Demystifying technology using AI security case studies in action
Many automation tools, such as SOAR, suffer from a Catch-22 irony: you know that automation saves you huge amounts of time, but is difficult to implement and requires skills you don’t need to have in- house. In essence, you can’t afford tools that will save you money.
To help with many of these tools, it now promises “no-code” capabilities, with intuitive GUIs that help non-programmers generate abstract functions. While this technique can help with SOAR automation, it is often not enough.
Recently, LogicHub has been applying machine learning to understand and automate the process of building security playbooks typically done by advanced automation experts. This is another example of breaking down a complex problem into factors and automating these steps to improve routine processes.
For example, in developing an anti-phishing playbook there are a few questions an experienced analyst will ask:
- What kind of email server are you using?
- What fields in email attachments do you want to check?
- Want to use external reputation tools like VirusTotal?
- What timeframes are you concerned about?
- What are the normal baselines for your users-logins, volume, downloads, etc.
LogicHub used the same AI approach and created a bot-based system called AuDRA (Autonomous Detection and Response Assistant) that interactively helps non-expert users by asking them important questions, getting there relevant information, establishing granular baselines, selecting review frequency, scoring a range of critical factors, and automatically generating complex security playbooks. The system tests the scoring model based on analyst feedback on a range of events, and quickly learns and adapts to the specific customer environment.
eBook: The Definitive Guide to AI and Automation Powered Detection and Response
Why Your Next SOC Assistants Are Bots (and Your Networks Will Be More Secure Than Ever)
Case Study #1: The Insurance Company Automates Threat Hunting
A mid-size insurance company in the midwest is faced with a dilemma: they want to increase proactive threat hunting to spot potential risks, while keeping a lean security team without relying on dozens of low-level and analyst.
As new threats are discovered and new vulnerabilities are published, the team needs tools to quickly assess their specific risks to their unique infrastructure. For example, if a threat affects specific endpoints with different levels of patching, can they look for examples of the threat while at the same time, prioritizing patching of vulnerable systems in their ITSM system?
In partnership with LogicHub, the security team conducted beta testing of the new AuDRA system to automate the development of unique playbooks. The team wants to integrate CVE alerts from the NVD (National Vulnerability Database), endpoint scans from their CrowdStrike EDR system, ticketing information from their ServiceNow system, and scanning logs from in a range of legacy security products and cloud applications.
Their goal is to quickly build new playbooks and update others to search for activity from the latest vulnerabilities such as Log4j, remote execution, and other zero-day threats. However, the development of these automation playbooks typically takes at least two weeks, with additional time for testing and tuning.
Using LogicHub AuDRA, several non -programmers on the team quickly defined parameters, connected to multiple resources, and developed advanced automation playbooks in a matter of hours. Even with ML testing and tuning, new playbooks were successfully deployed within 48 hours. The team saved approximately 85% of the time required to manually build playbooks, delivering results that would have been impossible without automation.
More importantly, the team quickly identified signs of a possible attack from these vulnerabilities, prioritized security patches, and in some cases, disabled older endpoints that could not be updated. quickly.
Don’t Trust – Measure
At the end of the day, it should not be a theoretical discussion, but should focus on measurable results. Can automation and machine learning improve efficiency, and produce higher quality results than just humans? To answer that, let’s look at a specific case study.
Forrester analyst Allie Mellen joined LogicHub as a feature guest speaker to discuss the evolution of SOAR technology and how AI could enable a new generation of solutions for SOC. Watch on-demand.
Case Study #2: Major US Bank streamlines SOC
The SOC team at a Top 10 US Bank is struggling to manage the flood of alerts from more than 400 hard-coded Splunk rules. One rule, designed to identify traffic to bad URLs in web proxy logs is triggered approximately 225 times per week.
Each alert requires approximately 30 minutes of an analyst’s time to assess. Although they have developed an effective way to distinguish real threats from false positives, this includes manually checking each alert against other suspicious activity such as unusual increases in files. redirects, increased network traffic, and attempts to reach other known malicious URLs. They also cross-checked threat-analysis sites like VirusTotal. Of the approximately 900 alerts reviewed each month, on average, only 3 require further increases – 897 are false positives. To implement this single policy, it takes more than 127 analyst hours per week-more than 3 FTEs.
Using the machine learning of the LogicHub platform, the team was able to create workflow automations that mimicked all the steps, cross-checking, and correlations that analysts would do for each alert. The system was also able to annotate each alert with full detail and context of what happened.
The result is that each alert from LogicHub requires only 5 minutes of analyst time, compared to the previous 30. However, the team was cautiously skeptical about the quality of the results, so they audited LogicHub against in their manual process.
The test showed that the SOC team not only saved time, but its accuracy improved. In the manual process, security analysts made 98 mistakes per month (a 14% error rate), mischaracterizing threats or their severity. Once SOC adopted LogicHub, error rates dropped from 98/month to 21/month (a 3% error rate).
With the massive time savings gained, the SOC team was able to shift the time of their key analysts to focus on proactive threat hunting, rather than repetitive, numbing tasks.
What is Normal? Depende…
Finding anomalies is no longer new to security, and legacy rules-based systems often claim their ability to detect abnormal and suspicious behavior. It works well if everyone is the same and uses IT resources equally, throughout the day. But the real world is a bit more complicated.
LogicHub announces AuDRA, First AI Threat Hunting Bot
Case Study 3: Software Firm Monitors FTP Traffic
A leading Silicon Valley software vendor is concerned about security risks from unmanaged FTP traffic. Their hundreds of developers need to use FTP frequently, but they are concerned about identifying anomalies that could indicate insider threats or an external attack.
The challenge is determining what “normal” behavior looks like, as each developer has different needs and usage patterns. Some developers rarely access certain directories, while others access dozens of directories every day. It is impossible to generate static rules to implement this.
Using LogicHub’s AI capabilities, the team was able to establish accurate baselines for each user, then continuously monitor usage patterns. They were also able to cross-check this data with other information about login failures, and unusual access to other applications.
Establishing accurate baselines on an individual basis, with frequent staff changes and work assignments is ideally suited for machine learning. With this granular and dynamic knowledge, anomalies can be easily detected.
The result is that the software vendor can now detect real anomalies in user behavior on an individual basis, while associating these anomalies with many other indicators of attack. Without spending hundreds of analyst hours, the team saw some real threats, while confident that their systems were well protected.
Recent findings show that #SIEMs are missing 80% of #MITER ATT & CK techniques. We need to pivot to AI and automation for effective detection and response. Find out how!
eBook: Five Easy Steps to Replacing Your SIEM
LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challengessa large teams that automate SOCsLogicHub makes advanced detection and response easy and effective for everyone.
*** This is a Security Bloggers Network syndicated blog from Blog | LogicHub® written by Willy Leichter. Read the original post at: https://www.logichub.com/blog/automating-threat-detection-three-case-studies