With security incident management platforms having been around for a few years as a viable technology deployment, a core set of features has implicitly become the agreed-upon industry standard that every solution should offer. Features that aid process documentation and standardization, SLA and metric tracking, user identity management, and SIEM data ingestion are now points of parity among security incident management vendors.
But analysts and SOC Managers are still so caught up in daily firefighting and moving from incident to incident that opportunities to learn from and improve upon response processes remain unexplored. Modern incident management solutions should be intelligent enough to learn from both incident data and analyst actions, and provide actionable insights that prime SOCs for continuous learning.
Let’s go over some machine learning capabilities that modern IM platforms should leverage, ultimately improving both analyst-level and business-level metrics.
Incident ownership and team composition
With analysts busy in daily battles, measuring who handles which incidents most effectively takes a backseat. Modern IM platforms should analyze incident data and, over time, recommend incident-analyst pairings that play to each analyst's track record while keeping everyone's workload within capacity, rather than simply routing every incident to whoever closed the last one fastest.
While conducting joint investigations, each analyst usually has a unique strength and preferred area of expertise to bring to the table. Machine learning algorithms can study and suggest the most efficient team composition for each incident type and ensure that there is always a synergy of skills when analysts collaborate.
Response workflows are different for each incident and each SOC, traditionally built from collective knowledge and best practices. An intelligent IM platform will learn from incident data and suggest leaner, more effective workflows with time, ensuring that SOCs are always on the path of further improvement. These workflow-based suggestions could take the form of playbook tasks, task inputs and arguments, and even entire playbooks to run for variations of a known incident.
Building response workflows is front-loaded effort: once written, they are rarely revisited, because the SOC's attention shifts to day-to-day detection and resolution. That makes workflow data an ideal candidate for machine learning. The dataset already exists, it is otherwise latent, and insights drawn from it can be put straight into action.
Even though IM platforms help standardize initial response, analysts still follow their own investigation procedures as they move deeper into an incident. If the platform learns from this dataset of analyst actions and, over time, suggests the security commands that are commonly run at each stage, individual response procedures can coalesce into one lean, efficient, repeatable cycle.
An example in action
Let’s illustrate a hypothetical incident where these machine learning cogs help turn the SOC’s wheels. Let’s say a suspected phishing incident is ingested from the SOC’s SIEM. The IM platform correlates each analyst’s performance in successfully closing phishing incidents and assigns this incident to the top performing analyst.
After triage and enrichment is conducted using automated playbooks, the results are collated on a screen for the analyst to study. With those results, the incident management platform also gives a list of suggested commands to run next, having already studied the types of actions usually carried out for phishing incidents.
Next to each suggested command, the platform also indicates which analysts are best suited to run that command and interpret its results. The lead analyst can quickly see which other analyst names recur most often and invite them onto the investigation floor to run security commands interactively.
Once the incident is successfully dealt with, the platform pulls up a message explaining that a command (for example, getting user details from Active Directory) has been run manually many times for phishing incidents. It follows this up with a suggestion that this action be baked into the phishing response playbook currently used by the SOC. After analyst review and acceptance of this suggestion, a standardized task that queries Active Directory for user details is added to the playbook at hand.
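As an added illustration that is not part of the original post and not Demisto's own code, the following Python sketch works the scenario above over a small constructed incident history: ranking analysts per incident type by success rate (with a minimum sample size and a capacity check), mining the manual commands most often run for that type, and surfacing commands that appear in most successful closes but are missing from the current playbook. The analyst names, incident ids, command names and record fields are all hypothetical.

```python
"""
Constructed example of the data-driven suggestions described in the post.
Illustrative code only: not Demisto's implementation, and all analysts,
incident ids, command names and fields are hypothetical.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Incident:
    """One closed incident record as an IM platform might export it."""
    incident_id: str
    incident_type: str
    owner: str
    closed_successfully: bool
    hours_to_close: float
    manual_commands: List[str]   # commands the analyst ran outside the playbook


# Constructed sample history (hypothetical analysts, ids and commands).
HISTORY = [
    Incident("P-1", "phishing", "alice", True, 2.0, ["ad-get-user", "url-reputation"]),
    Incident("P-2", "phishing", "alice", True, 3.0, ["ad-get-user", "email-header-parse"]),
    Incident("P-3", "phishing", "bob", True, 4.0, ["ad-get-user", "url-reputation"]),
    Incident("P-4", "phishing", "bob", False, 6.0, ["url-reputation"]),
    Incident("P-5", "phishing", "carol", True, 1.0, ["ad-get-user"]),
    Incident("P-6", "phishing", "alice", True, 2.5, ["ad-get-user", "url-reputation", "sandbox-detonate"]),
    Incident("M-1", "malware", "bob", True, 5.0, ["hash-reputation"]),
    Incident("M-2", "malware", "carol", True, 3.0, ["hash-reputation", "endpoint-isolate"]),
    Incident("M-3", "malware", "carol", True, 2.0, ["endpoint-isolate"]),
]


def analyst_scores(history: List[Incident], incident_type: str,
                   min_incidents: int = 2) -> List[Tuple[str, float, float]]:
    """Rank analysts for one incident type by success rate, then mean hours to close.

    Analysts with fewer than min_incidents of this type are left out so that a
    single lucky close does not put someone at the top of the list.
    """
    per_analyst: Dict[str, List[Incident]] = defaultdict(list)
    for inc in history:
        if inc.incident_type == incident_type:
            per_analyst[inc.owner].append(inc)
    ranked = []
    for analyst, incs in per_analyst.items():
        if len(incs) < min_incidents:
            continue
        rate = sum(i.closed_successfully for i in incs) / len(incs)
        mean_hours = sum(i.hours_to_close for i in incs) / len(incs)
        ranked.append((analyst, rate, mean_hours))
    ranked.sort(key=lambda r: (-r[1], r[2]))
    return ranked


def recommend_owner(history: List[Incident], incident_type: str,
                    open_load: Optional[Dict[str, int]] = None,
                    max_open: int = 4) -> Optional[str]:
    """Pick the best-ranked analyst who still has capacity.

    open_load maps analyst -> incidents currently assigned; anyone at or above
    max_open is skipped so the top performer is not buried under new work.
    """
    open_load = open_load or {}
    for analyst, _rate, _hours in analyst_scores(history, incident_type):
        if open_load.get(analyst, 0) < max_open:
            return analyst
    return None


def suggest_commands(history: List[Incident], incident_type: str,
                     top_n: int = 3) -> List[str]:
    """Most frequently run manual commands for this incident type
    (each command counted once per incident)."""
    counts: Counter = Counter()
    for inc in history:
        if inc.incident_type == incident_type:
            counts.update(set(inc.manual_commands))
    return [cmd for cmd, _ in counts.most_common(top_n)]


def playbook_candidates(history: List[Incident], incident_type: str,
                        playbook_steps: Set[str],
                        min_fraction: float = 0.5) -> List[Tuple[str, float]]:
    """Manual commands run in at least min_fraction of successfully closed
    incidents of this type that the current playbook does not already contain.

    Returned as (command, fraction) pairs for an analyst to review; nothing
    here edits a playbook automatically.
    """
    closed = [i for i in history
              if i.incident_type == incident_type and i.closed_successfully]
    if not closed:
        return []
    counts: Counter = Counter()
    for inc in closed:
        counts.update(set(inc.manual_commands))
    out = [(cmd, n / len(closed)) for cmd, n in counts.items()
           if cmd not in playbook_steps and n / len(closed) >= min_fraction]
    out.sort(key=lambda p: -p[1])
    return out


if __name__ == "__main__":
    print("owner:", recommend_owner(HISTORY, "phishing", open_load={"alice": 4}))
    print("next commands:", suggest_commands(HISTORY, "phishing"))
    print("playbook candidates:", playbook_candidates(HISTORY, "phishing", {"url-reputation"}))
```

Two design choices matter in practice: the minimum sample size keeps a one-off close from outranking an analyst with a long record, and the capacity check keeps the "best" analyst from becoming the bottleneck. The playbook suggestion is returned for review rather than applied, matching the analyst-acceptance step in the scenario above.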
Stay tuned for more drill-downs of features that modern incident management platforms should provide. For more cutting-edge and informative cybersecurity content, please subscribe to the blog and newsletter updates from Demisto.