Next Generation Security Operations Centers: Machine Assisted, Human Driven

18 Nov

by Larry Lunetta

We recently announced the latest release of our attack analytics and incident investigation platform that features the addition of network packet and flow data to our existing log-based user and entity behavior analytics (UEBA). We believe this delivers two critical benefits: dramatically improved attack detection precision and a vastly accelerated triage, investigation and response process.

At the beginning of this month, Gartner’s Neil MacDonald and Oliver Rochford published The Five Characteristics of an Intelligence-Driven Security Operations Center, a research note that describes how they see the enterprise security operations center (SOC) evolving to leverage both the scale and intelligence delivered by big data security analytics platforms. They call the new version ISOC, or “Intelligent SOC,” and in their paper they highlight a central point that is the foundation of our product vision:

“Rather than to seek full automation of all SOC activities, enterprises should seek ‘automatability’ — the capability of being automated as higher levels of confidence are achieved. Even then, analytics-driven, human-augmented (my emphasis) security decision support systems will be used to provide the SOC analyst with the context of the recommended action, along with the details behind the verdict and recommended action. An analyst can then initiate the automated response or action. In this way, a human is still involved in the process, but the process itself is highly automated to make effective use of scarce SOC resources.”

(And, for what it’s worth, the fact that Niara is not about replacing security analysts with an automated system, but about making them more effective, is what resonated with Drew Conry-Murray of Packet Pushers, who wrote this recent article.)

We believe that for the analytics to be precise enough to initiate an attack investigation and response, they need to apply a wide variety of machine learning models and techniques to the full range of available data (packets, flows, logs, alerts, threat intel, etc.). Analytics with the highest level of confidence deploy in a three-dimensional framework comprising sources, techniques and stages of the kill chain to separate malicious attacks from simple anomalous activity. A supervised machine learning model, designed to spot command and control via domain analysis, is totally different from an unsupervised technique that flags exfiltration in data flows. But when they work in conjunction with the other data science, source or stage “arrows” in the analytics quiver, false positives drop and true attacks are uncovered.

But as Gartner points out, a “trust me” alert isn’t enough. That’s where Niara’s fully integrated forensic context brings the security analyst into the process by providing the intelligence needed to make the right decisions and take the right actions. Every alert, incident, signal or interaction comes with one-click visibility into all the security-related activity for that actor or entity—backed by the actual packets, which are a source of truth. Analysts start with high value indicators of an attack and execute highly efficient triage, investigation and response.

Analytics and forensics are two sides of the same attack management coin—only when they are implemented together will enterprise security teams realize the Gartner ISOC vision of an adaptive security architecture that is both context-aware and intelligence-driven.