Tempo, a Snowflake Native App, harnesses AI and Log Language Models for Proactive Cybersecurity
Cybersecurity attackers keep innovating, challenging traditional security measures and pushing organizations to look for new approaches. Tempo, a Snowflake Native App that applies AI-powered proactive security, detects even novel attacks. It uses Log Language Models (LogLMs), a new type of deep learning model developed by DeepTempo, to analyze logs and other information directly within your Snowflake environment, combining agentless monitoring, deep learning-based detection, and higher productivity for security teams. Interested users can try the solution for free now on the Snowflake Marketplace. Sample data from the Canadian Institute for Cybersecurity is included so that users can confirm Tempo's accuracy and become familiar with the context it provides to assist in further triage and response.

The heart of Tempo's capabilities lies in its purpose-built LogLMs, trained exclusively on log data to recognize normal patterns of behavior. This allows Tempo to identify anomalies immediately, countering the sophistication of the threat side while lowering complexity and cost. Built and pre-trained with the assistance of a major global financial institution, Tempo has demonstrated a blend of accuracy and practicality, with false positive and false negative rates below 1% after adaptation to a new user's domain. Tempo has initially been optimized for NetFlow data, and DeepTempo is updating the model to handle all flow logs, starting with an upcoming release that supports VPC flow logs.
One of Tempo's key advantages is its agentless monitoring capability. By eliminating the need for proprietary agents to gather and normalize logs, Tempo simplifies network management and reduces configuration and maintenance overhead. This streamlines operations and contributes to a more manageable network overall, as Tempo can adjust to different schemas and operating environments using only the logs already present in your Snowflake environment.

The deep learning-based detection employed by Tempo represents a significant step forward in threat identification. Using its LogLMs, Tempo can identify subtle deviations from normal behavior, including longer-duration attacks that might slip past traditional signature-based systems. This is particularly valuable against innovative attackers, because Tempo does not need to keep track of specific attack patterns. Instead, it recognizes when activity deviates from the norm, triggering detection for any threat that emerges.

For security operations teams, Tempo offers a welcome respite from the flood of false positives that often plagues traditional security information and event management (SIEM) systems. By providing more accurate incident identification and useful context, including optional MITRE ATT&CK mappings, Tempo enables security professionals to triage and scope potential issues more efficiently. This lets teams focus on genuine threats rather than chasing false alarms or maintaining outdated rule sets.

The cost-saving potential of Tempo is substantial. By enabling organizations to keep more of their logs within Snowflake and use their SIEMs primarily for incident response rather than log storage, Tempo can significantly reduce direct costs. In one case study involving a large financial institution, projected savings reached several million dollars, representing up to 45% of their existing SIEM spending.
These savings stem from using Snowflake as the system of record instead of pushing NetFlow and VPC flow logs into a separate SIEM. Tempo's packaging as a Snowflake Native App brings further practical benefits. DeepTempo has developed methods that let Tempo adapt to your particular environment within hours of fine-tuning, so its capabilities can be applied across diverse organizational contexts. This adaptability, combined with integration into existing security workflows, positions Tempo as a tool that not only keeps pace with cybersecurity threats but stays ahead of them. To learn more, take a look at our docs and Quick Start guide here.
How Tempo Analyzes NetFlow Data Using LogLMs
The Tempo Native App available today uses purpose-built, pre-trained, and optionally fine-tuned Log Language Models (LogLMs) to analyze NetFlow data. It automatically identifies devices on the network and tags them so that the anomaly detection models can do the heavy lifting. Here is how it works:
1. Data Access: Tempo reads NetFlow data from your data lake or a data stream. This data describes network connections: source and destination IP addresses, ports, protocols, and data transfer volumes.
2. Feature Extraction: Here the logs are turned into a language that Tempo, as a LogLM, can understand.
3. Inference: Here Tempo applies its detailed understanding of normal behavior to discern potential attacks. In addition, processes are run that help the model translate any findings into information about entities, and classes of entities, in the logs.
4. Optional Fine-Tuning: Tempo includes an optional fine-tuning capability, which may be necessary to obtain accurate results in especially large or dynamic environments.
5. Updated Artifacts: Here both updated results and fine-tuned models are saved for future use.
6. Application Output: When Tempo detects behavior that deviates significantly from the baseline, it flags it as a potential security incident. This includes, but is not limited to, unusual connection attempts, unexpected data transfers, or connections to suspicious IP addresses.

Importantly, Tempo does not just look at individual data points. Its LogLM considers the broader context of network behavior, allowing it to distinguish between benign anomalies (like system updates) and potentially malicious activity. When a likely incident is identified, the context that Tempo can provide to SOCs includes:

Entities impacted: is one web server affected, or X% of the web servers?
Sequence identification: what else happened before and after the concerning incident?
Optional MITRE ATT&CK mapping: which known attack pattern, if any, does the incident most resemble? If the mapping is not close, users can classify the alert as informational or similar, since it is either just noise or, less likely, a very sophisticated and novel attack.
By using LogLMs to analyze NetFlow and other data, Tempo provides a proactive approach to security that can detect subtle indicators of compromise or attack, often before traditional security measures catch them. This approach, combined with its agentless nature and ability to work with both streaming and stored data, makes Tempo a comprehensive solution for modern, AI-driven cybersecurity.

In conclusion, Tempo represents a paradigm shift in cybersecurity, using AI and Snowflake's data platform to provide proactive, intelligent threat detection. By applying Log Language Models (LogLMs) to NetFlow data, initially, directly within your Snowflake environment, Tempo offers a unique combination of agentless monitoring, deep learning-based detection, and integration with existing security workflows. This approach not only enhances threat detection but also improves operational efficiency and cost-effectiveness for security teams. As cyber threats continue to evolve in sophistication and scale, solutions like Tempo are becoming indispensable. By staying ahead of threats, reducing false positives, and providing context-rich insights, Tempo helps organizations maintain a robust security posture in an increasingly complex digital landscape. The future of cybersecurity lies in proactive, AI-driven solutions, and DeepTempo is at the forefront of this shift, offering a tool for organizations looking to stay one step ahead in the ongoing battle against cyber threats. To try the app, please follow this link.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2024/12/fighting-on-the-new-front-line-of-security-with-snowflake-and-loglms/