Triage More Security Threats Faster

Security Alerts Fatigue

THE CHALLENGE:

Recent results from Forrester Research show that the average security operations team receives more than 11,000 alerts per day. Triaging and investigating these alerts consumes 53% of the SOC team's time, and about 33% of them turn out to be false positives. SOC analysts spend too much time manually investigating alerts to figure out what is going on, why it happened, and how to prevent it in the future. Even worse, analysts are frustrated by an overwhelming number of security alerts and repetitive false positives that each require a time-consuming investigation. While companies have found SOAR tools useful for automated context enrichment, these tools are not designed to discover new patterns across alerts, nor are they built to learn the decision rules that would reduce false positives. On top of that, tweaking detection logic and tuning SOAR automation is a painful and risky process.

THE SOLUTION:

DTonomy's AI-based cross-correlation and adaptive learning capabilities do not only look for anomalies; they look for relationships between alerts. Atomic alerts are often too noisy to be a practical starting point for an investigation without proper correlation. Writing correlation rules manually is a time-consuming, never-ending task and limits the possibility of discovering new types of attacks. Additionally, as analysts triage security alerts, their knowledge and processes are not captured, slowing down future resolution activities. When security teams can correlate alerts and capture previous response activities, pattern analytics lets them triage security alerts much more efficiently. The DTonomy system learns false-positive patterns from security analysts' activities, leaving analysts with a smaller number of automatically grouped alerts to review.

DTonomy AIR Alert Correlation

Using a pattern-driven approach, true positives can be recognized quickly because they align with attack processes such as those in the MITRE ATT&CK framework. False positives exhibit patterns as well. For example, if multiple machines connect to a single IP and generate 100 alerts within the same time frame, or the alerts always coincide with a particular deployment activity, that gives you confidence they are false positives. DTonomy learns these patterns and enriches the alerts with context, ultimately helping to identify both true positives and false positives much faster.

Pattern Discovery

DTonomy uses AI algorithms to discover patterns that augment your manual correlation process.

Trustworthy AI is used to ensure you are leveraging the power of AI confidently.

The DTonomy pattern-driven approach enables SOC teams to:

  • Deduplicate alerts so that repetitive alerts are easily tracked and teams do not waste time triaging similar alerts again and again
  • Identify false positive patterns based on learning from analysts’ resolutions that are applied to help quickly identify similar future alerts
  • Automatically personalize security risk scores based on previous analyst resolutions that DTonomy has learned
  • Recommend appropriate playbook response based on the alert type and historic resolution activities
  • Enable you to unlock more automation that suits your environment
  • Keep the SOC optimized automatically and continuously
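The two mechanisms described above (deduplicating repeated alerts, and correlating many hosts reaching one destination within a time window so that a burst coinciding with a known deployment can be marked as a false-positive pattern) can be sketched in code. The following is an added illustration written for this page; it is not DTonomy's code and does not represent how DTonomy AIR implements correlation. The alert records, the deployment window, the thresholds and the labels are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: datetime
    src_host: str
    dst_ip: str
    rule: str


# Constructed sample alerts for illustration only (not real telemetry).
T0 = datetime(2024, 1, 15, 2, 5)  # falls inside the constructed deployment window below
SAMPLE_ALERTS = [
    Alert("a1", T0, "host01", "10.0.0.5", "outbound-to-rare-ip"),
    Alert("a2", T0 + timedelta(seconds=20), "host02", "10.0.0.5", "outbound-to-rare-ip"),
    Alert("a3", T0 + timedelta(seconds=45), "host03", "10.0.0.5", "outbound-to-rare-ip"),
    Alert("a4", T0 + timedelta(seconds=70), "host04", "10.0.0.5", "outbound-to-rare-ip"),
    Alert("a5", T0 + timedelta(seconds=90), "host05", "10.0.0.5", "outbound-to-rare-ip"),
    # exact repeat of a1 from the same host shortly after: a deduplication candidate
    Alert("a6", T0 + timedelta(seconds=100), "host01", "10.0.0.5", "outbound-to-rare-ip"),
    # a lone alert hours later, outside any deployment window
    Alert("a7", datetime(2024, 1, 15, 14, 0), "host09", "203.0.113.7", "outbound-to-rare-ip"),
]

# Constructed change window; assumption: the SOC can pull this from its change/ticketing system.
DEPLOYMENT_WINDOWS = [(datetime(2024, 1, 15, 2, 0), datetime(2024, 1, 15, 2, 30))]


def dedupe(alerts: List[Alert], window: timedelta = timedelta(minutes=10)) -> Tuple[List[Alert], int]:
    """Collapse repeats of (src_host, dst_ip, rule) seen within `window` of the kept alert.
    Returns the surviving alerts and the number of duplicates dropped."""
    kept: List[Alert] = []
    last_seen: Dict[Tuple[str, str, str], datetime] = {}
    dropped = 0
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src_host, a.dst_ip, a.rule)
        prev = last_seen.get(key)
        if prev is not None and a.ts - prev <= window:
            dropped += 1
            continue
        last_seen[key] = a.ts
        kept.append(a)
    return kept, dropped


def group_by_destination(alerts: List[Alert], window: timedelta = timedelta(minutes=5)) -> List[List[Alert]]:
    """Cluster alerts that share a destination IP and fall within `window` of the cluster's first alert."""
    by_dst: Dict[str, List[Alert]] = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        by_dst[a.dst_ip].append(a)
    groups: List[List[Alert]] = []
    for dst_alerts in by_dst.values():
        current: List[Alert] = []
        for a in dst_alerts:
            if current and a.ts - current[0].ts > window:
                groups.append(current)
                current = []
            current.append(a)
        groups.append(current)
    return groups


def in_deployment_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in DEPLOYMENT_WINDOWS)


def classify_group(group: List[Alert], min_hosts: int = 3) -> str:
    """Label a correlated group. Many hosts reaching one IP during a known deployment is the
    false-positive pattern from the text; the same fan-in at any other time is handed to an
    analyst for review; a small group stays an atomic alert."""
    hosts = {a.src_host for a in group}
    if len(hosts) >= min_hosts:
        if all(in_deployment_window(a.ts) for a in group):
            return "likely_false_positive_deployment"
        return "review_fanin_to_single_ip"
    return "atomic"


def triage(alerts: List[Alert]) -> Dict[str, str]:
    """Run dedupe -> correlation -> classification and return one label per destination group."""
    unique, _ = dedupe(alerts)
    return {g[0].dst_ip: classify_group(g) for g in group_by_destination(unique)}


if __name__ == "__main__":
    unique, dropped = dedupe(SAMPLE_ALERTS)
    print(f"dropped {dropped} duplicate(s), {len(unique)} alerts remain")
    for g in group_by_destination(unique):
        print(g[0].dst_ip, len(g), "alert(s) from", len({a.src_host for a in g}), "host(s) ->", classify_group(g))
```

Run as a script, the sample collapses one duplicate, folds the five-host burst to 10.0.0.5 into a single group labelled as a deployment false-positive pattern, and leaves the lone alert to 203.0.113.7 as an atomic alert. The deployment-window check is deliberately a hard gate: a group that is only partly inside the window is still sent for review, since a real incident that happens to overlap a change window should not be suppressed by it.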

Want to test drive DTonomy AIR for free?

SIGN UP FOR THE COMMUNITY EDITION NOW!