One of the biggest challenges cybersecurity analysts face in day-to-day operations is trying to efficiently process a high volume of alerts and identify actual threats.
The many different devices, platforms, applications and security tools that an organization uses generate thousands of daily security-related alerts. This includes endpoints like mobile phones and laptops, IT network security solutions like firewalls and security information and event management (SIEM) platforms, as well as cloud applications and infrastructure.
This flood of notifications can overwhelm even the best security teams trying to monitor it continuously. As a result, they can miss actual threats buried among unusual but legitimate user behavior. False positives are common and a major distraction; the National Institute of Standards and Technology (NIST) defines a false positive as an alert that incorrectly indicates the presence of a vulnerability or malicious activity, or that classifies benign activity as malicious. The result is that IT and cybersecurity organizations spend a great deal of unplanned time investigating situations that turn out not to be attacks.
A managed cybersecurity platform like ActiveEye, which powers Motorola Solutions managed detection and response (MDR) services, solves this problem. By enabling all of these alerts to be collected in one place, and then filtering out the “noise” of known good activity, the most critical alerts are surfaced for investigation. And by applying advanced analytics and learning, the alerts most likely to require action are prioritized.
Data filtering and alert prioritization make security operations center (SOC) analysts more productive, and ultimately improves your overall security posture. Analysts can focus their attention on a far more limited number of alerts to investigate, which accelerates the response time. If our SOC analysts identify an actual threat, they can either initiate mitigation actions directly from the ActiveEye platform, engage your cybersecurity team with suggested mitigation advice, or combine efforts to address it, depending on the type and severity of the issue.
Let’s take a deeper look at how these capabilities make ActiveEye such a powerful platform.
Why Are Orchestration and Automation Critical?
Security Orchestration, Automation and Response (SOAR) is critical to identifying cyber threats and resolving alerts faster, and it plays a starring role in ActiveEye.
Automation: Accelerating Investigation Time
Investigating a security alert raises a multitude of questions for the analyst: Is this indicator known to be malicious? Where is this address located? Who registered this domain? What has this host been doing? The key to accelerating time to resolution is gathering those answers as quickly as possible. Automation in ActiveEye performs hundreds of tasks for the analyst. The platform uses APIs to connect to external threat intelligence sources, IP geolocation databases, domain registrars and EDR consoles to bring all available knowledge to the table. ActiveEye can also query its own historical data for previous similar situations, trends and other related activity.
When an analyst views an alert in ActiveEye, all of this enrichment data is already attached, so decision-making can begin immediately. The interface lets the analyst quickly pivot across real-time data for the affected system, the user involved and the indicator of compromise, and see where else in the organization each appears. This removes much of the manual pivoting that would otherwise make up an investigation.
In many cases, the analyst decides that mitigating action is required. ActiveEye has several built-in response actions that replace what would otherwise be manual steps. From the console the analyst can take endpoint actions such as quarantining a system from the network, stopping a process, removing a file, or adding a file's hash to the blocklist so it is blocked on all other hosts.
Orchestration: Applying Automation at Scale
In many cases, based on our experience with a broad range of incidents, we already know the workflow an analyst will follow to determine whether a situation requires action and what that action would be. The ActiveEye "Virtual Analyst" is an orchestration engine that uses Playbooks to initiate and tie together one or more automation functions. Playbooks range from the basic, such as suppressing an alert known to be a short-term anomaly, to the advanced, such as automatically validating that a file is malicious and then removing it from a compromised system.
The Virtual Analyst works at both a Global and a Local level. Global playbooks are applied to all customers for well understood threats and responses. Local playbooks are specific to your environment. These account for systems that act a certain way, specific technologies in use, unique network configurations or temporary escalation procedures.
The Virtual Analyst fully processes, on average, over 95 percent of the alerts seen by ActiveEye. This accelerates time to mitigation in two ways. First, known "good" activity is validated and removed from the queue, while obvious actionable activity is validated and immediately actioned. Second, for alerts that still need a human, the Virtual Analyst can raise the alert's severity based on the intelligence it collected, or add notes to the alert that guide the analyst's investigation.
Orchestration uses automation to dramatically reduce the manual review required in your environment. Keep in mind, however, that what remains can still be a lot of activity, especially if an attacker is deliberately generating noise as a smoke screen. That is why one more element is important in accelerating time to mitigation.
Prioritization: Most Actionable First
SOC analysts are always busy. The question we have is, “Are they working on the most important activity?” Even with the load of manual investigation dramatically reduced, there is still a queue.
ActiveEye uses advanced algorithms and an evaluation of past analyst actions to order the queue by "Urgency" rather than by "Severity" alone. Severity describes how bad an alert would be if it were real; urgency also accounts for how often alerts of that kind have actually required mitigation. The activity most likely to be actionable is therefore worked first, which matters whenever more than one item is waiting for manual investigation.
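To make the three stages concrete (automated enrichment, global and local playbooks, and an urgency ordering derived from past analyst dispositions), here is an added illustrative pipeline. It is not ActiveEye code and does not show how the Virtual Analyst is implemented; the alerts, the threat-intelligence lookup, the analyst history and the playbook rules are all constructed stand-ins for the external sources and proprietary logic the text describes. The urgency formula used here (severity weight multiplied by a smoothed historical rate of alerts that needed mitigation) is one simple choice, assumed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Numeric weight for each severity label (assumed scale for this example).
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Alert:
    id: str
    rule: str          # detection rule that fired
    host: str
    user: str
    indicator: str     # IP or hash the detection fired on
    severity: str
    notes: List[str] = field(default_factory=list)
    suppressed_by: Optional[str] = None


# --- Constructed stand-ins for external sources (assumptions, not real feeds) ---
# Threat-intel verdicts keyed by indicator (addresses from RFC 5737 test ranges).
THREAT_INTEL = {"198.51.100.7": "known_c2", "203.0.113.9": "benign_cdn"}
# Analyst history per rule: (alerts that needed mitigation, alerts reviewed).
ANALYST_HISTORY = {
    "edr.ransomware_behavior": (18, 20),
    "auth.impossible_travel": (3, 40),
    "net.port_scan": (2, 200),
    "auth.new_admin_login": (5, 25),
}
# Local playbook data: the customer's authorized vulnerability scanner.
SCANNER_HOSTS = {"vscan01"}


def enrich(alert: Alert) -> str:
    """Automation stage: attach intel verdict and history to the alert."""
    verdict = THREAT_INTEL.get(alert.indicator, "unknown")
    alert.notes.append(f"intel:{verdict}")
    hits, total = ANALYST_HISTORY.get(alert.rule, (0, 0))
    alert.notes.append(f"history:{hits}/{total} actioned")
    return verdict


def global_playbook(alert: Alert, verdict: str) -> None:
    """Orchestration stage, global: well-understood indicators and responses."""
    if verdict == "benign_cdn":
        alert.suppressed_by = "global:known_good_indicator"
    elif verdict == "known_c2" and alert.severity != "critical":
        alert.severity = "critical"
        alert.notes.append("escalated: indicator matches known C2")


def local_playbook(alert: Alert) -> None:
    """Orchestration stage, local: behaviour specific to this environment."""
    if alert.rule == "net.port_scan" and alert.host in SCANNER_HOSTS:
        alert.suppressed_by = "local:authorized_scanner"


def actionable_rate(rule: str) -> float:
    """Fraction of past alerts for this rule that needed mitigation.
    Laplace smoothing gives an unseen rule 0.5 instead of 0 or a division by zero."""
    hits, total = ANALYST_HISTORY.get(rule, (0, 0))
    return (hits + 1) / (total + 2)


def urgency(alert: Alert) -> float:
    """Prioritization stage: severity alone would ignore how often this fires for real."""
    return SEVERITY_WEIGHT[alert.severity] * actionable_rate(alert.rule)


def triage(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Run every alert through enrichment and playbooks; return (work queue, suppressed)."""
    queue, suppressed = [], []
    for alert in alerts:
        verdict = enrich(alert)
        global_playbook(alert, verdict)
        if alert.suppressed_by is None:
            local_playbook(alert)
        (suppressed if alert.suppressed_by else queue).append(alert)
    queue.sort(key=urgency, reverse=True)   # most actionable first
    return queue, suppressed


def sample_alerts() -> List[Alert]:
    """Constructed sample input; fresh objects each call because triage() mutates them."""
    return [
        Alert("A1", "auth.impossible_travel", "lt-042", "jdoe", "192.0.2.55", "high"),
        Alert("A2", "net.port_scan", "vscan01", "svc-scan", "192.0.2.10", "low"),
        Alert("A3", "net.port_scan", "ws-017", "asmith", "192.0.2.11", "low"),
        Alert("A4", "edr.ransomware_behavior", "fs-01", "bjones", "sha256:unknown", "high"),
        Alert("A5", "auth.new_admin_login", "dc-01", "admin", "198.51.100.7", "medium"),
        Alert("A6", "net.beacon_suspect", "ws-021", "clee", "203.0.113.9", "medium"),
    ]


if __name__ == "__main__":
    work, dropped = triage(sample_alerts())
    for a in work:
        print(f"{a.id} {a.severity:8} urgency={urgency(a):.3f} {a.notes}")
    for a in dropped:
        print(f"{a.id} suppressed by {a.suppressed_by}")
```

On the sample input, A2 and A6 never reach a human: one is dropped by the local playbook (the authorized scanner), the other by the global one (a known benign CDN address). A5 fires as medium but its source address matches known command-and-control infrastructure, so the global playbook escalates it to critical with a note. The remaining queue is ordered A4, A5, A1, A3. Sorting by severity alone would have tied A4 with A1 and left A5 below both; the urgency score separates them because ransomware-behaviour alerts have historically needed mitigation far more often than impossible-travel alerts.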
Measuring Success: Responding to Complex Threats Faster
The key metric to monitor is the time from an alert being raised to the investigation being completed or mitigating actions being initiated. ActiveEye tracks this for you and places the ongoing measure on your dashboard. The metric is also included in monthly reports for sharing with your internal teams. Since investigating and responding to many alerts requires collaboration between our teams, we view it as a holistic measure of how well we are working together.
The ActiveEye platform has a variety of capabilities and features that help us protect enterprise endpoint, network and cloud environments, in addition to specific content and integrations for public safety systems like PremierOne®, Spillman Flex®, CommandCentral, VESTA® 9-1-1 and ASTRO®. With our SOC analysts continually monitoring your systems and network for potential attacks and remediating them as needed, your security team can focus on other important tasks.
Machine learning reduces the time human security experts spend sorting false positives from actual threats, and automating common responses allows threats to be addressed faster still. In a world of ever-evolving cyber attacks, expanding attack surfaces and determined threat actors, a managed security platform like ActiveEye is crucial to maintaining a strong cybersecurity posture.
To learn more about all the capabilities in ActiveEye, download our technical overview white paper.