Triple Security Analyst Productivity and Alleviate Alert Fatigue Using Artificial Intelligence
Introduction
As cyber threats continue to increase in sophistication, companies face a shortage of highly skilled security analysts. This shortage of security experts, combined with the overwhelming volume of data that needs to be processed, can lead to alert fatigue which can then lead to missed opportunities to stop attacks early.
Focused on this problem, VMware Carbon Black introduces a complimentary new feature for XDR and Enterprise EDR customers – Anomaly Classification. This feature addresses the problem by providing the means to improve the security analyst experience and stop attacks faster.
Anomaly Classification enables the separation of legitimate, malicious, and living-off-the-land attacks, improving the system's ability to detect and prioritize alerts for manual triaging by SOC analysts. We found that the approach enhances the productivity of analysts by two to threefold and effectively identifies over 95% of malicious alerts from our experimental datasets.
In using Anomaly Classification, customers can automatically surface the most relevant Watchlist alerts to optimize their alert triage process and ultimately reduce the workload of security analysts. Additionally, security analysts can now provide feedback on their determination, which further trains the classification algorithm.
There are several immediate benefits to customers:
- Reduced alert fatigue
- Improved efficiency
- Enhanced accuracy
By prioritizing alerts and providing context, the feature helps analysts focus on the most important threats, while reducing the time spent on investigating false positives. The machine learning models continually improve over time, resulting in higher accuracy and reducing the likelihood of real missed threats.
Combating Alert Fatigue
Endpoint Detection and Response (EDR) threat detection is based on detection rules that are effective in identifying known threats and suspicious behavior. With this new enhancement to the classification of alerts, Carbon Black’s already low false positive rate of alerts is further improved. This enhancement provides analysts with greater control over their alert queue, aiding in the balance between accurate alert generation for real threats while not overwhelming them with false positives.
To identify if your team is suffering from alert fatigue, these are some of the common signs to look out for:
- only investigating alerts from the last 24 hours
- ignoring older alerts that may still be relevant
- applying broad filtering rules to eliminate alerts without thoroughly investigating them
- selectively triaging certain alerts while ignoring others
- ignoring alert details when determining if an alert is irrelevant or a false positive
Additionally, an excessive daily rate of high-severity alerts (e.g., greater than 50) can lead to the Security Operations Center (SOC) giving up on dismissing alerts.
Anomaly Classification and AI
The Anomaly Classification feature leverages artificial intelligence (AI) with machine learning algorithms to automatically reduce noise and surface relevant alerts, thus reducing the workload of security analysts and improving the accuracy and speed of threat detection.
This novel feature identifies anomalous alerts and enables analysts to exclude potentially irrelevant ones. By learning what is typical in each setting, the function can pinpoint high-prevalence alerts that are more likely to be irrelevant to security analysts and use this information to filter out extraneous noise. If the model identifies an alert as anomalous, an additional marker of “anomalous” will appear in the alert details, along with the explanation for the prediction.
The feature also allows security analysts to provide user determination feedback, which is utilized to train the classification algorithm. User determination is the valuable feedback provided by users (such as SOC analysts) on the accuracy of the detection made by the system. This feedback not only allows users to steer the model toward their desired outcomes but also aids in assessing and refining the system’s efficiency over time. When users receive an alert, they can classify it as either a True Positive or a False Positive. By collecting and analyzing this feedback, we can continuously enhance our machine learning system, ultimately further reducing alert fatigue for SOC analysts and bolstering the overall performance of the Carbon Black Cloud solution.
The efficiency of the system lies in its ability to intelligently cluster and score alerts, rather than relying solely on simple statistical prevalence analysis. By employing a clustering algorithm, the system effectively identifies, and groups alerts based on their underlying cause and enables the separation of legitimate, malicious, and living-off-the-land attacks, improving the system's ability to detect and prioritize alerts for manual triaging by SOC analysts.
AI in the Loop
The new artificial intelligence-based watchlist alert Anomaly Classification feature is a powerful tool that can help reduce alert fatigue and improve the efficiency and effectiveness of security teams. The integration of user determination in our cybersecurity solution exemplifies the powerful synergy between user feedback and machine learning. By continuously adapting and refining the system based on real-world experiences, we are able to create a more robust and accurate solution for detecting and addressing threats, while addressing the challenges posed by the shortage of security analysts and the overwhelming volume of data that needs to be processed.
Figure 1: Users can filter Anomaly Classification Watchlist alerts and submit their user determination feedback directly on the Alert page.
Additional resources to check out: