SOC stands for Security Operations Center, the central element in securing an entire ICT environment. It is the place where all logs and events are collected and evaluated, and from which appropriate measures are taken.
The logs and events received in the SOC have to be analysed by security experts. Currently, however, there is a shortage of qualified experts who can analyse and keep an eye on the behaviour of the client's environment.
This problem results either from the general shortage of people or from a lack of professionalism and motivation, as the work can be quite monotonous, especially when working for only one client.
Our company has solved this problem. We have mastered the processes of headhunting, training and continuous professional growth of security analysts, and we have improved the analysis process itself, which allows analysts to protect the client's environment much better. Since we provide services to multiple clients at the same time, the work also brings greater challenges, which makes it more interesting and attractive for our analysts.
Machine learning comes to the rescue
Based on our experience and the vast amount of data we have been collecting, we are convinced that the weakest point, human investigation, can be addressed with a new technology: the machine learning approach.
We believe that investigation processes that require common sense and analytical thinking can be taught to machine learning systems with better results than to humans.
Therefore we started a project called “SOC-ng the next generation”, aiming to contribute to the solution by reducing the core problem: the SOC's dependence on the presence and quality of humans.
Traditionally, there are several different approaches to attack detection, and most of them are based on signature detection. However, attackers adapted to this approach a long time ago by using obfuscation or polymorphism to make their processes seem legitimate and avoid detection.
This results in almost 200,000 new malicious code modifications per day. To detect and limit the further spread of these codes, the attacked victims must first be detected, then specialists must analyse the malicious code or traffic and derive detection patterns, and finally these new patterns must be distributed among defenders.
This process takes a significant amount of time, which means that attacks exploiting zero-day vulnerabilities may have been running against systems for days, while systems without updates have not been protected at all.
These threats are used for Advanced Persistent Threat (APT) attacks, which are difficult to detect. Zero-day vulnerabilities can be found on the vast darknet, giving criminals and state actors a powerful weapon against another country, a business, or military or strategic infrastructure.
By using machine learning and analytical technologies, we can train detection systems for automated, non-signature-based detection and investigation of behavioural attack patterns even before the exact code has been revealed and analysed. This may improve real-time protection against not-yet-analysed code and network attack strategies.
Similarly, machine learning systems could be trained on a particular ICT environment to recognise its standard operation. If the environment's behaviour deviates from the learned pattern, operators would be notified immediately.
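As an added illustration of the "learn standard operation, notify on deviation" idea above (example code written for this page, not the project's own system), a per-host baseline of daily outbound volume is learned from a constructed training window and new observations are scored against it. Host names and byte counts are constructed placeholders; the baseline uses median and MAD rather than mean and standard deviation so that one noisy day in the training data does not hide a later deviation.

```python
"""Baseline-and-deviation detector over per-host daily outbound byte counts.

Added example, not the project's own code. Telemetry below is constructed;
host names and values are placeholders. Baseline = median and MAD (median
absolute deviation) per host, chosen over mean/stddev so that a single noisy
day in the training window does not inflate the alert threshold.
"""
from statistics import median

MAD_SCALE = 1.4826  # makes MAD comparable to stddev for normally distributed data

# Constructed training window: host -> daily outbound volume (KiB) for 10 days.
TRAINING = {
    "ws-01": [100, 110, 90, 105, 95, 100, 98, 102, 97, 103],
    # one large spike on day 6 pollutes this host's training data on purpose
    "srv-db": [500, 520, 480, 510, 490, 5000, 505, 495, 515, 485],
}

def build_baseline(training):
    """Return {host: (median, scaled_mad)} learned from the training window."""
    baseline = {}
    for host, values in training.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) * MAD_SCALE
        baseline[host] = (med, mad)
    return baseline

def robust_score(value, med, mad):
    """Modified z-score; a zero MAD (constant host) makes any change anomalous."""
    if mad == 0:
        return float("inf") if value != med else 0.0
    return (value - med) / mad

def detect(baseline, observations, threshold=3.5):
    """Return findings for observations that deviate from the learned baseline.
    Hosts with no baseline are reported too: an unknown asset is itself a finding."""
    findings = []
    for host, value in observations:
        if host not in baseline:
            findings.append((host, value, None, "no baseline"))
            continue
        med, mad = baseline[host]
        score = robust_score(value, med, mad)
        if abs(score) >= threshold:
            findings.append((host, value, round(score, 2), "deviates from baseline"))
    return findings

if __name__ == "__main__":
    # Constructed observations for one new day.
    today = [("ws-01", 104), ("ws-01", 130), ("srv-db", 600), ("ws-99", 40)]
    for finding in detect(build_baseline(TRAINING), today):
        print(finding)
```

With a mean/stddev baseline the 5000 KiB training day would stretch srv-db's threshold so far that the 600 KiB observation passes unnoticed; the robust baseline still flags it.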
The goal is to minimise human interaction in the SOC by replacing people with machines trained for proper investigation.