Maximizing Efficiency with Automation: Reducing False Positives from Anomaly-Based Detection
About this blog
Currently there are a lot of excellent blogs in the Cyber Security community, most of which focus on Red Teaming, Threat Detection and Threat Intelligence. I felt there was a big gap for Cyber Security Operations, and I decided to fill it by creating a technical blog for SOC managers and fusion center directors who aspire to design their own operation. I will describe how I have implemented operations in the past, along with any new occurrences, thoughts or ideas worth implementing.
War stories from the SOC and how to deal with the daunting task of thousands of security events
Across security event intake, enrichment, incident management and analysis, a well-structured and automated SOC takes an average of 16 minutes to handle an event in its entirety. That figure comes from a random sample of 20,000 alerts, drawn across a variety of incident classifications, out of the tens of thousands handled at one of our operations.
Pairing automation with highly skilled individuals has a remarkable outcome: an analyst can identify a threat, convert the event into Incident mode and activate the Incident Response Retainer within the hour. It is paramount to have these capabilities. Threat actors are also using automation in their attacks, so it is equally important for us to respond in kind.
During a 6 month period at NVISO Security we processed 17,000 Access Anomaly events ranging from "Unfamiliar Sign-Ins" to "Impossible Travel Activities." Many organisations spend hundreds of hours attempting to dig through these alerts to find compromised accounts.
NVISO Security has automated this process from security event intake to analysis. In the last 6 months we have seen 163 confirmed compromises purely through our automations. On average it takes NVISO Security 7 minutes to process a security event from intake to notification.
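The post describes the outcome of automating Access Anomaly triage but not the mechanics. The block below is an added illustrative example, not NVISO's code and not any product's logic: a first-pass auto-triage for "Impossible Travel" events that closes the cases a human would close on sight and escalates the rest. It assumes each event carries the previous and current sign-in (timestamp, source IP, geolocation), that the SOC maintains an allow-list of known corporate VPN/proxy egress ranges (the ranges below are constructed placeholders), and that 900 km/h is an acceptable upper bound for plausible travel; all three are assumptions, as are the sample sign-ins.

```python
"""Added example: auto-triage of "Impossible Travel" access-anomaly events.

Not NVISO's code. Assumptions: each event supplies the two sign-ins being
compared; KNOWN_EGRESS is a constructed list of corporate VPN/proxy ranges;
MAX_PLAUSIBLE_KMH is a threshold chosen here, not a vendor value.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import radians, sin, cos, asin, sqrt
from typing import List, Tuple

# Upper bound on physically plausible travel speed (roughly a commercial flight).
MAX_PLAUSIBLE_KMH = 900.0

# Constructed allow-list of corporate VPN / proxy egress ranges (placeholders).
KNOWN_EGRESS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * r * asin(sqrt(a))


def is_known_egress(ip: str) -> bool:
    """True if the source IP falls inside a known corporate egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def triage(prev: SignIn, cur: SignIn) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'close' or 'escalate'."""
    if prev.user != cur.user:
        raise ValueError("impossible-travel events compare sign-ins of one user")
    # Both hops via corporate egress: geolocation reflects the VPN, not the user.
    if is_known_egress(prev.ip) and is_known_egress(cur.ip):
        return "close", "both sign-ins originate from known corporate egress"
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if dist_km == 0:
        speed = 0.0  # same location; elapsed time is irrelevant
    elif hours <= 0:
        speed = float("inf")  # different locations at the same instant
    else:
        speed = dist_km / hours
    if speed <= MAX_PLAUSIBLE_KMH:
        return "close", f"implied speed {speed:.0f} km/h over {dist_km:.0f} km is plausible"
    return "escalate", f"implied speed {speed:.0f} km/h over {dist_km:.0f} km in {hours:.1f} h"


def run_demo() -> List[Tuple[str, str]]:
    """Triage three constructed events: a commute, a transatlantic hop, a VPN hop."""
    brussels = (50.8503, 4.3517)
    amsterdam = (52.3676, 4.9041)
    new_york = (40.7128, -74.0060)
    singapore = (1.3521, 103.8198)
    events = [
        (SignIn("alice", datetime(2020, 3, 2, 8, 0), "192.0.2.10", *brussels),
         SignIn("alice", datetime(2020, 3, 2, 11, 0), "192.0.2.44", *amsterdam)),
        (SignIn("bob", datetime(2020, 3, 2, 8, 0), "192.0.2.10", *brussels),
         SignIn("bob", datetime(2020, 3, 2, 9, 0), "192.0.2.99", *new_york)),
        (SignIn("carol", datetime(2020, 3, 2, 8, 0), "203.0.113.7", *brussels),
         SignIn("carol", datetime(2020, 3, 2, 9, 0), "198.51.100.9", *singapore)),
    ]
    return [triage(p, c) for p, c in events]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:9s} {reason}")
```

Only the escalated events reach an analyst queue; the reason string travels with the event so the decision is auditable and the allow-list can be tuned when a "close" turns out to be wrong.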