akin to the wild-wild-west of cyber activity and enterprise vulnerability. Nowadays, hacking is not reserved for versed cyber criminals, everyday folk can take part due to the ease of use of Generative AI tools. Spend a few minutes on ChatGPT and voila: you’ve got a convincing email ready to compromise the network of a fortune 500 company impersonating a pressing email from the CEO. Up the ante and subscribe to WormGPT or FraudGPT: Large Language Models (LLMs) built on GPT-J designed to circumvent safeguards enforced by GPT LLMs when prompted for malicious intents, like writing malware code (but with some clever prompting, the same has been demonstrated to be achieved on ChatGPT). You’re now equipped to generate malware and send a phishing email to fool an unsuspecting employee into downloading it on their organization’s network and wreak havoc.

Inside the enterprise, where the majority of operations are conducted and stored in the cloud, and where an incident can result in a multi-million dollar loss, cloud security is rapidly unraveling and vulnerabilities are growing at an incomprehensible rate. In large part thanks to the rise of Generative AI. Last year, Thales Global Cloud Security Study found that 45% of businesses experienced a data breach in their cloud environment. This year’s figures will likely top that. There’s too much exposure and low hanging fruit for hackers, like misconfigurations, insecure interfaces and APIs, unauthorized access points or DDoS attack vulnerability. “I’m getting calls everyday and it’s only intensifying,” said Chen Burshan, the CEO of Skyhawk Security, an Israeli startup attempting to secure the entire cloud landscape. Their unique approach is proving formidable among the cloud security community; using Generative AI to stop a potential threat in its tracks, but in real-time and not after-the-fact.

Skyhawk Security is attempting to reshape the cloud security landscape with their Generative AI powered Shift Left CDR (Cloud Detection and Response) and Cloud Security Posture Management (CSPM) technology.

In 2022, Skyhawk was spun off from Radware, an industry veteran in cybersecurity. The board’s decision to make it a standalone entity has proven astute. Earlier this year, the company secured $35 million in funding from Tiger Global Management and brought in industry veteran Chen Burshan, formerly GM and led the Israeli site at Dome9, a cloud security company acquired by Check Point at 2018.

"We're scaling up [Skyhawk] to become a large and significant provider of cloud threat detection and response," said Burshan. Skyhawk's technology connects to a customer’s cloud environment, monitoring activities in near real-time. By employing machine learning (ML) models and Generative AI, the platform detects suspicious behaviors and blocks them before they become full-blown security incidents, like moving laterally and exfiltrating data. 

For the non-cyber initiated, the typical cloud security vendor’s offerings are analogous to strong locks for all the doors of a home. But in case a thief manages to pick those locks, motion detectors are the second layer of defense to intrusions, the offering of Skyhawk in a nutshell, explained Burshan.

"In March, we added Generative AI, integrating GPT-4 and other proprietary LLM agents into our detection flow," explained Amir Shachar, Director of AI and Research at Skyhawk and author of Semi-discrete Calculus. This unique implementation allows Skyhawk to label all data securely, thereby enhancing the capability to identify malicious activities, if they are in fact malicious. “The reason we use AI and Generative AI is specifically because it affords us the opportunity to learn and block the behaviors that aren’t yet known - the unknown unknowns.” The attack signatures of hackers and sequence of malicious behaviors are typically known in the cyber security ecosystem, but they evolve.

Traditional Cloud Threat Detection systems start the detection process with events close to the perimeter. This has proven problematic for two reasons: alert fatigue caused by non-priority events and late alerts on high-risk incidents - false positives and false negatives. Skyhawk’s Shift Left CDR innovation addresses these issues head-on. Their technology begins threat detection before any event occurs, focusing directly on the organization's most critical assets. The system analyzes the topology and paths to the crown jewels and prioritizes incidents that are likely to end up on a critical asset. This enables more effective and timely responses to threats.

Skyhawk employs a centralized approach, harnessing customer data to construct a universal model capable of accommodating a more comprehensive range of security incidents. It is a significant advantage in an era where data provenance can be a concern.

Their analysis technology is three-pronged. First, they employ ML to detect malicious behavior in the cloud accounts (network, IAM, IOCs etc), in other words, anomaly detection. Second, another ML layer correlates these behaviors, differentiate benign from real events and build a correlated attack flow indicating how malicious an incident really is. And third, their Generative AI layer rapidly score these incidents against industry data and transform it into actionable insights. The startup debuted their technology update in March this year. 

When Burshan joined Skyhawk, CDR was considered merely a part of a broader CNAPP category. “As the industry matures, it will become evident that CDR will have its own standalone category,” he said. This prediction seems to have come true with Gartner recently introducing the term Cloud Investigation and Response Automation (CIRA) to describe this emerging field.

Cloud Investigation and Response Automation (CIRA) is an emerging technology category aimed at enhancing cloud security by automating aspects of threat detection, investigation, and response in cloud environments. Traditional approaches to cloud security are often manual, partial, and time-consuming, given the complexity and volume of data generated in the cloud. CIRA seeks to alleviate these issues by providing automation tools that can quickly identify and respond to security threats in cloud-based systems.

Key capabilities often included in CIRA platforms are Automated Threat Detection, Data Fusion, Accelerated Investigation and Response, and Multi-Cloud Environment Support. The inclusion of CIRA in the Gartner Hype Cycle indicates growing awareness and interest in automating cloud security procedures, and the technology is likely to gain traction as more businesses move to cloud-based operations.

As it stands, the pace of cloud innovation has outstripped traditional security measures. Skyhawk believes that it’s essential to adapt and provide new layers of security that can keep up with rapid changes. "The way to infiltrate an organization is much easier compared to what it was before," said Burshan.

Skyhawk’s Shift Left CDR technology is also rooted in a rich data set built over years, amounting to thousands of documented incidents. The company claims its the largest dataset in the CDR/CIRA category. This advantage allows them to train their AI models more effectively, setting them apart in a growing market.

The integration of Generative AI and ML in Skyhawk's new Shift Left CDR technology significantly enhances the productivity of security teams. With an uptick in cyber threats and growing demand for efficient cloud security solutions, Skyhawk is positioning to redefine how organizations protect their cloud environments and mitigate the looming weaponization of Generative AI in the cloud.