The typical Security Operations Center (SOC) faces 10,000 alerts per day, most of which will turn out to be false positives. Investigating those alerts, false or not, takes time. There’s a lot to sort through, and it’s not uncommon for alerts that indicate the presence of a real attack to be misinterpreted or missed altogether. No wonder that 79% of security analysts are “overwhelmed by the volume of threat alerts,” according to EMA. And no wonder that the average dwell time for an attack is over 100 days. Security analysts often need that long to find enough evidence to detect, characterize, and shut down an attack.

The number of devices on internal networks is only going up, and the sophistication of security attacks is increasing. More alerts and higher risks mean more high-stakes work for SOCs to do right, while working with limited budgets and time.

Automation, SOAR, and SOAR+

How can SOCs make progress in threat detection? Automation is an obvious answer. Over the past few years, many SOCs have deployed Security Orchestration, Automation and Response (SOAR) platforms. These platforms automate two stages of a SOC team's work. They automate the collection and enrichment of data before SOC teams perform their threat analysis, and they can automate some basic responses, such as closing ports and isolating servers, once that analysis is complete.

SOAR+ fills the gap.

The LogicHub SOAR+ platform is the only security automation platform that delivers autonomous detection and response automation for security operations teams. By applying machine learning and analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

Autonomous Threat Detection with SOAR+

How does LogicHub provide autonomous threat detection for SOCs?

The LogicHub SOAR+ platform enables security analysts to run playbooks on streams of data at regular intervals.

A stream is a periodic collection of data. For example, it might be a process that runs every 10 minutes and collects all new log entries in Splunk or from a SIEM platform such as ArcSight or SumoLogic. The stream then makes this data available for analysis by one or more playbooks.

Each playbook consists of one or more logical flows. Each flow analyzes data, applies machine-learning-based weighting systems to events, and assigns scores to events, flagging the most important events as requiring the attention of security analysts.

As part of the analysis, LogicHub might compare data to known malicious patterns. It might check the reputation of IP addresses. And using machine learning, it might compare recent activity to the baseline behavior observed over days, weeks or months, making it easier to detect suspicious anomalies.

Each of these analyses gets its own score. Then the flow combines and correlates scores to come up with an overall score. If an incident receives a high score, such as 8, 9, or 10 out of 10, the flow automatically opens a case for the incident in the LogicHub case management system. Optionally, it can open a case in another case management system, such as ZenDesk, which has been integrated with LogicHub. Analysts can fine-tune flows as needed to make their analysis even more accurate over time.
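The stream, flow, scoring and case-opening steps described above, as an added toy illustration (hypothetical code, not LogicHub's own): three per-host analyses each produce a 0-10 score, the flow correlates them into an overall score, and only hosts scoring 8 or above become cases. All reference data, the event batch and the baselines are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_BAD_PROCESSES = {"known_bad_tool.exe"}   # constructed stand-in for a pattern feed
BAD_REPUTATION_IPS = {"203.0.113.7"}           # TEST-NET-3 documentation address, constructed
CASE_THRESHOLD = 8                              # a score of 8, 9 or 10 out of 10 opens a case

def pattern_score(events):
    """0-10: does any event match a known malicious process pattern?"""
    return 10 if any(e.get("process", "").lower() in KNOWN_BAD_PROCESSES for e in events) else 0

def reputation_score(events):
    """0-10: does any event talk to an IP with bad reputation?"""
    return 10 if any(e.get("dst_ip") in BAD_REPUTATION_IPS for e in events) else 0

def anomaly_score(recent_count, baseline_counts):
    """0-10: how far the recent count sits above its historical baseline (2 points per sigma)."""
    mu, sigma = mean(baseline_counts), pstdev(baseline_counts)
    if sigma == 0:                      # flat baseline: any increase is anomalous
        return 10 if recent_count > mu else 0
    return max(0, min(10, round(2 * (recent_count - mu) / sigma)))

def overall_score(scores):
    """Correlate: the strongest signal, +1 for each additional analysis that fired, capped at 10."""
    fired = [s for s in scores if s > 0]
    return min(10, max(fired) + len(fired) - 1) if fired else 0

def run_flow(stream_batch, baselines):
    """One flow over one stream interval: group events by host, score, open cases above threshold."""
    by_host = defaultdict(list)
    for e in stream_batch:
        by_host[e["host"]].append(e)
    cases = []
    for host, events in by_host.items():
        scores = {"pattern": pattern_score(events),
                  "reputation": reputation_score(events),
                  "anomaly": anomaly_score(len(events), baselines.get(host, [len(events)]))}
        total = overall_score(list(scores.values()))
        if total >= CASE_THRESHOLD:     # below threshold: no analyst ever sees it
            cases.append({"host": host, "score": total, "detail": scores})
    return cases

# Constructed 10-minute batch: ws01 is quiet, ws02 runs a known-bad tool and connects to a
# bad-reputation IP, srv03 shows failed logins well above its usual rate.
SAMPLE_BATCH = (
    [{"host": "ws01", "process": "outlook.exe", "dst_ip": "198.51.100.4"}] * 3
    + [{"host": "ws02", "process": "known_bad_tool.exe", "dst_ip": "203.0.113.7"}]
    + [{"host": "srv03", "process": "sshd", "event": "failed_login"}] * 8
)
# Events per 10-minute interval observed over the past day, per host (constructed).
BASELINES = {"ws01": [3, 4, 2, 3, 5], "ws02": [1, 2, 1, 1, 2], "srv03": [5, 6, 4, 5, 5]}
```

Calling `run_flow(SAMPLE_BATCH, BASELINES)` opens two cases, ws02 at 10 (pattern and reputation both fired) and srv03 at 9 (anomaly only), while ws01 never reaches an analyst.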

The result of this autonomous threat detection? Security analysts no longer have to pore over hundreds or thousands of alerts per day. Instead, they simply open the cases that LogicHub’s automated analysis flagged as requiring attention. The platform eliminates 97% of false positive alerts, enabling analysts to focus just on the incidents that matter. When analysts' work is focused on the threats that matter, and the cases for those threats include detailed analysis, Mean Time To Resolution (MTTR) plummets, and the organization overall becomes more secure.

Conclusion: SOAR+ Provides the Threat Detection SOCs Desperately Need

SOAR platforms and the LogicHub SOAR+ platform share a common goal: help security analysts detect and respond to threats more quickly. The difference is that, by providing autonomous threat detection through automated playbooks, SOAR+ automates much more of security analysts' work, reducing distractions and giving them the detailed case data necessary for stopping threats fast.

Autonomous threat detection continually analyzes streams of data, discovers incidents that could be possible threats, and opens cases for just those incidents. It streamlines work for security analysts, frees them from the drudgery of examining false positives, and lets them focus on doing what they do best: analyzing incidents and protecting their organization’s IT infrastructure.

To learn more about the LogicHub SOAR+ security automation platform, read our use case or contact a LogicHub sales representative.
