The typical Security Operations Center (SOC) faces 10,000 alerts per day, most of which will turn out to be false positives. Investigating those alerts, false or not, takes time. There’s a lot to sort through, and it’s not uncommon for alerts that indicate the presence of a real attack to be misinterpreted or missed altogether. No wonder that 79% of security analysts are “overwhelmed by the volume of threat alerts,” according to EMA. And no wonder that the average dwell time for an attack is over 100 days. Security analysts often need that long to find enough evidence to detect, characterize, and shut down an attack.

The number of devices on internal networks is only going up, and the sophistication of security attacks is increasing. More alerts and higher risks mean more high-stakes work for SOCs to do right, while working with limited budgets and time.

Automation, SOAR, and SOAR+

How can SOCs make progress in threat detection? Automation is an obvious answer. Over the past few years, many SOCs have deployed Security Orchestration, Automation and Response (SOAR) platforms. These platforms automate two stages of a SOC team's work. They automate the collection and enrichment of data before SOC teams perform their threat analysis, and they can automate some basic responses, such as closing ports and isolating servers, once that analysis is complete.

SOAR+ fills the gap.

The LogicHub SOAR+ platform is the only security automation platform that delivers autonomous detection and response automation for security operations teams. By applying machine learning and analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

Autonomous Threat Detection with SOAR+

How does LogicHub provide autonomous threat detection for SOCs?

The LogicHub SOAR+ platform enables security analysts to run playbooks on streams of data at regular intervals.

A stream is a periodic collection of data. For example, it might be a process that runs every 10 minutes and collects all new log entries from Splunk or from another SIEM platform such as ArcSight or SumoLogic. The stream then makes this data available for analysis by one or more playbooks.

Each playbook consists of one or more logical flows. Each flow analyzes data, applies machine-learning-based weighting systems to events, and assigns scores to events, flagging the most important events as requiring the attention of security analysts.

As part of the analysis, LogicHub might compare data to known malicious patterns. It might check the reputation of IP addresses. And using machine learning, it might compare recent activity to the baseline behavior observed over days, weeks or months, making it easier to detect suspicious anomalies.

Each of these analyses gets its own score. Then the flow combines and correlates scores to come up with an overall score. If an incident receives a high score, such as 8, 9, or 10 out of 10, the flow automatically opens a case for the incident in the LogicHub case management system. Optionally, it can open a case in another case management system, such as ZenDesk, which has been integrated with LogicHub. Analysts can fine-tune flows as needed to make their analysis even more accurate over time.
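As an added illustration (not LogicHub's code and not a description of its internal scoring), here is a toy flow in Python over one constructed stream interval: three analyses of the kind listed above, pattern matching, IP reputation and baseline anomaly, each yield a 0 to 10 score, the flow correlates them into an overall score, and a score of 8 or above opens a case. Every pattern, address, weight and baseline value is an assumption made up for the example.

```python
"""Toy model of the stream -> playbook flow -> per-analysis scores -> combined score -> case
pipeline described above. Added illustration only, not LogicHub's code; every pattern,
address, weight, threshold and baseline value below is a constructed assumption."""
from statistics import mean, pstdev

CASE_THRESHOLD = 8                                      # the page's "8, 9 or 10 out of 10"
KNOWN_BAD = ("mimikatz", "certutil -urlcache")          # constructed "known malicious patterns"
IP_REPUTATION = {"203.0.113.7": 9, "198.51.100.2": 5}   # constructed reputation scores (TEST-NET IPs)
BASELINE_LOGINS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]        # constructed per-interval login counts for a user

def pattern_score(cmds):
    """10 if any command line matches a known malicious pattern, else 0."""
    return 10 if any(p in c.lower() for c in cmds for p in KNOWN_BAD) else 0

def reputation_score(ips):
    """Worst reputation among the source addresses seen; unknown addresses score 0."""
    return max((IP_REPUTATION.get(ip, 0) for ip in ips), default=0)

def anomaly_score(count, baseline):
    """How far this interval's count sits above the baseline: 2 * z-score, clamped to 0..10."""
    sigma = pstdev(baseline) or 1.0                     # avoid division by zero on a flat baseline
    return max(0, min(10, round(2 * (count - mean(baseline)) / sigma)))

def combine(scores):
    """Correlate: strongest signal, plus one point for each other analysis that also fired (>= 5)."""
    top = max(scores)
    corroborating = sum(1 for s in scores if s >= 5) - (1 if top >= 5 else 0)
    return min(10, top + corroborating)

def run_flow(batch, baseline=BASELINE_LOGINS):
    """Score one stream interval per user; return {user: (overall_score, case_opened)}."""
    verdicts = {}
    for user in {e["user"] for e in batch}:
        events = [e for e in batch if e["user"] == user]
        scores = [pattern_score(e["cmd"] for e in events),
                  reputation_score(e["src_ip"] for e in events),
                  anomaly_score(len(events), baseline)]
        overall = combine(scores)
        verdicts[user] = (overall, overall >= CASE_THRESHOLD)
    return verdicts

# Constructed 10-minute batch: bob is benign, carol has one login from a merely suspicious address,
# alice shows a login burst from a known-bad address that includes a credential-dumping tool name.
SAMPLE_BATCH = (
    [{"user": "bob", "src_ip": "192.0.2.10", "cmd": "notepad.exe report.txt"},
     {"user": "carol", "src_ip": "198.51.100.2", "cmd": "outlook.exe"}]
    + [{"user": "alice", "src_ip": "203.0.113.7", "cmd": "cmd.exe /c whoami"} for _ in range(11)]
    + [{"user": "alice", "src_ip": "203.0.113.7", "cmd": "mimikatz.exe"}]
)
```

Calling `run_flow(SAMPLE_BATCH)` yields a case for alice only: carol's single suspicious-IP login scores 5 and stays below the threshold, which is the kind of cutoff an analyst would tune over time.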

The result of this autonomous threat detection? Security analysts no longer have to pore over hundreds or thousands of alerts per day. Instead, they simply open the cases that LogicHub's automated analysis flagged as requiring attention. The platform eliminates 97% of false positive alerts, enabling analysts to focus just on the incidents that matter. When analysts' work is focused on the threats that matter, and the cases for those threats include detailed analysis, Mean Time To Resolution (MTTR) plummets, and the organization overall becomes more secure.

Conclusion: SOAR+ Provides the Threat Detection SOCs Desperately Need

SOAR platforms and the LogicHub SOAR+ platform share a common goal: help security analysts detect and respond to threats more quickly. The difference is that, by providing autonomous threat detection through automated playbooks, SOAR+ automates much more of security analysts' work, reducing distractions and giving them the detailed case data necessary for stopping threats fast.

Autonomous threat detection continually analyzes streams of data, discovers incidents that could be possible threats, and opens cases for just those incidents. It streamlines work for security analysts, frees them from the drudgery of examining false positives, and lets them focus on doing what they do best: analyzing incidents and protecting their organization’s IT infrastructure.

To learn more about the LogicHub SOAR+ security automation platform, read our use case or contact a LogicHub sales representative.
