
Next generation of the Security Operations Center



The SOC, the Security Operations Center, is the core of security for every large ICT environment. It is the central point where all logs and events are collected and evaluated, and where response action is taken.

The logs and events received in the SOC have to be analysed by security experts. Currently, however, there is a shortage of qualified security analysts able to analyse and continuously watch the behaviour of a client's environment.

The problem stems either from a general shortage of people or from a lack of professionalism and motivation, because the work can be quite monotonous, especially when an analyst works for only one client.

Our company addresses this problem. We have mastered the processes of headhunting, training and sustaining the continuous improvement of analysts, we have improved the analysis process itself so that our analysts protect the customer's environment much better, and because we serve multiple customers the work is more challenging, and therefore more interesting and more attractive to our analysts.

HUMAN INVESTIGATION SOLVED WITH MACHINE LEARNING APPROACH

Based on our experience and the vast amount of data we have been collecting, we are convinced that the weakest point, the human investigation, can be addressed with a new technology: the machine learning approach.

We believe that investigation processes, which require common sense and analytical thinking, can be learned by machine learning systems with better results than human analysts achieve.

Therefore we started a project called "SOC-ng the next generation", aiming to contribute to the solution by limiting the core problem of the SOC: the presence and quality of its human analysts.

Traditionally, there are several ways of detecting attacks, and most of them are based on signature detection. Attackers adapted to this approach long ago, however, by using obfuscation or polymorphism to make malicious processes look legitimate and evade detection.

This results in almost 200,000 new malicious code variants per day. To detect them and limit their further spread, the attacked victims must first be identified, then specialists must analyse the malicious code or traffic and derive detection patterns, and finally the new patterns must be distributed to defenders.

This process takes a significant amount of time, during which an exploit for a zero-day vulnerability may have been active in the system for days, and systems without the updates have not been protected at all.

These threats are used in advanced persistent threat (APT) attacks and can be hard to detect. Zero-day vulnerabilities are traded on their own large dark market, which makes it easier for criminals and state actors to obtain powerful weapons against government, business, the military and strategic infrastructure.

By using machine learning and analytical technologies, we can train detection systems for automated, non-signature-based detection and investigation of the behavioural patterns of attacks, even before the exact code has been recovered and analysed. This may improve real-time protection against not-yet-analysed code and network attack strategies.

Similarly, machine learning systems could be trained on a particular ICT environment to learn its normal operation. If the environment's behaviour deviates from the learned baseline, operators would be notified immediately.
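The baseline-and-deviate idea in the paragraph above, as an added example that is not code from the original page or from the SOC-ng project: a small Python detector that learns, per host, which processes and destination ports normally make outbound connections, the hours of activity and the outbound byte-volume distribution from a training window of constructed log lines, and then reports later events that fall outside that baseline. The log format, the field names, the 3σ volume threshold and the sample events are assumptions made for illustration.

```python
"""Learn a per-host behavioural baseline from a training window of events and
flag later events that deviate from it.

Added example. The log format, thresholds and sample data below are assumptions
for illustration, not SOC-ng's own telemetry format or model.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample telemetry (not real data). One event per line:
#   <timestamp> host=<name> proc=<image> dst_port=<port> bytes=<count>
TRAINING_LOG = """\
2024-01-01T08:00:00 host=ws01 proc=chrome.exe dst_port=443 bytes=51200
2024-01-01T08:30:00 host=ws01 proc=chrome.exe dst_port=443 bytes=48000
2024-01-01T09:15:00 host=ws01 proc=outlook.exe dst_port=443 bytes=12000
2024-01-01T10:00:00 host=ws01 proc=chrome.exe dst_port=80 bytes=30000
2024-01-01T11:45:00 host=ws01 proc=outlook.exe dst_port=443 bytes=15000
2024-01-01T13:20:00 host=ws01 proc=chrome.exe dst_port=443 bytes=52000
2024-01-01T15:00:00 host=ws01 proc=teams.exe dst_port=443 bytes=20000
2024-01-01T17:30:00 host=ws01 proc=chrome.exe dst_port=443 bytes=49000
"""

# Later events to score. Two ws01 events are anomalous by construction, ws02 has
# no baseline at all, and one line is deliberately malformed.
LIVE_LOG = """\
2024-01-02T08:00:00 host=ws01 proc=chrome.exe dst_port=443 bytes=50000
2024-01-02T03:12:00 host=ws01 proc=svchost.exe dst_port=4444 bytes=1500
2024-01-02T09:00:00 host=ws01 proc=outlook.exe dst_port=443 bytes=14000
2024-01-02T09:30:00 host=ws01 proc=chrome.exe dst_port=443 bytes=900000
this line is not a well-formed event and must be skipped
2024-01-02T10:00:00 host=ws02 proc=chrome.exe dst_port=443 bytes=40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) "
    r"host=(?P<host>\S+) proc=(?P<proc>\S+) dst_port=(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(log):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["hour"], e["port"], e["bytes"] = int(e["hour"]), int(e["port"]), int(e["bytes"])
        events.append(e)
    return events


class HostBaseline:
    """What 'normal' looks like per host: processes and ports that make outbound
    connections, the range of active hours, and the outbound byte-volume distribution."""

    def __init__(self, z_threshold=3.0):
        self.z_threshold = z_threshold          # assumed: flag volumes beyond mean + 3 sigma
        self.procs = defaultdict(set)
        self.ports = defaultdict(set)
        self.hours = defaultdict(set)
        self.volumes = defaultdict(list)

    def learn(self, events):
        for e in events:
            h = e["host"]
            self.procs[h].add(e["proc"])
            self.ports[h].add(e["port"])
            self.hours[h].add(e["hour"])
            self.volumes[h].append(e["bytes"])

    def volume_z(self, host, nbytes):
        """z-score of nbytes against the host's learned volumes (population std dev)."""
        vols = self.volumes[host]
        mean, sd = statistics.mean(vols), statistics.pstdev(vols)
        if sd == 0:  # all training volumes identical: any change is a deviation
            return 0.0 if nbytes == mean else float("inf")
        return (nbytes - mean) / sd

    def score(self, e):
        """Return the reasons this event deviates from the baseline; empty means normal."""
        h = e["host"]
        if h not in self.volumes:  # cannot judge deviation without a baseline
            return ["no baseline learned for host"]
        reasons = []
        if e["proc"] not in self.procs[h]:
            reasons.append(f"new process {e['proc']}")
        if e["port"] not in self.ports[h]:
            reasons.append(f"new destination port {e['port']}")
        if not (min(self.hours[h]) <= e["hour"] <= max(self.hours[h])):
            reasons.append(f"activity at unusual hour {e['hour']:02d}")
        z = self.volume_z(h, e["bytes"])
        if z > self.z_threshold:
            reasons.append(f"byte volume z-score {z:.1f}")
        return reasons


def detect(training_log, live_log, z_threshold=3.0):
    """Learn from training_log, score live_log; return (ts, host, reasons) per flagged event."""
    baseline = HostBaseline(z_threshold)
    baseline.learn(parse(training_log))
    alerts = []
    for e in parse(live_log):
        reasons = baseline.score(e)
        if reasons:
            alerts.append((e["ts"], e["host"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, host, reasons in detect(TRAINING_LOG, LIVE_LOG):
        print(f"{ts} {host}: " + "; ".join(reasons))
```

Three things a practitioner would check before trusting such a baseline: the training window must be known clean, because anything an attacker did during it becomes "normal"; a host with no baseline (ws02 above) has to be surfaced rather than silently passed; and a short window produces false positives on ordinary variation, which is why the example scores volume with a z-score rather than a fixed byte limit and treats hours as a range rather than a set.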

The goal is to minimise human interaction in the SOC by replacing people with machines trained for proper investigation.


Contact

Address

Binary Confidence s.r.o.
Špitálska 53,
811 01 Bratislava
Slovak republic

E-mail

info@binconf.com
support@binconf.com

Telephone

+421 2 321 999 80
