Securonix innovations: realising real-time detection and response

What security information and event management, or SIEM, tends to do well is collect the logs of security events and correlate those events against a set of security rules, i.e., if someone scans your ports from a certain IP address and an attack is then detected, one can conclude that the scanning action was malicious and something should be done about it.

“But you need to be constantly writing (rules), updating, and changing them,” Ajay Kumar, Securonix’s Director for APJME, shared.

From Securonix’s perspective, they realised early on (about a decade ago) that they needed to analyse users’ behaviour, how these users use a system, how their machine actually interacts with other systems in the network, and so on.

“Over a period of time, you can trend (or see predictable patterns) and based on that identify anomalies, and report and highlight threats in your network,” Ajay said.

Being able to identify these predictable patterns means there is less need to write specific security rules. Instead, an alert is flagged whenever something deviates from the behavioural pattern plotted over that period of time.

This is called user and entity behaviour analytics, or UEBA.

Scaling this

A feature called risk aggregation combines the individual deviations from an established behaviour pattern into a single risk value.

“So, a threshold value is set up, and when that threshold value is breached, then an analyst is alerted.” Overall, this helps to tune out the avalanche of noisy alerts that would otherwise come up for every single behaviour deviation; only the ones that have been ‘qualified’, or carry a high risk value, are brought to an analyst’s attention.
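To make the two ideas above concrete (a per-user behavioural baseline, and risk aggregation with a threshold that suppresses single noisy deviations), here is a small worked example. It is added for this article and is not Securonix code; the users, the seven-day histories, the three features and the cut-off values are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the article): seven days of per-user
# baseline observations for three features, followed by one day under test.
HISTORY = {
    "alice": {"logins": [5, 6, 5, 7, 6, 5, 6],
              "mb_out": [120, 130, 110, 125, 115, 135, 120],
              "hosts": [2, 2, 3, 2, 2, 3, 2]},
    "bob":   {"logins": [4, 5, 4, 5, 4, 5, 4],
              "mb_out": [100, 95, 105, 100, 90, 110, 100],
              "hosts": [1, 1, 2, 1, 1, 1, 2]},
    "carol": {"logins": [3] * 7,
              "mb_out": [50, 60, 50, 60, 50, 60, 50],
              "hosts": [1] * 7},
}
TODAY = {
    "alice": {"logins": 6, "mb_out": 125, "hosts": 2},
    "bob":   {"logins": 40, "mb_out": 900, "hosts": 11},
    "carol": {"logins": 3, "mb_out": 75, "hosts": 1},
}

DEVIATION_Z = 3.0    # a feature counts as deviating beyond 3 standard deviations
Z_CAP = 10.0         # cap so that one absurd feature cannot dominate the score
RISK_THRESHOLD = 15  # aggregated score at which an analyst is alerted (assumed)


def zscore(value, history):
    """Standardised deviation of today's value from the user's own baseline."""
    sd = pstdev(history) or 1e-9        # constant baseline: any change is extreme
    z = (value - mean(history)) / sd
    return max(-Z_CAP, min(Z_CAP, z))


def deviation_points(z):
    """Risk contributed by one feature: nothing below the cut-off, else |z| rounded."""
    return int(round(abs(z))) if abs(z) >= DEVIATION_Z else 0


def risk_scores(history=HISTORY, today=TODAY):
    """Aggregate per-feature deviations into one risk score per user."""
    scores = {}
    for user, features in today.items():
        scores[user] = sum(
            deviation_points(zscore(value, history[user][feature]))
            for feature, value in features.items()
        )
    return scores


def qualified_alerts(scores, threshold=RISK_THRESHOLD):
    """Only users whose aggregated risk breaches the threshold reach an analyst."""
    return sorted(user for user, score in scores.items() if score >= threshold)


if __name__ == "__main__":
    scores = risk_scores()
    for user, score in scores.items():
        print(f"{user:6} risk={score}")
    print("alerts:", qualified_alerts(scores))
```

Running it, alice scores 0, carol scores 4 (one moderate outbound-volume spike, which on its own would have been a noisy alert) and bob scores 30 across all three features; only bob crosses the threshold, which is the noise-suppression effect the text describes.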

Another innovation that helps prevent analyst fatigue is threat modelling.

Most attackers have standard tactics, techniques, and procedures they employ to reach a target: for example, a preferred way to get into a network, a specific class of exploit, and a set of tools and tactics they use during the different phases of their persistence in an organisation’s environment.

“So, when we see individual alerts, we map them to a threat model; we stick to a series of five or six different events and then present these to the analyst.”

Using the MITRE ATT&CK framework, analysts can estimate the stage of a suspected attack and know which areas to zoom into and respond to.

“What we are trying to do is stitch together a series of alerts, ascertain the attack stage, and the risk to your enterprise at that given time, before we raise an alarm,” Ajay explained.
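The stitching described in the paragraphs above (individual alerts mapped onto an ordered threat model per entity, the attack stage estimated from how far along the chain the entity has progressed, and an alarm raised only once several stages line up) can be shown with a short example. This is added here and is not Securonix code; the ordered stage list is a subset of MITRE ATT&CK tactic names chosen for illustration, and the alerts, entity names and the minimum stage count are constructed.

```python
from collections import defaultdict

# Ordered attack stages used as the threat model (a subset of MITRE ATT&CK
# tactic names; the ordering is an assumption made for this example).
STAGES = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
          "Credential Access", "Lateral Movement", "Exfiltration"]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Constructed alerts, not real telemetry: (timestamp, entity, tactic).
ALERTS = [
    ("09:02", "host-17", "Initial Access"),
    ("09:10", "host-17", "Execution"),
    ("09:15", "host-42", "Discovery"),        # tactic outside this model: ignored
    ("09:31", "host-17", "Persistence"),
    ("10:05", "host-42", "Execution"),
    ("10:40", "host-17", "Credential Access"),
    ("11:20", "host-17", "Lateral Movement"),
]

MIN_STAGES = 4  # raise an alarm only once this many distinct stages are seen (assumed)


def stitch(alerts):
    """Group alerts per entity, in time order, keeping only modelled tactics."""
    chains = defaultdict(list)
    for ts, entity, tactic in sorted(alerts):
        if tactic in STAGE_INDEX:
            chains[entity].append((ts, tactic))
    return dict(chains)


def attack_stage(chain):
    """Furthest stage of the model reached by one entity's chain."""
    return max((tactic for _, tactic in chain), key=STAGE_INDEX.__getitem__)


def assess(alerts, min_stages=MIN_STAGES):
    """Per entity: distinct stages seen, furthest stage, chain progress, alarm decision."""
    report = {}
    for entity, chain in stitch(alerts).items():
        seen = sorted({tactic for _, tactic in chain}, key=STAGE_INDEX.__getitem__)
        furthest = attack_stage(chain)
        report[entity] = {
            "stages": seen,
            "furthest": furthest,
            # Fraction of the modelled chain already traversed: a crude
            # "risk to the enterprise at this time" indicator.
            "progress": round((STAGE_INDEX[furthest] + 1) / len(STAGES), 2),
            "alarm": len(seen) >= min_stages,
        }
    return report


if __name__ == "__main__":
    for entity, info in assess(ALERTS).items():
        print(entity, info)
```

host-17 progresses through five distinct stages and reaches Lateral Movement, so it is raised as one stitched alarm rather than five separate alerts; host-42 has a single modelled stage and stays below the bar, which is where an analyst would expect the noise to be held back.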

The much sought-after real-time element comes into play because Securonix is able to correlate using artificial intelligence (AI) and machine learning (ML) to distinguish normal behaviour from anomalies. The anomalies can then be filtered so that analysts focus on them rather than on everything.