We recently told you about the analytical tools implemented in Defensys SENSE.
Some of them are programmatic experts – algorithms that use statistical analysis and machine learning methods to detect anomalies and threats in the behavior of users and endpoints.
Today we’re going to continue the overview of Defensys SENSE capabilities and take a look at the behavioral models that form the basis of the programmatic experts. In this article we’ll describe in detail the processes of additional learning and relearning of behavioral models, and how they help reduce false positives and false negatives, making work with the detected anomalies more effective.
The work of behavioral models rests on extracting and updating knowledge about the observed entities. This knowledge is derived from event logs, and the processing is built on complex mathematical models and calculations.
The result is a profile of the observed entity, against which deviations in its behavior are detected.
Picture 1 – The process of the system’s initial learning
Among the programmatic experts there are behavioral models that use retrospective (historical) data to build the observed entity’s profile.
The oil company has a colossal infrastructure, and its SOC contains 3 response lines. Undoubtedly, a new system had to be customized and adapted to all internal processes. After the PoC project, the Company chose Defensys SOAR for incident orchestration.
The Company already had plenty of installed systems, such as SIEM, CMDB and others, and of course the SOAR had to be integrated with all of them. Defensys therefore set up several connectors for receiving and enriching incidents. Much of the information comes into the SOAR from the antivirus and AD.
5 standard response playbooks were offered to the Company. To meet shifts in demand, some playbooks were upgraded and completely automated. After incident detection, several responsible departments now immediately receive tasks via the integrated Service Desk system. Each task contains the necessary fields in question-and-answer form: the user chooses “fulfilled” or “not fulfilled” in the answer field, depending on the process steps. When the SOAR receives the requested information back, the scenario branches according to the results without any human intervention. For instance, after the answers are reviewed, a particular switch port can be automatically turned off in the company’s large infrastructure. To put the idea into practice, Defensys engineers prepared a customized entity to keep track of all network segments and used this up-to-date list in the response procedure to find the exact port and disable or enable it when needed.
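The branching logic described above, as an added illustration that is not Defensys SOAR code: a playbook step takes the departments’ “fulfilled” / “not fulfilled” answers, resolves the host to a switch port through a (constructed, hypothetical) network-segment inventory, and either isolates the port, waits, or escalates to an analyst. Every name and value here is an assumption chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed network-segment inventory (hypothetical data, not the company's):
# host -> segment, switch and access port. Stands in for the "customized entity"
# the case study says keeps track of all network segments.
SEGMENT_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.20.5.17": {"segment": "plant-floor-a", "switch": "sw-pf-a-03", "port": "Gi1/0/12"},
    "10.30.8.4": {"segment": "office-hq", "switch": "sw-hq-01", "port": "Gi2/0/7"},
}


@dataclass
class Task:
    department: str
    question: str
    answer: Optional[str] = None  # "fulfilled", "not fulfilled", or None while pending


@dataclass
class Decision:
    action: str                          # "disable_port", "escalate" or "wait"
    target: Optional[Dict[str, str]] = None
    reason: str = ""
    audit: List[str] = field(default_factory=list)  # trail for the incident record


def evaluate_playbook(host_ip: str, tasks: List[Task]) -> Decision:
    """Branch the containment scenario on the answers returned from Service Desk.

    The port is isolated only when every responsible department answered
    "fulfilled" AND the host resolves to a tracked switch port. A pending
    answer makes the playbook wait; any "not fulfilled" or unknown host is
    handed to an analyst instead of acting blindly.
    """
    audit = [f"{t.department}: {t.question} -> {t.answer or 'pending'}" for t in tasks]
    if any(t.answer is None for t in tasks):
        return Decision("wait", reason="awaiting Service Desk answers", audit=audit)
    if any(t.answer != "fulfilled" for t in tasks):
        return Decision("escalate", reason="a department reported 'not fulfilled'", audit=audit)
    entry = SEGMENT_INVENTORY.get(host_ip)
    if entry is None:
        return Decision("escalate", reason=f"{host_ip} not in segment inventory", audit=audit)
    return Decision("disable_port", target=entry,
                    reason="all checks fulfilled; isolating access port", audit=audit)
```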