Cloud-Based Investigations Platform Targets Complexity in Incident ResponseCloud-Based Investigations Platform Targets Complexity in Incident Response

Investigating a cybersecurity incident juxtaposes the need for a great deal of expertise with a great deal of grunt work — and the resulting job can be tough to navigate.

Training up hard-to-find cybersecurity experts is necessary to meet the need, but so are better tools to speed up the steps of an investigation, from the initial triage to the resulting report. To that end, startup Command Zero, which launched today, has a stated aim to address the gap by helping companies reduce log-parsing workloads and providing much-needed expert support to investigators.

The goal of Command Zero's cloud platform is to give analysts and threat-hunting teams the ability to conduct more consistent investigations more quickly and have the outcomes be more auditable, says Dov Yoran, co-founder and CEO of the Austin, Tex.-based company.

Automation, Simplicity to Reduce Grunt Work

Command Zero's approach involves a platform that plugs into a company's infrastructure, enables different technology modules, and guides the analyst through the investigation, including prompting them with context-dependent questions and pointing them to which data sources might hold the answers.

Along the way, it automates many labor-intensive and low-value steps in the investigation process, organizes log information gleaned from an incident, and uses AI to write consistent investigations reports, according to a launch announcement on the company's site. The approach allows tier-2 and tier-3 analysts to be quantitatively more efficient, Yoran tells Dark Reading: One team that piloted the platform reduced the average time of an investigation from 4 to 5 hours to 20 to 30 minutes; while another reduced time from 15 minutes using six different tools, to five minutes using the single platform, he said.

"The whole idea is that we've done lots of this in past lives, and so bringing carefully curated expert knowledge and content into the platform, into the investigations, and to the investigator will dramatically increase their impact," he says. "These [skilled professionals] are the most scarce resources on the enterprise security team."

Filling an Important Skills Gap

Jon Oltsik, analyst emeritus at market intelligence firm Enterprise Strategy Group, agrees that while cybersecurity industry groups consistently flag a shortage of skilled experts to fill jobs in the industry, the real issue is a shortage of the right kinds of skills — such as analysts who can investigate incidents effectively.

"Investigations often require lots of internal data sources, threat intelligence analysis, and a fair amount of time [and] care," he says. "Investigations and digital forensics are advanced skills that many organizations lack entirely or have minimal resources in this area. Given the preponderance of data breaches and ransomware, organizations know they need improvement in these areas, but most default to service providers."

Allie Mellen, a principal researcher in the Security and Risk group at Forrester, notes, "We do have a talent gap. There are a lot of people that want to get into cybersecurity, but most don't have the knowledge and experience required for investigations. They have to learn on the job."

Adding insult to injury, an annual security survey conducted by Forrester Research found that thousands of security managers and leaders identified investigations as the most time-consuming part of the incident-response process, according to Mellen.

"Investigating incidents is undoubtedly a major pain point for companies," Mellen says. "The industry often overemphasizes the importance of detection and taking action for response, without considering the big task in the middle: investigation."

Moving Beyond AI for Reports

Generative AI (GenAI) and large language models (LLMs) promise to make automated investigations systems function better as analysts' assistants. For his part, Yoran stresses that investigations will always involve human judgment — AI and machine learning automation can only do so much.

But, while machine learning is increasingly incorporated into products in ways that users may not realize, AI remains largely an overpromised feature, says Forrester's Mellen. LLMs, for example, are really good at producing "a plethora of text ... instead of a concise and visual description" to explain an incident alert, she says.

The future of investigations platforms like Command Zero, Yoran says, is the potential to easily pull data from all the devices and log files on a network, using machine learning models to find anomalies, and using GenAI to turn natural language queries into searches and actions.