Simbian launches AI Threat Hunt Agent integrated with Microsoft Sentinel data lake

Sumedh Barde, Simbian’s Chief Product Officer

Mountain View CA-based cybersecurity company Simbian, which already fields agents working 24x7x365 on tasks that include threat hunting, has deepened its capabilities in that area. Simbian has launched its AI Threat Hunt Agent, which integrates with the Microsoft Sentinel data lake. This will let Microsoft 365 customers accelerate and scale their organizations’ threat hunting capabilities. Simbian’s AI SOC Agent has also been extended to leverage the vast security data available in the Microsoft Sentinel data lake.

So why use the Microsoft Sentinel data lake instead of a competitor?

“Most of the data lakes available on the market are multi-purpose,” said Sumedh Barde, Simbian’s Chief Product Officer. “They have the common functionality needed across every use case. Security app developers then need to add their own “structure” on top such as schema for alerts, events, etc. There are a handful of security-specific data lakes too, such as AWS’s Security Lake. But Microsoft has the strongest vision in this space for security developers, comprising a lake, graph, MCP interface, and more, enabling very rich security apps.”

Barde said working with Microsoft here makes sense for business reasons.

“We must meet customers where they are,” he stated. “Microsoft’s security stack (Microsoft 365 E5) is very popular. The Sentinel data lake is provided with it. So a large number of our prospective customers are likely to have it.”

Barde noted as well that no other player in the market is doing this sort of thing, to the same degree.

“We have not yet heard anyone else automating threat hunting as deeply as we are,” he said. “This blog by Microsoft shares use cases that other partners of Sentinel data lake are solving. There are others like Illumio helping with aspects of threat hunting, but it’s only a tangential overlap.”

Simbian’s AI Threat Hunt Agent automates the process of validating threat hunt hypotheses using AI. Simbian threat hunters use natural language to identify the techniques and tools that threat actors may be using and roughly where in the organization they are operating. The AI Threat Hunt Agent queries the organization’s security data across different tools to find evidence supporting the hypothesis, then investigates in depth to confirm whether there is a chain of malicious activity, giving analysts timely feedback. Simbian is the first and only threat hunt solution that automates validation of threat hunt hypotheses at scale across an enterprise.

“Let’s say you receive a tip that someone is targeting your billing team, possibly to access your customer database,” Barde said. “You are concerned that you don’t have sufficient detections to catch this. So you begin a threat hunt. Your mission is clear – find if the threat actor has reached your users or assets, where, when, how.”

The problem, Barde emphasized, is that threat hunting is hard.

“Threat hunts invariably start with incomplete information about the threat actor and their techniques,” he said. “You use your intuition to formulate hypotheses about how and where the threat actor is operating. Then you ‘execute’ the hunt, i.e., gather relevant data from your security tools, analyze it, and chase the leads. Then you refine your hypothesis and repeat until you find the threat actor. This exercise can take multiple days of your best people, with no guarantee of results.”

“In this example, the threat hunter suspects that the threat actor begins the attack by spear phishing employees in his company,” Barde said. “So they provide a hypothesis to Simbian in natural language like this: ‘Check whether we are experiencing a targeted spear-phishing attack. Some phishing emails may have bypassed the phishing filter. Determine whether any users interacted with these emails (e.g., opened attachments, clicked links, or saved potentially malicious payloads), and assess the resulting impact, if any.’”

By automating the mechanical and reasoning aspects of threat hunting across large volumes of data from Sentinel data lake, customers can hunt broader and deeper to uncover threats that matter and focus on the creative side of threat hunting.

“Typically a threat hunter starts with incomplete information about the threat actor,” Barde commented. “Based on that partial information and their intuition, they formulate multiple hypotheses like the above about how and where the threat actor may be operating. Then they validate each hypothesis.

“This validation is laborious,” he added. “First, the hunter must find what security data is available that is relevant to the hypothesis. For example, in the hypothesis provided above, the hunter will find the relevant data across their email gateway (Proofpoint, Abnormal, Microsoft Defender for M365, etc.) and their EDR (CrowdStrike, Microsoft Defender for Endpoint, etc.). Second, they must write queries for those tools to retrieve the said data, and this may need reading docs, as not everyone is familiar with every tool’s query language. Third, if there is any data that appears malicious, the hunter must pursue that lead to confirm.

“This step can take the hunter multiple hours for each hypothesis,” Barde emphasized. “This slows them down. What if the hunter could just offload this to AI? That’s what we are doing.”
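As an added illustration (not Simbian’s code or its internal algorithm), the three validation steps above can be sketched in Python over constructed email-gateway, URL-click and endpoint records: find the emails from the suspect sender that bypassed the filter, check whether the recipient interacted with them, and look for endpoint impact shortly after. All field names, domains and sample values are assumptions.

```python
# Added example, not Simbian's code: validate the article's spear-phishing hypothesis by
# correlating constructed email-gateway, URL-click and EDR records (field names are assumed).
EMAIL_EVENTS = [  # constructed email-gateway records
    {"msg_id": "m1", "recipient": "alice@corp.example", "sender": "ap@inv-portal.example",
     "verdict": "delivered", "url": "https://inv-portal.example/doc"},
    {"msg_id": "m2", "recipient": "bob@corp.example", "sender": "news@vendor.example",
     "verdict": "delivered", "url": "https://vendor.example/news"},
    {"msg_id": "m3", "recipient": "carol@corp.example", "sender": "ap@inv-portal.example",
     "verdict": "quarantined", "url": "https://inv-portal.example/doc"},
]
CLICK_EVENTS = [  # constructed URL-click records (unix time in "ts")
    {"user": "alice@corp.example", "url": "https://inv-portal.example/doc", "ts": 1000},
]
EDR_EVENTS = [  # constructed endpoint records
    {"user": "alice@corp.example", "event": "file_write",
     "path": r"C:\Users\alice\Downloads\doc.exe", "ts": 1005},
    {"user": "alice@corp.example", "event": "process_start",
     "path": r"C:\Users\alice\Downloads\doc.exe", "ts": 1030},
    {"user": "alice@corp.example", "event": "process_start",
     "path": r"C:\Windows\System32\notepad.exe", "ts": 9999},  # outside the window
]
SUSPECT_DOMAINS = {"inv-portal.example"}  # constructed: sender domain from the tip

def validate_hypothesis(emails, clicks, edr, suspect_domains, window=600):
    """One chain per suspect email that bypassed the filter: delivered -> clicked -> endpoint impact."""
    chains = []
    for mail in emails:
        if mail["sender"].split("@")[-1] not in suspect_domains or mail["verdict"] != "delivered":
            continue  # not from the suspect domain, or the phishing filter already caught it
        user = mail["recipient"]
        chain = {"msg_id": mail["msg_id"], "user": user, "clicked": False, "impact": []}
        for click in clicks:
            if click["user"] != user or click["url"] != mail["url"]:
                continue
            chain["clicked"] = True
            # Endpoint activity by the same user within `window` seconds after the click
            hits = sorted((e for e in edr if e["user"] == user
                           and click["ts"] <= e["ts"] <= click["ts"] + window),
                          key=lambda e: e["ts"])
            chain["impact"] = [(e["event"], e["path"]) for e in hits]
        chains.append(chain)
    return chains

def classify(chain):
    """Triage label: how far along the chain the evidence reaches."""
    if any(event == "process_start" for event, _ in chain["impact"]):
        return "confirmed"      # payload executed: hand off to incident response
    if chain["clicked"]:
        return "interaction"    # clicked but no execution seen: inspect the host further
    return "delivered_only"     # landed unread: tighten the filter, notify the user
```

In a real hunt the three record sets would come from queries against the email gateway, click telemetry and EDR (or a lake that holds all three), and the time window and domain list would come from the intel that started the hunt.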

Hunting broader and deeper refers here to the fact that Simbian is leveraging data in Sentinel data lake, which is capable of storing and efficiently retrieving months of historical data across the entire enterprise.

“This allows the hunter to cast a wide net,” Barde stated.

This completes the lifecycle of threat hunting, providing the foundation of Superintelligence for Accelerated Security. Superintelligence in AI refers to the ability to do tasks that are beyond human capability.

“Simbian’s mission is to build superintelligence to accelerate security operations,” Barde explained. “The threat hunting agent, by using AI and Sentinel data lake, is able to conduct hunts at a scale that human threat hunters just cannot. Simbian’s AI Threat Hunt Agent is validating the user-provided hypothesis using AI and its internal algorithm.”

Barde said that the speed at which threat hunting takes place really matters.

“While detection tooling has made tremendous strides in the last few years, nobody can claim to have 100% detection coverage,” he said. “The gap is going to get worse as threat actors use AI to customize attacks, and use low and slow attacks to evade defenses. As organizations receive threat intel relevant to them, they can no longer be complacent that their detections will suffice. They must gear up to threat hunt proactively based on the received intel.”

Barde said the channel opportunity here is significant.

“Simbian is channel-first,” he emphasized. “MSSPs and MDRs often provide threat hunting services to their clients but are constrained by the number of threat hunters. Our AI Threat Hunt Agent will help them scale such services. Most enterprises do not have in-house threat hunters, so we rely on MSSPs and MDRs to provide threat hunting services, aided by Simbian’s agents.”