The Missing Link for Workflow Automation in the SOC
Deliver SOC efficiency so you can spend time on things that actually matter
Cloud security platforms can offer a lot of value for your Security Operations Center(SOC), but seamlessly integrating them into your environment and existing processes/workflows can be difficult and time-consuming. Adopting more security tools over time has led to more disjoint processes and more isolated data stores – even more with the move to the cloud. Some organizations have attempted to build an automation framework themselves to help cope with this problem but it is difficult to build and even harder to maintain.
The ability to be proactive relies on your SOCs ability to keep up with the expanding threat landscape and organizational changes, which all starts with detections.
It is nearly impossible for humans to keep up at machine speed and build a full narrative of an attack. Teams need a way to normalize and standardize on frameworks and automate workflows to effectively detect, hunt and triage across SOC silos to get a clear visualization of what is happening and get a handle on the noise.
Unify and Automate the SOC Lifecycle
Stop overlooking your gaps
I’m going to show a more detailed view of the SOC lifecycle that includes often overlooked, everyday steps that analysts need to perform to have effective and scalable operations. Not all organizations perform all these steps and there has never been a solution that unifies and automates the experience across this lifecycle, until now 😉
Anvilogic Detection Automation Engineering Platform: Detection, Hunting, and Triage
Built by engineers with over 20 years of SOC experience, the Anvilogic platform that includes automating detection, hunting and triage, sits on top of your SIEM, searches your remote data stores, and ultimately is the missing piece organizations have been looking for that brings workflow automation from a cloud security platform to your local environment.
See below how detection, hunting and triage seamlessly integrates with the Anvilogic SaaS Platform to deliver true workflow automation:
Threat Prioritization + Detection Code Dev
The Anvilogic Detection Automation Engineering is a SaaS platform that gives recommendations to help teams manage their threat priorities, as well as maintain version controlled detection code. Unlike other detection code repositories, the curated rules are automatically recommended to you based on your threat priorities and your environment, just like which youtube video (Netflix show) to watch next. The Anvilogic Detection Automation Platform enables a seamless workflow automation from the cloud into your local environment that can add big efficiency gains across the SOC workflows, such as automatically assessing your data feeds and their quality in order to recommend rules that will work for your environment.
Detection Code Deployment
One-click deployment downloads ready-to-go detection code from the Anvilogic Cloud Platform and deploys that code to your local SIEM. These are deployed as standardized configurations that no longer need to be managed manually – saving time you can spend on more important things.
Alert Correlation + Enrichment
Anvilogic platform provides:
- Generate correlation rules quickly through a no-code UI builder
- Automatically deploy correlation rules, that we call “Threat Scenarios”, to the local SIEM environment.
- Enrich and store suspicious events in a standardized format that allows flexible and powerful time-sequenced correlation on an entity (such as hostname).
- Enrich and automatically map every rule out-of-the-box with fields, such as, MITRE tactic, MITRE technique, data category, kill chain phase, threat groups, CIS security controls, and much, much more.
Alert Triage: Advanced Scenario Detection to Visualize Alerts
Being able to triage these advanced scenario detections in an effective way is crucial. It requires a new way of being able to visualize alerts that contain multiple events and more importantly being able to understand the story of why that alert was triggered.
The example alert below is from a scenario rule that looks for:
- Any suspicious events mapped to the MITRE Tactic Initial Access
- Followed by any suspicious events mapped to the MITRE Tactic Execution
- Followed by any suspicious events mapped to the MITRE Tactic Command & Control
- Indicating all suspicious events happening on the same host within a given time period
Using the Anvilogic Platform Triage Dashboard you can easily tell:
- Events that contributed to this alert firing
- Any host the alerts were all correlated against
- How many distinct use cases are a part of this alert
- The time frame when all the alerts occurred.
In addition, you also receive a timeline of the events and a short description of what that event is about, which makes piecing together the story much easier.
