The typical Security Operations Center (SOC) faces 10,000 alerts per day, most of which will turn out to be false positives. Investigating those alerts, false or not, takes time. There’s a lot to sort through, and it’s not uncommon for alerts that indicate the presence of a real attack to be misinterpreted or missed altogether. No wonder that 79% of security analysts are “overwhelmed by the volume of threat alerts,” according to EMA. And no wonder that the average dwell time for an attack is over 100 days. Security analysts often need that long to find enough evidence to detect, characterize, and shut down an attack.
The number of devices on internal networks is only going up, and the sophistication of security attacks is increasing. More alerts and higher risks mean more high-stakes work for SOCs to do right, while working with limited budgets and time.
Automation, SOAR, and SOAR+
How can SOCs make progress in threat detection? Automation is an obvious answer. Over the past few years, many SOCs have deployed Security Orchestration, Automation and Response (SOAR) platforms. These platforms automate two stages of a SOC team's work. They automate the collection and enrichment of data before SOC teams perform their threat analysis, and they can automate some basic responses, such as closing ports and isolating servers, once that analysis is complete.
SOAR+ fills the gap between those two stages: the threat analysis itself.
The LogicHub SOAR+ platform is the only security automation platform that delivers autonomous detection and response automation for security operations teams. By applying machine learning and analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.
Autonomous Threat Detection with SOAR+
How does LogicHub provide autonomous threat detection for SOCs?
The LogicHub SOAR+ platform enables security analysts to run playbooks on streams of data at regular intervals.
A stream is a periodic collection of data. For example, it might be a process that runs every 10 minutes and collects all new log entries in Splunk or from a SIEM platform such as ArcSight or SumoLogic. The stream then makes this data available for analysis by one or more playbooks.
Each playbook consists of one or more logical flows. Each flow analyzes data, applies machine-learning-based weighting systems to events, and assigns scores to events, flagging the most important events as requiring the attention of security analysts.
As part of the analysis, LogicHub might compare data to known malicious patterns. It might check the reputation of IP addresses. And using machine learning, it might compare recent activity to the baseline behavior observed over days, weeks or months, making it easier to detect suspicious anomalies.
Each of these analyses gets its own score. Then the flow combines and correlates scores to come up with an overall score. If an incident receives a high score, such as 8, 9, or 10 out of 10, the flow automatically opens a case for the incident in the LogicHub case management system. Optionally, it can open a case in another case management system, such as ZenDesk, which has been integrated with LogicHub. Analysts can fine-tune flows as needed to make their analysis even more accurate over time.
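As an added illustration of the scoring and correlation flow just described (example code written for this article, not LogicHub's own; the log events, reputation list, malicious patterns, baselines and score weights are all constructed), three analyses each score an event, the flow correlates the strongest evidence per host across the batch, and a case is opened only when the combined score reaches 8 out of 10:

```python
from collections import defaultdict

# Constructed sample batch, standing in for one 10-minute stream pull from a SIEM.
STREAM = [
    {"host": "ws-17", "dst_ip": "203.0.113.9", "bytes_out": 900, "cmd": "chrome.exe"},
    {"host": "ws-17", "dst_ip": "10.0.0.8", "bytes_out": 60_000, "cmd": "powershell -enc JAB..."},
    {"host": "srv-db", "dst_ip": "10.0.0.5", "bytes_out": 1_000, "cmd": "sqlservr.exe"},
    {"host": "ws-02", "dst_ip": "203.0.113.9", "bytes_out": 500, "cmd": "chrome.exe"},
]
# Constructed enrichment data; a real flow would fetch these from threat intel and history.
BAD_IPS = {"203.0.113.9"}                   # IP reputation list
MALICIOUS_PATTERNS = ("-enc", "mimikatz")   # known-bad command-line fragments
BASELINE_BYTES = {"ws-17": 1_000, "srv-db": 20_000, "ws-02": 1_000}  # typical bytes_out per host

def score_pattern(event):
    """Known malicious pattern in the command line: 0 or 4."""
    cmd = event["cmd"].lower()
    return 4 if any(p in cmd for p in MALICIOUS_PATTERNS) else 0

def score_reputation(event):
    """Destination IP on the reputation list: 0 or 3."""
    return 3 if event["dst_ip"] in BAD_IPS else 0

def score_anomaly(event):
    """Outbound volume against the host's learned baseline: 0, 1 or 3."""
    base = BASELINE_BYTES.get(event["host"], 0)
    ratio = event["bytes_out"] / base if base else 0
    return 3 if ratio > 10 else 1 if ratio > 3 else 0

ANALYSES = {"pattern": score_pattern, "reputation": score_reputation, "anomaly": score_anomaly}

def score_event(event):
    """Per-analysis scores for one event plus their total, capped at 10."""
    parts = {name: fn(event) for name, fn in ANALYSES.items()}
    return min(10, sum(parts.values())), parts

def run_flow(stream, threshold=8):
    """Correlate per host: keep the strongest score for each analysis across the
    batch, sum them, and open a case when the combined score reaches the threshold."""
    evidence = defaultdict(lambda: {name: 0 for name in ANALYSES})
    for event in stream:
        _, parts = score_event(event)
        for name, value in parts.items():
            evidence[event["host"]][name] = max(evidence[event["host"]][name], value)
    cases = []
    for host, parts in evidence.items():
        total = min(10, sum(parts.values()))
        if total >= threshold:
            cases.append({"host": host, "score": total, "evidence": parts})
    return cases
```

On this batch neither ws-17 event crosses the threshold alone (scores 3 and 7), but correlated per host the evidence sums to 10 and one case is opened; ws-02's lone reputation hit stays below the line.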
The result of this autonomous threat detection? Security analysts no longer have to pore over hundreds or thousands of alerts per day. Instead, they simply open the cases that LogicHub's automated analysis flagged as requiring attention. The platform eliminates 97% of false positive alerts, enabling analysts to focus just on the incidents that matter. When analysts' work is focused on the threats that matter, and the cases for those threats include detailed analysis, Mean Time To Resolution (MTTR) plummets, and the organization overall becomes more secure.
Conclusion: SOAR+ Provides the Threat Detection SOCs Desperately Need
SOAR platforms and the LogicHub SOAR+ platform share a common goal: help security analysts detect and respond to threats more quickly. The difference is that, by providing autonomous threat detection through automated playbooks, SOAR+ automates much more of security analysts' work, reducing distractions and giving them the detailed case data necessary for stopping threats fast.
Autonomous threat detection continually analyzes streams of data, discovers incidents that could be possible threats, and opens cases for just those incidents. It streamlines work for security analysts, frees them from the drudgery of examining false positives, and lets them focus on doing what they do best: analyzing incidents and protecting their organization’s IT infrastructure.
To learn more about the LogicHub SOAR+ security automation platform, read our use case or contact a LogicHub sales representative.