While reducing the Mean-Time-To-Detect (MTTD) is critical, the reality is that Mean-Time-To-Respond (MTTR) is where too many organizations fall short in preventing a breach. This is primarily due to the enormous time it takes to investigate and validate an attack, once identified, with the accuracy and context needed to build a precise and non-disruptive response. When we talk about precision in response, that really comes down to two factors:
- How targeted is the response action? Ideally a response action is low impact but of high value, for example, shutting down a single user’s application access.
- How dynamic is it? Is the recommended action prioritized based on risk, and does that risk vary with organizational shifts, behavioral changes, and threat actor activity?
The reason… Most solutions don’t gather enough contextual information across multiple data sources. Neither do they analyze, chain, and validate detected threats into an attack campaign. Solutions that are too narrowly focused on endpoint, network and log telemetry can neither detect nor provide enough context to enable a highly confident set of response actions without a lot of refinement and customization. The bottom line is that most response playbooks are generic blueprints and are not customized to either the threat situation or the customer environment.
The security analyst works with contextual information to rule in and rule out malicious true positives; however, most SIEM and SOAR technologies lack the same detection and playbook capabilities. Without additional context, the analyst’s manual investigation takes time, which further extends MTTR.
So, what is needed from a solution to build that confidence? Let’s explore a few ways a proper solution can fulfill what the SOC team needs to build confidence with context.
Automatic Ingestion and Interpretation of Data from Many Different Sources
All SIEM vendors will advise increasing the number of data sources to enhance the SOC team’s confidence. Sources such as cloud, endpoint, network, IoT, identity, etc. allow for cross-product correlation and validation. While all SIEM vendors can correlate these events, they do not take granularity into account when validating and tying together the next series of events to build context.
True Machine Learning and Advanced Security Analytics
Gurucul provides static and adaptive chained ML engines, constantly increasing detection accuracy through feedback loops. Gurucul’s responsive playbooks serve as a granular addition after the detection of any malicious action or business policy violation. SIEM and XDR platforms that are based on correlation, whether manual or AI-driven, chain event field data together to produce an exact match. Here the granularity not only limits the SIEM but also leaves the contextual event mapping to be performed by an individual analyst.
So why is granular mapping an issue? Granular mapping is an issue because tight coupling prevents changing or adding any new vendor, resulting in the same rules having to be recreated for the same detections. It also means the user is building a Boolean match, right or wrong, with little context between the individual alerts.
ML-powered threat detection can better detect new and unknown attacks and adjust to changing behaviors without needing to be updated. When a new, never-before-seen cyber-attack appears in the wild, a rule-based detection solution is only effective after the vendor provides an update, which can take days or even weeks depending on how responsive they are. An ML-based platform recognizes and flags potential threats, based on contextual data and a full set of security analytics. By combining security, identity, and behavioral analytics along with a risk score engine, the accuracy and context provided means the SOC team’s manual efforts are greatly reduced.
Validation of Findings and Comprehensive Risk Scores
The ability to prioritize responses based on risk is the final piece of the puzzle for improving the SOC team’s confidence. Many SIEM or XDR products give a generic risk score based on CVE and CVSS scores (if they provide one at all). These scores generally are not tailored to the environment. More advanced solutions, as offered by Gurucul, will generate a risk score based on ML/security analytics and correlation of vulnerabilities from siloed data sources such as sandbox, IDS/IPS, EDR, IAM, etc.
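As an added illustration (not Gurucul’s or Cortex XSOAR’s code, and not a real scoring formula from either product), the Python below shows the three ideas from the sections above working together: alerts from siloed sources (IAM, EDR, DLP, IDS) are chained per entity, each is scaled by how far it departs from that entity’s own behavioral baseline and by identity context (privileged accounts), and the resulting risk score is mapped to the least-disruptive action that still addresses it, with the single-user application-access shutdown as the targeted high-tier action. All alert records, baselines, source weights, thresholds and action names are constructed assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample alerts from siloed sources. Field names and values are
# illustrative and are not the Gurucul or Cortex XSOAR schema.
SAMPLE_ALERTS: List[dict] = [
    {"entity": "jdoe", "source": "IAM", "signal": "login_new_country", "severity": 5, "count": 3},
    {"entity": "jdoe", "source": "EDR", "signal": "lolbin_execution", "severity": 7, "count": 2},
    {"entity": "jdoe", "source": "DLP", "signal": "bulk_file_download", "severity": 6, "count": 40},
    {"entity": "asmith", "source": "IDS", "signal": "outbound_port_scan", "severity": 4, "count": 1},
    {"entity": "svc-backup", "source": "DLP", "signal": "bulk_file_download", "severity": 6, "count": 45},
]

# Constructed behavioral baselines: the typical daily count of each signal per entity.
SAMPLE_BASELINES: Dict[Tuple[str, str], int] = {
    ("jdoe", "login_new_country"): 0,
    ("jdoe", "lolbin_execution"): 0,
    ("jdoe", "bulk_file_download"): 2,
    ("asmith", "outbound_port_scan"): 0,
    ("svc-backup", "bulk_file_download"): 40,  # a backup service account downloads in bulk every day
}

# Assumed tuning knobs; a real platform would learn these or expose them to the SOC.
SOURCE_WEIGHT = {"IAM": 1.2, "EDR": 1.5, "DLP": 1.3, "IDS": 1.0}
PRIVILEGED_ENTITIES = {"svc-backup"}
PRIVILEGE_MULTIPLIER = 1.5
CHAIN_BONUS = 10.0   # added for every extra data source that independently flags the same entity
MAX_SCORE = 100.0


def deviation_factor(count: int, baseline: int) -> float:
    """Scale a signal by how far it departs from the entity's own baseline (0.0 to 3.0)."""
    if baseline == 0:
        return float(min(count, 3))           # never-seen behavior: every occurrence counts
    ratio = count / baseline
    return 0.0 if ratio <= 1.0 else min(ratio - 1.0, 3.0)


def score_entities(alerts: List[dict], baselines: Dict[Tuple[str, str], int],
                   privileged=PRIVILEGED_ENTITIES) -> Dict[str, dict]:
    """Combine severity, source weight, behavioral deviation and identity context into
    one risk score per entity, rewarding corroboration across independent sources."""
    contributions = defaultdict(list)
    for a in alerts:
        base = baselines.get((a["entity"], a["signal"]), 0)
        weight = SOURCE_WEIGHT.get(a["source"], 1.0)
        value = a["severity"] * weight * deviation_factor(a["count"], base)
        if value > 0:                         # in-baseline behavior adds nothing to the score
            contributions[a["entity"]].append((value, a["source"], a["signal"]))

    results = {}
    for entity, parts in contributions.items():
        score = sum(v for v, _, _ in parts)
        sources = {src for _, src, _ in parts}
        score += CHAIN_BONUS * (len(sources) - 1)   # chained, multi-source evidence raises risk
        if entity in privileged:
            score *= PRIVILEGE_MULTIPLIER
        top_signal = max(parts)[2]
        results[entity] = {"score": min(score, MAX_SCORE),
                           "sources": sorted(sources), "top_signal": top_signal}
    return results


def recommend_response(result: dict) -> Tuple[str, str]:
    """Map a risk score to the least-disruptive action that still addresses it."""
    score = result["score"]
    if score >= 75:
        return "critical", "suspend this user's application access and open an incident"
    if score >= 40:
        return "high", "force re-authentication and assign to an analyst"
    if score >= 15:
        return "medium", "add entity to watchlist and raise telemetry retention"
    return "low", "no action; continue baseline learning"


if __name__ == "__main__":
    for entity, r in score_entities(SAMPLE_ALERTS, SAMPLE_BASELINES).items():
        tier, action = recommend_response(r)
        print(f"{entity:<11} score={r['score']:6.2f} tier={tier:<8} "
              f"sources={','.join(r['sources'])} top={r['top_signal']} -> {action}")
```

Two things the sample data is built to show: the backup service account’s bulk download is within its own baseline, so its high raw severity produces almost no risk even with the privilege multiplier, while the same signal on a user whose baseline is near zero is weighted heavily and, corroborated by IAM and EDR, lands in the top tier. Re-scoring after a baseline update is how the recommended action stays dynamic: if bulk downloads become normal for that user, the score drops and the action de-escalates without any rule being rewritten.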
Building Risk-Driven and Highly Precise Playbooks with PAN XSOAR
Gurucul’s Security Analytics and Operations Platform automates ingestion, parsing, threat detection, context gathering and attack validation, and enriches Cortex XSOAR beyond other solutions by also providing historical information about users, entities, and accounts. Gurucul’s integration with Palo Alto Networks Cortex XSOAR is all about attack response timeliness and precision.
The Gurucul content pack for Cortex XSOAR enables you to:
- Automatically sync incidents between the Cortex XSOAR and Gurucul platforms
- Trigger fully automated remediation playbooks in Cortex XSOAR instantly from Gurucul incidents to reduce response times
- Assign a risk score to anomalous users and entities and enrich events with metadata including threat indicators, behavior baselines, and event details for prioritized incident analysis in Cortex XSOAR
- Leverage the full power and features of Cortex XSOAR for your Gurucul workflows
- Address key Gurucul network and user behavior analytics use cases across your automated security workflows including insider threats, data exfiltration, account compromise, privileged access abuse, cloud security access, zero-day exploits, malware, and IoT threats
The Gurucul Security Analytics and Operations Platform drives high-efficacy threat detection and automated response with true machine learning and advanced security analytics that also include identity and behavior analytics.
For more information on the Gurucul use cases, please visit our website.
To learn more about the Cortex XSOAR Marketplace and download the Gurucul content pack, visit https://www.paloaltonetworks.com/cortex/xsoar/marketplace