Secureworks® has been leveraging Machine Intelligence since as early as 2008. Approaches include supervised, unsupervised, and deep machine learning models that enhance accelerated threat detection and analysis and reduce alert fatigue — providing our customers better security outcomes.
More recently, we’ve applied threat intelligence to improve triage and accelerate countermeasure development. We have also been able to automate threat hunting functions, tailor on-demand reporting through simple requests, and automate much of the security event triage analysis and containment functions of our Incident Response (IR).
These capabilities have the power to automate many tactical aspects of SOC operations. This leads to a substantial improvement in security efficacy and a significant reduction in the mean time it takes to resolve security incidents.
Incident Detection: The Value of Automating Security Incident Detection
Automating the detection of security incidents using log analysis, network scanning, or other monitoring tools is an essential part of modern cybersecurity.
Much of the power offered by an Extended Detection and Response (XDR) solution like Secureworks Taegis™ can be found in its ability to collect, parse, correlate, analyze, and store telemetry from various disparate sensing solutions in the network environment.
However, distinguishing between genuinely malicious activity and false positive alerts or network admin activity still requires training machine learning models. That kind of training includes a certain amount of human expertise.
Our Taegis platform currently processes over 4 trillion security events per week, ingested directly from our customer base and engagements. With an ever-changing threat landscape — and new tools and techniques emerging daily — understanding what constitutes genuinely malicious behavior must be informed by threat behavior analysis.
For instance, when command-line tools like PowerShell are detected within an environment, discerning between its usage by a threat actor and your own staff comes down to the commands issued from the shell.
We have automated the detection and correlation of the most used sequences of commands based on adversary tradecraft. This process allows us to automatically scrutinize occurrences of command line tools and evaluate subsequent commands to determine malicious intent and hands-on keyboard activity.
One of the most challenging issues for both our security and IT operations teams is accurately compiling a list of authorized software used in an environment.
One powerful defensive capability is employing application lists that follow a "deny all, permit by exception" or "Allow Listing" approach. However, historically identifying all software running in an environment — while understanding its provenance and legitimacy — has been a daunting task in practical application.
Machine Intelligence and automation offer the capability to continually evaluate software applications in the environment. These tools can dynamically assess applications for legitimacy, score their results, and block or allow them. And while individual tasks can be performed manually by humans, employing this kind of AI technology allows for more efficient and effective scrutiny of thousands of applications and devices in a dynamic environment.
Incident Investigation: Automating the Investigation Process
Automated incident investigation involves gathering data from multiple sources and employing data correlation techniques to identify potential threats. When an alert is presented to an analyst for triage, several questions need to be addressed:
- Is the alert a true or false positive?
- What is the severity of the threat? How critical are the affected systems?
- What is the operational impact and associated business risk?
- What are the optimal containment measures and next steps?
- Who should be notified and what systemic changes must be implemented to avoid recurrence?
Let's consider a simple phishing attack as an example.
The first step in analyzing a potential phishing attempt is examining the email header data for source information, such as inspecting IP addresses and domains for reputational analysis. This involves searching external data repositories for reputational scores or data provenance:
- From what country did the email originate?
- Who owns the URL?
- Has it been associated with any malicious activity?
All these data searches can be automated and presented to the analyst. This may lead to further containment actions, such as recalling the email, resetting the user's credentials, searching the mail exchange for similar emails sent, and retrieving all unopened emails.
Leveraging AI's power can also help examine user credential login patterns to detect anomalous activity within the associated timeframe of the attack.
Additionally, Machine Intelligence and automation can be employed to identify aspects of phishing emails by examining email headers for trends rather than specific indicators. With multi-modal AI tools, imagery analysis can be used to assist phishing investigations by looking for abnormal email formatting or unusual use of imagery in an email or domain.
By integrating automation into incident investigation, Secureworks aims to streamline the process and enhance accuracy, enabling security professionals to focus their efforts on more complex tasks and matters.
These triage questions can be automated with the right capabilities and understanding of threat behaviors. Machine Intelligence and automation can be used to validate security event alerts, correlate them with other telemetry sources for associated activity, assess system and asset criticality, and initiate appropriate containment actions.
The challenge for security professionals lies in obtaining accurate visibility of their operational environment and understanding its criticality to inform automation capabilities. Once security staff define the models and data, AI models can help determine criticality based on inputs.
Incident Response: Automating Response Processes for Enhanced Security
Rapid and effective IR is crucial to contain and mitigate threats. This involves various processes like quarantining malicious files or disabling vulnerable systems. Once all initial triage activities have been completed, an appropriate response action needs to be taken.
The urgency of containment can vary depending on the stage at which the threat is detected within the kill chain, but it always remains time-sensitive. And you can save time by fully automating critical actions like:
- Disabling credentials
- Resetting passwords
- Isolating hosts
- Shutting down IP addresses or ports
- Terminating malicious activities
However, determining the appropriate containment action depends on the criticality of the affected system(s). Consider this scenario:
A malicious binary is detected on a system, and the automatic response is to isolate that device from the network.