You are also able to:
- Drill into each event to get the specific field value pairs, all automatically mapped to the Anvilogic Data Model, for further understanding of the events.
- Dynamically create a drill down query for exposure checks or investigation against the original data feed the event came simply by selecting the values you want to search.
- Receive triage playbooks within the dashboard that are specific to the rule so you know what to do next.
Feedback: Easy communication to determine quality and tune rules
Analysts can quickly and easily give feedback on the rule which goes back to the detection engineers so they can make rule modifications if needed. Community ratings are used in recommendation algorithms for suggesting organizations the best detection rules that will work for their environment.
Rule Tuning: Reduce alert fatigue through prevention of legitimate activity
Tuning rules are a very important part of the SOC lifecycle. Every organization’s environment is different and baselines are constantly changing. Being able to give feedback to detection engineers to modify the logic of the rule is important, but equally as important is being able to quickly add field value pairs to an allowlist (safelist/whitelist). Preventing legitimate activity in your environment from triggering alerts is a huge step in reducing alert fatigue.
Easily prevent over-tuning, which can lead to gaps in a story, missed alerts, attacks, and even more alert fatigue.
While viewing events inside of a scenario alert, you can easily right-click on any field value pair to add it to an allowlist for that rule (or globally) – preventing that value from triggering an alert in the future. There are many features available that allow management to control which fields analysts are able to allowlist on for each rule, which ones are required, and full auditing of who, what, when, and why something was added, removed, or modified in an allowlist. Furthermore, granular permissions are available to control who can perform any of these actions through the different dashboards within the app for allowlisting as well as any other features. These mechanisms put more rigor around the tuning processes that improves visibility and helps prevent over tuning.
Furthermore, allowlisting recommendations are given for noisy alerts to help you quickly identify the key-value pairs responsible and add them to an allowlist to prevent future alerts for legitimate activity.
Underpinned throughout the entire tuning process is a concept of “observations”. As domain experts triage alerts they can quickly add an observation to a value that gives more environmental context that is specific to their organization. This allows the priceless organizational knowledge that more senior analysts have gained from years of experience to be available to everyone.
As these values show up in alerts in the future the context is shown on hover of that value. Below an observation is shown for the host “lab-win10-02.anvilogic-lab.local”. Someone previously had already taken the time to determine this host normally is executing powershell commands. This context is useful in the future when triaging an alert for this machine and determining if the alert should be tuned.
Alerts can be managed within the Anvilogic hunting and triage part of the platform itself or alerts can be sent to a SOAR, SIEM, ticketing system, case management system, or any remote system that has a REST API.
Using the Anvilogic platform for hunting and triage alerts can easily be annotated individually or in bulk to workflow statuses that can be customized by the organization. If managing the alerts in a remote system there are REST APIs to update the status as well which allows you to still benefit from Anvilogic’s analytics and reporting capabilities.
Deploying on-prem gives the unique ability to collect generalized metadata about your operations and data which can help give you actionable insights and answer the questions you have about your security program. These analytics can be configured directly within the Anvilogic hunting and triage platform module if desired.
When enabled they unlock powerful insights that previously were either impossible or very difficult to collect such as “What is my average dwell time?” or “What is the environment coverage, normalization status, and delay of my data feeds?”.
Insights into your security operations are critical in helping drive investments and direction in order to continuously improve. Through the use of the Anvilogic platform for detection, hunting and triage these metrics and insights are automatically delivered to you. The data isn’t just shown to you but recommendations are generated to help you know where to invest or improve next. Whether it is detection gap analysis mapped to the MITRE framework, productivity recommendations, allowlisting recommendations, or more, continuous and up-to-date reporting is critical for keeping up with the rapidly evolving landscape.
Read more about Anvilogic’s Continuous Maturity Scoring: https://anvilogic.com/solutions/maturity-score/
Looking to see more?
Take a a self-guided product tour for a closer look at the Anvilogic Platform: https://anvilogic.com/product-tour