Revolutionizing cybersecurity investigations with expert questions and AI

Introduction

Command Zero is pioneering a revolutionary approach to investigations. By harnessing the power of AI and expert knowledge, we've created a platform that investigates like a seasoned security responder. Our question-based system doesn't just provide answers; it guides analysts through complex investigations with the precision and insight of an expert. This innovative approach is transforming how security professionals tackle the most challenging enterprise cases/incidents.

Why investigate with questions?

Our original vision for Command Zero was to emulate the thought process of a seasoned security responder. We quickly realized that experienced analysts approach problems by asking a series of expert questions when given access to data. This questioning process often leads to more questions, mirroring how security professionals think and tackle complex issues.

Evolving tech stacks, threats and investigation scopes

Modern tech stacks, threat vectors and threat volume have expanded logarithmically in the cloud/AI era. Consequently, investigations no longer focus solely on the security stack. During a complex investigation, analysts often need to pivot from security logs to various other data sources, including:

• SharePoint for insider threat investigations

• GitHub for developer activity analysis

• AWS access logs for cloud security

• Okta and other identity providers for authentication insights

This diversity of data sources presents a challenge for analysts: staying abreast of new platforms and understanding the nuances within each.

Embedding expert knowledge

By creating a question-based system, we've embedded years of accumulated investigative and technical knowledge from our research and content development teams. This approach allows us to:

• Make expert insights easily accessible to all users

• Help analysts quickly gain understanding of unfamiliar data sources or log types

• Package questions together to give analysts a significant advantage without extensive ramp-up time.

Guiding the investigation with expert content and AI

Command Zero doesn't just provide questions; it guides the user through the investigative process. Each question in our platform goes through a rigorous creation and validation process, generating critical metadata:

1. Intent: The purpose behind asking the question in a security context

2. Context: The security-related background for presenting the question

This metadata allows our system to propose next steps, suggest areas to investigate, and offer relevant questions based on the user's needs and available data.

The AI implementation delivers AI-assisted investigations and autonomous investigation flows. LLMs are used for the selection of relevant questions and pre-built investigation flows (facets) within investigations, natural language-based investigation guidance, interpretation of data, summarization, reporting and delivering verdicts.  

Advantages of leading with questions

Our question-based approach offers several key benefits:

Key benefits

1. Guided Investigations: Users are led through a "guided tour" rather than having to understand and navigate the path themselves. The encoded knowledge in the platform, coupled with automation and AI capabilities deliver the best AI-assisted investigation experience available.  

2. Controlled Inputs and Outputs: LLMs are run in structured patterns and LLM outputs are validated continuously. These practices minimize the potential for model hallucinations or incorrect verdicts while leveraging AI.

3. Cost and Speed Optimization: By controlling the investigation flow and balancing traditional techniques and LLMs, the duration and computational costs are optimized.

4. Pre-Enriched Data: The platform enriches data before presenting it to the large language models, reducing iterations and improving efficiency.

Adaptability and continuous improvement

The Command Zero platform is designed to evolve based on user interactions:

• The investigation path adapts based on newly produced data.

• User inputs, such as annotations, comments, labels, and tags, influence the system's guidance.

• Our approach allows for dynamic adjustments to inputs and outputs, optimizing for the most effective investigation outcomes.

• The Command Zero Security Research team publishes new questions every Wednesday for all of our users. Most questions are built based on customer requests and use cases. When a question is built, it is made available to all Command Zero users, benefiting the entire community of analysts on the platform.  

For example, a new investigation about Jack Black starts with:  

• The user’s credentials, permissions, devices and high-level access information across systems. This is especially helpful in complex environments with thousands of users, multiple identity providers and isolated systems.

• Previous notes and tags about the user,

• Previous investigations where Jack was involved.  

So, analysts get a head start with all historical and current context about the user. The platform suggests which questions or facets (pre-built investigation templates) to run and then suggests follow-up questions based on the responses to these questions. Based on the learnings from this investigation, analysts can save their investigation flow as a facet and re-use it in similar investigations to save time and improve consistency.  

Consistency and repeatability

Every analyst has a different background and way of thinking, resulting in different investigation flows for similar cases. This makes it difficult to standardize investigation flows and make sure all necessary questions are being asked for each investigation.  

Command Zero helps standardize the investigation sequence for similar cases, so all analysts go through predictable flows that reflect the best practices. On top of these flows, every analyst can easily go deeper into branches of the investigation that they are interested in. This approach offers a good combination of consistency and repeatability, while encouraging individual curiosity and strengths for each analyst.

Collaboration and knowledge sharing

The Command Zero platform is designed with collaboration in mind:

• Multiple analysts can work on a single investigation.

