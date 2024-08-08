Security engineers with early access to a new AI agent-based feature of Sysdig's CNAPP said it's helped them sift through alerts and better customize policies but keeps humans in control in important ways.

Sysdig Sage, in controlled availability with 15 customers of the cloud-native application protection platform (CNAPP), is built on AI agents, an architecture that adds a layer of sophistication beyond a large language model-based chatbot. AI agents are extensions of LLMs that perform specialized tasks and break multi-step queries down into their component parts. Together, they can coordinate fetching data to answer complex or open-ended questions from users.

"This is just a pervasive issue in the realm of security, that you have a lot of information and not enough context … that you feel confident about," said Cat Schwan, security engineer and team lead at Apree Health, a primary care and tech company in Seattle that's used Sysdig Sage in production over the last month. "You can just ask Sage any question, even just like, 'Why am I getting this alert? Why is this important? What should I do?' It helps give analysts of all levels [of experience] a springboard to start taking action."

The importance of a human in the loop An emphasis on human action assisted by AI analytics also attracted another Sysdig user, e-commerce company BigCommerce, based in Austin, Texas. BigCommerce also signed on to participate in the controlled availability program for Sage. "This is what AI should have been doing for us all along," wrote Dan Holden, CISO at BigCommerce, in a public comment on LinkedIn Aug. 1. "It's not about magical detection capability (our math is better than their math BS), it's about making the human's response capability better and faster." So far, BigCommerce has focused on using Sage to evaluate and fine-tune custom security policy rules, according to Jordan Bodily, team lead for infrastructure security engineering at the company. "We're not looking to cut out every event from Sysdig, but what we are interested in is obtaining custom events and amending criticality [ratings] for our needs," Bodily said. "In our case, we've been interacting with Sage to answer several questions: Why was there a spike in event X? [Does] Sage have recommendations to reduce the quantity of an event, such as creating exclusions for what we deem normal?" Previously, this kind of fine-tuning required duplicating an out-of-the-box rule as a template for experimentation, then digging through documentation for the open source Falco policy engine Sysdig uses, then testing changes to the duplicate rule for correct syntax, Bodily said. "For me, that's not a big deal because I'm a heavy user of Sysdig and I'm comfortable with it," he said. "However, there are certainly those that don't interact with it daily and this is where Sage saves us time and frustration." Engineers with less experience in application security will be able to ask Sage questions to better learn how to use Sysdig, without requiring internal experts to spend time answering those questions, according to both Bodily and Schwan. "It really helps bridge the gap in knowledge between security and DevOps for us," Schwan said. "It's helped us figure out exactly what we need to say to our [infrastructure-as-code] team, like, 'Hey, we are seeing this event -- is this something that we should expect to be seeing?'" Neither early user has called on Sysdig Sage in a live threat response scenario yet, although both said they believe it will be helpful in that case. "I do expect that we will naturally shift [into] its ability to help during triage," Bodily said. "We've used it to get more information on some events to help us answer the question of, 'Is this normal activity?' Or 'Have we seen this before?'"