By Arie Fred, VP of Product, SecBI
Security incidents happen, despite the preventive technologies put in place to stop them. Thus, there is a need for an effective incident monitoring and response program in which incident investigation and alert prioritization are core capabilities. Security analysts spend too much time finding, searching, organizing, and analyzing information. They try to find insights from incomplete data across multiple soiled systems to adequately prioritize and investigate the thousands of alerts they receive each week. Making matters worse, there is an acute shortage of experienced security personnel. Faced with all this, finding and investigating the threats that actually matter is very challenging.
For example, a typical enterprise may see hundreds of alerts every day generated by their SIEMs for visits to sites which are blacklisted by their proxy. Prioritizing and investigating these alerts can prove difficult. Most enterprises simply don’t have the staff or time to be able to investigate all of these alerts. Given these limited resources while also facing the possibility that some of these alerts may be real incidents worthy of a detailed investigation, analysts would like answers to simple questions such as:
- Of these alerts, how many users are involved?
- Which of these alerts should I investigate first?
- Can I investigate these alerts to completion quickly?
Eventually, all this leads to the possibility that these alerts are not investigated at all as they were already blocked due to visiting sites which are blacklisted.
This is why a new approach is needed. This new solution created by SecBI helps analysts of all experience levels achieve the goal of incident investigation and response programs more efficiently by applying the right context on the alerts, investigating the high priority alerts with the necessary context, and consequently minimizing the risk to their organization.
Machine learning and Behavior Analytics have shown promise in accurately detecting advanced attacks. However, it’s tough to differentiate between solutions as all vendors make similar-sounding claims. Diving into their technology reveals how dramatically dissimilar they really are, which makes a massive difference in what they can actually detect.
Unlike UBA solutions that utilize only statistical techniques, SecBI combines unsupervised, supervised, and adaptive machine learning with statistical techniques to build behavioral profiles that more reliably link anomalies with malicious intent. SecBI applies all analytics in parallel, on all data (with no sub-sampling like many UBA solutions do), and for all entities (i.e., users, hosts, devices, etc.). SecBI’s machine learning modules use global behavioral patterns: entity specific patterns around historical normal behavior and peer-based pattern analysis to determine the possible threats. As a result, SecBI detects a broader range of anomalies than other UBA solutions, and with greater accuracy.
Adaptive learning enables analysts to label warnings as either true anomalies or authorized exceptions and continuously incorporates that feedback into SecBI’s machine learning models. This leads to superior detection results, as unsupervised models are transformed into context-driven supervised ones.
It isn’t sufficient to produce an alert, especially one driven by machine learning, which is probabilistic in nature. Analysts can’t be expected to investigate and close out alerts generated by UBA solutions, no matter how strong they are, unless they have confidence in the solution’s results. SecBI is the only machine learning solution that integrates analytics with forensics. This provides analysts with detailed supporting evidence, potentially dating back months. Forensics help analysts determine exactly what happened, when it happened, and who else was affected, making it very easy for them to work their way from detection to investigation to closure of alerts.
A new approach to incident response is needed to help analysts more efficiently prioritize and investigate incidents in their environment. When deploying SecBI’s new method, enterprises can leverage network traffic and security data for better analytics, which when combined with a unique usage of threat intelligence, provides unmatched visibility.