Logpoint: Rethinking detection and response 


Alert fatigue continues to be a real problem for SOC analysts, resulting in frustration, miscommunication and burnout, writes Christian Have, CTO, Logpoint.

The army of automated solutions that was supposed to alleviate the problem has at worst contributed to it, in some cases leading to swivel chair operations and persistent high false positive rates.

It’s not uncommon for the average organisation to have over 70 security solutions all of which are vying for the attention of the SOC (Security Operations Centre) analyst and each pumping out a ton of alerts. 

A recent Reddit post by one analyst, since taken down, revealed just how much of a toll this is taking, with the analyst stating that he responds to over 100 alerts during a 12-hour shift, as well as communicating with customers, writing lengthy reports and threat models and creating threat advisory releases.

It’s sadly an all too common story, with reports over the past couple of years routinely finding that over 70% of analysts feel burnt out, while others point to the highest turnover rates in the sector as analysts move around to other employers or leave altogether.

The problem of false positives is further exacerbated by the evolution of attacks which are now more difficult to detect. Modern attacks propagate throughout the systems of the organisation by using the features of the operating systems themselves.

Living off the Land Binaries and Scripts (LoLBAS), for instance, don’t introduce any code into the system and can pivot within the network without the need to use any additional tools. 

This requires threat detection and response mechanisms to be tuned to look for indicators that are virtually indistinguishable from legitimate activity, which inevitably increases the number of false positives generated.

Sporadic detection 

What’s more, human analysts will look at tickets in a linear fashion, which means the patterns associated with an attack can often be missed.

As an attack progresses along the kill chain and moves deeper into the network, there will usually be telltale signs but these will occur sporadically.  

Being able to connect the dots in the sea of noise and over long periods of time is therefore difficult without assistance. It’s here where security solutions have sought to qualify alerts by applying contextual information and mapping these to attack frameworks such as MITRE ATT&CK.

However, solutions such as Security Orchestration Automation and Response (SOAR) have had limited success because they’ve been unable to fuse these signals together and to automate investigations. 

Humans are, in fact, incredibly good at detecting patterns and thinking laterally, but we have limits: what we do not excel at is crunching through data and dealing with minutiae.

We therefore need to rethink how we address the problem of alert fatigue by harnessing the best elements of both man and machine, and this is now possible thanks to AI.

It’s important to be clear here about what we mean when we refer to AI. We’re not simply talking about large language models (LLMs).

AI should be regarded as an umbrella term for learning algorithms, agents, graphs and many other approaches, all of which can be applied in the SOC. 

Hypergraphs as an aid to GenAI 

Using such advanced models, it’s possible to connect hundreds of observations to create likely chains of events and to score the observations as well as the chains of observations in order to prioritise investigations.

The scoring is dictated by heuristics such as how often we see a detection from a specific workstation. 

Hypergraphs are used to connect these disparate detections that share an observable, such as a user, transaction-ID, or cyber-threat intelligence that points to the same malware group.

These hypergraphs can use various parameters to combine this information and help to present this visually to the analyst.  

It’s only at this point that we use an LLM to qualify the threat by asking simple questions on top of a sequence of detections to describe what we’re seeing and prescribe what should be done about it.

Machine learning is then applied to the chains of events to provide recommended actions to the analyst outlining possible courses of action when it comes to further investigation and response. 

What this means in effect is that the analyst doesn’t become involved until they are presented with a complete picture made up of long chains of alerts that are strung together and shown as a whole.

Moreover, because those multiple disparate events are correlated into a single incident object, it makes it much easier to monitor for LoLBAS attacks.  

The influx of detections generated when scanning for these attacks can be correlated, connected and analysed by these hypergraphs and viewed in a wider context, making the threat and the way it has progressed more visible.
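The mechanics described in this section (detections connected through shared observables, chained into a single incident object, then scored by a frequency heuristic so that rare, multi-stage chains rank above repetitive noise) are illustrated in the following added example. It is not Logpoint's code: it models the hypergraph as a map from each observable to the set of detections carrying it, merges anything reachable through shared observables with union-find, and applies a simple assumed scoring formula. All detections, rule names, hosts and weights are constructed sample data.

```python
"""Correlate individual detections into incident objects via shared observables.

Added example, not Logpoint's implementation. Each observable (host, user,
transaction id, CTI tag) is a hyperedge joining every detection that carries
it; detections reachable through any chain of shared observables collapse into
one incident, which is then scored with a frequency heuristic of the kind the
article describes. Field names, rule names and weights are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample detections: one LoLBAS-style chain spanning two hosts
# (d1-d4) plus three identical noisy logon alerts on an unrelated host (d5-d7).
DETECTIONS = [
    {"id": "d1", "rule": "certutil_download", "host": "WS-042", "user": "alice", "txn": "t-77", "cti": None},
    {"id": "d2", "rule": "rundll32_suspicious_args", "host": "WS-042", "user": "alice", "txn": None, "cti": None},
    {"id": "d3", "rule": "lateral_wmi_exec", "host": "SRV-DB1", "user": "alice", "txn": None, "cti": "group-X"},
    {"id": "d4", "rule": "cti_ip_match", "host": "SRV-DB1", "user": None, "txn": None, "cti": "group-X"},
    {"id": "d5", "rule": "failed_logon_burst", "host": "WS-100", "user": "bob", "txn": None, "cti": None},
    {"id": "d6", "rule": "failed_logon_burst", "host": "WS-100", "user": "bob", "txn": None, "cti": None},
    {"id": "d7", "rule": "failed_logon_burst", "host": "WS-100", "user": "bob", "txn": None, "cti": None},
]

OBSERVABLE_FIELDS = ("host", "user", "txn", "cti")


def build_hyperedges(detections):
    """Map each observable (field, value) to the ids of detections sharing it.
    Every entry is one hyperedge; it may join any number of detections."""
    edges = defaultdict(set)
    for d in detections:
        for field in OBSERVABLE_FIELDS:
            if d[field] is not None:
                edges[(field, d[field])].add(d["id"])
    return edges


def correlate(detections):
    """Union-find over the hyperedges: detections connected through any chain
    of shared observables end up in the same incident object."""
    parent = {d["id"]: d["id"] for d in detections}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for members in build_hyperedges(detections).values():
        ordered = sorted(members)
        for a, b in zip(ordered, ordered[1:]):
            union(a, b)

    by_id = {d["id"]: d for d in detections}
    incidents = defaultdict(list)
    for did in parent:
        incidents[find(did)].append(by_id[did])
    return list(incidents.values())


def score_incident(incident, all_detections):
    """Assumed heuristic: rare (host, rule) pairs, several distinct rules and
    several hosts push the score up; a CTI hit adds a fixed bonus. Repeated
    identical detections on one host contribute little, so noise sinks."""
    host_rule_freq = Counter((d["host"], d["rule"]) for d in all_detections)
    rarity = sum(1.0 / host_rule_freq[(d["host"], d["rule"])] for d in incident)
    distinct_rules = len({d["rule"] for d in incident})
    hosts = len({d["host"] for d in incident})
    cti_bonus = 5.0 if any(d["cti"] for d in incident) else 0.0
    return round(rarity * distinct_rules * hosts + cti_bonus, 2)


def prioritised_incidents(detections=DETECTIONS):
    """Return incident objects sorted with the highest score first, which is
    the order an analyst would be shown them."""
    result = []
    for inc in correlate(detections):
        result.append({
            "detections": sorted(d["id"] for d in inc),
            "hosts": sorted({d["host"] for d in inc}),
            "score": score_incident(inc, detections),
        })
    return sorted(result, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for inc in prioritised_incidents():
        print(inc)
```

With the constructed input, seven alerts collapse into two incidents: the four-stage chain linked through the user `alice`, the host `SRV-DB1` and the `group-X` CTI tag scores 37.0, while the three identical logon bursts on `WS-100` become a single low-scoring incident, which is the reduction in analyst-facing alerts the article argues for.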

Emancipated analysts 

Using hypergraphs in this way could redefine how we detect and respond. It takes the analyst off the front line and puts them in a far stronger position, overseeing and responding to incidents that have a high probability of causing harm.

In doing so, it enables those analysts to spend their time on more productive activities, be that threat hunting or dedicating time to defence.

Yet awareness of the power of AI to address the problem of alert fatigue remains low. According to a recent survey by Gartner, only a third are currently looking at evaluating the use of advanced AI in the SOC and the vast majority (72%) do not have a strategy for doing so.

But the same survey also found that almost half recognised that the technology had the capacity to significantly benefit and increase threat detection capabilities.  

In fact, early research indicates using hypergraph-enabled threat detection and response could reduce the number of alerts the analyst deals with by 90% because it will significantly drive down false positive rates.

In doing so, the approach promises not just to conserve resources but to transform the role of the SOC analyst from one of the most stressful roles in the industry into one of the most rewarding.
