
Defensys SENSE: the reduction of false positives via the implementation of behavioral models

We recently told you about the analytical tools implemented in Defensys SENSE.

Some of them are programmatic experts: algorithms that use statistical analysis and machine learning methods to detect anomalies and threats in the behavior of users and endpoints.

Today we’re going to continue the overview of Defensys SENSE capabilities and take a look at the behavioral models that form the basis of the programmatic experts. In this article we’ll describe in detail the processes of additional learning and relearning of behavioral models, and how they help to get rid of false positives and false negatives, increasing the effectiveness of working with the detected anomalies.

Behavioral models and their learning

The work of behavioral models is based on extracting and updating knowledge about the observed entities. This knowledge is derived from the event logs, and the processing relies on complex mathematical models and calculations.

This makes it possible to build a profile of the observed entity and to detect deviations in its behavior.

Picture 1 – The process of the system’s initial learning

Among the programmatic experts there are behavioral models that use retrospective data to build the observed entity’s profile.


Cybersecurity Digest #74: 02/05/2023 – 16/05/2023

Cybersecurity news


Case study by Defensys – Oil Company

Challenge

The oil company has a colossal infrastructure, and its SOC contains 3 response lines. Undoubtedly, any new system had to be customized and adapted to all internal processes. After the PoC project, the Company chose Defensys SOAR for incident orchestration.

Implementation

The Company already had plenty of installed systems, such as a SIEM, a CMDB and others, and of course the SOAR had to be integrated with all of them. Defensys therefore set up several connectors for receiving incidents and enriching them. Much of the information is brought into the SOAR from the antivirus system and from AD.

Five standard response playbooks were offered to the Company. To meet shifts in demand, some playbooks were upgraded and fully automated. After an incident is detected, several responsible departments now immediately receive tasks via the integrated Service Desk system. Each task contains the necessary fields in question-and-answer form. The user chooses “fulfilled” or “not fulfilled” in the answer field depending on the process step. When the SOAR receives the requested information back, the scenario branches according to the results without any human intervention. For instance, after the answers are reviewed, a particular switch port can be automatically turned off in the company’s large infrastructure. To put the idea into practice, Defensys engineers prepared a customized entity to keep track of all network segments and used this up-to-date list in the response procedure to find the exact port and disable or enable it when needed.


Cybersecurity Digest #73: 18/04/2023 – 02/05/2023

Cybersecurity news


SGRC systems: Compliance as a right

Compliance as a right

It was discussed above how automating the typical stages of audits both results from and helps to increase the maturity of the process as a whole. Having implemented the appropriate solution, some organizations may think that is the end of the matter: all that is left to do is keep the process running. Tasks are automated, monitoring is underway, and data is organized.

In fact, this is just the beginning. Organizations move to the next level of cyber security maturity when they stop doing audits “because the authority forces them to do this” and realize that this tool can be used to proactively respond to problems.

Internal audits can be organized in many different ways, but quite often they begin when cyber security employees, as they gain experience, start to form their own in-house standards. As they learn the various regulatory requirements, they feel the need to formulate a metric for themselves that reflects the level of asset compliance without reference to specific external documents.

This is how internal standards and compliance assessment methodologies are born.