But what if that infected device happens to be an Industrial Control System (ICS) for a foundry furnace operating at 3,000 degrees Fahrenheit? Isolating this system could have severe personnel and public safety implications, leading to potential disasters if its operation is not well understood by security staff or AI capabilities.
Automation activities must possess asset and system criticality awareness before response actions can safely take place. And Machine Intelligence and automation can help achieve this critical awareness by overlaying operational criticality information for all assets. This helps in automating the determination of appropriate response actions based on each asset's importance.
Automation does not have to be an all-or-nothing approach; human involvement can still be part of the process based
on confidence in action and system operational awareness.
By integrating Machine Intelligence and automation with human expertise in a seamless manner, Secureworks ensures
robust IR capabilities that enhance overall cybersecurity effectiveness for its customers.
Remediation: Automating the Remediation Process
Automating the remediation process involves automatically patching systems or deploying additional security controls when appropriate. And in the past decade, the top three initial access vectors in Secureworks IR engagements have remained consistent. They are:
- The compromise of unpatched systems
- Malware introduced through email
- Compromised credentials
Fortunately, the triage and response actions for each of these areas have large portions that can be readily automated, particularly in vulnerability management.
Imagine having an AI-driven system that, in near real-time, tracks all new Common Vulnerabilities and Exposures (CVEs) and zero-day notices. This system then determines its relevance to your environment, assigns a criticality level and remediation urgency, and models the operational impact of patching. With an assessment score based on these criteria, that system can automatically apply the patch to manage that vulnerability.
Machine Intelligence and automation can also detect suspected use of stolen credentials.
In response to such detection, it can automatically reset the user's password. Moreover, if the compromised credential has elevated permissions, the account can be automatically disabled. Secureworks continues to incorporate these types of advanced Machine Intelligence and automation capabilities to better protect customers’ digital infrastructure against cyber threats.
Reporting and Analysis: Streamlining Reporting and Analysis of SOC Activity
Streamlining reporting and analysis through dashboards and alerts allows IT teams to conveniently review and address potential issues as they arise.
Traditionally, the labor-intensive nature of report production has been perceived as a time-consuming task for analysts. But these reports helped with maintaining clear communication and consistent awareness among team members and stakeholders, so teams often forged ahead with laborious reporting processes.
Today, Machine Intelligence and automation have the capability to automate report production. It also offers the benefit of natural language queries, making key information about your operation easily accessible to everyone within the organization, regardless of skill level.
Additionally, these advanced capabilities strengthen communication within a diverse global security team by bridging language barriers and fostering efficient collaboration among team members.
In turn, this enables Secureworks to offer higher quality service to customers, regardless of their location or language barrier.
Threat Intelligence Gathering: Problem Solving for SOC Teams
Secureworks focuses on automatically collecting and analyzing threat intelligence to help organizations stay aware of emerging threats in their environment. Two things that will always impact a SOC’s efficiency and effectiveness:
- Alert fatigue
- Disparate data searches from various tools or systems
Analysts often spend much of their time gathering information to make informed decisions.
Considering there are thousands of processes in every operating system and hundreds of command-line arguments, relying solely on an analyst's memory is not reasonable or beneficial to the SOC. But with Machine Intelligence and automation, analysts can perform data retrieval across a wide array of internal and external data repositories, offering context around each security event.
This allows analysts to focus on their primary responsibility: making decisions that reduce risk to the business.
Timely and accurate threat intelligence, correlated to security events during the triage process, is essential for understanding the true nature of a threat. One example: how can one determine if a threat discovered in the environment is commodity e-crime or a targeted attack? Targeted attacks are often significantly more challenging to fully evict the threat actors.
Now, imagine having threat behaviors, tools used, infrastructure leveraged, and Indicators of Compromise dynamically applied during triage, enhancing context through simple natural language queries. With Machine Intelligence and automation, analysts may pose a question without having to craft lengthy and time-consuming queries of disparate data sources:
- "What threat groups are associated with X binaries and URLs found within this alert?"
- "Examine the last 90 days of logs, listing all instances of PowerShell usage by unique user accounts and display it in a graph."
- "Find any DNS traffic related to the malicious domain found in this alert."
Machine learning algorithms can expand beyond specific indicator detection by identifying threat actor activity based on historical patterns without pre-written detection logic.
When new tradecraft is identified by your threat intelligence team or provided externally, Machine Intelligence can automatically create Yara, Snort, and Suricata rules and apply them to your sensing devices.
Machine Intelligence Has Operational Value for SOCs
Automation driven by Machine Intelligence will improve the effectiveness and efficiency of your SOC operations by diminishing alert fatigue, improving threat detection, scaling operations, and containing threats faster.
With the industry continually innovating across the spectrum of AI, now is the time for SOC teams to reap the benefits by harnessing these technologies to optimize security efficacy and reduce mean time to resolve security incidents.
To learn more, view our latest webinar about AI improvements in threat detection.