Sentinel, OpenAI, and Rapid Ransomware Recovery

Jim Liddle discusses the integration of Microsoft Sentinel with Azure OpenAI, and its exciting potential for ransomware recovery.

August 19, 2024  |  Jim Liddle

Now that we are nearly two years into the Generative AI revolution, the enterprise is getting serious about driving value. Here at Nasuni we are seeing an increase in data-driven, AI-powered automation of specific processes. This ranges from intelligent chatbots powered by retrieval-augmented generation (RAG) tied to customer knowledge bases to the optimization of tasks or processes within a complex manufacturing workflow. Yet one of the more interesting applications I’ve been monitoring involves the integration of Microsoft Sentinel with Azure OpenAI, and its exciting potential for ransomware recovery.

If vs. When

In the security world you often hear about protect and detect. Unfortunately, the last few years of attacks have made it quite clear that with ransomware, it’s not a question of if you will be hit, but when. Effective rapid detection limits the damage an attack can do, but nothing can guarantee 100% protection. The bad actors will inevitably find their way through, and it probably will not be your technology that lets them in the door, but a lax process or a careless person. This is especially true today, when malicious actors can use large language models to craft more convincing phishing emails.

Given the impossibility of constructing a perfect security perimeter, the questions then become:

  1. How quickly can you restore the encrypted data?
  2. How quickly can you resume normal operations?

Our technology allows customers to detect and quarantine attacks earlier, then restore millions of files in under ten seconds, for technical reasons I will detail in a subsequent post. Yet restoration is only part of the recovery process. After a ransomware attack, the rush to resume normal operations demands expert knowledge of the situation, including the particular attack variant and any proven practices that other victims used to recover efficiently. IT and security teams need to know as much as possible about what just happened to their systems, and they need to know it immediately.

To this end, the integration of Microsoft Sentinel and Azure OpenAI is a fascinating possibility.

Nasuni, Sentinel & OpenAI

Nasuni unveiled an integration with Sentinel last year. Microsoft’s cloud-native security information and event management (SIEM) solution has proven to be a great fit, especially given how it plays into our ransomware defense package. If you are attacked, Sentinel unifies all the alerts related to that incident, from Nasuni and any other security solutions, then tracks, reports, and coordinates responses. This helps SecOps teams get more efficient and precise in their threat mitigation.

Since our announcement, Microsoft has given customers the chance to augment Sentinel with some added intelligence. Let’s say your organization suffers a ransomware attack. If you have Nasuni’s Ransomware Protection service, that attack will be detected and quarantined early, limiting the damage, and Sentinel will collect and report on the event, the Nasuni response, and any other actions within your larger portfolio of security apps.

With the new Sentinel AI option configured, a playbook can ask Azure OpenAI GPT models for further information about the attack. Sentinel then pulls that information back and presents it to your security experts – the intelligent humans who are actually dealing with the problem. In this way, Sentinel goes beyond its traditional capabilities and suggests additional proactive steps to accelerate your organization’s recovery.
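To make the flow above concrete, here is an added example (not Nasuni's or Microsoft's code) of the playbook step that turns a Sentinel incident into a question for an Azure OpenAI chat model and hands the answer back to the analyst. The incident record and the model client are constructed stand-ins; the field names and the `<KIND>` redaction placeholders are assumptions, and a real deployment would replace `fake_model` with a call to the Azure OpenAI client.

```python
import re
from typing import Callable

# Constructed sample incident, loosely modelled on Sentinel incident fields.
SAMPLE_INCIDENT = {
    "incidentNumber": 4711,
    "title": "Ransomware activity on file share FS-01",
    "alerts": [{"product": "Nasuni",
                "name": "Ransomware pattern detected, volume quarantined",
                "description": "Mass rename to *.locked by jdoe on FS-01 (10.20.30.40)"}],
    "entities": [{"kind": "Account", "value": "jdoe"},
                 {"kind": "Host", "value": "FS-01"},
                 {"kind": "Ip", "value": "10.20.30.40"}],
}

def redact(text: str, entities: list[dict]) -> str:
    """Swap each entity value for <KIND> so accounts, hosts and addresses never
    leave the tenant in the prompt; longest values first to avoid partial hits."""
    for ent in sorted(entities, key=lambda e: len(e["value"]), reverse=True):
        text = re.sub(re.escape(ent["value"]), f"<{ent['kind'].upper()}>",
                      text, flags=re.IGNORECASE)
    return text

def build_messages(incident: dict) -> list[dict]:
    """Chat messages for an Azure OpenAI chat-completions call: the system turn
    pins the model to recovery guidance, the user turn carries only redacted facts."""
    ents = incident["entities"]
    facts = "\n".join(f"- {a['product']}: {a['name']}. {redact(a['description'], ents)}"
                      for a in incident["alerts"])
    question = (f"Incident '{redact(incident['title'], ents)}'.\nAlerts:\n{facts}\n"
                "Which ransomware behaviour does this resemble, and what recovery "
                "steps follow once the quarantined volume is restored?")
    return [{"role": "system", "content": "You assist a SOC with ransomware recovery. "
             "Answer only from the facts given; say so if they are insufficient."},
            {"role": "user", "content": question}]

def enrich_incident(incident: dict, ask: Callable[[list[dict]], str]) -> dict:
    """Playbook step: send the redacted question through `ask` and attach the answer
    to the incident as a suggestion for the analyst, never as an automatic action."""
    messages = build_messages(incident)
    return {"incidentNumber": incident["incidentNumber"],
            "prompt": messages[1]["content"],
            "aiSuggestion": ask(messages),
            "analystApproved": False}

def fake_model(messages: list[dict]) -> str:
    """Offline stand-in for the model so the example runs without network access."""
    return "Matches mass file encryption; confirm the restored volume is clean first."
```

The redaction step is the practical caveat: Sentinel entities such as account names and internal addresses should be stripped before any incident detail is sent to a model endpoint.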

Security Nirvana & AI Playbooks

Is this a finished solution? Not yet. A security team deep in the trenches of a recovery will want to focus their limited energy and time on optimizing their prompts to retrieve the best results. Yet such new AI-powered integration can no doubt add value to any current Sentinel environment.

The integration of AI Playbooks in security operations is likely to evolve significantly over the next few years. As more organizations recognize the benefits of AI-powered automation, we can expect widespread adoption of AI Playbooks across various industries, leading to a standardization of best practices in incident response.

The security nirvana, of course, would be the integration of more advanced analytics and predictive capabilities that enable AI Playbooks to proactively identify and mitigate potential threats before they materialize, further reducing the attack surface for organizations.

Overall, the evolution of AI Playbooks, combined with novel integrations such as Sentinel and Azure OpenAI, is likely to lead to a future where security operations are more efficient, effective, and proactive in defending against cyber threats. The continued refinement of this technology will play a crucial role in shaping the cybersecurity landscape of tomorrow, offering hope that the development and widespread deployment of advanced ransomware recovery strategies will mitigate the malware’s long-term impact.
