We’re thrilled to introduce a new feature to the Dropzone AI SOC analyst—AI interviewer. This feature automates interviews of users to gather contextual information needed during security investigations.
Latency and Friction in Security Investigations
Every alert ends up in one of two buckets, false positive or real security incident, and it takes time to find out which. If an alert indicates something malicious is taking place, you want to start the investigation as soon as possible: each minute that passes gives the attacker more time to achieve their goals. That’s why triage and investigation need to be streamlined as much as possible.
Oftentimes during a security investigation, the analyst needs contextual information that can only come from a user. Did they add permissions to this external account? Did they use these “break glass” credentials? Did they clone this GitHub repository?
Conducting these user interviews the normal way requires both parties to be at the keyboard and available to chat, which sometimes happens but often doesn’t. While the security analyst waits for the user to respond, it makes sense for them to switch gears and start on other tasks, and the context switch back costs time too. All of this adds friction and latency to the investigation.
Minutes Matter—Coinbase Case Study
We don’t often hear the details of real-world incidents, so it’s worth paying attention when we do. Coinbase had a near miss with a security incident in February 2023. Targeted by what they suspect to be the 0ktapus threat group, Coinbase’s security team identified the suspicious activity and contacted the user to stop the attack in about 20 minutes.
Here’s what went down, according to Coinbase:
- Sunday, February 5, 2023: Several Coinbase employees received unsolicited SMS messages prompting them to log in through a provided link. While most ignored these messages, one employee clicked the link and entered their credentials.
- Shortly after: The attacker attempted to access Coinbase systems using the stolen credentials but could not complete the Multi-Factor Authentication (MFA) step and so was not able to sign in.
- Approximately 20 minutes later: The attacker called the targeted employee, impersonating a Coinbase IT staff member in a social engineering attempt. The employee, believing the call to be legitimate, followed the attacker's instructions, including logging into their workstation.
- During this interaction: The employee grew suspicious due to the nature of the requests. Concurrently, Coinbase's CSIRT detected unusual activity and contacted the employee through internal messaging to verify the behavior. That’s when the employee terminated communication with the attacker. The CSIRT promptly suspended the employee's access and initiated a comprehensive investigation.
The 0ktapus campaign, which in 2022 hit companies such as Twilio and Cloudflare, served as a wake-up call for security teams everywhere about the need for speed in security investigations.
Need for Speed: Automating User Interviews with AI
The Coinbase incident shows that security teams need to be hyper-vigilant and able to reach the affected user as soon as possible. Dropzone AI’s new AI interviewer feature makes this simple.
Here’s how it works:
- You deploy the Dropzone AI Slack application. Other messaging platforms such as Microsoft Teams are on our roadmap.
- When it determines that a user interview is needed, the Dropzone AI SOC analyst will reach out to users to gather information for the investigation. You can see an example of this in the product tour embedded below.
- Based on the interview, the Dropzone AI SOC analyst will update the investigation. The investigation report will include the transcript from the interview.
- Administrators can configure the AI interviewer by selecting the types of investigations interviews are available for, and whether those should be fully automated or require approval before running.
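The workflow above, as an added illustration: this is a constructed example and not Dropzone AI’s code. The alert-type names, question templates, verdict names and the `send`/`approve` callbacks are assumptions standing in for the Slack integration and the administrator configuration described in the steps. It applies a per-alert-type policy (disabled, approval required, automatic), asks the user a question that names the specific action, records the exchange in the investigation transcript, and refuses to treat silence as a benign answer.

```python
"""Illustrative user-interview gate for alert triage.

Constructed example, not Dropzone AI's code. Alert-type names, question templates,
verdict names and the send/approve callbacks are assumptions that stand in for the
Slack integration and admin configuration.
"""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

class Mode(Enum):
    DISABLED = "disabled"              # never interview for this alert type
    REQUIRE_APPROVAL = "approval"      # an analyst approves before the user is messaged
    AUTOMATIC = "automatic"            # interview as soon as the alert is triaged

class Verdict(Enum):
    OPEN = "open"                      # nothing usable learned from the user yet
    USER_CONFIRMED = "user_confirmed"  # user says they did it: downgrade, keep the evidence
    USER_DENIED = "user_denied"        # user says they did not: treat as likely compromise
    NO_RESPONSE = "no_response"        # no answer in the window: never treated as benign

# Hypothetical admin policy keyed by alert type (assumed names).
POLICY = {
    "iam_permission_grant": Mode.AUTOMATIC,
    "break_glass_login": Mode.REQUIRE_APPROVAL,
    "repo_clone": Mode.AUTOMATIC,
    "malware_detected": Mode.DISABLED,  # the user cannot tell us anything useful here
}

# Each question names the concrete action, object and time, so the user verifies a
# specific fact instead of answering a vague "was this you?".
QUESTIONS = {
    "iam_permission_grant": "Did you grant {permission} to external account {account} at {time} UTC?",
    "break_glass_login": "Did you sign in with the break-glass credential {credential} at {time} UTC?",
    "repo_clone": "Did you clone {repo} from {source_ip} at {time} UTC?",
}

@dataclass
class Alert:
    alert_type: str
    user: str      # messaging handle of the person whose account performed the action
    details: dict  # fields consumed by the question template

@dataclass
class Investigation:
    alert: Alert
    verdict: Verdict = Verdict.OPEN
    transcript: list = field(default_factory=list)  # (speaker, text) pairs for the report

DENY_WORDS = {"no", "nope", "never"}
DENY_PHRASES = ("i did not", "i didn't", "that wasn't me", "that was not me", "not me")
CONFIRM_WORDS = {"yes", "yep", "yeah", "correct"}
CONFIRM_PHRASES = ("i did", "that was me")

def classify_reply(reply: str) -> Verdict:
    """Map a free-text reply to a verdict; anything ambiguous stays OPEN for the analyst."""
    words = re.findall(r"[a-z']+", reply.lower())
    if not words:
        return Verdict.OPEN
    text = " ".join(words)
    # Denial is checked first because "i did not" also starts with "i did".
    if words[0] in DENY_WORDS or text.startswith(DENY_PHRASES):
        return Verdict.USER_DENIED
    if words[0] in CONFIRM_WORDS or text.startswith(CONFIRM_PHRASES):
        return Verdict.USER_CONFIRMED
    return Verdict.OPEN

def interview(inv: Investigation, policy: dict,
              send: Callable[[str, str], Optional[str]],
              approve: Callable[[Investigation], bool]) -> Investigation:
    """Run or skip the interview per policy and record every step in the transcript.

    send(user, question) stands in for the Slack DM; it returns the reply text, or None
    when the user did not answer within the SOC's waiting window.
    approve(inv) stands in for an analyst approving an interview that requires approval.
    """
    mode = policy.get(inv.alert.alert_type, Mode.DISABLED)
    if mode is Mode.DISABLED:
        inv.transcript.append(("system", "interview disabled for this alert type"))
        return inv
    if mode is Mode.REQUIRE_APPROVAL and not approve(inv):
        inv.transcript.append(("system", "interview awaiting analyst approval"))
        return inv
    question = QUESTIONS[inv.alert.alert_type].format(**inv.alert.details)
    inv.transcript.append(("bot", question))
    reply = send(inv.alert.user, question)
    if reply is None:
        inv.transcript.append(("system", "no reply within the waiting window"))
        inv.verdict = Verdict.NO_RESPONSE  # silence is not consent; decide on other evidence
        return inv
    inv.transcript.append((inv.alert.user, reply))
    inv.verdict = classify_reply(reply)
    return inv

def demo() -> Investigation:
    """Constructed alert: a permission granted to an external account, which the user denies."""
    alert = Alert("iam_permission_grant", "@jdoe",
                  {"permission": "AdministratorAccess", "account": "210987654321",
                   "time": "2023-02-05 14:02"})
    return interview(Investigation(alert), POLICY,
                     send=lambda user, q: "No, that wasn't me.",
                     approve=lambda inv: True)

if __name__ == "__main__":
    result = demo()
    print(result.verdict.value)
    for speaker, text in result.transcript:
        print(f"{speaker}: {text}")
```

The two design points worth carrying into a real deployment are the ones the Coinbase timeline makes concrete: the question must reference a specific action, object and time so the user can actually verify it, and a user who does not answer must leave the investigation in a distinct state rather than be folded into "no concern raised".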

The new AI interviewer feature in Dropzone’s AI SOC analyst speeds up MTTR by removing latency from security alert investigations.
Removing Latency and Friction from Security Investigations
In the case of Coinbase, the security team was able to avoid a breach by responding in about 20 minutes. Speeding up mean time to respond (MTTR) is a primary reason organizations bring Dropzone’s AI SOC analyst onto their teams.
Dropzone AI starts investigations as soon as alerts hit the queue, eliminating mean time to acknowledge (MTTA), which is often the largest component of MTTR. On average, Dropzone’s AI SOC analyst completes investigations within 3-10 minutes and delivers detailed reports with findings and evidence. The new AI interviewer feature ensures that as much of this process is automated as possible.
If you’d like to ensure that 100% of your alerts receive thorough investigations in minutes, including user interviews, schedule a demo.
To learn more about the AI interviewer feature, try the product tour below.