False positive alerts are the bane of any Security Operations Center (SOC). A false positive suggests something is wrong and requires a security analyst’s attention, preferably as soon as possible. But the alert turns out to be false: there’s nothing wrong. Unfortunately, determining that there’s nothing wrong takes time. And time is one of a SOC’s two most precious assets. (The other is expertise.)

When security attacks are as subtle and sophisticated as they are today, security analysts need all the time they can get to investigate alerts that are genuine. They also need time to engage in proactive threat hunting. False positives take time away from both these activities.

SOCs today receive anywhere from tens of thousands to millions of alerts daily, and the vast majority of those alerts turn out to be false. Technology can dramatically reduce the staggeringly high number of false positives that analysts have to investigate. What kind of technology? Machine learning is a key component in reducing false positives and improving a SOC’s overall responsiveness.

In this post, the third in our series about SOAR+ security automation platforms, we’ll look at machine learning and the benefits it offers for alert triage and reducing Mean Time to Resolution (MTTR) for security tickets in the SOC.

Machine Learning for Alert Triage and Resolving Threats

A SOC typically receives alerts from a Security Information and Event Management (SIEM) platform, which aggregates alerts from other security tools, devices, and systems on the network. As it aggregates alerts, the SIEM platform forwards them to security analysts. To handle this flood of information, some SOC teams have deployed a Security Orchestration, Automation and Response (SOAR) platform, which might enrich the data included in an alert (for example, it might check the reputation of an IP address mentioned in an alert) and might perform some rudimentary categorization of alerts.

Nothing in a SIEM or SOAR platform inherently reduces the number of false positives arriving in the SOC. To reduce that flood of faulty alerts, an organization has two choices, only one of which is practical:

  • Embed intelligence everywhere: An organization could replace its entire IT infrastructure with smarter devices that analyze local events, do a better job of discerning what is and what is not really a threat, and raise alerts only when a threat is real. Of course, this wholesale re-engineering is impossible to achieve. Smarter devices don’t exist at every level of IT infrastructure. Even if they did, each device’s local decision about whether to raise an alert would still require further analysis so that alerts could be correlated, since some security events can be discovered only by recognizing links between alerts raised by disparate systems.
  • Add intelligent automation in the SOC: An organization could add intelligent automation in the SOC, so that automated analysis does a better job of figuring out which alerts are false positives and which are real. How is that automation going to make that determination? By building a model of what constitutes normal activity across the organization and recognizing the anomalies that suggest intruders in the network or some other kind of threat.

Building a Workable Model of Normal IT Activity with Machine Learning

Building a model of normal IT activity in a modern organization is a huge undertaking. Think of what’s involved: patterns of network traffic, patterns of logins, patterns of application access, a mobile workforce, new Internet of Things (IoT) devices, shadow IT, and more.

Any model, however large and complex, has to be flexible enough to account for gradual but legitimate changes over time, as well as daily, weekly, monthly, and quarterly fluctuations based on work schedules and business cycles.

Earlier generations of security tools attempted to use fixed rules to model IT activity. But simple rules aren’t flexible and detailed enough to avoid false positives in such a vast, fluctuating system.

For example, let’s say that you have a rule that says that network logins from the executive team should normally occur only during regular business hours at headquarters; otherwise, an alarm should be raised. But one day the CFO logs in at midnight. That login might trigger a flurry of alerts, unless the model is flexible enough to account for the CFO traveling once a month to meet with EMEA business partners. You don’t want to cut off the CFO’s access to internal apps because a rule-based security model wasn’t sufficiently nuanced.

To build a sufficiently sophisticated model for alert triage requires automation. Specifically, it requires machine learning: an automated approach to model building that derives a detailed collection of rules and guidelines, weighted by likelihood, from behavior observed over time. Machine learning learns by monitoring activity, building a model, observing more activity, refining the model, and so on. It becomes more accurate over time and adapts to changes automatically. It’s flexible when it needs to be, but rigid enough to raise an alert when a troubling anomaly occurs.
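The CFO scenario above, as an added example that is not code from the original post or from LogicHub: it puts the rigid "executives log in only during business hours" rule side by side with a per-user hour-of-day baseline that is learned from observed logins and refined as new ones arrive. The executive list, the business-hours window, the likelihood threshold, the minimum-history requirement and all login records are assumptions constructed for the demonstration.

```python
"""Fixed rule versus learned login-time baseline (added example, not LogicHub code).

Contrasts a fixed business-hours rule with a per-user hour-of-day model that
is learned online and refined as legitimate logins are observed.  Every
login record here is constructed; nothing is taken from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXECUTIVES = {"cfo"}            # assumption: users the fixed rule applies to
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 at headquarters


def fixed_rule(user, ts):
    """The rule from the text: any executive login outside business hours alerts."""
    hour = datetime.fromisoformat(ts).hour
    return user in EXECUTIVES and hour not in BUSINESS_HOURS


class LoginBaseline:
    """Per-user hour-of-day model, learned online.

    Each user gets a 24-bin histogram of login hours.  The likelihood of a
    login at a given hour is its Laplace-smoothed relative frequency, so an
    hour seen a few times a quarter stays plausible while an hour never seen
    for that user falls below the threshold.  Until a user has enough history
    (cold start) the model defers to the fixed rule rather than treating a
    flat prior as "everything is normal".  Threshold and minimum history are
    assumed values for the demo, not tuned figures.
    """

    def __init__(self, threshold=0.02, min_observations=30):
        self.counts = defaultdict(lambda: [0] * 24)
        self.threshold = threshold
        self.min_observations = min_observations

    def observe(self, user, ts):
        """Refine the model with a login the SOC has accepted as legitimate."""
        self.counts[user][datetime.fromisoformat(ts).hour] += 1

    def likelihood(self, user, hour):
        c = self.counts[user]
        return (c[hour] + 1) / (sum(c) + 24)

    def is_anomalous(self, user, ts):
        if sum(self.counts[user]) < self.min_observations:
            return fixed_rule(user, ts)          # cold start: no baseline yet
        hour = datetime.fromisoformat(ts).hour
        return self.likelihood(user, hour) < self.threshold


def constructed_history():
    """Constructed CFO history: 60 daytime logins at HQ (09:00-16:00) plus one
    midnight login per month while travelling to meet EMEA partners."""
    start = datetime(2022, 3, 1, 0, 0)
    events = []
    for day in range(60):
        at = start + timedelta(days=day, hours=9 + day % 8)
        events.append(("cfo", at.isoformat()))
    for day in (14, 44, 74):                      # the monthly midnight logins
        events.append(("cfo", (start + timedelta(days=day)).isoformat()))
    return events


def triage(history, new_logins):
    """Return {timestamp: (fixed_rule_alerts, baseline_alerts)} for new logins."""
    model = LoginBaseline()
    for user, ts in history:
        model.observe(user, ts)
    return {ts: (fixed_rule(user, ts), model.is_anomalous(user, ts))
            for user, ts in new_logins}


if __name__ == "__main__":
    new = [
        ("cfo", "2022-06-13T00:05:00"),   # monthly EMEA trip: legitimate
        ("cfo", "2022-06-13T03:40:00"),   # never seen before: worth a look
        ("cfo", "2022-06-14T10:30:00"),   # ordinary daytime login
    ]
    for ts, (rule, baseline) in triage(constructed_history(), new).items():
        print(f"{ts}  fixed-rule alert={rule}  baseline alert={baseline}")
```

The fixed rule fires on both night-time logins; the baseline fires only on the 03:40 login, because the midnight hour already carries three observations in the CFO's history while 03:00 carries none. Two points a practitioner would keep in mind: the cold-start fallback means a brand-new account is judged by the rule, not by an empty histogram, and the rule says nothing about non-executives, so this single feature would sit alongside organization-wide detections rather than replace them. A production baseline would also carry weekly and quarterly seasonality and more features (source network, device), which this one-dimensional histogram deliberately leaves out.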

Because of its sophistication and accuracy, machine learning is an essential component of any SOAR platform designed to minimize false positives and give analysts more free time for threat mitigation and proactive threat hunting.

Benefits of Machine Learning for SOCs

By incorporating a machine-learning model of activity into a SOAR platform and SOAR playbooks (scripts used for analyzing and responding to alerts), a SOC can:

  • Dramatically reduce the number of false positives it investigates: In some cases, it’s possible to eliminate 95% or more of alerts from analyst review through machine learning and SOAR automation.
  • Confidently automate threat analysis: Because the SOAR platform, extended with machine learning to become a SOAR+ platform, has a realistic model of how the organization’s IT infrastructure works, SOCs can trust the platform to perform threat analysis that is normally performed by analysts themselves. Automating analysis saves more time and dramatically reduces MTTR for threats, enabling SOCs to stop attacks and contain damage much more quickly.
  • Confidently automate responses to alerts and threats: Just as analysis becomes more accurate through machine learning, responses to alerts and threats become more accurate and effective as well.
  • Gain free time for investigating real threats, including false negatives: Has the SIEM overlooked a genuine threat and classified it as benign? Determining whether that has happened takes free time that security analysts don’t have today. By reducing false positives and accelerating threat analysis and response, machine learning gives analysts more time to investigate important threats that might otherwise be overlooked.
  • Take advantage of a model of normal IT activity that only becomes more accurate over time: Machine learning models automatically refine themselves by observing activity. In addition, analysts can refine them further, if needed, by making adjustments themselves.

With security threats increasing in frequency and sophistication, leveraging machine learning in the SOC is a compelling and sensible strategy.

The LogicHub SOAR+ Platform and Machine Learning

Developed by security industry veterans and experienced data scientists, the LogicHub SOAR+ platform is the only security automation platform that automates alert triage, threat hunting, threat detection, and threat mitigation, enabling SOC teams to reduce MTTR and stay ahead of threats. By applying machine learning and advanced analytics to large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

To learn more about the LogicHub SOAR+ security automation platform and the benefits of its machine learning for SOC playbooks, contact a LogicHub sales representative today.
