Page 57 - Cyber Defense eMagazine - November 2017

Robotic automation can help reduce workloads by minimizing “swivel chair” tasks. It can save analysts the trouble of opening tickets, changing firewall rules, and so on. But it cannot address the time-consuming challenge of analyzing billions of alerts to detect hidden threats.


Sorting false positives from genuine security threats requires advanced cognitive abilities. A new generation of SecOps solutions applies cognitive automation to improve the accuracy of threat detection and thereby accelerate the mitigation of threats.

These new security automation products apply Machine Learning techniques to rapidly analyze SIEM alerts and other contextual data. Their deep ranking and correlation algorithms perform analysis far more sophisticated than the simple rule-based matching used by SIEM systems. These products can even take into account the context of events, which enables them to more easily identify false positives. Unlike robotic automation products that operate by rote, cognitive automation systems accept feedback and tuning from security analysts, so they can learn from experience and become more accurate over time.




ALIGNING INTELLIGENT AUTOMATION WITH SECOPS REQUIREMENTS

By differentiating automation from orchestration and robotic automation from cognitive automation, it’s possible to come up with a basic rubric for applying automation and orchestration to reduce workloads and improve outcomes in a SOC:

● Incident Response – Use orchestration that applies robotic automation to open tickets and make configuration changes to mitigate threats.

● Alert Triage – Orchestration is helpful for collecting investigative data, but for optimal results, use cognitive automation to distinguish false positives from genuine threats and to quickly understand those threats so they can be stopped.

● Threat Hunting – Rely on cognitive automation to perform sophisticated analysis at scale, discovering deep correlations to uncover unknown threats.

With this rubric in mind, SecOps teams can develop strategies for investing in new security technologies, confident that they have aligned new product capabilities with specific work requirements in the SOC.

If a SOC is overwhelmed by the volume of security alerts it is receiving, it should invest in cognitive automation. Automating analysis of alerts can greatly speed the identification of false positives, dramatically reducing the number of alerts that analysts need to investigate. In some enterprises, cognitive automation has been able to reduce false positives by as much as 95%.

Additionally, if a SOC is concerned about detecting zero-day threats or data breaches that might leave a network vulnerable for weeks or months, then cognitive automation is a must. Machine Learning that goes beyond the rule-based analysis of SIEMs will be able to detect threats that most of today’s security products overlook.

Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.