• The sequence of questions and events is readily available to all analysts.

• Case handoffs and escalations are streamlined, as the entire investigative history is preserved.

• Steps and findings can be easily shared among team members. This creates opportunities for peer reviews, coaching and learning from past investigations.  

How a question-based investigation compares with alternative methods

There are significant benefits to a question-based investigation model. Here is how Command Zero’s approach compare with alternative approaches to investigations:  

Command Zero vs. AI Chatbots

While AI-powered SecOps chatbots are making waves in the industry, our approach differs significantly:

• User Knowledge: Chatbots require users to know what they need and how to articulate that need for the chatbot and the underlying LLMs to understand. Depending on an analyst’s background, the input they provide will be different, and the output of chatbots will vary, causing drifts in investigations. For example, a BEC investigation can be handled in completely different ways by two analysts with different backgrounds. Command Zero minimizes this requirement with an encoded knowledgebase right out of the box.

• Structured Input: Chatbots receive any user input and try to make sense of them, resulting in hyperbole and non-deterministic results. Command Zero phrases questions in a way that's easily consumable by our model, incorporating context, intent, and associated investigation data.

• Cross-Data Source Relationships: Chatbots require multiple prompts to switch between data sources, potentially drifting with each step. Command Zero provides a more structured approach where questions can be chained together, allowing for powerful investigations across multiple data sources in a predictable way.

For example, an analyst with a networking background will prompt an AI chatbot very differently compared to an analyst with an endpoint background. Their experiences and verdicts will vary significantly based on how they prompt the chatbot.  

Command Zero vs. Query-Based Approaches

Our question-based approach offers several advantages over traditional query-based methods:

1. No Query Language Expertise Required: Users don't need to understand complex query languages or data structures for each data source. Similarly, this means that an analyst can create investigation sequences during an investigation, rather than relying on a security content/engineering team to build these components for later use.  

2. Broader Data Access: Users can access data sources using a federated data model, gaining a level of data coverage that may not be available in centralized security stores like Splunk. For example, an investigation may be triggered by a SIEM/SOAR alert, but not all information that analysts need to reach a verdict may be collected in centralized data stores. So, analysts may need to individually collect data from EDR, multiple SaaS applications and file sharing services.  

3. Immediate Scope/Impact Identification: During investigations, analysts can pull a broader scope of logs or context from data sources, going beyond what might be typically pushed to centralized. This helps define the impact radius and severity of cases in seconds rather than hours.  

For example, an analyst may be proficient in KQL and gather data from systems using this method, but they may not be able dig deep into resources that require Lucene or SPL. Similarly, analysts may limit data collection to centralized data repositories if they don’t have the technical expertise and the access to collect data from individual resources directly.  

Command Zero vs. AI SOC analysts

Command Zero’s focus is on tier-2 and tier-3 case investigations (aka escalated cases), so the focus is fundamentally different compared to AI SOC analysts, which primarily focus on alert triage and tier-1 tasks. That stated, we frequently get questions on how we compare with these solutions:  

1. AI SOC analysts are designed to tackle triaging and simple tier-1 cases. They are great at these simple tasks, yet they break when faced with complex cases that require deep reasoning.  

2. They don’t provide a transparent and auditable flow for their decision making. Hallucinations are unpredictable and out of control by design. Having a human in the loop to check for them can be expensive,  

3. Agentic approaches are often serial in implementation and agents calling tools, parsing and incorporating tool output, will be slow by design. These solutions demo well in controlled environments but will face performance challenges in real-life situations.  

4. Agentic approaches can become expensive to run depending on the level of interaction between agents, data and tools

Command Zero selectively uses LLMs for structured decision-making processes, eliminating most of the issues stemming from agentic LLM implementations. The platform comes with embedded technical and investigation expertise in the form of questions and facets. The AI implementation delivers AI-assisted investigations and autonomous investigation flows. LLMs are used for the selection of relevant questions and pre-built investigation flows (facets) within investigations, natural language-based investigation guidance, interpretation of data, summarization, reporting and delivering verdicts. There are structured controls in place to eliminate hallucinations and non-deterministic results.

Conclusion

By leveraging questions as the foundation of our platform, Command Zero is revolutionizing the way security investigations are conducted. Analysts benefit from a guided, collaborative, and efficient approach to investigations that adapts to their needs to run complex cases to the ground. Thanks to a question-based approach, analysts can complete investigations in minutes instead of hours, collaborate and learn from each other and build institutional knowledge with each investigation.

Check out our platform page to learn more about Command Zero’s question-based approach to investigations.