Why sort alerts - when AI can do it for you?

April 15, 2025
Brad Woodberg
Senior Director of Product Management

If you ask security analysts to describe the biggest problems in their role, you will undoubtedly get a variety of answers. One thing they will almost certainly have in common is the challenge of dealing with alert fatigue. We have found that the challenges in this area come down to three analyst pain points:

  • "There are not enough hours in the day to handle the alert volume on my plate."
  • "I am unable to use my time efficiently because I cannot tell false positives from true positives."
  • "I worry that I will miss a real attack because the signal gets lost in the noise of my legacy solution."

There are many reasons for the problems described above in legacy security solutions, but they essentially boil down to:

  • Simplistic condition-and-anomaly matching creates false positives.
  • The inability to use contextual information from the network to improve efficiency.
  • A focus exclusively on detections rather than on how to organize them efficiently so that an analyst can concentrate on the things that actually require attention.

A better way for security analysts:

From day one, Vectra AI has built detections to minimize the likelihood of false positives by empowering algorithms with context from the modern network. Where traditional network security products might look simply for a pattern or a statistical anomaly without context, Vectra AI designs its detections to leverage context from the network and identify anomalies just like a security analyst would.

For instance, our Smash and Grab Exfil detection learns what data movement is normal on a subnet-by-subnet basis, factors in sites that are popular in your environment, and looks for anomalous outbound flows of data, even in encrypted channels. Vectra AI further correlates the detections across host and account entities, learning the archetype of and identifying each object, and then prioritizes detections for analysts in an actionable, stack-ranked fashion. This dramatically simplifies the effort it takes to operate Vectra AI compared to competitors who simply generate detections and leave it to the analyst to discern their meaning.

But there was still one area we weren't entirely satisfied with: dealing with true positives. That's because not all true positives are malicious. You might reliably detect activity where the behavior is exactly what the system says it is, yet in the context in which the event is happening it is a benign true positive rather than a malicious one. For instance, some anti-virus products embed file hash lookups within DNS queries to the AV vendor. This behavior looks very much like a command-and-control channel encoding data within the DNS payload, and that's because it is one. While this is a true DNS tunnel, it is benign rather than malicious. Our philosophy has been to provide visibility into these high-quality detections of attacker behaviors and methods, but to balance this by only prioritizing high-confidence, correlated detections at the host or account level for the user's attention.

This got us thinking: is there a way we could apply some of the same techniques that power our ML/AI detection algorithms to help differentiate between malicious and benign true positives? The goal was to largely eliminate the need for our customers to analyze benign true positives while prioritizing malicious true positives for their immediate attention. Thus AI-triage was born.

Similar to our process for creating detections, we built AI-triage by first analyzing the methodology that real-world analysts apply to resolve these cases. We then trained our ML/AI system to automate the resolution of the highest-confidence scenarios.

How AI-triage works:

Inherent to the Vectra AI Platform, AI-triage works by automatically analyzing all of the active detections in the system, leveraging the context from individual detections as well as commonalities between detections, to look for instances of benign true positives that can be triaged automatically on behalf of the customer. For instance, if we see dozens of endpoints all generating the same Hidden HTTPS Tunnel detection to the same destination, over at least 14 days and without other indicators of compromise, we can confidently identify this as a benign true positive. AI-triage then automatically creates a triage rule on the customer's behalf, without requiring any valuable time from the analyst. Should an analyst want to review it, the activity is still available within the platform, but it does not require any analyst action and does not affect the host or account score.
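The triage heuristic described above, as an added example and not Vectra AI's own code: detections are grouped by detection type and destination, and a group is marked as a benign true positive only when enough distinct hosts report it, the observations span at least 14 days, and no record in the group carries other indicators of compromise. The record layout, the field names, the host-count threshold (12, standing in for "dozens") and the sample detections are all constructed for this example; triaged detections are kept rather than deleted, mirroring the point that they stay available for review but no longer demand action.

```python
from collections import defaultdict
from datetime import date

MIN_HOSTS = 12   # assumed threshold for "dozens of endpoints"
MIN_DAYS = 14    # minimum span of observation given in the text


def build_sample():
    """Constructed detections; the field names are assumptions, not a real schema."""
    det = []
    # Group 1: 15 hosts, same destination, spread over 15 days, no other IOCs -> benign
    for i in range(15):
        det.append({"host": f"ws-{i:02d}", "type": "Hidden HTTPS Tunnel",
                    "dest": "telemetry.vendor.test", "day": date(2025, 3, 1 + i),
                    "other_iocs": 0})
    # Group 2: 15 hosts but all seen within 3 days -> too recent to auto-triage
    for i in range(15):
        det.append({"host": f"lab-{i:02d}", "type": "Hidden HTTPS Tunnel",
                    "dest": "new-saas.test", "day": date(2025, 3, 20 + (i % 3)),
                    "other_iocs": 0})
    # Group 3: single host to a unique destination with other IOCs -> leave for the analyst
    det.append({"host": "ws-07", "type": "Hidden HTTPS Tunnel", "dest": "203.0.113.9",
                "day": date(2025, 3, 18), "other_iocs": 2})
    return det


def triage_candidates(detections, min_hosts=MIN_HOSTS, min_days=MIN_DAYS):
    """Return one triage rule per (type, destination) group that meets every benign criterion."""
    groups = defaultdict(list)
    for d in detections:
        groups[(d["type"], d["dest"])].append(d)

    rules = []
    for (dtype, dest), recs in groups.items():
        # Any other indicator of compromise in the group disqualifies it from auto-triage.
        if any(r["other_iocs"] for r in recs):
            continue
        hosts = {r["host"] for r in recs}
        days = [r["day"] for r in recs]
        span = (max(days) - min(days)).days + 1
        if len(hosts) >= min_hosts and span >= min_days:
            rules.append({"type": dtype, "dest": dest,
                          "hosts": len(hosts), "span_days": span})
    return rules


def apply_rules(detections, rules):
    """Split detections into those still needing attention and those covered by a rule."""
    covered = {(r["type"], r["dest"]) for r in rules}
    kept, triaged = [], []
    for d in detections:
        (triaged if (d["type"], d["dest"]) in covered else kept).append(d)
    return kept, triaged


if __name__ == "__main__":
    sample = build_sample()
    rules = triage_candidates(sample)
    kept, triaged = apply_rules(sample, rules)
    for r in rules:
        print(f"rule: {r['type']} -> {r['dest']} ({r['hosts']} hosts over {r['span_days']} days)")
    print(f"{len(triaged)} of {len(sample)} detections triaged; {len(kept)} remain for review")
```

Only the first group produces a rule: the second has enough hosts but too short an observation window, and the third is a single host with additional indicators, so both stay in the analyst's queue.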


We have observed that AI-triage reduces the overall number of detections an analyst would otherwise need to investigate by over 80%, meaning more time can be spent on events that require analyst attention.

One-click deployment

Now that you know the benefits AI-triage offers, you will be pleased to know that you can activate the capability with a single click. AI-triage requires no tuning or administration whatsoever from the customer. You enable it by going to Settings -> AI-triage and switching the feature on, at which point AI-triage begins running in the background to identify high-confidence benign true positive detections and triage them for you.

In the 30 days since its release, over half of our customers have already turned on AI-triage, and we are seeing a substantial reduction in benign true positives for the vast majority of them. But this is just the beginning of our journey to make security analysts more efficient. We will be extending AI-triage to cover new scenarios and other products in our portfolio in upcoming releases.

For more information on AI-triage, read our KB article "AI-triage in depth": https://support.vectra.ai/s/article/KB-VS-1582

For more information about Vectra's best-in-class ML/AI detection, see: https://support.vectra.ai/s/article/KB-VS-1285
