How can security operations teams leverage ChatGPT?

Pixelated hand pointing to the word security
(Image credit: Pixabay)

Artificial intelligence (AI) has ushered in a transformative era, revolutionizing various facets of our lives and industries. From healthcare and finance to transportation and entertainment, the impact of AI is truly remarkable.

By harnessing the power of OpenAI's ChatGPT, security operations (SecOps) teams can elevate their capabilities to new heights. This tool has the potential to complement incident response and various other tasks that SecOps teams commonly handle. While it is essential to exercise caution when utilizing1. Always Exercise Caution when Using ChatGPT ChatGPT, adopting a use-case-based approach enables organizations to effectively leverage this tool and unlock its full potential.

Kevin Schmidt

Kevin Schmidt is the Director Analyst at Gartner.

1. Always exercise caution when using ChatGPT

While ChatGPT is a valuable tool for experimentation, insights, and learning, use it judiciously. Organizations must consider the following points when incorporating ChatGPT into their SecOps practices.

First, establish a clear mechanism to scrutinize the usage of ChatGPT, including guidelines on the types of data that can and cannot be entered into a ChatGPT session. Ensuring data sanitization is crucial to protect sensitive information.

Second, select use cases that align with your organization's goals and requirements. ChatGPT's results need to be validated and verified so avoid using it in time-sensitive matters. There are various areas where ChatGPT can prove useful in cybersecurity operations, such as threat intelligence analysis, secure code assessment, identifying security events, risk and compliance analysis and security configuration tuning.

Third, validating the results obtained from ChatGPT is of utmost importance. Senior staff members should initially validate the outputs and establish best practices, while more inexperienced staff members may require mentoring and guidance to effectively validate the results. Validation should include a combination of people, processes, and technology. Complementary tools, both opensource and commercial, as well as internal tools, can aid in the validation process.

2. Interacting and engaging with ChatGPT in an effective way

To ensure the confidentiality of personal and corporate information, avoid entering sensitive data into ChatGPT sessions. Look to obfuscate sensitive information such as usernames, IP addresses, and locations to the best extent possible.

One of the valuable applications of ChatGPT is assisting in building new detection mechanisms. It can help users understand log data and its various components. For example, when onboarding log data into a security information and event management (SIEM) tool, junior team members can leverage ChatGPT to gain insights into the different parts of a log message. By breaking down log messages and providing a synopsis, ChatGPT can aid in comprehension. However, more complex log messages may result in less accurate outputs, so care must be taken in using the results. ChatGPT can be used to generate regular expressions to aid in parsing log messages. Again, this requires validation using tools like Regex101 which can be used to validate the regular expressions generated by ChatGPT.

Additionally, ChatGPT can assist in creating Sigma rules, which can be further validated using tools like Uncoder.IO for rule creation and conversion. A resulting Sigma rule can then be used to create a SIEM-specific query, which should be tested on a representative data set in a non-production environment.

Incident response is another critical area where ChatGPT can be leveraged effectively, as is its ability to assist in developing initial queries to investigate potential user account compromises. By providing sample queries and validating the output, junior team members can develop their expertise in this domain. Junior team members can also leverage ChatGPT to understand initial indicators of malware behavior. For example, they can provide a brief description of a sample or hash value and request insights regarding potential malicious behavior.

We've featured the best productivity tools.

Kevin Schmidt is an experienced professional in the field of cybersecurity, currently serving as the Director Analyst at Gartner. At Gartner, Kevin is an integral part of the GTP Secure Infrastructure team, focusing on Security Operations. He plays a crucial role in areas such as Security Operations Center (SOC) management, monitoring, and vulnerability assessment.