Collaborative Intelligence: Topic Modelling of Large Language Model use in Live Cybersecurity Operations
Martin Lochner, Keegan Keplinger

TL;DR
This study analyzes how cybersecurity SOC operators use GPT-4 in live operations, revealing that they mainly leverage LLMs to understand complex texts, which can inform the development of collaborative tools.
Contribution
It introduces a novel topic modeling workflow to analyze LLM usage in cybersecurity operations, providing insights into user behavior and workflow integration.
Findings
SOC operators primarily use LLMs for understanding complex text strings.
Approximately 40% of LLM usage relates to interpreting complex commands.
The study suggests designing collaborative LLM tools to support SOC workflows.
Abstract
Objective: This work describes the topic modelling of Security Operations Centre (SOC) use of a large language model (LLM), during live security operations. The goal is to better understand how these specialists voluntarily use this tool.
Background: Human-automation teams have been extensively studied, but transformer-based language models have sparked a new wave of collaboration. SOC personnel at a major cybersecurity provider used an LLM to support live security operations. This study examines how these specialists incorporated the LLM into their work.
Method: Our data set is the result of 10 months of SOC operators accessing GPT-4 over an internally deployed HTTP-based chat application. We performed two topic modelling exercises, first using the established BERTopic model (Grootendorst, 2022), and second, using a novel topic modeling workflow.
Results: Both the BERTopic…
