Analysts in Security Operations Centers (SOCs) are feeling overwhelmed, and the numbers tell the story. A 2018 survey of security professionals found that their organizations are receiving anywhere from 10,000 to over 1 million alerts per day. Even at the lower end of that scale, the volume of alerts is almost impossible for any team of security analysts to handle, especially if they’re still working with traditional security tools, such as SIEM (Security Information and Event Management) systems and SOAR (Security Orchestration, Automation, and Response) platforms.

SIEM systems monitor networks and devices and raise alerts when anomalies occur. Those alerts are often sent to SOAR platforms, where alert data is aggregated and enriched. The SOAR platform might feed that data to a case management system such as ZenDesk, giving analysts a formal (and enormous) queue of alert tickets to work through.

That work consists of a lot of analysis. Is this alert really an indication of a threat? How does one know? What information would be needed to make a determination? Where can that information be found? If the threat is genuine, what actions should be taken to mitigate it?

The Evolution of Threat Analysis: SOAR, UEBA, and SOAR+

SOAR platforms automate some of this analysis. For example, they might look up the reputation of an IP address involved in an alert, so that when an analyst opens the ticket for that alert, he or she can take the address’s reputation into consideration.

But SOAR platforms leave most of the difficult analytical work to analysts themselves. And that analysis takes time, especially because of requirements involving context and deep correlation.

Effective threat analysis involves correlating seemingly disparate factors, such as login activity, time of day, address location, and so on, and making a determination about whether an event actually constitutes a threat. Perhaps the CFO is an early riser, so the fact that he logged into an SAP system at 6:15 am isn’t that unusual. But if the company is based in Cincinnati and he logged in at 6:15 on Sunday morning from an IP address in Estonia, that should probably raise a flag.

User and Entity Behavioral Analytics (UEBA) systems attempted to address this sort of analysis by building a model of typical behavior for users and devices. But UEBA’s rule-based decision-making turned out to be too rigid, resulting in too many false positives in the alert queue—a major problem for SOC teams already overwhelmed by false positives.

SOAR+ is a new category of security solution that addresses the problem with advanced analytics that are more comprehensive, more detailed, and more accurate than the analytics offered by UEBA and SOAR.

By applying advanced analytics to the problem of alert triage and threat detection, a SOAR+ platform is able to automate much of the time-consuming cognitive work performed by security analysts. When tuned for an organization’s IT environment, a SOAR+ platform can deliver results with 95% or more of the accuracy of security analysts in just a fraction of the time.

Advanced Analytics for SOCs

How does a SOAR+ platform apply advanced analytics? Through playbooks that execute these steps automatically:

  • Data collection and enrichment
    Like SOAR platforms, SOAR+ collects alert data and enriches it automatically to accelerate analysis.

  • Multi-dimensional reductions
    Some events can be immediately labeled as known good or known bad. SOAR+ automatically makes these determinations, reducing the amount of data that needs to be analyzed in additional steps.

  • Deep correlation based on an organization’s environment
    To identify any possible threats in the remaining data, the analytics engine compares the alert data to a model of the organization’s IT activity, developed by applying machine learning to determine what’s normal for the organization over time. In this stage, the analytics engine automatically weights the scores of individual events and other factors. Security analysts can fine-tune these scores if needed. The result is analysis that is broader than traditional SOAR analysis and more subtle and accurate than traditional UEBA analysis.

  • Threat ranking
    Finally, the analytics engine combines the weighted scores to arrive at a risk assessment for the alert. The output of this stage makes it easy for security analysts to prioritize the alerts that require their attention.

  • Automated threat resolution
    In many cases, the output of the threat ranking stage can be fed directly into a threat mitigation process included in the playbook, enabling the SOAR+ platform not only to identify threats but to resolve them as well. Actions might include isolating a server, running an AV scan, closing a firewall port, and so on.
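The following added example (written for this page, not LogicHub's code) walks the CFO login scenario from earlier in the post through the first four playbook steps: enrichment, known-good/known-bad reduction, weighted correlation against a per-user baseline, and ranking. The baseline, IP intelligence table, alert records and weights are all constructed stand-ins; in a real deployment the baseline would be learned from the organization's activity and the weights tuned by analysts.

```python
from datetime import datetime

# Constructed baseline of "normal" for the post's CFO (stands in for the learned model):
# US-based, habitually logs in early on weekdays.
BASELINE = {"cfo": {"hours": set(range(5, 19)), "weekdays": {0, 1, 2, 3, 4}, "countries": {"US"}}}
# Constructed enrichment data (IP geolocation, reputation) and known-good / known-bad lists.
IP_INTEL = {"198.51.100.4": ("US", "clean"), "203.0.113.7": ("EE", "suspicious"),
            "192.0.2.9": ("US", "clean")}
KNOWN_BAD_IPS, KNOWN_GOOD_IPS = {"203.0.113.66"}, {"192.0.2.9"}  # e.g. the company's own scanner
# Analyst-tunable weights for the deep-correlation stage.
WEIGHTS = {"off_hours": 2, "weekend": 2, "unusual_country": 4, "bad_reputation": 3}
ALERTS = [  # constructed sample login alerts, not from the post
    {"id": "A1", "user": "cfo", "src_ip": "198.51.100.4", "time": "2024-03-05T06:15:00"},  # Tuesday
    {"id": "A2", "user": "cfo", "src_ip": "203.0.113.7", "time": "2024-03-10T06:15:00"},   # Sunday
    {"id": "A3", "user": "svc-scan", "src_ip": "192.0.2.9", "time": "2024-03-10T02:00:00"},
    {"id": "A4", "user": "cfo", "src_ip": "203.0.113.66", "time": "2024-03-06T12:00:00"},
]

def enrich(alert):
    """Step 1: attach geolocation, reputation and a parsed timestamp to the raw alert."""
    country, rep = IP_INTEL.get(alert["src_ip"], ("??", "unknown"))
    return {**alert, "country": country, "reputation": rep,
            "when": datetime.fromisoformat(alert["time"])}

def reduce_known(alert):
    """Step 2: label alerts that need no further analysis; None means 'analyze further'."""
    return ("known_bad" if alert["src_ip"] in KNOWN_BAD_IPS
            else "known_good" if alert["src_ip"] in KNOWN_GOOD_IPS else None)

def correlate(alert, weights=WEIGHTS):
    """Step 3: compare the alert with the user's baseline; return the weighted factors that fired."""
    base = BASELINE.get(alert["user"], {})
    hit = {"off_hours": alert["when"].hour not in base.get("hours", set()),
           "weekend": alert["when"].weekday() not in base.get("weekdays", set()),
           "unusual_country": alert["country"] not in base.get("countries", set()),
           "bad_reputation": alert["reputation"] != "clean"}
    return {k: weights[k] for k, v in hit.items() if v}

def triage(alerts=ALERTS, weights=WEIGHTS):
    """Step 4: run steps 1-3 on every alert and rank by risk score, highest first."""
    ranked = []
    for raw in alerts:
        a = enrich(raw)
        label = reduce_known(a)
        factors = {} if label else correlate(a, weights)
        score = {"known_bad": sum(weights.values()) + 1, "known_good": 0}.get(label, sum(factors.values()))
        ranked.append({"id": a["id"], "label": label, "score": score, "factors": factors})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

The Sunday login from Estonia (A2) ranks just below the known-bad source, with the factors that fired recorded so an analyst can see why; passing a different `weights` dict to `triage` is the analyst fine-tuning the post describes.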

Security analysts can fine-tune the event scoring and threat ranking to increase the accuracy of the machine-learning model and to reflect the SOC team’s priorities in addressing threats.

Benefits of SOAR+ Advanced Analytics for Security Analysts

SOAR+ advanced analytics offers important benefits for today’s SOCs. Advanced analytics:

  • Reduces a SOC’s workload
    By automating threat analysis, advanced analytics greatly reduces the workload of security analysts. False positives are immediately and accurately identified, eliminating most of the alerts in a security analyst’s queue.

  • Improves the accuracy of threat detection
    Applying deep correlation and machine learning enables a SOAR+ platform to identify threats more quickly and more accurately. Advanced analytics is particularly useful for identifying false negatives – alerts that might have been cursorily dismissed as benign using traditional analytical rubrics but are recognized as genuinely malicious when more sophisticated threat models are applied.

  • Becomes even more accurate over time automatically
    Because the advanced analytics engine accepts feedback from security analysts, supports a flexible weighting system for threat ranking, and refines its own threat model through iterative machine-learning techniques, the analytics engine becomes more accurate over time, giving analysts even more incentive to trust the engine with analysis that they formerly had to perform themselves.

  • Reduces Mean Time to Resolution (MTTR)
    Because advanced analytics quickly and accurately identifies threats, it enables SOCs to take action to resolve threats and restore the security of the organization.

The LogicHub SOAR+ Platform and Advanced Analytics

Advanced analytics are clearly what SOCs need to reduce their overwhelming workloads and be able to address security threats more quickly, effectively, and proactively.

Developed by security industry veterans and experienced data scientists, the LogicHub SOAR+ platform is the only security automation platform that delivers autonomous detection and response automation for SOC teams. By applying machine learning and advanced analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

To learn more about the LogicHub SOAR+ security automation platform, contact a LogicHub sales representative today. https://www.logichub.com/product