More than an Assistant – A New Architecture for GenAI in Cloud Security

By Loris Degioanni - JULY 25, 2023



There is no question that cybersecurity is on the brink of an AI revolution. The cloud security industry, for example, with its complexity and chronic talent shortage, has the potential to be radically impacted by AI. Yet the exact nature of this revolution remains uncertain, largely because the AI-based future of cybersecurity is still being invented, step by step.

Today, Sysdig takes a significant leap forward in shaping this future. We’re excited to announce Sysdig Sage, the AI security assistant specializing in cloud security. This blog post aims to describe what Sysdig Sage is; what it can do for you (with examples!); and more importantly, what sets Sysdig Sage apart. Moreover, I’ll outline Sysdig’s perspective on the present and future role of AI in cybersecurity.

Up until now, industry attempts to harness large language models (LLMs) in cybersecurity have mainly fallen into two categories:

  • Context enrichment: Here, AI performs relatively simple tasks that support user workflows. For example, you can feed a compliance violation event to ChatGPT, which can then suggest AWS commands for use in the remediation process. This stateless approach is useful but fairly basic.
  • Query building: This entails providing natural language interfaces to repositories of security events and logs, such as security information and event management (SIEM) back-ends or extended detection and response (XDR) tools. LLMs excel at formulating queries and interpreting small data sets, offering valuable support to both novice and advanced users. Modern LLMs can also retain context across multiple questions, providing effective “chatbot” functionality.

Sysdig Sage is based on a more ambitious and comprehensive approach, striving to be as indistinguishable as possible from a cybersecurity expert, with deep cloud security expertise and the ability to skillfully assist you with the Sysdig Secure cloud-native application protection platform (CNAPP). With this powerful combination, you can gain a clearer picture of your security posture, meet compliance requirements more quickly, and stop cloud attacks more confidently.

In developing Sysdig Sage, we are focusing on these properties:

  • Advanced, multistep reasoning: In a complex field like cloud security, questions rarely have straightforward answers. Often, you need to investigate and iterate before finding a solution. Sysdig Sage is designed to undertake multiple investigative steps before delivering an answer.
  • Integrating multiple domains: Cloud security comprises numerous data sources, each with its own formats and semantics – vulnerabilities, compliance violations, runtime events, and continuous integration/continuous delivery (CI/CD) security. A true assistant must understand and correlate these domains, treating them as parts of a larger puzzle rather than a collection of acronyms and subcategories.
  • Exercising judgment: Sysdig Sage is smart enough to aid in risk assessment, prioritization, and decision-making. It can help you understand the scope of an attack, separate the needle from the haystack, and identify correlations.
  • Proactivity: Sysdig Sage understands what you are doing and interjects with helpful insights at the appropriate moments. It also guides you toward problem resolution.
  • Action-taking capability: Sysdig Sage can guide you through the UI when you need help, modify a noisy runtime rule, or send a summary on Slack.

One of the most impressive aspects of Sysdig Sage is that it’s supercharged by Falco, the open source standard for runtime security from the Cloud Native Computing Foundation. The collective knowledge of Falco’s community is integrated into Sysdig Sage right out of the box. This is because most LLMs are trained on publicly available data, which of course encompasses all knowable information (and every discussion!) about Falco. Consequently, Sysdig Sage is extra-effective at detecting, triaging, and responding to runtime threats.

Architecturally, Sysdig Sage is powered by what we call the “LLM controller”. This component, based on a state-of-the-art generative AI architecture and infused with Sysdig’s unique secret sauce, mediates the interaction between the user and the AI. The controller offers expert guidance, validates the accuracy of the responses (thereby mitigating hallucinations), and can perform actions in the product on behalf of the LLM. This not only enhances the scope and effectiveness of the ML models but also “steers” the LLM toward specific areas using hierarchical prompting. The controller also safeguards the user’s sensitive data (for example, it is capable of anonymizing the messages that the LLM receives) and mitigates privacy issues.
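To make the mediation idea concrete, here is an added sketch (not Sysdig's code; the `Mediator` class, the identifier patterns and the placeholder format are all assumptions) of a component that pseudonymizes identifiers before a prompt reaches the LLM, rejects responses that reference placeholders it never issued, and restores the real values for the user. The sample event and the stand-in LLM are constructed for the example.

```python
import re

# Identifier patterns assumed for this sketch: IPv4 addresses, 12-digit AWS account IDs.
PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ACCT": re.compile(r"\b\d{12}\b"),
}
TOKEN = re.compile(r"<(?:IP|ACCT)_\d+>")


class Mediator:
    """Hypothetical controller sitting between the user and an LLM."""

    def __init__(self, llm):
        self.llm = llm      # assumed interface: callable taking and returning str
        self.forward = {}   # real value -> placeholder
        self.reverse = {}   # placeholder -> real value

    def pseudonymize(self, text):
        for kind, pattern in PATTERNS.items():
            def swap(match, kind=kind):
                value = match.group(0)
                if value not in self.forward:
                    token = f"<{kind}_{len(self.forward) + 1}>"
                    self.forward[value] = token
                    self.reverse[token] = value
                return self.forward[value]  # same value always maps to same token
            text = pattern.sub(swap, text)
        return text

    def restore(self, text):
        # Narrow response check: the LLM may only cite placeholders we issued.
        unknown = set(TOKEN.findall(text)) - set(self.reverse)
        if unknown:
            raise ValueError(f"unknown placeholders in response: {sorted(unknown)}")
        return TOKEN.sub(lambda m: self.reverse[m.group(0)], text)

    def ask(self, prompt):
        return self.restore(self.llm(self.pseudonymize(prompt)))


def demo():
    seen = []  # what the (stand-in) LLM actually receives
    def fake_llm(prompt):
        seen.append(prompt)
        return "Isolate <IP_1> and review egress to <IP_2> in <ACCT_3>."
    event = ("Falco alert: shell spawned on 10.0.3.17 (account 123456789012); "
             "10.0.3.17 then connected to 203.0.113.9")  # constructed sample
    return seen, Mediator(fake_llm).ask(event)
```

Because the mapping is stable within a session, the model can still correlate repeated identifiers without ever seeing their real values.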

Our investment in Sysdig Sage stems from our firm belief that generative AI is the most significant revolution the security industry has ever seen. Sysdig is dedicated to leading this revolution, aiming to deliver not just the first, but more importantly, the best AI for cloud security. We have been working tirelessly to create Sysdig Sage, and are confident that it will transform the way you approach cloud security.

Want to learn more? Sysdig Sage is currently accepting candidates for early access later this year. Sign up here for more information.

