Our world is inundated by data, and perhaps nowhere is the issue more pronounced than in cybersecurity. The symptoms are well-known: alert fatigue, false positives, cyber staff turnover and burnout, and tech stacks made up of dozens of tools generating disconnected security information.
The massive volume is unmanageable for security operations center (SOC) analysts, and is opening the door for critical threats to slip through. According to a survey by the Cloud Security Alliance, 31.9% of IT security professionals report that they ignore alerts because so many are false positives. Further, 35% of security teams say gathering data related to an alert is their most time-consuming task.
Cybercriminals, cyberterrorists and hacktivists often have the upper hand in this scenario, and their attacks, which have become more sophisticated and targeted, get lost in the noise. We’ve seen cybercriminals time and again capitalize on global events to hit at just the right moment, with healthcare and government organizations frequently singled out for ransomware, phishing, and other forms of attack.
Though it's true big data is one of the greatest challenges for the SOC, it also provides one of the biggest opportunities. It's a matter of having the right technologies, tools and strategic approach to leverage it.
Automating, Accelerating & Improving Threat Detection with Data Science
Addressing the overload of data within a SOC requires building a data pipeline that can filter down, quickly and consistently, to the threats that need further investigation. Typically, organizations start with millions or billions of raw logs that are processed by their security information and event management (SIEM) solution. Because these products often lack automation and response capabilities, as well as a threat intel platform, they churn out thousands of low-quality, low-confidence incidents that security teams must then attempt to sift through.
In research conducted in 2017 by VIB on “The State of Incident Response,” respondents reported dealing with an average of 346 incidents per week, each requiring 2.28 days to resolve. Do the math (346 × 2.28 ≈ 789 analyst-days, or about 113 seven-day weeks), and on average companies need approximately 113 person-weeks to resolve the incidents identified in just one week.
In addition to too much data, SOC teams are up against additional concerns, including incomplete data, insufficient data, normalization of data, correlation difficulties, and storage and retention.
By leveraging comprehensive data science techniques for these otherwise manually intensive processes, organizations can begin to tackle these issues more efficiently and effectively.
Detect with confidence with an advanced data pipeline.
At Cysiv, we’ve built our solution to address key SOC challenges, including developing and applying a broad range of data science techniques and technologies to automate, accelerate and improve the process of finding and prioritizing threats.
We start with raw logs and telemetry gathered from a variety of sources. The more data we have, the better the Cysiv platform is able to make important correlations, reduce false positives, and improve confidence in the detections to be investigated.
Our SOC Telemetry leverages data from:
- Security controls: Data generated by security infrastructure and tools, including firewall, network IDS/IPS, endpoint protection platform, server/workload/container security, web proxy, email security.
- Infrastructure data: Data used to augment security control data sources; rich endpoint (server/desktop/laptop/workstation) and user activity data, including EDR, Windows security, AD authentication, IAM, DHCP, DNS, cloud audit trail and network metadata.
- Enrichment data: Identity, asset, vulnerability, and threat intelligence data that illuminates security context and impact during an investigation (including LDAP, asset inventory, and vulnerability scan results).
- Applications: Data generated by mission critical applications running on servers, including database, ERP, CRM, and APIs.
Once the data is normalized, it’s then enriched and passed through Cysiv’s Indicator-Detection engine to produce actionable, high-quality, high-confidence detections and security incidents that warrant deeper human investigation.
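As an added illustration of that normalize, enrich, and detect flow (example code written for this page, not Cysiv's platform), the Python below maps constructed firewall, EDR, and DNS records onto one schema, enriches them from a constructed asset inventory and threat-intel list, and correlates indicators per host so that only a host with several corroborating signals becomes an incident while a lone low-weight hit is suppressed. Source names, field names, indicator names, weights, and the threshold are all assumptions.

```python
from collections import defaultdict
# Constructed telemetry from three sources, each with its own field names.
RAW_EVENTS = [
    {"source": "firewall", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "action": "allow"},
    {"source": "edr", "host_ip": "10.0.0.5", "image": "powershell.exe", "cmdline": "-enc ..."},
    {"source": "dns", "client": "10.0.0.5", "query": "cdn.example", "rcode": "NOERROR"},
    {"source": "firewall", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "action": "allow"},
]
# Constructed enrichment tables standing in for asset inventory and threat intel.
ASSETS = {"10.0.0.5": {"owner": "finance", "criticality": "high"},
          "10.0.0.7": {"owner": "lab", "criticality": "low"}}
THREAT_INTEL = {"203.0.113.9": "known-c2"}
WEIGHTS = {"outbound-to-intel-hit": 40, "encoded-powershell": 50}  # illustrative values

def normalize(raw):
    """Map source-specific fields onto one common schema: source, host, dest, detail."""
    return {"source": raw["source"],
            "host": raw.get("src_ip") or raw.get("host_ip") or raw.get("client"),
            "dest": raw.get("dst_ip") or raw.get("query"),
            "detail": raw.get("cmdline") or raw.get("action") or raw.get("rcode", "")}

def enrich(evt):
    """Attach asset context and a threat-intel verdict to a normalized event."""
    evt["asset"] = ASSETS.get(evt["host"], {"owner": "unknown", "criticality": "low"})
    evt["intel"] = THREAT_INTEL.get(evt["dest"])
    return evt

def indicators(evt):
    """Names of the indicators one enriched event triggers (usually none)."""
    found = []
    if evt["source"] == "firewall" and evt["intel"]:
        found.append("outbound-to-intel-hit")
    if evt["source"] == "edr" and "-enc" in evt["detail"].lower():
        found.append("encoded-powershell")
    return found

def detect(raw_events, threshold=60):
    """Correlate indicators per host; only hosts scoring >= threshold become incidents."""
    per_host, asset = defaultdict(set), {}
    for evt in (enrich(normalize(r)) for r in raw_events):
        per_host[evt["host"]].update(indicators(evt))
        asset[evt["host"]] = evt["asset"]
    incidents = []
    for host, names in per_host.items():
        # Sum distinct indicators, then let asset criticality raise the priority.
        score = sum(WEIGHTS[n] for n in names) + (10 if asset[host]["criticality"] == "high" else 0)
        if score >= threshold:  # a lone low-weight indicator stays below the bar
            incidents.append({"host": host, "score": score, "indicators": sorted(names),
                              "owner": asset[host]["owner"]})
    return sorted(incidents, key=lambda i: -i["score"])
```

Running `detect(RAW_EVENTS)` yields a single incident for 10.0.0.5 (two corroborating indicators on a high-criticality finance asset), while 10.0.0.7's single firewall hit never reaches an analyst.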
The end result is that SOC analysts are able to devote energy to the threats that matter, reducing the probability of a successful attack, breach, theft or disruption at their enterprise. At a time when threats are hitting faster than ever and always changing form, that capability is a decisive game changer.
Download our white paper for a deeper look at how Cysiv incorporates data science into SOC-as-a-Service.