
How to Integrate Large Language Models (LLMs) Into SIEM Tools

Security information and event management (SIEM) tools offer a tried and tested way of achieving insight across even the most sprawling and complex environments. By aggregating log data from every corner of your network, SIEMs offer a centralized view of your entire infrastructure. This visibility is crucial – but sometimes, getting the right piece of information to the right person is the bottleneck left in your defenses. This article explores the new possibilities that large language models (LLMs) open up in cybersecurity, specifically for SIEM tools.

Attackers Already Using LLMs Against Critical Systems

We’ve already discussed how GenAI is transforming social engineering attacks, but publicly available LLMs are aiding advanced threat groups in a myriad of other ways. Microsoft’s most recent Cyber Signals report details how groups such as the Russian military’s intelligence cohort have been conducting reconnaissance with GenAI.

One key focus of the threat group – dubbed Forest Blizzard – is the exploration of satellite and radar technologies in Ukraine. This included requests for ChatGPT to supply technical blueprints and explanations of communication protocols. Other nation-backed groups have been observed using OpenAI’s tooling in similar ways: CCP-backed Salmon Typhoon is actively using it to source information on high-profile individuals and US influence. Essentially, LLMs have already become part of threat actors’ intelligence-gathering toolkits. They are further using LLMs to enhance scripting techniques such as file manipulation.

LLMs in SIEM: How Large Language Models Are Applied

Microsoft has already started experimenting with embedding GenAI into a pre-existing SIEM solution: as a result, analysts completed tasks 26% faster in a randomized controlled trial. To see how, take a look at the following four applications of LLMs in SIEM tools.

#1. Phishing analysis

As a security tool that supports integrated security, a SIEM can help corroborate indicators of phishing when attackers target end users. Indicators of attempted phishing attacks, such as suspected data leakage and communication with known hostile hosts, can be caught before an attack has been executed in full.

However – phishing attacks rely almost exclusively on the right message reaching the right user at the right time. As linguistic models, LLMs are perfectly suited to analyzing the intent of a message; coupled with the proactive checks and balances that assess the validity of attached files or URLs, phishing prevention is one security mechanism that stands to greatly benefit from the ongoing popularity of LLMs. Even employee education can expect improvements thanks to LLMs: by helping security teams create more realistic and adaptive emails, voicemails and SMS messages for mock attacks, they prepare your employees to detect the real ones in the nick of time. This dual approach of detection and education significantly reduces the risk of phishing attacks slipping through.

#2. Rapid Incident Analysis

Cybersecurity incidents can occur at any moment, making it crucial for security analysts to respond swiftly to contain and mitigate their effects. And while attackers are already using LLMs to understand and identify potential vulnerabilities in software and systems, the same approach works both ways.

In moments where a high-pace response is required, a fast overview gives on-call analysts the ability to quickly piece together the wider puzzle. LLMs not only help in anomaly detection but also guide security teams in investigating those anomalies. Furthermore, they can automate responses to specific incidents, such as resetting passwords or isolating compromised endpoints, thereby streamlining the incident response process.
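A guardrail for that kind of automation, as an added example that is not from the article or from Stellar Cyber’s product: a playbook gate that executes an LLM-proposed action only when it is on an allowlist and targets an asset the SIEM alert already named, and holds everything else for an analyst. The action names, the sample model output and the incident scope are constructed for illustration.

```python
import json

# Allowlist of actions the SIEM playbook engine may run on the model's
# suggestion: the parameter each needs and whether an analyst must approve it.
ALLOWED_ACTIONS = {
    "reset_password": {"param": "user", "needs_approval": False},
    "isolate_endpoint": {"param": "host", "needs_approval": True},
}

# Constructed sample of an LLM assistant's plan for one alert, deliberately
# including a non-allowlisted action and a target the alert never mentioned.
CONSTRUCTED_LLM_OUTPUT = """{"actions": [
  {"action": "reset_password", "user": "jdoe"},
  {"action": "isolate_endpoint", "host": "ws-0142"},
  {"action": "reset_password", "user": "svc-backup"},
  {"action": "disable_mfa", "user": "jdoe"}
]}"""
INCIDENT_SCOPE = {"users": ["jdoe"], "hosts": ["ws-0142"]}  # constructed: assets the alert named

def validate_action(action, scope):
    """Return (auto_ok, reason) for one proposed action."""
    if not isinstance(action, dict):
        return False, f"malformed action entry: {action!r}"
    name = action.get("action")
    spec = ALLOWED_ACTIONS.get(name)
    if spec is None:
        return False, f"{name!r} is not an allowlisted action"
    target = action.get(spec["param"])
    if not isinstance(target, str) or not target:
        return False, f"{name} is missing its '{spec['param']}' parameter"
    if target not in scope.get(spec["param"] + "s", []):
        return False, f"{name}: {target} is outside the incident scope"
    if spec["needs_approval"]:
        return False, f"{name} on {target} queued for analyst approval"
    return True, f"{name} on {target} approved"

def triage_plan(llm_output, scope):
    """Parse the model's JSON and split it into execute and hold lists."""
    try:
        plan = json.loads(llm_output)
    except json.JSONDecodeError:
        return {"execute": [], "hold": ["model output was not valid JSON"]}
    actions = plan.get("actions") if isinstance(plan, dict) else None
    if not isinstance(actions, list):
        return {"execute": [], "hold": ["model output had no 'actions' list"]}
    result = {"execute": [], "hold": []}
    for act in actions:
        ok, reason = validate_action(act, scope)
        result["execute" if ok else "hold"].append(act if ok else reason)
    return result
```

Run against the constructed output, only the password reset for the in-scope user is cleared for automatic execution; the other three entries land in the hold list with the reason an analyst needs to see.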

#3. SIEM Tool Onboarding

Because analysts’ time is so scarce, onboarding and gaining experience with a new SIEM tool is a period when the organization’s security posture requires extra care and caution. Until an analyst is comfortable using a tool to the full extent of its abilities, there are posture gains that remain unrealized.

While it’s possible to wait and let your analysts organically figure out the intricacies of a tool, it’s certainly not the most efficient way – conversely, pulling them out of day-to-day tasks for lengthy tool training is similarly inefficient. Hitting the perfect middle ground, an accessible LLM function can be built into a new SIEM tool to suggest alternative, faster ways of navigating, integrating and using it, helping close the skill gap exactly when analysts need it.

#4. Incident Response Planning

Incident Response Plans (IRPs) outline the necessary steps an organization must take to recover from various failures, such as malware infestations. These plans often rely on Standard Operating Procedures (SOPs) to guide specific actions, like securing an account or isolating network equipment. However, many companies either lack up-to-date SOPs or do not have them at all, placing a frankly naive reliance on staff to manage high-stress incidents.

LLMs can play a critical role in drafting initial IRPs, suggesting best practices, and identifying documentation gaps. They can also support and foster stakeholder engagement by transforming complex security and compliance information into relevant and approachable summaries. This enhances decision-making and helps staff prioritize in times of crisis.

By integrating LLMs into SIEM tools, organizations can improve their cybersecurity posture, streamline operations, and enhance incident response capabilities, ensuring they are better prepared to face evolving threats.

Compliance Considerations

While GenAI offers a number of potential benefits, its status as cutting-edge technology means there are two considerations to keep an eye on.

Data Management

When integrating AI into your enterprise, it is essential to ensure that the chosen vendors offer built-in features that limit the LLM’s access only to specific employees and teams. Engaging cyber risk stakeholders across the organization should help you define and align on the access controls required by each use case. Consider asking your SIEM provider for a bill of software, and clarify how third-party tool providers manage and store training and conversation data.

Log Management

Log management involves collecting, storing, and analyzing computer-generated log files to monitor and review activity: it is the foundation of how SIEM tools analyze and protect the systems in your organization. For instance, governmental directives such as OMB memorandum M-21-31 mandate that these logs be retained for a minimum of one year. Cloud LLM platforms already allow for streamlined data capture of user requests and identity; and as SIEM architecture is already maturing toward efficient log management, even relatively log-heavy LLMs represent a net benefit to security thanks to SIEM tools’ automated log analysis.

Reach Your Next-Gen SIEM Potential with Stellar Cyber

Taking the leap to ML-powered SIEM shouldn’t require a total overhaul of your wider security tooling. Instead, choose a tool that both grants next-gen SIEM and integrates with the entire roster of your devices, networks, and security solutions on hand. Stellar Cyber’s Next-Gen SIEM offers a unified, AI-driven solution that simplifies and supercharges.