Analysts in Security Operations Centers (SOCs) are overwhelmed, and the numbers tell the story. A 2018 survey of security professionals found that their organizations receive anywhere from 10,000 to over 1 million alerts per day. Even at the low end of that range, the volume is almost impossible for any team of analysts to handle, especially when they are still working with traditional tooling such as SIEM (Security Information and Event Management) systems and SOAR (Security Orchestration, Automation, and Response) platforms.

SIEM systems monitor networks and devices and raise alerts when anomalies occur. Those alerts are often forwarded to SOAR platforms, where the alert data is aggregated and enriched. The SOAR platform might then feed that data into a case management system such as Zendesk, giving analysts a formal (and enormous) queue of alert tickets to work through.

That work consists of a lot of analysis. Is this alert really an indication of a threat? How does one know? What information would be needed to make a determination? Where can that information be found? If the threat is genuine, what actions should be taken to mitigate it?

The Evolution of Threat Analysis: SOAR, UEBA, and SOAR+

SOAR platforms automate some of this analysis. For example, they might look up the reputation of an IP address involved in an alert, so that when an analyst opens the ticket for that alert, he or she can take the address’s reputation into consideration.

But SOAR platforms leave most of the difficult analytical work to the analysts themselves. And that analysis takes time, largely because it requires context and deep correlation across several data sources.

Effective threat analysis involves correlating seemingly disparate factors, such as login activity, time of day, source IP geolocation, and so on, and then deciding whether an event actually constitutes a threat. Perhaps the CFO is an early riser, so the fact that he logged into an SAP system at 6:15 am isn't unusual. But if the company is based in Cincinnati and he logged in at 6:15 on a Sunday morning from an IP address in Estonia, that should raise a flag.

User and Entity Behavior Analytics (UEBA) systems attempted to address this sort of analysis by building a model of typical behavior for each user and device. But UEBA's rule-based decision-making turned out to be too rigid in practice, producing too many false positives in the alert queue, a major problem for SOC teams already overwhelmed by false positives.

SOAR+ is a new category of security solution that addresses the problem with advanced analytics that are more comprehensive, more detailed, and more accurate than the analytics offered by UEBA and SOAR.

By applying advanced analytics to the problem of alert triage and threat detection, a SOAR+ platform is able to automate much of the time-consuming cognitive work performed by security analysts. When tuned for an organization’s IT environment, a SOAR+ platform can deliver results with 95% or better of the accuracy of security analysts in just a fraction of the time.

Advanced Analytics for SOCs

How does a SOAR+ platform apply advanced analytics? By automating the following steps in playbooks that run without analyst intervention:

  • Data collection and enrichment
    Like SOAR platforms, SOAR+ collects alert data and enriches it automatically (for example, with the IP reputation and geolocation lookups described above) to accelerate analysis.

  • Multi-dimensional reductions
    Some events can be immediately labeled as known good or known bad. SOAR+ automatically makes these determinations, reducing the amount of data that needs to be analyzed in additional steps.

  • Deep correlation based on an organization’s environment
    To identify any possible threats in the remaining data, the analytics engine compares the alert data to a model of the organization's IT activity, built by applying machine learning to the organization's own history to learn what is normal for it over time. In this stage, the analytics engine automatically weights the scores of individual events and other factors; security analysts can fine-tune these weights if needed. The result is analysis that is broader than traditional SOAR analysis and more subtle and accurate than traditional UEBA analysis.

  • Threat ranking
    Finally, the analytics engine combines the weighted scores to arrive at a risk assessment for the alert. The output of this stage makes it easy for security analysts to prioritize the alerts that require their attention.

  • Automated threat resolution
    In many cases, the output of the threat ranking stage can be fed directly into a threat mitigation process included in the playbook, enabling the SOAR+ platform not only to identify threats but to resolve them as well. Actions might include isolating a server, running an AV scan, closing a firewall port, and so on.

Security analysts can fine-tune the event scoring and threat ranking, both to increase the accuracy of the machine-learning model and to reflect the SOC team's priorities in addressing threats.
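The five stages above, and the CFO login scenario from earlier in the post, as one added Python illustration. This is example code written for this page, not LogicHub's code or a description of its internals: the "model" is a per-user frequency baseline built from constructed login history rather than a trained machine-learning model, all IP addresses, reputation lists, asset names and sensitivities are made up, and the factor weights and priority thresholds are the knobs the previous paragraph says analysts tune.

```python
"""Toy alert-triage pipeline: enrich -> reduce -> correlate -> rank -> act.

Added illustration of the five stages described on this page; it is not
LogicHub code. The "model" is a per-user frequency baseline built from
constructed login history, standing in for a trained machine-learning model.
All IP addresses, reputation lists and asset names are made up.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed reference data (documentation-range IPs, nothing real).
KNOWN_BAD_IPS = {"203.0.113.77"}      # e.g. a hit in a threat-intel feed
KNOWN_GOOD_IPS = {"198.51.100.10"}    # e.g. the corporate VPN egress address
GEOIP = {"198.51.100.10": "US", "203.0.113.77": "RU",
         "192.0.2.9": "US", "192.0.2.44": "EE"}
ASSET_SENSITIVITY = {"sap-prod": 1.0, "wiki": 0.2}   # 0..1, set by the SOC

# The knobs analysts tune: factor weights and the priority cut-offs.
WEIGHTS = {"hour": 0.2, "weekday": 0.2, "country": 0.4, "asset": 0.2}
THRESHOLDS = {"escalate": 0.6, "review": 0.3}

# Constructed history: the CFO logs in to SAP every weekday at 06:15 or 07:15
# from the same office address throughout May 2022.
HISTORY = [
    {"user": "cfo", "ts": f"2022-05-{d:02d}T{6 + d % 2:02d}:15:00",
     "src_ip": "192.0.2.9", "asset": "sap-prod"}
    for d in range(2, 28) if datetime(2022, 5, d).weekday() < 5
]

def build_baseline(history):
    """Learn, per user, how often each login hour, weekday and country occurs."""
    model = defaultdict(lambda: {"hour": Counter(), "weekday": Counter(),
                                 "country": Counter()})
    for ev in history:
        ts = datetime.fromisoformat(ev["ts"])
        m = model[ev["user"]]
        m["hour"][ts.hour] += 1
        m["weekday"][ts.weekday()] += 1
        m["country"][GEOIP.get(ev["src_ip"], "??")] += 1
    return model

def enrich(alert):
    """Stage 1: attach geolocation and IP reputation to the raw alert."""
    ip = alert["src_ip"]
    rep = "bad" if ip in KNOWN_BAD_IPS else "good" if ip in KNOWN_GOOD_IPS else "unknown"
    return {**alert, "country": GEOIP.get(ip, "??"), "reputation": rep}

def reduce_known(alert):
    """Stage 2: settle known-good / known-bad immediately; None means 'analyze'."""
    return {"bad": "escalate", "good": "suppress"}.get(alert["reputation"])

def rarity(counter, key):
    """0.0 when `key` is this user's most common value, 1.0 when never seen."""
    if not counter:
        return 1.0
    return 1.0 - counter[key] / max(counter.values())

def correlate(alert, model, weights=WEIGHTS):
    """Stage 3: score each factor against the user's baseline and weight it."""
    m = model[alert["user"]]
    ts = datetime.fromisoformat(alert["ts"])
    factors = {
        "hour": rarity(m["hour"], ts.hour),
        "weekday": rarity(m["weekday"], ts.weekday()),
        "country": rarity(m["country"], alert["country"]),
        "asset": ASSET_SENSITIVITY.get(alert["asset"], 0.5),
    }
    return round(sum(weights[k] * v for k, v in factors.items()), 3), factors

def rank(score, thresholds=THRESHOLDS):
    """Stage 4: turn the combined score into a queue priority."""
    if score >= thresholds["escalate"]:
        return "escalate"
    return "review" if score >= thresholds["review"] else "suppress"

def respond(verdict, alert):
    """Stage 5: pick the playbook action (returned as text, not executed)."""
    if verdict == "escalate":
        return f"disable_session user={alert['user']} asset={alert['asset']}"
    return "none"

def triage(alert, model):
    a = enrich(alert)
    verdict = reduce_known(a)
    if verdict is not None:                    # settled in the reduction stage
        score, factors = (1.0 if verdict == "escalate" else 0.0), {}
    else:
        score, factors = correlate(a, model)
        verdict = rank(score)
    return {"verdict": verdict, "score": score, "factors": factors,
            "action": respond(verdict, a)}

# Constructed alerts: the page's CFO scenario plus the two reduction shortcuts.
ALERTS = {
    "weekday_office":   {"user": "cfo", "ts": "2022-06-07T06:15:00", "src_ip": "192.0.2.9", "asset": "sap-prod"},
    "sunday_usual_ip":  {"user": "cfo", "ts": "2022-06-12T06:15:00", "src_ip": "192.0.2.9", "asset": "sap-prod"},
    "sunday_estonia":   {"user": "cfo", "ts": "2022-06-12T06:15:00", "src_ip": "192.0.2.44", "asset": "sap-prod"},
    "known_bad_ip":     {"user": "cfo", "ts": "2022-06-07T06:15:00", "src_ip": "203.0.113.77", "asset": "wiki"},
    "vpn_egress":       {"user": "cfo", "ts": "2022-06-07T06:15:00", "src_ip": "198.51.100.10", "asset": "sap-prod"},
}

def run(alerts=ALERTS, history=HISTORY):
    model = build_baseline(history)
    return {name: triage(a, model) for name, a in alerts.items()}

if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:16} {r['verdict']:9} score={r['score']:<5} action={r['action']}")
```

Run as a script, the weekday office login is suppressed, the Sunday login from the usual address lands in the review queue, and the Sunday login from Estonia is escalated with an action attached; the known-bad and VPN addresses never reach the correlation stage at all. Changing `WEIGHTS` or `THRESHOLDS` is the tuning step the text describes: raising the country weight, for instance, pushes any never-seen geolocation straight to escalation regardless of time of day.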

Benefits of SOAR+ Advanced Analytics for Security Analysts

SOAR+ advanced analytics offers important benefits for today’s SOCs. Advanced analytics:

  • Reduce a SOC's workload
    By automating threat analysis, advanced analytics greatly reduces the workload of security analysts. False positives are identified immediately and accurately, eliminating most of the alerts in an analyst's queue.

  • Improve the accuracy of threat detection
    Applying deep correlation and machine learning enables a SOAR+ platform to identify threats more quickly and more accurately. Advanced analytics is particularly useful for catching false negatives, alerts that would have been cursorily dismissed as benign under traditional analytical rubrics but are recognized as genuinely malicious when more sophisticated threat models are applied.

  • Become even more accurate over time
    Because the advanced analytics engine accepts feedback from security analysts, supports a flexible weighting system for threat ranking, and refines its own threat model through iterative machine-learning techniques, it becomes more accurate over time. That gives analysts growing reason to trust the engine with analysis they formerly had to perform themselves.

  • Reduce Mean Time to Resolution (MTTR)
    Because advanced analytics identifies threats quickly and accurately, it lets SOCs act sooner to contain threats and restore the organization's security posture.

The LogicHub SOAR+ Platform and Advanced Analytics

Advanced analytics are clearly what SOCs need to reduce their overwhelming workloads and be able to address security threats more quickly, effectively, and proactively.

Developed by security industry veterans and experienced data scientists, the LogicHub SOAR+ platform is the only security automation platform that delivers autonomous detection and response automation for SOC teams. By applying machine learning and advanced analytics on large data sets, LogicHub automates security analyst workflows and decisions, helping teams save time, find critical threats, and eliminate false positives.

To learn more about the LogicHub SOAR+ security automation platform, contact a LogicHub sales representative today.
