Product Insights

Time to Hit Reset in the SOC

AI innovation lightens the EDR workload

Today’s Security Operations Center (SOC) is struggling. It holds one of the most critical functions in the security org, yet it remains in a difficult place. Sophisticated attackers, numerous detection tools that don’t always work together and that deliver contradictory output, and mountains of alerts to analyze and address are among its many challenges.

Symantec’s rich experience in threat intelligence has given us excellent insight into what’s going on. One major cause of struggle in the SOC has been around forever. Despite decades of cybersecurity advancements, SOC analysts still receive thousands of incidents every day. While this is well-documented, the solutions offered by vendors still have not solved the problem. In fact, in some cases, the "solution" puts an even bigger burden on the SOC, requiring hours of custom configuration. This can increase the risk of false positives!

So, what if we could change all of this by using AI to reduce the number of incidents the SOC analyst needs to investigate? And give the SOC more insight into true threats? What if we could go even further by providing an extra analytical layer that separates the suspicious behavior from the benign? And most of all, what if we could find a way to lighten the SOC’s workload?

The good news is that we can.  

We have just introduced a new EDR feature that harnesses the power of the Adaptive technology that’s already in SES Complete. It automatically separates normal from suspicious behavior, so the SOC analyst has fewer incidents to investigate. And with fewer tasks on the “to do” list, the analyst has a much smaller chance of missing a true threat.


With “Adaptive Incidents”, as it is called, we use our AI to evaluate all events in the environment. As we analyze, we look for normal activity that could be considered suspicious. Threat actors very often hide in plain sight, doing tasks that closely resemble what administrators do but varying them slightly to achieve a malicious outcome.

Of course, the volume of activity generated by normal business operations massively outweighs that of threat actors. Adaptive Incidents studies day-to-day operations – contextually and situationally – to establish a baseline of normal activity for each customer. With that intelligence, we can create an “adaptation” of the rules that trigger incidents for the SOC to investigate. With the adaptation in place, only the events that we haven’t seen in the normal environment will raise an incident and be presented to the SOC for investigation.

Fundamentally, Adaptive Incidents removes the scenario, for example, where the SOC team investigates an incident and finds something that the company’s development team does every single day. In short, this new capability lightens the SOC team’s load.  It helps analysts to focus on the incidents that have the greatest potential to be malicious.

But that’s not all that it does.  It provides:

  • Added visibility – The analytics driving Adaptive Incidents give customers more visibility into what is happening in their environments.
  • Fewer false positives – Adaptations reduce the number of incidents created, reducing the workload on the SOC investigations team, while at the same time increasing the confidence that the incidents that remain are indeed unusual, anomalous activities that need to be investigated.
  • Improved incident rule tuning – With the data captured in the cloud console, customers can better understand how their incident rules are performing and tune them as needed.
  • Extra detection analytics – With so much data coming into the SOC, it is very difficult to perform large-scale analytics on millions of events per day. Instead, we automatically identify common behaviors and provide another thread that the SOC analyst can use to carry out investigations.

Prior to Adaptive Incidents, the only way the SOC could reduce the number of incidents in the environment was to switch off an entire incident category. Doing this could mean that the SOC misses true threats that may lead to a breach.  But Adaptive Incidents allows us to look at events at a more granular level and present only those that require investigation. It’s customized to each environment; it’s automatic; and it’s part of SES Complete.  Any customer using SES Complete’s EDR should be able to see their Adaptive Incidents in the ICDm cloud console today.
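The baseline-then-adapt mechanism described above, and the contrast with simply switching off a whole incident category, can be sketched in a few dozen lines. The following is an added illustration written for this page, not Symantec's Adaptive Incidents code: it assumes simple process-launch events, two hand-written incident rules, a "signature" made of user, parent process, image and command-line switches, and a baseline window that contains only normal activity. All of those are assumptions for the example, and the events are constructed.

```python
"""Illustrative baseline-and-adapt triage (added example; not Symantec's code).

Assumption: events collected during a baseline window are normal business
activity for this environment. Signatures seen broadly in that window become
'adaptations' that suppress a rule's incident; everything else a rule flags
is still presented to the SOC.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str    # image that launched the process
    process: str   # image name of the process itself
    cmdline: str


def flags(cmdline: str) -> tuple:
    """Option switches in a command line, lower-cased, with any ':value' dropped."""
    return tuple(sorted({tok.split(":")[0].lower()
                         for tok in cmdline.split()
                         if tok.startswith(("/", "-"))}))


def signature(e: Event) -> tuple:
    """Context that must match for an event to count as 'seen before'.

    Host is excluded so a known-good job on a new build server still matches;
    user, parent and switches are included so the same tool launched by a
    different user or from a different parent does not.
    """
    return (e.user.lower(), e.parent.lower(), e.process.lower(), flags(e.cmdline))


def _task_creation(e: Event) -> bool:
    return e.process.lower() == "schtasks.exe" and "/create" in flags(e.cmdline)


def _remote_execution(e: Event) -> bool:
    p = e.process.lower()
    return p == "psexec.exe" or (p == "wmic.exe" and "/node" in flags(e.cmdline))


# Incident rules, one per category. Constructed for this example.
RULES = {"scheduled-task": _task_creation, "remote-execution": _remote_execution}


def build_adaptations(history, min_hosts: int = 2) -> set:
    """Signatures seen on at least `min_hosts` distinct hosts in the baseline window.

    The host threshold keeps a one-off occurrence from being baselined.
    """
    hosts_by_sig = defaultdict(set)
    for e in history:
        hosts_by_sig[signature(e)].add(e.host)
    return {sig for sig, hosts in hosts_by_sig.items() if len(hosts) >= min_hosts}


def triage(events, adaptations: set, disabled_categories=frozenset()):
    """Run the rules; return (incidents for the SOC, suppressed hits with reason)."""
    incidents, suppressed = [], []
    for e in events:
        for category, rule in RULES.items():
            if not rule(e):
                continue
            if category in disabled_categories:          # the old, coarse option
                suppressed.append((category, e, "category switched off"))
            elif signature(e) in adaptations:             # the granular option
                suppressed.append((category, e, "matches environment baseline"))
            else:
                incidents.append((category, e))
    return incidents, suppressed


# Constructed baseline window: the build farm schedules a nightly task and IT
# patches servers with psexec every day; a contractor ran wmic once, on one host.
NIGHTLY = "schtasks.exe /create /tn nightly /tr build.cmd /sc daily"
HISTORY = [
    Event("build01", "svc_build", "jenkins-agent.exe", "schtasks.exe", NIGHTLY),
    Event("build02", "svc_build", "jenkins-agent.exe", "schtasks.exe", NIGHTLY),
    Event("build03", "svc_build", "jenkins-agent.exe", "schtasks.exe", NIGHTLY),
    Event("admin01", "it_admin", "cmd.exe", "psexec.exe", "psexec.exe \\\\srv01 -s cmd /c patch.cmd"),
    Event("admin02", "it_admin", "cmd.exe", "psexec.exe", "psexec.exe \\\\srv02 -s cmd /c patch.cmd"),
    Event("lap07", "contractor", "cmd.exe", "wmic.exe", "wmic.exe /node:srv02 process list"),
]

# Constructed events from today: two routine, two familiar tools in an
# unfamiliar context, one benign event that matches no rule.
TODAY = [
    Event("build04", "svc_build", "jenkins-agent.exe", "schtasks.exe", NIGHTLY),
    Event("ws-jdoe", "jdoe", "winword.exe", "schtasks.exe",
          "schtasks.exe /create /tn updater /tr C:\\Users\\jdoe\\u.cmd /sc onlogon"),
    Event("admin01", "it_admin", "cmd.exe", "psexec.exe", "psexec.exe \\\\srv05 -s cmd /c patch.cmd"),
    Event("lap07", "contractor", "cmd.exe", "wmic.exe", "wmic.exe /node:srv09 process list"),
    Event("ws-jdoe", "jdoe", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]


def compare() -> dict:
    """Incidents the SOC would see under the two strategies the post contrasts."""
    adaptive, _ = triage(TODAY, build_adaptations(HISTORY))
    coarse, _ = triage(TODAY, set(), disabled_categories={"scheduled-task"})
    return {"adaptive": [(c, e.host) for c, e in adaptive],
            "category_off": [(c, e.host) for c, e in coarse]}


if __name__ == "__main__":
    for strategy, hits in compare().items():
        print(strategy, hits)
```

Both strategies leave the analyst with two incidents, but they are not the same two: switching the category off silently drops the scheduled task created from a word processor on a user workstation, while the baseline approach suppresses only the build farm's nightly job and the routine patching run, and keeps the two events whose context the environment has not shown before.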

Our extensive global telemetry enables us to build the groundbreaking adaptive technology that is part of Adaptive Incidents. This is just one of the features across the entire portfolio that includes the adaptive capability.  Other features are Adaptive Protection, which is part of SES Complete, and User Risk Based Detection, which is part of DLP16.  

The adaptive capability is a game-changer because it uses contextual information from each customer to better reduce false positives and overall risk. Look for other adaptive features to be released soon.

About the Author

Gavin Fulton

Product Manager, Symantec Endpoint Security

Gavin focuses on delivering a world class endpoint security solution for customers. He has been part of the Symantec team for more than 12 years and resides in Edinburgh, Scotland.

About the Author

Esther Seguin

Endpoint Marketing Lead, Symantec Endpoint Security

Esther provides insights to Symantec Endpoint Security customers on today’s evolving threats and ways to combat them via our endpoint security solutions. She has dedicated 20+ years to helping businesses understand and address risk in their organizations.
