The evolution of the Security Operation Center (SOC)

Security Information and Event Management (SIEM) platforms have gradually become the center of SOC operations. They generate a variety of security detections/alerts that security analysts have to evaluate. Usually, a tier 1 analyst performs the initial triage of SIEM alerts and escalates high-priority ones to tier 2 or tier 3 for more thorough threat hunting. Tier 2 and 3 analysts use additional tools such as centralized log management and analytics platforms to hunt for anomalous activity that could date back months. The goal is to identify which actions the SOC team should take now, how to stop a breach and how to prevent one in the future. For every alert, the analyst is effectively answering a set of questions:

  • Is it real?
  • What is the impact?
  • How to clean it up if it is real?
  • How to prevent it if it is a false positive?
  • Is it worth automating it and how to automate it?
  • Is it safe to automate?
  • How did it happen?

How AI-based Security Analysis and Response can help:

DTonomy invented a solution that enables security analysts to reach a conclusion on false positives more quickly and reduces the risk of missing true positives in your existing security detections. How does it work? Let’s do a side-by-side comparison.


Get answers to “false positives” faster.

  • When you identify security alerts as “false positives”, DTonomy learns patterns in your responses and continuously validates them against more evidence. For example, a pattern of alerts originating from IP 2.3.4.5 may be marked as a “false positive” with 100% confidence.
  • For incoming alerts, DTonomy’s pattern engine automatically identifies patterns among security alerts so you can identify offending detection rules quickly. For example, a spike in the number of alerts related to ‘Machine_A’ within a short period of time. DTonomy’s AI engine enables you to spot this type of pattern quickly and determine the root cause more easily.
  • Each case is ranked with an aggregated score computed from its security alerts. The risk score of each individual alert is updated intelligently when you resolve it as either “true positive” or “false positive”, so the risk score is personalized to your environment and gives you a more accurate representation of your risk.

Reduce the risk of “false negative”

  • Even if certain alerts are mislabeled as “false positives”, do not worry: our system will not filter those alerts out. Instead, we continue to monitor them and connect them with new detections that may provide strong evidence for a “true positive” determination for the group of alerts.

Get a definitive answer on “false positive”

  • As new detections arrive, our pattern engine always looks back at historical alerts to see whether they are connected within a pattern. If no new alerts link to an old pattern, all the alerts in that pattern can safely be considered “false positives”, as they are unlikely to be risky or to constitute strong evidence of an attack.
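The mechanisms described in the points above (learning from analyst verdicts, aggregated case scores, spotting a burst of alerts on one host, and looking back to decide that an unlinked pattern is a false positive) can be sketched in code. The following is an added, simplified illustration and is not DTonomy's code; the PatternEngine class, the alert tuple layout, the sample alerts and the weight factors are assumptions chosen for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (timestamp, rule, entity, base score); not real telemetry.
T0 = datetime(2024, 1, 1, 9, 0)
ALERTS = [
    (T0, "port_scan", "2.3.4.5", 40),
    (T0 + timedelta(minutes=5), "port_scan", "2.3.4.5", 40),
    (T0 + timedelta(minutes=1), "failed_login", "Machine_A", 30),
    (T0 + timedelta(minutes=2), "failed_login", "Machine_A", 30),
    (T0 + timedelta(minutes=3), "failed_login", "Machine_A", 30),
    (T0 + timedelta(minutes=4), "new_service", "Machine_A", 50),
]

class PatternEngine:
    # Toy engine (assumed design): groups alerts by entity, scores cases, learns from verdicts.
    def __init__(self, lookback=timedelta(days=30)):
        self.lookback = lookback
        self.rule_weight = defaultdict(lambda: 1.0)  # adjusted by analyst feedback
        self.patterns = defaultdict(list)            # entity -> alerts, never dropped
        self.verdict = {}                            # entity -> "fp" or "tp"

    def ingest(self, alert):
        entity = alert[2]
        self.patterns[entity].append(alert)
        # A new alert linking to a pattern closed as FP reopens it for review.
        if self.verdict.get(entity) == "fp":
            del self.verdict[entity]

    def resolve(self, entity, verdict):
        # The analyst verdict feeds back into the weight of every rule in the pattern.
        self.verdict[entity] = verdict
        factor = 0.5 if verdict == "fp" else 1.5
        for rule in {a[1] for a in self.patterns[entity]}:
            self.rule_weight[rule] = min(10.0, max(0.1, self.rule_weight[rule] * factor))

    def case_score(self, entity):
        # Aggregated, feedback-weighted score for the whole pattern.
        return sum(s * self.rule_weight[r] for _, r, _, s in self.patterns[entity])

    def bursts(self, now, window, threshold):
        # Entities with at least `threshold` alerts inside the last `window`.
        return sorted(e for e, a in self.patterns.items()
                      if sum(1 for x in a if now - x[0] <= window) >= threshold)

    def stale_patterns(self, now):
        # Patterns nothing has linked to within the lookback: safe to treat as FP.
        return sorted(e for e, a in self.patterns.items()
                      if now - max(x[0] for x in a) > self.lookback)
```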

Fit into your current investigation workflow

Instead of replacing existing threat detection capabilities and workflows, DTonomy integrates with SIEM and SOAR platforms. DTonomy complements these tools and the log analytics solution you use for threat hunting, so that it fits into your environment seamlessly.

We are pleased to announce that DTonomy is now part of Stellar Cyber. The integrated solution will enhance cyber threat detection and response automation!
