False positive alerts are the bane of any Security Operations Center (SOC). A false positive suggests something is wrong and requires a security analyst’s attention, preferably as soon as possible. But the alert turns out to be false: there’s nothing wrong. Unfortunately, determining that there’s nothing wrong takes time. And time is one of a SOC’s two most precious assets. (The other is expertise.)

When security attacks are as subtle and sophisticated as they are today, security analysts need all the time they can get to investigate alerts that are genuine. They also need time to engage in proactive threat hunting. False positives take time away from both these activities.

SOCs today receive anywhere from tens of thousands to millions of alerts daily, and the vast majority of those alerts turn out to be false. Technology can dramatically reduce the staggeringly high number of false positives that analysts have to investigate. What kind of technology? Machine learning is a key component in reducing false positives and improving a SOC’s overall responsiveness.

In this post, the third in our series about SOAR+ security automation platforms, we’ll look at machine learning and the benefits it offers for alert triage and reducing Mean Time to Resolution (MTTR) for security tickets in the SOC.

Machine Learning for Alert Triage and Resolving Threats

A SOC typically receives alerts from a Security Information and Event Management (SIEM) platform, which aggregates alerts from other security tools, devices, and systems on the network. As it aggregates alerts, the SIEM platform forwards them to security analysts. To handle this flood of information, some SOC teams have deployed a Security Orchestration, Automation and Response (SOAR) platform, which might enrich the data included in an alert (for example, it might check the reputation of an IP address mentioned in an alert) and might perform some rudimentary categorization of alerts.

Nothing in a SIEM or SOAR platform inherently reduces the number of false positives arriving in the SOC. To reduce that flood of faulty alerts, an organization has two choices, only one of which is practical:

  • Embed intelligence everywhere
    An organization could replace its entire IT infrastructure with smarter devices that could analyze local events, do a better job of discerning what is and what is not really a threat, and only raise alerts when a threat is real. Of course, this wholesale re-engineering is impossible to achieve. Smarter devices don’t exist at every level of IT infrastructure. Even if they did, the decision by individual devices whether or not to raise an alert would still require further analysis so that alerts could be correlated, since some security events can be discovered only by recognizing links between different alerts being raised by disparate systems.

  • Add intelligent automation in the SOC
    An organization could add intelligence automation in the SOC, so that automated analysis can do a better of job of figuring out which alerts are false positives and which are real. How is that intelligence automation going to make that determination? By building a model of what constitutes normal activity across the organization and recognizing the anomalies that suggest intruders in the network or some other kind of threat.

Building a Workable Model of Normal IT Activity with Machine Learning

Building a model of normal IT activity in a modern organization is a huge undertaking. Think of what’s involved: patterns of network traffic, patterns of logins, patterns of application access, a mobile workforce, new Internet of Things (IoT) devices, shadow IT, and more.

Any model, however large and complex, has to be flexible enough to account for gradual but legitimate changes over time, as well as daily, weekly, monthly, and quarterly fluctuations based on work schedules and business cycles.

Earlier generations of security tools attempted to use fixed rules to model IT activity. But simple rules aren’t flexible and detailed enough to avoid false positives in such a vast, fluctuating system.

For example, let’s say that you have a rule that says that network logins from the executive team should normally occur only during regular business hours at headquarters; otherwise, an alarm should be raised. But one day the CFO logs in at midnight. That login might trigger a flurry of alerts, unless the model is flexible enough to account for the CFO traveling once a month to meet with EMEA business partners. You don’t want to cut off the CFO’s access to internal apps because a rule-based security model wasn’t sufficiently nuanced.

To build a sufficiently sophisticated model for alert triage requires automation. Specifically, it requires machine learning – an automated approach to model building that derives a detailed collection of rules and guidelines (weighted based on likelihoods) of behavior observed over time. Machine learning learns by monitoring activity, building a model, observing more activity, refining the model, and so on. It becomes more accurate over time and adapts to changes automatically. It’s flexible when it needs to be, but rigid enough to raise an alert when a troubling anomaly occurs.

Because of its sophistication and accuracy, machine learning is an essential component of any SOAR platform designed to minimize false positives and give analysts more free time for threat mitigation and proactive threat hunting.

Benefits of Machine Learning for SOCs

By incorporating a machine-learning model of activity into a SOAR platform and SOAR playbooks (scripts used for analyzing and responding to alerts), a SOC can:

  • Dramatically reduce the number of false positives it investigates
    In some cases, it’s possible to eliminate 95% or more of alerts through machine learning and SOAR automation.

  • Confidently automate threat analysis
    Because the SOAR platform—extended with machine learning to become a SOAR+ platform—has a realistic model of how the organization’s IT infrastructure works, SOCs can trust the platform to perform threat analysis, which is normally performed by analysts themselves. Automating analysis saves more time and dramatically reduces MTTR for threats, enabling SOCs to stop attacks and contain damage much more quickly.

  • Confidently automate responses to alerts and threats
    Just as analysis becomes more accurate through machine learning, responses to alerts and threats become more accurate and effective as well. 

  • Gain free time for investigating real threats, including false negatives
    Has a SIEM system overlooked a genuine threat and classified it falsely as negative? To determine if that’s the case, security analysts need free time that they don’t have today. By reducing false positives and accelerating threat analysis and response times, machine learning gives analysts more free time to investigate important threats that might otherwise be overlooked.

  • Take advantage of a model for normal IT activity that becomes only more accurate over time
    Machine learning models automatically refine themselves by observing activity. In addition, they can be refined further, if needed, by analysts making adjustments themselves.

With security threats increasing in frequency and sophistication, leveraging machine learning in the SOC is a compelling and sensible strategy.

The LogicHub SOAR+ Platform and Machine Learning

Developed by security industry veterans and experienced data scientists, the LogicHub SOAR+ platform is the only security automation platform that automates alert triage, threat hunting, threat detection, and threat mitigation, enabling SOC teams to reduce MTTR rates and stay ahead of threats. By applying machine learning and advanced analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

To learn more about the LogicHub SOAR+ security automation platform and the benefits of its machine learning for SOC playbooks, contact a LogicHub sales representative today.