Security Analysts receive lots of detections from numerous security monitoring sources. These atomic detections are easy to set up, but quickly contribute to the growing amount of alert fatigue felt by security analysts that find themselves overwhelmed with alerts. Contributing to this problem is the fact that as much as 26-50% of the security alerts they receive are reported as false positives or non-actionable, according to McAfee and Cisco. These atomic detections contain limited information and are rarely sufficient on their own to enable decision making. Unless the alert clearly indicates the existence of well-known malware or a known-bad phishing link, security teams must look at signals from different places to recover the story of the alert, in order to make a decision on its risk level and what if anything should be done about it.
Working with DTonomy customers and other security experts, we have seen a variety of different patterns across different detection-types that are very informative. Here are 10 common correlations we have seen across customers that may be helpful to know about.
There could be variety of different and sometimes valid reasons why a security detection might highlight that process A started process B. Similarly for privilege escalations, registry modifications and other unusual external detections. On their own, they may indicate risk or represent a false positive. But when they start to line up, in the steps of an adversary kill chain, the risk starts to accumulate and becomes worthy of your attention and immediate response.
If your employees are reporting suspicious phishing emails they receive, you may have come to the conclusion that having the users login history information and/or detections around abnormal logins in place is incredibly helpful. Only with this info can you identify any following on risk from the phishing attempts, as well as the broader risk surrounding these reported suspicious phishing emails.
In reality, the subset of detections that are helpful in identifying any ongoing threat are often buried in hundreds of thousands of security detections. This makes it easy to lose sight of the insights that can be gained from the connections between detections. This is where machine learning can add tremendous value, by looking across the data and figuring out the interesting patterns and connections amongst them. These patterns help security teams to better understand the context of each of the detections. Looking only at this data, though, is only one means for speeding the analysis of alerts. Equally or more important is to leverage the learning from the decisions that experienced analysts have already made, based on their analysis of alerts, to help you investigate any similar alert. We developed DTonomy to enable both of these insight types and continue to learn about more patterns, like the 9 above, which customers became aware of through DTonomy’s Pattern Discovery Engine, Adaptive Scoring Engine, or Active Recommendation Engine.
We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!