As reported by iTnews, CBA general manager of cyber defence operations and security integration Andrew Pade said the two agentic AI bots would support cyber security teams in threat hunting, as well as a response agent that will collect information and help advise decisions.
At the Gartner Security and Risk Management Summit, Pade said the threat hunting agent began development roughly a year ago.
While he said ready-made solutions that could be procured from vendors were usually preferred as they didn’t need to be watered and fed, Pade said there was a “gap between an emerging threat” and ready-made products.
“That gap is the area of our greatest risk … we don’t want to encounter an issue that we have to wait for a vendor to provide a solution for,” he said.
“I’m not waiting for someone to solve our problems. We are the ones to solve our own problems.”
According to Pade, the AI agents came from a need to improve “fidelity and … speed”.
“They’re the two things we’re looking for when we’re protecting our staff and customers – how can we get to the emerging threat quickly and how do we not waste time looking through the noise to find it?” he said.
“They’re the two goals for our operational work. Any improvements need to improve speed or fidelity, and ideally both.”
CBA’s agents
The first agent, the “threat hunt agent”, is responsible for creating hypotheses and theories that can be followed up by investigation before a cyber incident occurs, where applications and environments are searched for potential threats, before then returning to analysts with findings “for peer review”.
“Then we’d come up with some actions,” Pade said.
According to CBA, the threat hunting agent now deals with as much as 70 per cent of the work that its security analysts were previously tasked with doing. It has also cut down work that previously took “a couple of days,” due to the complexity of the bank’s environment. It completes these tasks in 30 minutes.
“Threat hunting across [large banks and firms] is quite difficult because it’s across different platforms, it can be on-premises, in the cloud,” Pade said.
“There [are] multiple layers that form an application. And so when we’re threat hunting, we used to take a couple of days to go and get all of these pieces of data … and then to form a hypothesis about how a threat actor might attack that, and then go off and then assess where we’re vulnerable or where we may have built something not in a perfect way.”
Pade added that the threat hunt agent receives the intel and launches a hunt for potential threats automatically.
“Our intel automatically comes in, and it kicks off a hunt. It can happen overnight,” Pade said.
“Whenever the intel comes in, we can then kick off a hunt and then we [the defensive team] can just deal with the actions.
“So the substantive nature of a threat hunt is now the part the team now focuses on, which is the actions – how we remediate or who. That piece of work has sped up that team’s ability to go and focus on what the findings may be.”
While it is worth noting that most of these hunts result in no threats found, it means that threats are constantly monitored for, and when one is found, the bank can “action that, not spend our time finding out who owns what system and what platform it is on and where it sits”, added Pade.
It also means the analyst isn’t wasting time searching for false leads.
The second agent, which is being referred to as the response agent, helps collate data and context to advise on whether activity and other signs indicate malware or other hacker activity.
“When you think about your blue teams, there’s a general flow of detection, triage, analysis and response,” Pade said.
“I don’t know if people have seen what analysts do, but it’s quite monotonous, and it’s not just packaged beautifully for them to go and do the triage. They have to actually work it out and build that context.
“Our AI response agent builds that for them, and … lays it out for them.”
Together, Pade said that the two agentic AI bots have reduced response time.
“The AI agent’s interrogating what it’s seen in the past, not just what’s happening now, builds that story, [forecasts] where it’s going to go next and puts it in front of the analyst,” he said.
He said that this process of building the AI saw its cyber security staff work increasingly closely with its data science team. He added that a new way of working would need to be introduced to guarantee that security teams would keep their jobs.
“We’re learning how to integrate and use AI to take the monotony away from our day and focus on the more substantive work,” he said.
“How do I ensure all of our analysts are still working in cyber in 20 years’ time, not regretting joining a 24x7 always-on function?
“To do that, we have to introduce a different way of working and to leverage some AI capabilities.”
