How automated investigation can accelerate threat detection

security automation
Credit: Thinkstock
Finding threats quicker

Cybersecurity analysts are under constant pressure to keep their companies safe. Not only must they filter through countless alerts, many of which turn out to be false positives, but the volume of genuine threats keeps growing as well. They are forced to triage quickly and move on, stopping the most pressing threats, which are not always the most dangerous ones. Analysts need a new, holistic approach to threat detection that monitors, analyzes and cross-references data across multiple dimensions so they can detect complex threats as early as possible.

Here’s what you need to consider when adopting an automated investigation environment, with assistance from Noam Rosenfeld, senior vice president of research and development at Cyber Intelligence Solutions, Verint Systems, and former head of the cyber defense department in the IDF.

Getting the big picture

Suspicious activity must be examined at each stage of the kill chain using technologies such as command-and-control detection, lateral-movement detection, file analysis, network forensics and endpoint forensics, to ensure that complex attacks are detected and that analysts have complete information to resolve them.

Making connections between alerts

Today most organizations rely on point solutions to detect threats. Each system sends its own alerts, as many as thousands per day, leaving analysts to piece them together into a cohesive picture. By contrast, a comprehensive approach to detection and response connects key leads and evidence into a single attack story, automatically giving investigators a full view of all the events related to one breach.

Balancing machine and human investigation

Automated investigation saves time by analyzing the leads from detection sensors and combining them with forensics data into clear incident storylines. Given the overwhelming amount of data and the skills shortage, using machines to do the leg work leaves analysts more time to examine the incidents that require their immediate attention.

Reducing resolution time

Threat resolution proceeds through detection; investigation (eliminating false positives and validating findings with forensic evidence); analysis; and finally recommendations for resolution. Fusing many individual data points into a small number of prioritized incidents makes each of these stages significantly shorter.
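To make the correlation described in the last three slides concrete, here is an added example of the mechanism they describe; it is not code from the article or from Verint's product. It links alerts from independent point solutions into incidents when they share a host within a time window, orders each incident's alerts into a chronological storyline, and prioritizes incidents by how many kill-chain stages they span. The sensor names, the sensor-to-stage mapping, the two-hour link window and the sample alerts are all assumptions constructed for illustration.

```python
"""Correlate alerts from separate point solutions into prioritized incidents.

Added example, not from the article or any vendor product. Sensor names,
stage labels, the link window and the sample alerts are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed kill-chain stage order; used both for scoring and for storyline layout.
STAGE_ORDER = ["delivery", "exploitation", "c2", "lateral_movement", "exfiltration"]

# Assumed mapping from each point solution to the stage its alerts speak to.
SENSOR_STAGE = {
    "email_gateway": "delivery",
    "file_analysis": "exploitation",
    "c2_detection": "c2",
    "lateral_movement": "lateral_movement",
    "dlp": "exfiltration",
}

# Two alerts are linked when they name a common host within this window (assumed).
LINK_WINDOW = timedelta(hours=2)


@dataclass
class Alert:
    ts: datetime
    sensor: str
    hosts: frozenset   # hosts named by the alert; a lateral-movement alert names two
    detail: str

    @property
    def stage(self) -> str:
        return SENSOR_STAGE[self.sensor]


@dataclass
class Incident:
    alerts: list = field(default_factory=list)

    @property
    def hosts(self) -> frozenset:
        return frozenset().union(*(a.hosts for a in self.alerts))

    @property
    def stages(self) -> list:
        seen = {a.stage for a in self.alerts}
        return [s for s in STAGE_ORDER if s in seen]

    @property
    def last_seen(self) -> datetime:
        return max(a.ts for a in self.alerts)

    @property
    def score(self) -> int:
        # Breadth across the kill chain dominates; alert count only breaks ties.
        return len(self.stages) * 100 + len(self.alerts)

    def storyline(self) -> list:
        """Chronological, human-readable lines for the analyst's workspace."""
        return [f"{a.ts:%H:%M} [{a.stage}] {'/'.join(sorted(a.hosts))}: {a.detail}"
                for a in sorted(self.alerts, key=lambda a: a.ts)]


def correlate(alerts) -> list:
    """Group alerts into incidents and return them highest priority first."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        related = [i for i in incidents
                   if i.hosts & alert.hosts and alert.ts - i.last_seen <= LINK_WINDOW]
        if not related:
            incidents.append(Incident([alert]))
            continue
        # A lateral-movement alert may bridge two previously separate incidents: merge.
        merged = related[0]
        for other in related[1:]:
            merged.alerts.extend(other.alerts)
            incidents.remove(other)
        merged.alerts.append(alert)
    return sorted(incidents, key=lambda i: i.score, reverse=True)


def at(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2024-03-05T{hhmm}:00")


# Constructed sample alerts: one multi-stage intrusion plus two isolated leads.
SAMPLE_ALERTS = [
    Alert(at("09:00"), "email_gateway", frozenset({"ws-12"}), "macro-enabled attachment delivered"),
    Alert(at("09:04"), "file_analysis", frozenset({"ws-12"}), "invoice.docm spawned powershell.exe"),
    Alert(at("09:10"), "c2_detection", frozenset({"ws-12"}), "60s beacon to 203.0.113.7:443"),
    Alert(at("09:20"), "c2_detection", frozenset({"ws-31"}), "DNS tunneling heuristic tripped"),
    Alert(at("09:45"), "lateral_movement", frozenset({"ws-12", "fs-01"}), "admin share logon with reused credential"),
    Alert(at("10:30"), "dlp", frozenset({"fs-01"}), "12 GB archive uploaded to external host"),
    Alert(at("14:00"), "file_analysis", frozenset({"ws-07"}), "unsigned installer executed"),
]

if __name__ == "__main__":
    for n, inc in enumerate(correlate(SAMPLE_ALERTS), 1):
        print(f"Incident {n}  score={inc.score}  hosts={sorted(inc.hosts)}  stages={inc.stages}")
        for line in inc.storyline():
            print("   ", line)
```

Run as a script, the five ws-12/fs-01 alerts collapse into one incident covering all five stages and rank first, while the two single-stage leads fall to the bottom of the queue; that ordering is what lets an analyst spend their first hour on the breach rather than on the isolated heuristic hit.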

Team collaboration & knowledge sharing

In an ideal world, security teams work around the clock to detect, investigate and halt critical incidents. Even in the real world, investigators do not work in a vacuum. An automated system documents every step of the investigation as it happens, which makes information sharing easier and speeds up resolution. With everyone kept informed, the team can respond more rapidly and accurately.

Reduce the skills barrier

A fully automated, easy-to-manage system allows new analysts with little analysis or forensics experience to become productive Tier 1 analysts within a short time. A visual workspace that documents each attack story clearly and chronologically, grouping the relevant forensic data with each lead, lets every member of the team handle incidents more effectively.

Credit: Pexel
Getting the analyst back in front

Machine automation can greatly reduce the volume of data an analyst has to wade through, but there is no replacement for human experience and intuition. The optimal solution automates the legwork up to the point where an expert decision is required, and then hands the investigation over to the pros.