Learn how security teams turbocharge SOC efficiency 10X
The security operations team of a leading private research university with over 30,000 students and 10,000 employees was struggling to analyze and respond to an ever-growing number of cybersecurity endpoint, network, user, and cloud alerts in their SIEM.
Despite efforts to tune their SIEM’s detection rules, the university’s Security Operations Center (SOC) still received thousands of interesting detection events daily. Security analysts were expected to review them all within hours, but they were able to manually investigate only ~10% of the daily alerts because of the time it takes to manually prioritize, enrich, correlate, and investigate each one. Beyond the frustration and fatigue of the daily process, the team was very concerned that they were leaving the university at risk, with ~90% of their alerts going uninvestigated or investigated only after it was too late to mitigate the risk. Unable to hire additional security analysts for the team, the SOC ultimately sought a solution that would help them automate processes, address security analyst fatigue, and reduce the risk associated with uninvestigated alerts.
As they looked for solutions, they found a number of vendors that offered SOAR solutions. These products could help them automate processes but would not address their core issue around their inability to investigate all their daily alerts in a timely fashion.
For these reasons, they selected DTonomy for its unique ability to automatically cross-correlate detections. During their evaluation, they found the automated cross-correlation significantly reduced the time and skillsets required to analyze alerts and additionally connected siloed events into more understandable stories.
DTonomy was implemented into the university’s tech stack in a matter of hours and was adding value in the SOC almost immediately. Its AI-based analysis now enables them to analyze all their daily events in under 2 hours per day. This 10X efficiency gain fully addresses their core issue of investigating all their daily alerts in a timely manner. They’ve also found that by using DTonomy’s AI-based pattern discovery engine, their analysis is not only quicker but also more thorough than what they accomplished manually. One of their favorite features is DTonomy’s adaptive learning engine, which dynamically prioritizes alerts and eliminates false positives based on the analysts’ history of responses. In this way, they’re able to spend more time on new risks without being distracted by previously investigated false positives.
They also found DTonomy’s in-context recommendations to be valuable guides that assist the analysts’ decision making on next investigative actions and/or responses. Lastly, they have started to create automations using DTonomy’s complete SOAR capabilities and plan to expand on this capability over time. The university SOC is 10X more efficient and can use its valuable resources for the most important alerts.
Since their initial deployment, the university has continually expanded the number of daily events analyzed. DTonomy has enabled them to cover more attack surface without expanding their team or losing their ability to respond to all events daily.
Copyright © DTonomy 2021
We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!