.jpg)
Si se pide a los analistas de seguridad que describan los puntos más problemáticos de su trabajo, sin duda obtendrán respuestas muy diversas. Una cosa que casi con toda seguridad tendrán en común es el reto de hacer frente a la fatiga de las alertas. Hemos observado que los retos en este ámbito se reducen a tres puntos dolorosos para los analistas:
- "No hay suficientes horas al día para atender el volumen de alertas que tengo encima".
- "Soy incapaz de utilizar eficazmente mi tiempo porque no puedo distinguir entre los falsos y los verdaderos positivos".
- "Me preocupa pasar por alto un ataque real porque la señal queda enterrada en el ruido de mi solución heredada".
Hay muchas razones que explican los puntos débiles descritos en las soluciones de seguridad heredadas, pero en gran medida se reducen a:
- Simplistic, condition-and-anomaly matching creates false positives.
- Incapacidad de aprovechar las pistas contextuales de la red para mejorar la eficacia.
- Centrarse únicamente en las detecciones, y no en cómo organizarlas eficazmente para que un analista pueda centrarse en las cosas que realmente requieren su atención.
A better way for security analysts:
From day one, Vectra AI has built detections to eliminate the likelihood of false positives by empowering algorithms with context from the modern network. Where traditional network security products might look simply for a pattern, or statistical anomaly without context, Vectra AI designs our detections to leverage context from the network and identify anomalies just like a security analyst would.
For instance, our Smash and Grab Exfil detection will learn what data movement is normal on a subnet-by-subnet basis, factor in sites that are popular in your environment, and look for anomalous outbound flows of data, even in encrypted channels. Vectra AI further correlates the detections across host and account entities, learning the archetype and identifying each object, and then prioritizes detections for analysts in an actionable, stack ranked fashion. This dramatically simplifies the effort it takes to operate Vectra AI compared to competitors who are simply generating detections and leaving it to the analyst to discern the meaning.
But there was still one area we weren’t entirely satisfied with, dealing with true positives. That's because not all true positives are malicious. You might also reliably detect activity where the behavior is as the system says it is; in the context in which an event is happening, it may be a benign true positive rather than a malicious true positive. For instance, some anti-virus products embed file hash lookups within DNS lookups to the AV Vendor. This behavior may look very much like a Command-and-Control channel encoding data within the DNS payload, and that’s because it is. But the fact remains that while this is a true DNS Tunnel, it is not malicious, but rather benign. Our philosophy has been that we will provide visibility into these high-quality detections of attacker behaviors and methods, but balance this by only prioritizing high confidence, correlated, detections at a host or account level to the user for attention.
This got us thinking, is there a way that we could apply some of the same techniques that we use to power our world-class ML/AI algorithms to help differentiate between malicious and benign true positives? The goal was to largely eliminate the need for our customers to analyze benign true positives while prioritizing malicious true positives for their immediate attention. Thus AI-triage was born.
Similar to our process for creating our detections, we added AI-triage capabilities by first analyzing the methodology that real-world analysts apply to resolve these issues. We then trained our ML/AI system to help automate the resolution of the highest confidence scenarios.
Cómo funciona AI-Triage:
Inherent to the Vectra AI Platform, AI-triage works by automatically analyzing all of the active detections in the system, leveraging the context from individual detections, as well as commonalities between detections to look for instances of benign true positives that we can automatically triage on behalf of the customer. For instance, if we see dozens of endpoints all generating the same hidden HTTPS Tunnel detection to the same destination, over at least 14 days without other indicators of compromise, we can confidently identify this as a benign true positive. AI-triage will then automatically create a triage rule on the customers' behalf, without requiring any valuable time from the analyst. Should an analyst want to review it, the activity is still available within the platform, but does not require any analyst action, and does not impact the host or account score.
We’ve observed that AI-triage reduces overall detections that an analyst would otherwise need to investigate by over 80%, meaning that more time can be spent focusing on events requiring analyst attention.
Despliegue con un solo clic
Now that you know all the benefits AI-triage offers, you will be pleased to know that you can activate the capabilities with just a single click. AI-triage requires no tuning or administration whatsoever from the customer. You can enable it, by simply going to Settings -> AI-triage, and enabling the feature at which point AI-triage will begin running in the background to identify high confidence benign true positive detections and triaging them for you.
In 30 days since its release, over half of our customers have already turned on AI-triage. We’re seeing a substantial reduction in benign true positives for the vast majority of customers. But, this is just the beginning of our journey to make security analysts more efficient. We will be extending AI-triage capabilities to cover new scenarios and other products in our portfolio in upcoming releases.
Si desea más información sobre AI-Triage, consulte nuestro artículo de KB "AI-Triage en detalle": https://support.vectra.ai/s/article/KB-VS-1582
Para más información sobre la detección ML/AI de categoría mundial de Vectra, visite: https://support.vectra.ai/s/article/KB-VS-1285