Posted by Dr. Haim Zlatokrilov, VP Products on May 6, 2020 11:39:34 AM

Security teams at large, distributed organizations face unique challenges, with analysts often working in the dark, lacking essential information about the organization. Automation technology can help bridge the gap caused by these more complex networks.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

It almost goes without saying that you can better protect someone or something that you know well. Think about a security analyst in a team of two or three people, at a company of 2,000 employees or so. The analyst will likely know who the CXOs are, what the different divisions are, and which functions and assets in the company are the most critical. Normally the company’s IT infrastructure will also be relatively straightforward. If the security system alerts on suspicious activity by “Julie Smith”, and Julie is the CFO, a light will go off in the analyst’s head.

At a large organization, a division head may manage a team of thousands and be extremely central to the company’s functioning, but the SOC analyst may not have even heard of this person’s existence. He or she will likely be less familiar with the company’s various IT assets, like domains, servers, applications, databases etc. How is the analyst to know which are legitimate and which are not? Which are more important and which are less?

Some large organizations also provide communications services, and the SOC team needs to protect not only the core organization, but also its customers. Familiarity is not even an option in this scenario, and the security team is working largely in the dark.

SIEM is the orchestration tool that was supposed to take SOC teams from the dark into the light, bring order to the mess and help them focus on high-risk attacks. Unfortunately, SIEMs – even market-leading SIEMs which call themselves “Next Generation SIEM” – failed. Why?

One of the main reasons is that SIEMs require that security teams have a strong understanding of the company’s structure – both in terms of personnel and in terms of its technology platforms – in order to constantly write and maintain effective correlation rules. But if you’re working with a large, complex and ever-changing network of people and IT assets, how can you effectively write rules to manage the system? You can’t.

Not only that, but SIEMs inundate SOC teams with mountains of alerts, the vast majority false positives. How can they know which alerts to focus on? They don’t. Again, the task becomes even harder when you have ‘blind spots’ – and don’t know the people and assets of the organization like the back of your hand.

Relief from this nightmare scenario can come from one source only – effective automation. If the system can learn, constantly change and adapt to the shifting organizational landscape, and basically do much of the work that is today demanded (unreasonably) of the SOC team, the security system can be managed effectively.

At empow we have developed a unique SIEM technology, based on kill chain patterns and patented AI and Natural Language Processing (NLP) algorithms and using the MITRE ATT&CK™ language, that basically removes the need to write and maintain correlation rules. The i-SIEM gathers information through its EDR, UEBA and NTA engines and is able to weed out the mountains of false positives.

The result is a SOC team that is fed only truly high-risk alerts. Now analysts can do what they are trained to do: dig deeper into those few alerts and take action to protect the network. The result is a SIEM that, through effective automation, is able to fill in the many blind spots SOC teams have in large, distributed systems.

Topics: SIEM, NG-SIEM, SOC