
Next Gen SOC: Automating Alert Overload

In every Security Operations Center (SOC), analysts continue to be flooded with alerts. As adversaries continue to develop and enhance their attack methodologies, security vendors continue to produce new and innovative detection methods. These solutions leverage machine learning algorithms to build a baseline profile of user behavior and network traffic and alert when activity falls outside that established pattern. Unfortunately, the alerts generated by these machine learning solutions add to an already overwhelmed SOC. In addition to the growth in toolset usage, the amount of data coming in from those tools continues to grow, all while SOC headcount typically does not. While traditional SOCs focus on tuning individual alerts to fit their organization's normal behavior, this research focuses on combining detection mechanisms from various tools, or cross-referencing data from the different sources, in an automated fashion. By raising the fidelity of these alerts, analysts are left with more context and fewer, more actionable alerts to investigate.
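The cross-referencing the abstract describes, as an added illustration rather than code from the paper: alerts from three hypothetical tools (EDR, UEBA, web proxy) are grouped by host within a time window, and each resulting case is scored by how many independent sources flagged the same host. Tool names, hostnames, users and alert records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical tools (not real data).
ALERTS = [
    {"source": "edr",   "host": "ws-017",   "user": "jdoe",       "ts": "2021-08-18T09:02:10", "title": "Suspicious PowerShell"},
    {"source": "ueba",  "host": "ws-017",   "user": "jdoe",       "ts": "2021-08-18T09:05:42", "title": "Logon outside baseline hours"},
    {"source": "proxy", "host": "ws-017",   "user": "jdoe",       "ts": "2021-08-18T09:07:01", "title": "Request to newly registered domain"},
    {"source": "ueba",  "host": "ws-042",   "user": "asmith",     "ts": "2021-08-18T11:30:00", "title": "Unusual volume of file access"},
    {"source": "edr",   "host": "srv-db01", "user": "svc_backup", "ts": "2021-08-18T03:00:00", "title": "Scheduled task created"},
    {"source": "edr",   "host": "srv-db01", "user": "svc_backup", "ts": "2021-08-18T03:00:30", "title": "Scheduled task created"},
]


def build_case(host, cluster):
    """Summarise one time-window cluster of alerts for a host.
    Fidelity is the number of distinct tools that independently flagged it;
    repeated alerts from the same tool do not raise it."""
    sources = sorted({a["source"] for _, a in cluster})
    return {
        "host": host,
        "users": sorted({a["user"] for _, a in cluster}),
        "sources": sources,
        "fidelity": len(sources),
        "titles": sorted({a["title"] for _, a in cluster}),  # de-duplicated
        "start": cluster[0][0].isoformat(),
        "end": cluster[-1][0].isoformat(),
    }


def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts by host, then split each host's timeline into clusters
    whose span does not exceed `window`, returning one case per cluster."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append((datetime.fromisoformat(a["ts"]), a))
    cases = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0])
        cluster = []
        for ts, a in items:
            if cluster and ts - cluster[0][0] > window:
                cases.append(build_case(host, cluster))
                cluster = []
            cluster.append((ts, a))
        if cluster:
            cases.append(build_case(host, cluster))
    return cases


def triage_queue(alerts, min_fidelity=2):
    """Split cases into a high-priority queue (corroborated by >= min_fidelity
    tools, highest fidelity first) and a low-priority backlog."""
    cases = correlate(alerts)
    high = sorted((c for c in cases if c["fidelity"] >= min_fidelity), key=lambda c: -c["fidelity"])
    low = [c for c in cases if c["fidelity"] < min_fidelity]
    return high, low
```

With the sample above, only the workstation flagged by all three tools reaches the high-priority queue; the two single-source hosts stay in the backlog, and the duplicate EDR alert collapses into one case.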

SANS_Institute_next_gen_soc_automating_alert_overload (PDF, 0.39MB)

18 Aug 2021
By Jon-Michael Lacek
All papers are copyrighted

No re-posting of papers is permitted
