While SIM and other security analytics products can detect and alert on “known” threats, they are ineffective at recognizing threats that the system has not already been taught to detect. (To learn more about why that is, read Monica Jain’s blog post, 5 Key limitations of doing Threat Detection with Rules.)

The simple truth about threat detection is that the intelligence needed to detect and prevent most threats already exists today: it resides in cyber hunters (or cyber analysts). The problem is that these skilled human resources don’t scale well—and we do need to scale, as large enterprises have roughly 100x-1000x more data than their cyber hunters and analysts have the bandwidth to investigate.

The solution is to capture that intelligence, skills and intuition/context, automate it using software, and put it to work combatting the growing volume and complexity of today’s threats. That concept is at the core of Security Intelligence Automation (SIA).

SIA relies on 5 key innovations to automate human security intelligence:

Key 1: Create a repository of security domain knowledge

Domain knowledge is the understanding of what event data means and how it relates to the real world. Security analysts bring the breadth and depth of their personal experience in the industry, function, and role to bear on the decision-making they have to do as part of alert triage and cyberhunting.

Automated threat detection won’t match the effectiveness of a human cyber analyst unless it has access to a similar knowledge base and can draw on it as part of the decision-making process.

With automation, it is entirely possible that the system can access a much deeper set of domain knowledge than any one person can hold in his head—much like Google or Wikipedia.

Key 2: Capture investigative expertise

Not only do security analysts have a semantic understanding of what the data means; they also know how to tie it to other pieces of data to build the richer context on which their decisions rest.

By capturing and applying this expertise, it is possible to rank threats with an effectiveness comparable to a seasoned human analyst.

SIA can help us capture the investigative process with very little overhead: it only needs to track the steps a cyber analyst already performs daily while investigating and triaging alerts to determine whether an incident is real.

Key 3: Reduce complex events into more generic events

A critical tool that many analysts apply to the problem of threat detection is the ability to group events into “similar” events and then reason over those groups rather than over individual events. This is a reduction: it is called a reduction because it maps a very large number of similar events onto a few more generic event categories.

In a reduction, when a generic category is ranked higher in the system, every event that maps to that category is ranked higher too, because those events are similar. SIA products should provide a powerful library of reductions that analysts can use out of the box, and should also make it very easy for analysts to add their own reductions to the library.
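The reductions and rank propagation described above, as an added example in Python that is not part of the original post (the event fields, category names and rank values are constructed assumptions):

```python
# Constructed sample events from three log sources (the field names are assumptions).
EVENTS = [
    {"id": 1, "source": "windows", "event_id": 4625, "user": "alice", "host": "ws01"},
    {"id": 2, "source": "sshd", "msg": "Failed password for bob from 10.0.0.5", "host": "srv02"},
    {"id": 3, "source": "vpn", "result": "AUTH_FAILURE", "user": "carol", "host": "vpn01"},
    {"id": 4, "source": "windows", "event_id": 4624, "user": "alice", "host": "ws01"},
    {"id": 5, "source": "sshd", "msg": "Accepted publickey for dave from 10.0.0.9", "host": "srv02"},
]

# A reduction maps a raw event to a generic category, or None when it does not apply.
def reduce_windows_auth(ev):
    if ev.get("source") != "windows":
        return None
    return {4625: "auth_failure", 4624: "auth_success"}.get(ev.get("event_id"))

def reduce_sshd_auth(ev):
    msg = ev.get("msg", "") if ev.get("source") == "sshd" else ""
    if msg.startswith("Failed password"):
        return "auth_failure"
    if msg.startswith("Accepted "):
        return "auth_success"
    return None

# The out-of-the-box library, plus an analyst-added reduction for a source it lacks.
LIBRARY = [reduce_windows_auth, reduce_sshd_auth]

def reduce_vpn_auth(ev):
    if ev.get("source") == "vpn" and ev.get("result") == "AUTH_FAILURE":
        return "auth_failure"
    return None

def apply_reductions(events, reductions):
    """Group event ids by category; events no reduction matches go to 'unreduced'."""
    groups = {}
    for ev in events:
        cats = [c for c in (r(ev) for r in reductions) if c]
        groups.setdefault(cats[0] if cats else "unreduced", []).append(ev["id"])
    return groups

def rank_events(events, category_rank, reductions):
    """Propagate each category's rank to every event that reduces to it."""
    ranks = {}
    for cat, ids in apply_reductions(events, reductions).items():
        for i in ids:
            ranks[i] = category_rank.get(cat, 0)
    return ranks
```

With only the stock library, the VPN failure stays unreduced and inherits no rank; adding the analyst's one-line reduction pulls it into the same category as the Windows and sshd failures, so a single rank change covers all three sources.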

Key 4: Incorporate human classification and prioritization via smart tools

At its core, threat detection is a threat prioritization or threat classification problem. We have shown how rules barely scratch the surface of that problem: they look only for the “known bad” events instead of trying to catch both the “known” and the “new unknown” bad activity. That job is often left to cyber hunters and cyber analysts.

An SIA product should offer these cyber hunters and cyber analysts tools to explore a set of security events with the goal of classifying them in a methodical, evidence-backed way. As they do so, automation tools capture the process and it becomes part of the algorithm. The captured workflow can then be applied to prioritize future events automatically, or to re-prioritize events from the past.

Key 5: Process and assimilate analyst feedback easily

Security monitoring has to succeed in a constantly changing environment. The threat landscape is never static, and a security analyst’s understanding of the environment he operates in keeps getting refined. All of this happens very naturally for a human. However, adapting the threat detection logic in our current systems is not nearly as seamless.

Taken together, these five concepts constitute Security Intelligence Automation, a technology that can dramatically improve your analysts’ productivity (by up to 300%) while equally dramatically driving down your time to threat discovery and resolution.
