A day in the life of an automated ‘virtual’ cybersecurity analyst
I’d like to introduce you to an automated, ‘virtual’ security analyst whose sole mission is to make security teams happy by increasing coverage, performance, and efficiency in a modern SOC.
We’ve got this virtual analyst deployed in Security Operations Centers (SOCs) across the globe, but I can best describe its typical work life at one of our customer sites, a large financial institution. There, our automated, virtual analyst works round the clock to monitor and analyze sensor data from the network and endpoints, helping to keep the customer’s data and network safe.
Who it works with: Human security analysts
The virtual analyst works alongside exceptionally smart cybersecurity professionals. Its job is to look at the very high volume of security events in the organization and decide what needs to be escalated to its human co-workers for remediation.
The virtual analyst’s shift never ends: it starts at midnight, ends 24 hours later at midnight, and repeats 7 days a week, 365 days a year for this team. (Read: Cybercriminals don’t punch a clock)
How it works: Decision Automation
The virtual analyst makes hundreds of decisions per minute while analyzing large volumes of security data. Its technology is built on a new class of software called Robotic Decision Automation (RDA). With Decision Automation it can monitor both high-volume and low-volume security event feeds, and it analyzes every event in real time as the data streams across the environment.
To make accurate decisions, the virtual analyst combines probabilities in Bayesian belief networks seeded with best-practice judgments from a team of security experts with more than 100 combined years of managing SOCs. It also applies machine learning and AI techniques, so that the result is a mathematical calculation of whether an event, or a set of events, is malicious and actionable.
For example, in just the past 24 hours, the virtual analyst analyzed:
~83K NIDPS events, asking 55+ questions of each event
~140 EPP events, asking 25+ questions of each event
~27 million web content filter events, asking 31 questions of each and every event
In this same 24-hour period, the virtual analyst escalated only 1 situation, which required just one human teammate to get involved and remediate the internal computer in distress. Beyond finding that single escalation, the virtual analyst saved the team hundreds of hours of monitoring by covering all 24 hours of the day.
Let’s face it, humans are excellent at creative tasks such as incident response, automating even more of the repetitive work, or threat hunting, but scaling up to monitor this much data is simply a better job for software.
What it does: Analyzes large volumes of security data
Using a variety of data points, the virtual analyst makes expert decisions to determine if an incident should be escalated to the team.
On its first day on the job, the human security teammates give the virtual analyst important information, such as the IP address space the company owns on the Internet. Like any security analyst new to an organization, the virtual analyst needs this information to understand traffic direction (which flows are inbound, outbound, or internal) and which IP addresses it is protecting.
Keep in mind, this virtual analyst is not like a Security Information and Event Management (SIEM) system, where human security analysts must create correlation rules that require regular updates and validation to ensure they still work. Instead, the virtual analyst uses mathematical calculations along with a 180+ day short-term memory to analyze the streaming data in real time. Its memory incorporates what has occurred (or is occurring) in the environment, down to the system level. This lets the virtual analyst identify whether something is just routine business activity, or whether the system in question is one that has been repeatedly compromised with malware.
Better yet, the virtual analyst looks beyond the security device telemetry and keeps track of the latest vulnerability scans. The scan information can be used to infer system criticality: for example, by knowing the OS and the services running on a system, the virtual analyst can reliably tell a domain controller from a laptop. It then uses this in its calculation of the escalation’s severity.
To help it make accurate decisions, the virtual analyst also consumes other forms of data, such as threat intelligence via STIX/TAXII. Threat intelligence can inform the virtual analyst’s decision making, but the analyst does not depend on it to be highly accurate. In fact, fewer than 10 percent of the virtual analyst’s confirmed escalations involved a threat intelligence Indicator of Compromise (IOC).
Finally, the virtual analyst also keeps track of Dynamic Host Configuration Protocol (DHCP) lease information, so it knows which hostname was tied to the IP address in the events it is analyzing. It displays this information to its human teammates within an escalation so they can make quicker decisions and not waste time looking up which host was using an IP address at the time.
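To make the decision procedure concrete, here is an added example (not Respond Software’s code or model) of the kind of calculation a belief network seeded with expert judgment performs over the context sources described above. It uses the simplest form of a Bayesian network: one hidden node, “malicious and actionable”, and a handful of observed question nodes assumed conditionally independent given it, so the posterior is the prior odds multiplied by the likelihood ratio of each answer. The questions are answered from the owned address space (traffic direction), the per-host compromise history (the 180-day memory), the scan inventory (asset role, which sets severity rather than probability), and a set of indicator addresses standing in for STIX/TAXII intel. The address ranges, inventory, history, indicators, events and every probability are constructed for the example; the real system asks far more questions than four and its tables are not public.

```python
"""Small belief-network scorer for a security event (illustrative only).

One hidden node M = "malicious and actionable" and four observed question
nodes assumed conditionally independent given M (the naive-Bayes form of a
Bayesian network).  All context tables and probabilities are constructed
assumptions, not any vendor's data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# --- Constructed context the human team would seed on day one (assumptions) --
OWNED_SPACE = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Vulnerability-scan inventory: host -> (operating system, listening services)
SCAN_INVENTORY = {
    "dc01":   ("Windows Server 2016", {"kerberos", "ldap", "dns", "smb"}),
    "web01":  ("Windows Server 2019", {"http", "https"}),
    "lt-042": ("Windows 10", {"smb"}),
}

# Threat-intel indicators (the kind of data that would arrive via STIX/TAXII)
IOC_ADDRESSES = {"198.51.100.7"}

# Per-host memory of confirmed compromises, consulted over a 180-day window
MEMORY_WINDOW = timedelta(days=180)
COMPROMISE_HISTORY = {
    "lt-042": [date(2018, 10, 1), date(2019, 3, 1), date(2019, 5, 10)],
}

# --- Expert-seeded tables: P(answer=yes | M=1), P(answer=yes | M=0) ----------
LIKELIHOOD = {
    "outbound":          (0.80, 0.50),   # internal source talking to the Internet
    "ioc_match":         (0.40, 0.01),   # either address is a known indicator
    "repeat_offender":   (0.60, 0.05),   # host compromised twice+ in the window
    "high_severity_sig": (0.70, 0.20),   # sensor rated the signature high
}
PRIOR_MALICIOUS = 0.001   # base rate of actionable events in the feed
ESCALATE_AT = 0.5


@dataclass
class Event:
    when: str        # ISO date, e.g. "2019-06-01"
    src: str
    dst: str
    host: str        # hostname of the internal party, resolved by the caller
    severity: str    # sensor-reported signature severity


def is_owned(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in OWNED_SPACE)


def direction(ev: Event) -> str:
    flows = {(True, False): "outbound", (False, True): "inbound",
             (True, True): "internal", (False, False): "external"}
    return flows[(is_owned(ev.src), is_owned(ev.dst))]


def asset_role(host: str) -> str:
    """Infer role from scan data: OS family plus the services it listens on."""
    os_name, services = SCAN_INVENTORY.get(host, ("unknown", set()))
    if os_name.startswith("Windows Server"):
        return "domain_controller" if {"kerberos", "ldap"} <= services else "server"
    return "endpoint"


def prior_compromises(host: str, when: str) -> int:
    """Confirmed compromises of host inside the memory window before `when`."""
    day = date.fromisoformat(when)
    return sum(1 for d in COMPROMISE_HISTORY.get(host, [])
               if day - MEMORY_WINDOW <= d < day)


def answer_questions(ev: Event) -> dict:
    return {
        "outbound":          direction(ev) == "outbound",
        "ioc_match":         ev.src in IOC_ADDRESSES or ev.dst in IOC_ADDRESSES,
        "repeat_offender":   prior_compromises(ev.host, ev.when) >= 2,
        "high_severity_sig": ev.severity == "high",
    }


def posterior(answers: dict) -> float:
    """P(M=1 | answers): prior odds times the likelihood ratio of each answer."""
    odds = PRIOR_MALICIOUS / (1 - PRIOR_MALICIOUS)
    for question, yes in answers.items():
        p_yes_m1, p_yes_m0 = LIKELIHOOD[question]
        odds *= p_yes_m1 / p_yes_m0 if yes else (1 - p_yes_m1) / (1 - p_yes_m0)
    return odds / (1 + odds)


def score(ev: Event) -> dict:
    """Decide escalation from the posterior; let asset role set its severity."""
    answers = answer_questions(ev)
    p = posterior(answers)
    escalate = p >= ESCALATE_AT
    role = asset_role(ev.host)
    severity = {"domain_controller": "critical", "server": "high"}.get(role, "medium")
    return {"answers": answers, "p_malicious": round(p, 4),
            "escalate": escalate, "severity": severity if escalate else None}


if __name__ == "__main__":
    beacon = Event("2019-06-01", "10.1.2.3", "198.51.100.7", "lt-042", "high")
    noise = Event("2019-06-01", "10.3.3.3", "10.5.5.5", "web01", "low")
    for ev in (beacon, noise):
        print(f"{ev.src} -> {ev.dst}: {score(ev)}")
```

With these numbers a high-severity beacon from a twice-compromised laptop to an indicator address reaches a posterior of roughly 0.73 and is escalated, while a low-severity internal event on a clean server stays around 0.00004. The point to notice is that no single answer is decisive: the indicator match carries a likelihood ratio of 40, but the prior of one in a thousand means the other answers still have to agree before the event crosses the threshold, which is how such a model avoids waking someone up for a lone IOC hit.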
For example, last week the virtual analyst kept track of an employee’s infected computer as it moved around the company’s campus, obtaining 5 different IP addresses in less than 60 minutes. Imagine the time this saved its human co-workers! The security team didn’t have to hurriedly piece disparate information together to determine that just one laptop was misbehaving, even though it initially looked as if something more widespread was taking place. The virtual analyst saw the IP addresses changing and kept scoping the new events into the existing escalation instead of creating a new escalation for each IP address. The human teammates loved the information the virtual analyst was able to provide so quickly!
In a few cases, the human security teammates want to know more about why the virtual analyst escalated a specific set of security events to them. When that happens, they can reach out to one of our experts (this depends, of course, on what they sign up for when the virtual analyst is deployed). Since the virtual analyst is seeded with expert knowledge, there are times it makes subtle yet important decisions about the security events it analyzes, and the human teammates appreciate the added benefit of discussing those escalations with a seasoned SecOps veteran if necessary.
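The DHCP tracking described in the two preceding paragraphs, as an added example (not Respond Software’s code): it parses constructed ISC dhcpd-style DHCPACK lines into a lease timeline, resolves each event’s IP address to the host that held it at the event time, and keys escalations on the client MAC address so that a roaming laptop’s events land in one escalation. The log lines, event list, year, and hostnames are all assumptions for the example. It also covers two cases the story implies but does not spell out: the laptop’s first address being re-leased to a different host after it moves, and an event that predates any lease for its address.

```python
"""Resolve event IP addresses to hosts through DHCP lease history and scope
a roaming host's events into a single escalation (illustrative only).

Log lines are constructed in ISC dhcpd syslog style; events, year and
hostnames are assumptions for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2019   # syslog timestamps carry no year; assumed for the example

# Constructed DHCP server log: one laptop (MAC 3c:52:82:aa:bb:cc) takes five
# addresses in under an hour; its first address is then re-leased to lt-077.
DHCP_LOG = """\
Jun  1 09:02:11 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.3 to 3c:52:82:aa:bb:cc (lt-042) via eth0
Jun  1 09:14:40 dhcp1 dhcpd[1234]: DHCPACK on 10.1.7.20 to 3c:52:82:aa:bb:cc (lt-042) via eth1
Jun  1 09:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.3 to 00:50:56:11:22:33 (lt-077) via eth0
Jun  1 09:31:55 dhcp1 dhcpd[1234]: DHCPACK on 10.1.9.8 to 3c:52:82:aa:bb:cc (lt-042) via eth2
Jun  1 09:44:10 dhcp1 dhcpd[1234]: DHCPACK on 10.2.3.4 to 3c:52:82:aa:bb:cc (lt-042) via eth3
Jun  1 09:58:27 dhcp1 dhcpd[1234]: DHCPACK on 10.2.6.6 to 3c:52:82:aa:bb:cc (lt-042) via eth3
"""

# Constructed NIDPS events: (syslog time, source IP, signature)
EVENTS = [
    ("Jun  1 08:50:00", "10.1.2.3",  "ET POLICY Outbound DNS over TCP"),   # before any lease
    ("Jun  1 09:05:30", "10.1.2.3",  "ET TROJAN Known C2 beacon"),
    ("Jun  1 09:20:00", "10.1.7.20", "ET TROJAN Known C2 beacon"),
    ("Jun  1 09:22:15", "10.1.2.3",  "ET INFO Executable download"),        # address now lt-077's
    ("Jun  1 09:35:00", "10.1.9.8",  "ET TROJAN Known C2 beacon"),
    ("Jun  1 09:50:05", "10.2.3.4",  "ET TROJAN Known C2 beacon"),
    ("Jun  1 09:59:40", "10.2.6.6",  "ET TROJAN Known C2 beacon"),
]

ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \((\S+)\))? via"
)


def parse_ts(text: str) -> datetime:
    """Syslog 'Mon  d HH:MM:SS' to datetime, collapsing the padded day."""
    return datetime.strptime(f"{YEAR} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def parse_leases(text: str) -> list:
    """DHCPACK lines -> [(time, ip, mac, hostname)] in time order."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue                      # DISCOVER/OFFER/REQUEST lines are not bindings
        ts, ip, mac, name = m.groups()
        leases.append((parse_ts(ts), ip, mac.lower(), name or mac.lower()))
    return sorted(leases, key=lambda lease: lease[0])


def host_at(leases: list, ip: str, when: datetime):
    """(mac, hostname) holding ip at `when`, i.e. the latest ACK at or before it."""
    owner = None
    for ts, lease_ip, mac, name in leases:
        if lease_ip == ip and ts <= when:
            owner = (mac, name)
    return owner


def scope_escalations(leases: list, events: list):
    """Group events by the host that held the address, not by the address."""
    escalations = defaultdict(lambda: {"host": None, "ips": set(), "events": []})
    unresolved = []
    for ts_text, ip, signature in events:
        when = parse_ts(ts_text)
        owner = host_at(leases, ip, when)
        if owner is None:
            unresolved.append((ts_text, ip, signature))   # leave for a human to check
            continue
        mac, name = owner
        esc = escalations[mac]            # MAC is stable across IP changes and renames
        esc["host"] = name
        esc["ips"].add(ip)
        esc["events"].append((when, ip, signature))
    return dict(escalations), unresolved


if __name__ == "__main__":
    escalations, unresolved = scope_escalations(parse_leases(DHCP_LOG), EVENTS)
    for mac, esc in escalations.items():
        print(f"{esc['host']} ({mac}): {len(esc['events'])} events over {sorted(esc['ips'])}")
    print("unresolved:", unresolved)
```

Grouped by address, the seven events would look like six separate hosts; grouped by the lease holder they collapse into one escalation for lt-042 spanning five addresses, one unrelated event for lt-077 on the re-leased address, and one event that cannot be attributed because no lease precedes it. A real deployment would also need DHCPRELEASE and lease expiry handling, which the constructed log omits.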
Why security teams love it: Makes humans happy
This virtual analyst (aka The Respond Analyst) strives to make its human teammates happier and less stressed. As event data volume grows, the Respond Analyst plugs right in to extend the security team’s capability (coverage and visibility). In many situations, the security leadership has a limited budget to hire, train and retain new analysts—but the Respond Analyst comes in at a reasonable cost to fill that gap. It takes on the mundane work of monitoring, which frees up its human teammates to concentrate on more interesting tasks like threat hunting, security engineering/automation tasks, and of course responding to higher-fidelity escalations.
The Respond Analyst’s teammates have come to trust and rely on its decisions and know any escalation is worth their attention. When the Respond Analyst’s human counterparts don’t have to wake up at 2 AM to chase down yet another false positive—we know it has done the job!
For more than 10 years, Steven Wimmer has built and matured security operations and hunt teams for companies across the globe. He has provided strategic and operational consulting to over 20 companies globally, including end-to-end SOC builds, hunt teams, and incident response. Prior to his role as Senior Technical Account Manager at Respond Software, Steven developed hunt operations and cyber intelligence services at HP Enterprise. Steven is a seasoned cybersecurity veteran with a focus on developing and improving security operations in all verticals.