Transforming security operations with AI
Explore the implementation of Elastic’s AI Assistant for streamlining our InfoSec threat intelligence process. Results we’ve seen since launch include:
- Boosted analyst efficiency: We were able to reclaim 75% of analyst time by automating threat data aggregation, freeing them up to focus on high-value analysis.
- Increased proactive output: The assistant drove a 92% increase in threat intelligence reports, enabling a more proactive defense and better stakeholder engagement.
- Platform validation: The success of our AI Assistant proves our Search AI Platform's power to strengthen security operations and optimize critical resources.
The goal
Strengthen our security posture by embedding AI into existing workflows
More than 95% of C-suite executives believe that security AI assistants that proactively detect and remediate threats can improve team productivity and reduce organizational risk. To create a stronger security posture for our customers, our partners, and our own organization, Elastic Security built a generative AI security assistant to empower security analysts.
We use the Elastic AI Assistant to transform our information security (InfoSec) team’s threat intelligence process, increasing the efficiency and effectiveness of threat analysis. By embedding AI into analyst workflows, our security teams can develop actionable intelligence faster, ultimately contributing to a stronger security posture for our organization.
75% of security analysts' time recouped
92% increase in threat intelligence reports created
Improved visibility and actionable recommendations
Our AI Assistant, built on Elastic’s Search AI Platform, streamlines our threat intelligence process. Six months after launch, threat intelligence analysts are reclaiming 75% of their time by reducing the time spent on meticulous information aggregation for reporting purposes, allowing them to focus on analysis and actionable recommendations.
“There are massive amounts of data that are generated, both by existing environments and our growing usage of cloud and SaaS services. How do we understand and make sense of what’s happening? The scale is something humans are unable to analyze and process on their own. AI is critical to the success of any security team today.”
— Mandy Andress, CISO, Elastic
The challenge
Keeping up with attackers in the AI era
Threat intelligence provides actionable insights about adversaries' tactics, techniques, and procedures (TTPs) and is a critical first step in building a foundation for a proactive security program.
The escalating use of AI by attackers, compounded with the difficulties of keeping pace with the threat landscape, amplifies existing challenges:
- Scale of threat landscape: The growing attack surface, resulting from our increasing use of SaaS applications, makes it challenging to keep up with the scale of emerging threats and adapt quickly.
- Inefficient manual reporting: Faced with a constant stream of new threat reports from disparate sources, analysts have traditionally relied on manual collection, documentation, and analysis. This tedious and time-consuming process can take days or weeks to accomplish.
- Difficulty getting actionable intelligence: To build reports that are actionable and relevant to stakeholders, analysts need to explicitly focus on the potential impact and risk of a given threat specific to our environment. Translating the relevance of these threats to Elastic can be difficult when the volume and complexity of information grow exponentially.
- Need for proactive defense: To continue building a proactive defense strategy, analysts must quickly deliver critical insights on where stakeholders should prioritize their limited resources, which detection rules to add, and other actionable recommendations.
“The hardest part of any security program is understanding where to focus your resources, including team time, staffing, and funding. Threat intelligence is the first and most critical step to any security program to find the best way to allocate the limited resources you have.”
— Mandy Andress, CISO, Elastic
The solution
Our AI Assistant streamlines threat intelligence reporting
To manage the increasing volume of threats from attackers and data produced from our internal services, our InfoSec team turned to AI. Elastic AI Assistant for Security enables teams to augment analyst expertise, boost efficiency, and reduce the manual workload of investigation and response. The team utilizes their AI Assistant to minimize the manual and tedious aspects of reporting by streamlining the process of writing threat intelligence reports.
To customize Elastic AI Assistant for this reporting use case, the team created markdown templates for each of the different threat intelligence reports and stored them in the AI Assistant’s knowledge base. Each template loaded in the knowledge base has dedicated sections for required information and instructions for the large language model (LLM).
With this process change, our threat intelligence analysts have further standardized how they gather data in real time from various sources, including threat feeds, security blogs, incident reports, and other relevant information. The AI Assistant then delivers a preliminary version of the threat intelligence report, which analysts refine and update.
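One way to make such a template do double duty, as an added example rather than Elastic's own code: parse the required sections out of the markdown template and check the LLM's preliminary draft against them before an analyst starts refining it. The SIGACT template, its section names, the instruction comments and both drafts below are constructed for illustration and are not Elastic's templates.

```python
import re

# Constructed SIGACT template (illustrative, not Elastic's own). Level-2 headings
# are the required sections; HTML comments carry instructions for the LLM and
# must not survive into the draft the analyst receives.
SIGACT_TEMPLATE = """\
# SIGACT: {title}

## Summary
<!-- LLM: two to three sentences on what happened, when, and who was affected. -->

## Timeline
<!-- LLM: one bullet per event, UTC timestamps as given in the sources. -->

## Root cause
<!-- LLM: state the initial access vector; write "Unknown" if the sources do not say. -->

## Relevance to Elastic
<!-- LLM: list which of our services or suppliers are exposed; the analyst will verify. -->

## Recommendations
<!-- LLM: concrete next steps, each prefixed with a MITRE ATT&CK technique ID where known. -->
"""

HEADING_RE = re.compile(r"^## (.+?)[ \t]*$", re.MULTILINE)
INSTRUCTION_RE = re.compile(r"<!--.*?-->", re.DOTALL)
PLACEHOLDER_RE = re.compile(r"\{[a-z_]+\}")


def required_sections(template: str) -> list[str]:
    """Required section names, in template order."""
    return HEADING_RE.findall(template)


def split_sections(report: str) -> dict[str, str]:
    """Map each level-2 heading in a markdown report to its (stripped) body."""
    parts = HEADING_RE.split(report)  # [preamble, heading, body, heading, body, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts), 2)}


def check_draft(template: str, draft: str) -> list[str]:
    """Return the problems an analyst must fix before the draft goes out.

    An empty list means the draft covers every template section and carries no
    leftover LLM instructions or unfilled placeholders.
    """
    issues = []
    found = split_sections(draft)
    for name in required_sections(template):
        if name not in found:
            issues.append(f"missing section: {name}")
        elif not found[name]:
            issues.append(f"empty section: {name}")
    for comment in INSTRUCTION_RE.findall(draft):
        issues.append(f"leftover instruction: {comment}")
    for placeholder in PLACEHOLDER_RE.findall(draft):
        issues.append(f"unfilled placeholder: {placeholder}")
    return issues


# Constructed drafts standing in for what the LLM returned.
GOOD_DRAFT = """\
# SIGACT: Constructed example breach at a SaaS vendor

## Summary
A constructed example: a vendor reported unauthorized access to a support portal on 2024-05-01.

## Timeline
- 2024-05-01T08:12Z vendor detects anomalous logins
- 2024-05-01T10:40Z vendor revokes session tokens

## Root cause
Credential stuffing against accounts without MFA.

## Relevance to Elastic
We use this vendor for ticketing; no Elastic credentials were stored there.

## Recommendations
- T1110.004: enforce MFA on the vendor portal for all Elastic users.
"""

BAD_DRAFT = """\
# SIGACT: {title}

## Summary
The vendor reported unauthorized access to its support portal.

## Timeline
<!-- LLM: one bullet per event, UTC timestamps as given in the sources. -->

## Root cause
Unknown

## Relevance to Elastic
"""

if __name__ == "__main__":
    print(check_draft(SIGACT_TEMPLATE, GOOD_DRAFT))  # []
    for issue in check_draft(SIGACT_TEMPLATE, BAD_DRAFT):
        print(issue)
```

The gate catches the failure modes that matter for a template-driven draft: a section the model skipped, an instruction comment echoed back into the report, and a placeholder it never filled. Run it on the preliminary draft and hand the analyst the issue list alongside the report.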
The purpose of accelerating the threat intelligence process is twofold:
- Analysts can deliver more coverage for threat insights in real time.
- Analysts can spend more time understanding the relevance and impact of threats specific to Elastic’s environment.
The time saved from using Elastic AI Assistant is now allocated toward creating more effective reporting. Instead of focusing on manual report building, the team spends the bulk of their time developing more comprehensive, actionable intelligence. This includes in-depth threat trend analysis to help identify patterns and predict future threats based on threat activities over time, enabling our security team to quickly understand the ever-changing threat landscape, reduce the number of unknowns through new detection capabilities, and mature our security posture.
“There is so much information out there about what threat actors are doing and what threat groups are trying to achieve. The sheer amount of data for even a large threat intelligence team is huge. The AI Assistant helps us navigate that in an efficient and manageable way.”
— Tommy Bumford, Principal Information Security Analyst, Threat Intelligence, Elastic
Use cases
Building a threat library with AI to mitigate risk
Using Elastic AI Assistant, threat intelligence analysts can proactively mitigate risk by efficiently creating any type of report they need. Here are a few types the team creates:
- Intelligence reports (INTREPs): Generic intelligence reports that provide intelligence to stakeholders, including impactful recommendations when relevant
- Significant act reports (SIGACTs): Reports focused on a single threat event, such as a data breach or large-scale cyber disruption, to understand the root cause and recommend next steps
- Threat actor profiles: Living profiles of threat actor groups, updated as new information arrives, to keep up to date with threat actor motivations, capabilities, and attack patterns
- Threat trend reports: Analysis and reporting on an identified trend of threat activity over time, to stay informed on emerging behaviors or attacks and to implement or improve security measures
- Intelligence summaries: Roll-up reporting on threats that occur within a given time range, allowing stakeholders to get up to speed quickly and dive deeper at any moment
The results
Accelerating analyst efficiency with AI
Since adopting Elastic AI Assistant, our threat intelligence and information security teams have recouped 75% of analysts' time while increasing threat intelligence report output by 92%.
That reclaimed time now goes toward engaging stakeholders on recommended actions, and the productivity lift lets the team build the report types above with far less manual effort.
Time recouped for threat intelligence reporting delivers several other benefits:
- Comprehensive analysis: The time reclaimed is now spent building more comprehensive trend analysis and delivering critical insights on why a given threat, threat actor, or trend is relevant to our organization. This has been crucial for gaining even greater visibility into our attack surface and addressing blind spots within our environment.
- Proactive security posture: Because the AI Assistant expedites threat intelligence, our InfoSec team can make informed decisions and prioritize security measures ahead of time. Anticipating what threat actors might do next lets us put defenses in place before an attack occurs rather than after it.
- Reduced unknowns and increased detections: Building a knowledge base of threat data and intelligence reporting enables our teams to reduce unknowns, facilitating enhancements to detection rules that directly improve our security posture.
- Increased stakeholder engagement and impact: Delivering relevant and actionable next steps has increased stakeholder engagement, enabling the team to collaborate on next steps that mitigate risk across our attack surface.
“The AI Assistant is helping us save a ton of time in producing reports that get published to the masses. Being able to do that, especially at the scale that we need to, is crucial to develop our security posture and avoid different types of attacks.”
— Tommy Bumford, Principal Information Security Analyst, Threat Intelligence, Elastic
What's next
We continue to expand our AI roadmap for security by investing in:
- Enhancing data collection: To enhance trend analysis, we are planning to expand our data collection process to better understand the global threat environment.
- Increasing automation: We aim to further automate the threat intelligence process, with analysts monitoring each step rather than working each step by hand. This will help build toward a more proactive defense.
- Applying AI to assist investigations: Beyond threat intelligence reporting, we are embedding AI in other security workflows, including detection, investigation, triage, and identity and access management, to streamline operations and enhance our overall security posture.
This use case is based on our use of our own products and services. As such, certain typical costs, such as licensing fees, were not incurred. The results, savings, and fees presented are illustrative and for information only, and may not necessarily reflect the outcomes achievable by users under our standard commercial terms and applicable fees. While similar results may be possible, individual outcomes may vary significantly depending on numerous factors. No guarantees are made or implied.