Capturing Weak Signals in Endpoint Security Using Large Language Models

The field of endpoint security is constantly evolving, with new challenges and threats emerging each day. One of the key challenges in this space is capturing weak signals across endpoints and predicting potential intrusion attempt patterns. This is where Large Language Models (LLMs) come into play.

The goal of utilizing LLMs in endpoint security is to mine attack data and identify new threat patterns and correlations. By fine-tuning LLMs on that data, leading endpoint detection and response (EDR) and extended detection and response (XDR) vendors are taking on the challenge and making significant progress.

Collecting Endpoint Data for Enhanced Protection

“We collect the most amount of endpoint data in the industry from our XDR. We collect almost 200 megabytes per endpoint, which is, in many cases, 10 to 20 times more than most of the industry participants.” – Nikesh Arora, Palo Alto Networks chairman and CEO

Endpoint data plays a crucial role in improving security measures. Palo Alto Networks, a prominent player in the field, collects a vast amount of endpoint data through their XDR. This data is then cross-correlated and utilized to enhance their firewalls with attack surface management, employing automation through XDR.

Linking Weak Signals for Novel Detections

“One of the areas that we’ve really pioneered is that we can take weak signals from across different endpoints. And we can link these together to find novel detections.” – George Kurtz, CrowdStrike co-founder and CEO

CrowdStrike, another leading vendor, focuses on connecting weak signals from various endpoints to uncover unique threat detections. This approach has proven successful in delivering better signals and reducing noise in the overall detection process.
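To make the "linking weak signals" idea concrete, here is an added illustration (not CrowdStrike's code or its actual detection logic): a handful of constructed endpoint events, each carrying a low-confidence indicator that would never alert on its own, are pivoted on a shared attribute (the user) across distinct hosts, and the combined score is compared against a threshold. The event names, weights and threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    signal: str    # name of the weak indicator (assumed label)
    weight: float  # confidence of this signal alone, 0..1 (assumed value)


# Constructed sample telemetry, not real data. No single event is strong
# enough to alert on, and no single host accumulates enough on its own.
SAMPLE_EVENTS = [
    Event("ws-01", "alice", "lolbin_exec", 0.3),
    Event("ws-01", "alice", "new_scheduled_task", 0.2),
    Event("ws-02", "alice", "lolbin_exec", 0.3),
    Event("ws-03", "alice", "outbound_rare_domain", 0.4),
    Event("ws-07", "bob", "lolbin_exec", 0.3),
]


def combine(weights):
    """Treat signals as independent: P(at least one is real) = 1 - prod(1 - w)."""
    miss = 1.0
    for w in weights:
        miss *= 1.0 - w
    return round(1.0 - miss, 3)


def per_host_scores(events):
    """What a detector confined to one endpoint would see for each host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e.weight)
    return {host: combine(ws) for host, ws in by_host.items()}


def link_weak_signals(events, key="user", threshold=0.7, min_hosts=2):
    """Pivot weak signals on a shared attribute across distinct hosts.

    Returns a list of (pivot, hosts, score, signals) for every group whose
    combined score crosses the threshold and spans at least min_hosts hosts.
    """
    groups = defaultdict(list)
    for e in events:
        groups[getattr(e, key)].append(e)
    detections = []
    for pivot, evs in groups.items():
        hosts = sorted({e.host for e in evs})
        if len(hosts) < min_hosts:
            continue  # single-host activity stays with the per-endpoint layer
        score = combine(e.weight for e in evs)
        if score >= threshold:
            detections.append((pivot, hosts, score, sorted({e.signal for e in evs})))
    return detections
```

Running `link_weak_signals(SAMPLE_EVENTS)` yields one detection for "alice" across three hosts, while `per_host_scores` shows every individual endpoint staying below the threshold.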

Other notable XDR platform providers in the industry include Broadcom, Cisco, Fortinet, Microsoft, SentinelOne, Sophos, TEHTRIS, Trend Micro, and VMware.

Gartner, a renowned research and advisory firm, emphasizes the importance of enhancing LLMs with telemetry and human-annotated data to shape the future of endpoint security. Their Hype Cycle report states, “Endpoint security innovations focus on faster, automated detection and prevention, and remediation of threats, powering integrated, extended detection and response (XDR) to correlate data points and telemetry from endpoint, network, web, email, and identity solutions.”

Growth in EDR and XDR Market

Spending on EDR and XDR solutions is outpacing the broader information security and risk management market. Gartner predicts significant growth in the endpoint protection platform market, from $14.45 billion currently to $26.95 billion in 2027, achieving a compound annual growth rate (CAGR) of 16.8%. The worldwide information security and risk management market is expected to reach $287 billion in 2027, achieving an 11% CAGR.

VentureBeat recently interviewed Elia Zaitsev, CTO of CrowdStrike, to gain insights into the impact of training LLMs with endpoint data on cybersecurity. Zaitsev highlighted the increasing relevance of LLMs in the field of endpoint security, emphasizing their role in augmenting human capabilities rather than replacing them.

“Most of these automation technologies, whether it’s LLMs or something like that, they don’t tend to replace humans really. They tend to automate the rote basic tasks and allow the expert humans to take their valuable time and focus on something harder.” – Elia Zaitsev, CTO of CrowdStrike

According to Zaitsev, the key to maximizing the effectiveness of LLMs lies in their fine-tuning and specialization. Small purpose-built LLMs focused on specific use cases are often more accurate and less prone to errors or false detections compared to larger, monolithic models that attempt to tackle multiple tasks.

Zaitsev also emphasized the importance of high-quality, human-annotated data sets in training LLMs. Expert input and guidance are essential in teaching LLMs how to perform specific tasks, such as summarizing security incidents or operating a platform.

With the rise of generative AI, Zaitsev highlighted the need for a multi-modal approach that combines LLMs with other technologies. This approach leverages the strengths of LLMs in natural language processing and utilizes non-LLM technologies for specific tasks.

Overall, the use of LLMs in endpoint security is rapidly evolving, and their potential for strengthening cybersecurity measures is vast. These models, when trained with high-quality data and combined with human expertise, can significantly enhance the detection and response capabilities of organizations.
