Utilizing SOC Automation to Enhance Threat Detection
Cybercrime has grown into a thriving industry and is expected to inflict over $5 trillion worth of damages annually by 2021, making the prevention and detection of cyberattacks paramount. Persistent efforts by enterprises to mitigate the risks of cyberattacks have brought AI (Artificial Intelligence) and ML (Machine Learning) into the cybersecurity landscape and, with them, automation. Cybersecurity automation is being hailed as the next big step in information security, largely because managing security policies by hand is cumbersome.
Reports from cybersecurity experts and industry research have consistently highlighted the shortage of skilled IT security personnel. In 2019, an estimated 40% or more of organizations lacked the cybersecurity skills needed to improve their security posture. Ironically, this is also one of the biggest obstacles to implementing cybersecurity automation: only 30% of organizations have an in-house team capable of operating security automation.
ABOUT CYBERSECURITY AUTOMATION
Today, numerous cybersecurity products are designed to automate processes. For instance, a vulnerability management or asset discovery product may be set up to scan for and automatically detect BYOD (bring your own device) endpoints on an organization's network, and anti-malware products identify threats and remove them according to the security policies the organization has defined. When new automation practices are discussed, two terms come up: Robotic Process Automation (RPA), and Security Operations Center (SOC) automation, which is when a SOC automates aspects of its defense such as detection, investigation, and response. One of the most common forms of SOC automation is SOAR (Security Orchestration, Automation and Response).
SOC AUTOMATION – USE CASES
The goal of SOC automation is to augment the SOC team and shorten the time from detection to remediation. Most SOCs are short-staffed, which makes it overwhelming, if not impossible, to handle the volume of alerts they see each day. By automating parts of the SOC workflow, the team can focus on complex threats instead of spending time on benign alerts or known threats, whose response can be automated end to end.
Research has identified the following seven use cases for SOC automation.
1. Incident analysis
Various AI techniques are used to mine security incident data, parse it by parameters, cluster incidents by common features, and assign risk scores. The core role of SOC analysts is to monitor for threats, but historically this has meant tedious and repetitive triage, which leads to misidentified threats, inefficient use of highly skilled analysts, staff burnout and turnover. AI scales analysis by casting a wide net over this data, one that keeps widening as more sources are added.
2. Landscape analysis
AI is harnessed to defend widening topologies. Companies are digitizing more and more of their operations, which includes updating old platforms and networks and developing new, often hybrid, ones. As more employees use cloud apps and mobile devices for work, and IoT deployments grow, the enterprise security perimeter spans far beyond the organization's traditional "four walls." Extensive network and endpoint security resources are required to manage all communications, transactions, connections, applications, and policies. These resources are often disconnected, which limits visibility into the risk profile. AI can reach and scale across these heterogeneous topologies, correlating threats and assessing how a threat to one resource may affect another.
3. Incident detection
This SOC automation use case differentiates and prioritizes classes of threats and distributes notifications or prevention activities accordingly. It can take many forms, from automating ticket creation and attaching pertinent remediation information to detecting the presence of malware before malicious files are opened. AI-powered incident detection is crucial for preventing attacks because it reduces dwell time and accelerates time to repair, but it also enables preemptive and proactive measures.
4. Incident response
AI is used to preempt malicious attacks by automating containment actions, orchestrating software, devices or networks, or deploying other specific safeguards. Incorporating AI's predictive capabilities helps complete the shift from reactive mitigation to a proactive cybersecurity strategy in an enterprise's fight against attackers. Adoption of AI-powered incident response in organizations today remains incremental, but a proactive approach to the never-ending cybersecurity storm is critical for enterprise security.
5. Emergent threat mitigation
SOC automation is used to learn about novel threats by recognizing patterns or clusters and feeding the result back into detection. Some companies are training machine learning algorithms to recognize attacks perpetrated by other machine learning algorithms, such as smart malware or automated attack bots that tailor attacks to specific victims.
These emerging, AI-based threat mitigation techniques will prove useful as attack tooling, such as malware, botnets, and ransomware, continues to mutate, and as AI itself is used in pernicious ways to target and manipulate user and business vulnerabilities.
6. Gamification of security training
AI can also be used to simulate diverse types of attacks and make the education process more fun, engaging and competitive for security analysts. Microsoft’s Into the Breach exercise is one example in which the company divided SOC analysts into different teams. The teams were challenged to defend against AI-generated threats, which were developed based on data and techniques derived from real-world attacks.
While nascent, this SOC automation application has the potential to scale a culture of security far beyond the SOC. Not only will it make security training more accessible, personalized and fun, but it can also arm the front line of cybersecurity with essential awareness and security workflow best practices.
7. Human SOC analyst augmentation
This is the AI market's term for using AI to sharpen human analysts' threat intelligence and response actions. Automated techniques are better at managing the volume of potential threat vectors, but AI is not equipped for complex problem-solving. Human analysts remain the essential arbiters who develop controls, explain attacker techniques and uncover attackers' motives. The highest performance and accuracy of machine learning are typically achieved by combining human and machine intelligence, so AI is unlikely to displace SOC analysts; rather, it supplements the team's efforts and talents.
CYBOWALL / CYBOSOC – AN AUTOMATION-MANUAL HYBRID SOLUTION
CyboWall is a next-gen cybersecurity solution that uses Artificial Intelligence and Machine Learning to reduce the complexity of cybersecurity and provide an integrated platform with unified visibility and management.
CyboSOC is a cloud-based management application for managing many CyboWall deployments from one dashboard. It was created so that MSP / MSSP organizations that service end customers with their own analysts can manage and monitor several CyboWall instances within one management application.
The CyboSOC management platform allows MSPs and MSSPs to connect to all CyboWall instances spread across end customers' sites and multi-site organizations, whether they are deployed on-premise (agentless) or operated through the cloud (agent-based).
CyboSOC main features:
- Remote monitoring and management of the different end-customer entities that operate CyboWall, under one management platform.
- Clear view of ongoing breach attempts in every CyboWall instance (each assigned to an end-user site).
- Remote analysis of ongoing alerts and events from every monitored CyboWall instance, including visibility into cyber-attacks against these entities.
- Centralized management of every CyboWall instance (end user), including assignment of new tenants and billing and invoicing procedures.
To learn more and to book a demo click here.
Written by: Ziv Simhon, VP of Sales at CYBOWALL
Can AI Solve the Lack of Manpower & Expertise in Cybersecurity?
There are several reasons why organizations today lack in-house AI and cybersecurity expertise:
- Cybersecurity and AI professionals are in high demand, but not enough supply exists.
- According to research into the UK cyber security labour market carried out on behalf of the Department for Digital, Culture, Media and Sport (DCMS), approximately 680,000 businesses (50%) have a basic cybersecurity skills gap.
- In small and medium-sized companies, responsibility for cybersecurity is usually placed on the IT manager, who has limited time and resources to stay current with new technologies and releases.
The problem is made worse by the fact that it takes human analysts to comb through security alerts and other "noise" to identify possible threats to the organization. That is not feasible with a small IT team, and it remains a struggle even for companies with fully staffed, specialized cybersecurity teams, systems, and other resources.
The use of Artificial Intelligence (AI) and Machine Learning (ML) can significantly improve security by increasing the amount of data that can be analyzed, which is particularly important for threat detection, and so reduce the likelihood and impact of cyber events. AI and ML can surface more security vulnerabilities and identify real threats faster than humans can. Despite this, because well-trained AI/cybersecurity staff are scarce, the burden of threat detection often falls on unqualified and inexperienced IT staff, which increases an organization's exposure.
Consider the overwhelming volume of alerts a security team is exposed to each day, which can easily exceed 5,000. AI can feed these alerts through threat models that assign severity profiles and surface the higher-risk ones first, so that busy security teams investigate real threats rather than "noise." This drastically reduces the number of alerts that must be dealt with each day.
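The incident-analysis use case above (cluster alerts by commonality, assign risk scores) and this paragraph's severity triage can be made concrete in a few dozen lines. The following is an added example, not CYBOWALL code and not any product's scoring model: it groups raw alerts by rule and source, suppresses an allowlisted scanner, and scores what remains from severity, asset criticality, a threat-intel match, and whether the same source tripped several different rules. The alerts, the allowlist, the criticality map and every weight are constructed for illustration.

```python
"""Alert triage: cluster raw alerts, suppress known-benign sources, score the rest.

Added example (not CYBOWALL code). The alerts, the allowlist, the asset
criticality map and the scoring weights are all constructed for illustration;
the weights are a starting point a SOC would tune, not values from any product.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample alerts in a SIEM-like shape (one dict per alert).
SAMPLE_ALERTS = (
    # 4 port-scan alerts from 10.0.0.5, the authorised vulnerability scanner
    [{"ts": f"2024-03-01T09:00:0{i}", "rule": "port_scan", "src": "10.0.0.5",
      "dst": f"10.0.1.2{i}", "severity": "low"} for i in range(4)]
    # 6 failed logins against the domain controller from one external IP
    + [{"ts": f"2024-03-01T09:10:{i:02d}", "rule": "failed_login",
        "src": "203.0.113.9", "dst": "10.0.1.2", "severity": "medium"} for i in range(6)]
    # one host trips a known-bad hash and, minutes later, a DNS beacon rule
    + [{"ts": "2024-03-01T09:15:00", "rule": "malware_hash", "src": "10.0.2.7",
        "dst": "-", "severity": "high", "indicator": "sha256:deadbeef"},
       {"ts": "2024-03-01T09:21:00", "rule": "dns_beacon", "src": "10.0.2.7",
        "dst": "c2.example", "severity": "medium", "indicator": "c2.example"},
       {"ts": "2024-03-01T09:30:00", "rule": "new_usb_device", "src": "10.0.3.3",
        "dst": "-", "severity": "low"}]
)

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6}
# Constructed context: asset criticality (higher = more important) and threat intel.
ASSET_CRITICALITY = {"10.0.1.2": 3}          # domain controller
KNOWN_BAD = {"sha256:deadbeef"}              # indicator from a threat-intel feed
APPROVED_SCANNERS = {"10.0.0.5"}             # allowlisted vulnerability scanner


@dataclass
class Cluster:
    rule: str
    src: str
    severity: str
    first_seen: str
    last_seen: str
    count: int = 0
    targets: Set[str] = field(default_factory=set)
    indicators: Set[str] = field(default_factory=set)
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def cluster_alerts(alerts: List[dict]) -> List[Cluster]:
    """Group alerts by (rule, source) so 50 scans of one subnet become one item."""
    clusters: Dict[Tuple[str, str], Cluster] = {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["src"])
        c = clusters.get(key)
        if c is None:
            c = clusters[key] = Cluster(a["rule"], a["src"], a["severity"], a["ts"], a["ts"])
        c.count += 1
        c.last_seen = a["ts"]
        c.targets.add(a["dst"])
        if a.get("indicator"):
            c.indicators.add(a["indicator"])
    return list(clusters.values())


def triage(alerts, asset_criticality=ASSET_CRITICALITY, known_bad=KNOWN_BAD,
           allowlist=APPROVED_SCANNERS) -> Tuple[List[Cluster], List[Cluster]]:
    """Return (ranked work queue, suppressed clusters), each carrying its reasons."""
    clusters = cluster_alerts(alerts)
    # A source that trips several different rules may be a multi-step attack.
    rules_per_src = defaultdict(set)
    for c in clusters:
        rules_per_src[c.src].add(c.rule)

    queue, suppressed = [], []
    for c in clusters:
        if c.src in allowlist:
            c.reasons.append(f"{c.src} is an approved scanner")
            suppressed.append(c)
            continue
        c.score = SEVERITY_WEIGHT[c.severity]
        c.reasons.append(f"severity {c.severity}")
        crit = max(asset_criticality.get(t, 0) for t in c.targets)
        if crit:
            c.score += crit
            c.reasons.append(f"targets a critical asset (+{crit})")
        if c.indicators & known_bad:
            c.score += 5
            c.reasons.append("matches known-bad indicator (+5)")
        if len(rules_per_src[c.src]) > 1:
            c.score += 2
            c.reasons.append("source also tripped other rules (+2)")
        volume = min(c.count, 10) // 5          # capped: 1000 alerts is not 1000x the risk
        if volume:
            c.score += volume
            c.reasons.append(f"{c.count} alerts in cluster (+{volume})")
        queue.append(c)
    queue.sort(key=lambda c: (-c.score, c.first_seen))
    return queue, suppressed


if __name__ == "__main__":
    work, noise = triage(SAMPLE_ALERTS)
    print(f"{len(noise)} cluster(s) suppressed, {len(work)} to investigate:")
    for c in work:
        print(f"  {c.score:>3}  {c.rule:<15} {c.src:<12} x{c.count}  {'; '.join(c.reasons)}")
```

On the constructed input the 13 raw alerts collapse to five clusters; the scanner's four port-scan alerts are suppressed, and the host that matched a known-bad hash and then beaconed ranks first, ahead of the six failed logins against the domain controller. Each cluster keeps a human-readable list of reasons, which is what an analyst needs to trust, or overrule, an automated ranking.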
The use of artificial intelligence in cybersecurity tools like CYBOWALL becomes a win-win: not only do they help find real threats, but they do it much faster than past methods. Where human teams may once have needed days (or even weeks) to explore and understand the nature of threats in their network, these AI capabilities can complete the analysis in a matter of seconds.
An effective threat detection solution must work across the entire organization: all physical sites, remote users, data centers, and cloud environments. If security teams need an extensive stack of tools to do this, the extra effort and complexity cost time and reduce their ability to properly detect, verify, and stop attacks.
CYBOWALL runs no fewer than 8 security engines through a unified management platform: asset management and protection, vulnerability assessment, intrusion detection, anomaly detection, malware hunter, honeypot, file integrity monitoring, and SIEM. These are orchestrated by the AI Attack Hunter, an autonomous machine learning and multi-step attack hunting engine.
This approach enables IT security teams to monitor larger volumes of suspicious behavior while reducing false positives, leaving the team a workload it can handle. Because the results from all these engines are collated into one dashboard, IT security teams don't have to toggle from one solution to the next, saving precious time and increasing productivity.
So to answer the question of whether AI can solve the lack of manpower and expertise in cybersecurity, the answer is a resounding yes.
Written by: Ziv Simhon, VP of Sales at CYBOWALL
User & Entity Behavior Analytics (UEBA), Explained
User and Entity Behavior Analytics, or UEBA, uses large datasets to model typical and atypical behaviors of humans and machines within a network. Because it analyzes behavioral patterns rather than file signatures, UEBA can detect attacks that involve no malware at all. UEBA also uses these models to assess the threat level, producing a risk score that can guide the appropriate response. Increasingly, UEBA uses machine learning to identify normal behavior and alert on anomalies and risky deviations that suggest insider threats, lateral movement, compromised accounts, and attacks.
Baselining is key to a UEBA system, as it is what makes deviations detectable. The UEBA system compares the established baseline with current user behavior, calculates a risk score, and determines whether the deviation is acceptable. If the risk score exceeds a set threshold, the system alerts security analysts in real time. By defining such baselines, UEBA can identify suspicious behavior, potential threats, and attacks that traditional antivirus may not detect.
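The baseline-compare-score-threshold loop described here, as an added example that is not CYBOWALL code: a per-user profile is learned from constructed login history (usual hours, countries, and outbound data volume), each new event is scored against it with reasons attached, and only scores over a threshold become alerts. It also handles the cold-start case, an entity with no baseline yet, which a naive implementation would either crash on or silently pass. The events, features and point values are constructed for illustration.

```python
"""UEBA-style baselining: learn each user's normal, score deviations, alert on threshold.

Added example (not CYBOWALL code). The login events, the feature choices and the
point values are constructed for illustration; a real deployment would tune them.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: alice logs in weekday mornings from Germany and moves
# roughly 50-58 MB per session. Twenty sessions is a small but usable baseline.
HISTORY = [
    {"user": "alice", "hour": 8 + i % 3, "country": "DE",
     "bytes_out": 50_000_000 + (i % 5) * 2_000_000}
    for i in range(20)
]

# Constructed events to score.
NORMAL_EVENT = {"user": "alice", "hour": 9, "country": "DE", "bytes_out": 55_000_000}
ANOMALOUS_EVENT = {"user": "alice", "hour": 3, "country": "BR", "bytes_out": 400_000_000}
UNKNOWN_USER_EVENT = {"user": "bob", "hour": 9, "country": "DE", "bytes_out": 10_000_000}

ALERT_THRESHOLD = 50


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-user profile: seen hours, seen countries, mean/std of bytes_out."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    baseline = {}
    for user, evs in by_user.items():
        sizes = [e["bytes_out"] for e in evs]
        avg = mean(sizes)
        # Floor the spread: a very tight history would otherwise flag trivial drift.
        spread = max(pstdev(sizes), 0.1 * avg, 1.0)
        baseline[user] = {
            "hours": {e["hour"] for e in evs},
            "countries": {e["country"] for e in evs},
            "bytes_mean": avg,
            "bytes_std": spread,
            "sessions": len(evs),
        }
    return baseline


def score_event(baseline: Dict[str, dict], event: dict) -> Tuple[int, List[str]]:
    """Risk score plus the reasons that contributed, for the analyst to read."""
    profile = baseline.get(event["user"])
    if profile is None:
        # Cold start: nothing to compare against. Flag it, but not as a full alert.
        return 25, ["no baseline for this user (new entity)"]
    score, reasons = 0, []
    z = (event["bytes_out"] - profile["bytes_mean"]) / profile["bytes_std"]
    if z > 3:
        score += 40
        reasons.append(f"outbound volume {z:.1f} std devs above normal")
    if event["country"] not in profile["countries"]:
        score += 30
        reasons.append(f"first login from {event['country']}")
    seen = profile["hours"]
    if not any(h in seen for h in (event["hour"] - 1, event["hour"], event["hour"] + 1)):
        score += 20
        reasons.append(f"login at hour {event['hour']:02d} outside usual window")
    return score, reasons


def evaluate(baseline, events, threshold=ALERT_THRESHOLD) -> List[dict]:
    """Score each event; return only those crossing the alert threshold."""
    alerts = []
    for e in events:
        score, reasons = score_event(baseline, e)
        if score >= threshold:
            alerts.append({"user": e["user"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for e in (NORMAL_EVENT, ANOMALOUS_EVENT, UNKNOWN_USER_EVENT):
        print(e["user"], score_event(base, e))
    print("alerts:", evaluate(base, [NORMAL_EVENT, ANOMALOUS_EVENT, UNKNOWN_USER_EVENT]))
```

Alice's routine 09:00 session scores zero; the 03:00 session from a new country pushing 400 MB scores 90 on all three features and is the only alert. Bob, who has no history, gets a moderate "new entity" score below the threshold rather than a spurious alert, which is the behaviour to want during onboarding or after a data-source outage resets the baseline.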
The 3 Pillars of UEBA
- Use cases: UEBA solutions report on the behavior of users and entities in a network to detect, monitor, and alert on anomalies. To be relevant, a UEBA solution needs to support multiple use cases.
Gartner sees UEBA being applied to use cases where finer-tuned analytics and gathering more context is essential, including:
– Malicious Insiders
– APT groups leveraging zero-day vulnerabilities
– Data exfiltration involving novel channels
– User Account access monitoring
- Data sources: UEBA solutions can ingest data from a general data repository. Such repositories include:
– Data warehouse
– Data lake
– Security Information and Event Management (SIEM)
- Analytics: UEBA solutions isolate anomalies using analytic methods, including machine learning, statistical models, rules, and threat signatures.
UEBA vs. SIEM
Security information and event management (SIEM) is a set of tools and technologies that gives organizations a comprehensive view of their IT security. It collects log and event data, provides visibility into normal patterns, and delivers alerts when unusual circumstances and events occur. SIEM resembles UEBA in that it uses user and entity information to define what is considered normal behavior and what is not.
SIEMs are good security management tools but are less sophisticated when it comes to advanced threat detection and response. They handle real-time, single-event threats rather easily, but may be unable to detect sophisticated attacks, because such attacks avoid simple one-off actions that match a rule and instead unfold as an extended campaign that can evade traditional threat management tools for weeks or even months.
UEBA solutions, on the other hand, can detect more sophisticated threats: activity that looks innocuous in isolation but over time forms a telling pattern. Malvertising is an example, a seemingly harmless advertising applet downloaded to the browser that collects user data or infects the user's device.
By stacking UEBA and SIEM tools together, enterprises are better able to defend themselves against a wide range of threats. By focusing less on system events and more on specific user or entity activities, UEBA builds a profile of an employee or entity based on usage patterns and sends out an alert if it sees unusual or suspicious user behavior.
With UEBA, suspicious user behavior can be detected in the cloud, on-premises, and inside business applications, with a short time-to-value. Other benefits include:
- The primary pro of UEBA is that it allows you to automatically detect a wide range of cyber-attacks
- Because UEBA allows fewer security analysts to do more, it can also significantly reduce your cybersecurity budget
- UEBA can drastically reduce the detection time of malware outbreaks by using algorithm-driven analytics to detect beaconing, lateral movement, or weaponization
- Outputs from the UEBA module can be correlated with SIEM events, making the original events more insightful than ever
- Discover suspicious user behavior by statically or dynamically enriching the original log data with information from machine learning models
- Incidents can be visualized using dashboards and search templates for faster threat hunting
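Beaconing, mentioned in the list above, is a good illustration of an algorithm-driven detection that a rule on any single event cannot express: an implant calling its controller every minute looks like one ordinary connection at a time and only stands out by the regularity of the gaps between connections. The following added example (not CYBOWALL code) computes, for every source/destination pair, the coefficient of variation of the inter-connection intervals and flags pairs whose timing is too regular to be human, while requiring a minimum number of samples so a handful of coincidental connections is not called a beacon. The connection records are constructed with a fixed random seed; the thresholds are illustrative.

```python
"""Beaconing detection: flag (src, dst) pairs whose connection timing is too regular.

Added example (not CYBOWALL code). The connection records are constructed with a
fixed random seed; the thresholds (minimum samples, maximum coefficient of
variation) are illustrative starting points, not values from any product.
"""
import random
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BASE_TS = 1_700_000_000  # constructed epoch start


def _constructed_connections() -> List[dict]:
    """Three constructed traffic patterns: an implant, a user browsing, a one-off."""
    rng = random.Random(7)
    events = []
    # Implant on 10.0.2.7 calls 198.51.100.10 every ~60 s with a few seconds of jitter.
    ts = BASE_TS
    for _ in range(20):
        events.append({"ts": ts, "src": "10.0.2.7", "dst": "198.51.100.10"})
        ts += 60 + rng.uniform(-3, 3)
    # A user on 10.0.3.3 browsing 93.184.216.34: gaps anywhere from 5 s to 10 min.
    ts = BASE_TS
    for _ in range(20):
        events.append({"ts": ts, "src": "10.0.3.3", "dst": "93.184.216.34"})
        ts += rng.uniform(5, 600)
    # Perfectly regular, but only three connections: too few to judge.
    for k in range(3):
        events.append({"ts": BASE_TS + k * 120, "src": "10.0.3.4", "dst": "203.0.113.50"})
    return events


SAMPLE_CONNECTIONS = _constructed_connections()


def find_beacons(events: List[dict], min_samples: int = 8,
                 max_cv: float = 0.15) -> Dict[Tuple[str, str], dict]:
    """Return pairs whose inter-connection intervals have a low coefficient of variation.

    CV = std/mean of the gaps. Human-driven traffic is bursty (CV well above 0.5);
    a timer-driven beacon, even with jitter, sits near 0. min_samples guards
    against calling a few coincidental connections a beacon.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:]) if b > a]  # drop duplicate timestamps
        if len(gaps) < min_samples:
            continue
        avg = mean(gaps)
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {"count": len(times), "interval_s": round(avg, 1), "cv": round(cv, 3)}
    return beacons


if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"beacon {pair[0]} -> {pair[1]}: every {info['interval_s']}s, cv={info['cv']}")
```

The implant is reported with an interval close to 60 s and a CV of a few percent; the browsing session is not, because its gaps vary by an order of magnitude; the three-connection pair is skipped by the sample minimum, and only appears if that minimum is lowered to 2. In production the same statistic is usually combined with the byte counts and destination reputation the SIEM already holds, since a legitimate software updater or monitoring agent is also a timer-driven client.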
UEBA + SIEM
With CYBOWALL you don't have to settle for either, as it offers both SIEM and UEBA technologies. In addition to those, CYBOWALL offers further security engines that help protect the organization from ongoing threats and cover:
- Asset Management
- Vulnerability Assessment
- File Integrity Monitor (FIM)
- Intrusion Detection (IDS)
- Malicious Traffic Detection
- Malware Hunter
The above security engines are orchestrated by UEBA as well, and by a powerful Attack Hunter™, an autonomous machine learning and multi-step attack hunting engine. Together, they allow organizations to manage all security threats from one unified platform, offering more protection than any other solution on the market.
Written by: Moshe Amiel, Cyber & AI Expert, Advisory Board Member at CYBOWALL