Imperva Cyber Community

 View Only

How Machine Learning Enables SOC Teams to Reduce Alert Fatigue

By Craig Burlingame posted 08-30-2020 01:10


Access to good data is essential to cybersecurity. If an organization lacks insight into what is going on on its network, then it can miss indicators of an ongoing attack. In essence, you can only protect against the attacks that you can see.

However, many Security Operations Center (SOC) teams suffer from the opposite problem. They have deployed a number of cybersecurity solutions to secure the company’s attack surface against a wide array of cyber threats. Each of these solutions generates alerts regarding potential security incidents that the SOC team must triage, investigate, and possibly remediate.

As a result, many SOC teams are suffering from alert fatigue. The average SOC receives over 10,000 alerts per day, and 27% of SOCs receive over a million daily alerts. This is far more than any one team can manage. As a result, alerts point to true incidents are ignored as false positives are investigated.

Machine Learning Can Solve Alert Management Challenges

Alert management is a challenging problem to solve. Alerts come in high volumes and at varying levels of quality, and SOC teams are tasked with separating the true threats from the false alarms.

Many of the steps in managing security alerts involve identification of patterns in large amounts of data. While humans are often ill-suited to these tasks, this is exactly what machine learning algorithms are designed to do.

Signature and Anomaly Detection Identify Suspicious Actions

Most software generates logs; however, a high percentage of the log data generated isn’t useful to a SOC analyst. What is interesting and useful is when a log or alert indicates something out of the ordinary, which can point to a security incident.

Machine learning algorithms can identify incidents of interest using signature-based or anomaly-based detection schemes. By looking for something that matches a signature of a known attack or something that deviates from the norm, machine learning can identify the alerts most likely to point to a true security incident. This is an essential first step in differentiating important true alerts from time-wasting false positives.

Data Aggregation Provides Context

Most security tools have an imperfect view of the organization's network infrastructure. An endpoint security solution lacks visibility into anything that does not impact the system it protects. In contrast, a network security solution cannot see the internal operations of computers on the network.

This fragmented visibility contributes to high alert volumes. An alert describes a single anomalous or suspicious event, but it is often useless on its own. For example, a single database access provides little useful information, but a number of unusual SQL queries or an anomalous SQL query made shortly after opening a suspicious email attachment points to an attack.

Machine learning algorithms can help to rapidly aggregate alert data in useful ways. This can include matching alerts based upon features such as type, platform, user, or previously-unknown relationships extracted via unsupervised learning.

This correlation of multiple alerts can help to define the chain of events that an attacker performed during a security incident, which is crucial for threat detection and remediation. Machine learning systems are well-suited to processing large volumes of event data and identifying the patterns that link different alerts and security events together.

Playbooks and Learned Rules Triage Alerts

Even eliminating all false positive alerts may not be enough to enable SOC teams to respond effectively. Alert triage is essential to maximizing the effectiveness of the SOC analysts.

Not all security incidents are of equal severity or impact. A user falling for a phishing email and accidentally installing ransomware on their workstation is certainly bad and requires remediation. However, this is not as important as active data exfiltration from the organization’s “crown jewel” database, which contains a variety of sensitive data, including some that may be protected under data privacy laws such as GDPR, HIPAA, and PCI DSS.

Addressing security incidents on a “first come first served” basis can mean that a SOC team wastes crucial time responding to a low-level security incident while a more important one is going on. Machine learning can help with this by performing automatic triage of security alerts. Based upon feeds of relevant data (priority of various systems, attack severity rating, etc.), playbooks, and independent learning, a machine learning algorithm can score alerts based upon estimated impact, maximizing the usefulness of the SOC team.

Automated Response Manages Common Problems

Not every security incident requires the intervention of a human analyst either. Simple or common threats, such as unauthorized or suspicious access to a database, can be blocked by implementing an access control rule.

Machine learning can help to identify potential threats that require these simple interventions, apply the block, and even suggest new security rules and policies. This can help to reduce the load on SOC analysts by eliminating the need to address low-level threats, enabling them to focus their efforts on tasks and threats that require their attention.

Addressing Alert Fatigue with Imperva Data Risk Analytics

Imperva Data Risk Analytics (DRA) leverages machine learning solutions to help reduce the workload of SOC analysts and improve the speed and effectiveness of incident response efforts. It learns about the normal behavior of an organization’s users and their data access patterns, enabling it to identify and block threats based upon behavioral analysis with zero human tuning required.

DRA also provides a number of features designed to maximize the effectiveness of SOC analysts. Similar incidents are grouped into issues, which are presented to an analyst as a group. The analyst can then take a single action to remediate all of the detected incidents and block future similar incidents from occurring. This maximizes the ability of the analyst to decrease organizational risk by enabling them to address potential issues based upon both probability of occurrence and anticipated impact.

Attempting to investigate, triage, and respond to every security alert manually is a losing battle and leaves the organization open to unseen threats. Imperva DRA, with integrated machine learning capabilities, helps SOC analysts to close the gap.

Data Risk Analytics Overview

To view an overview of what DRA can do for you, you can watch the video 👉 here.  👈 You will need to login to the community to watch it. In it you will find: 

  • A Short Introduction to DRA
  • High level Use cases DRA solves
  • Advanced Investigation & Tuning
    • Tips for investigation
    • Tips for tuning
    • Tips for mitigating risk and threats

Learn More with Imperva Community 

The Imperva Community is a great place to learn more about how to use Imperva cyber security technologies like WAF Gateway,  Data Risk Analytics, Database Activity Monitoring and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts. 


Other Relevant Content