Could you explain the working of SOC Insights capability without getting into technicalities?
SOC Insights applies AI-driven analytics to analyse massive alert, network, device, user and DNS threat intelligence data to quickly correlate events, prioritise them based on more than just ‘malware risk ranking’, and provide recommendations and tools to quickly resolve the threats that truly matter most. This helps reduce alert fatigue, analyst burnout, and improve SecOps efficiency, enabling them to do more with available resources. This extends to the rest of the security ecosystem as these AI-driven insights can be used to trigger automated responses or shared with other tools in the security stack to make them more effective as well.
For example, when an analyst starts work in the morning, rather than digging through hundreds of thousands of alerts in hopes of identifying the ones that need attention most, the SOC Insights UI has already analysed these events, correlating them with network and other data, and grouped them into a much more manageable set of ‘insights’ that can be reviewed in a fraction of the time. (e.g. one customer received over ½ million events which SOC Insights distilled down to only 2 dozen.)
Once the analysts have identified the insight they want to work on next, they click on ‘Investigate Insight’ and are immediately taken to a portal where they can pivot around network, event, threat intelligence, and other data in whatever order they wish. This makes it much faster (and easier) to understand the full context around the insight to weigh its true risk, and better understand the work required to address it. A simple example is to consider an attack with high-impact malware, but it is only seen on the guest network. Another is when two types of phishing attacks are identified, and immediate, on-demand access to rich context data can help identify which of these could impact a larger number of users.
How is Infoblox using AI, humans and data dynamics to work together to deliver useful and actionable insights?
Infoblox uses a combination of AI, human expertise, and data dynamics to identify and deliver actionable insights. The AI-driven analytics are trained by DNS experts (humans) who are skilled in cybersecurity and the nuances of DNS, providing our customers with AI tools that autocollect network, ecosystem, event, and DNS threat intelligence while filtering out irrelevant information and recognising patterns that highlight what is most important. This process is done quickly and automatically within BloxOne Threat Defense, giving the SOC back the hours it could take a human analyst to collect, filter, parse, sort, and otherwise manipulate the data in other tools. Finally, by intelligently collecting only relevant data into threat research and insight investigation portals, our customers’ analysts can start their investigation immediately, leveraging available information on-demand, without digging through individual alerts or waiting on NetOps for user and device information for context around threat activity. This way, Infoblox ensures that the insights delivered are both useful and actionable.
Why is this SOC Insights feature important?
Alert fatigue, analyst burnout, the skill shortage, and similar issues for the SOC all come from the challenge of having too many security events every day, and too much data to dig through to make sense of it all. SOC Insights is important because it helps security teams by automating much of the important yet time-consuming gathering and filtering of data. It then applies AI-driven analytics to this vast amount of data to distill and correlate hundreds of thousands of events into a more manageable set of ‘insights’, each connected to relevant asset, event, threat and other data analysts may need to quickly refer to, to help them understand threats and make informed, effective decisions… fast.
How does SOC Insights work with your security ecosystem today, and are there any long term plans? Can you give any examples?
In a world where most vendor ecosystems involve little more than sharing alert data with SIEMs or triggering a ticketing system (like ServiceNow), BloxOne Threat Defense breaks this mold in several ways:
- Proactively: Infoblox can collect, filter, normalise, and distribute threat intelligence across the security stack (NGFW, SWG, EDR, etc.) to uplift their own detection and protection capabilities. And it can easily integrate with existing Threat Intelligence Platforms (TIP) if they exist.
- Visibility: Infoblox can share event, network, DNS threat intelligence, and other data with tools that desire more context around alerts like SIEM or SOAR.
- Automation: Infoblox can automatically trigger actions by other tools, such as having a vulnerability scanner check a device connected to an alert to see if the alert can be ignored (if necessary patches are in place) or if there is need for more action.
When will the SOC Insights feature be available? Is it available globally? How does a customer get started?
SOC Insights is being launched globally on February 14, and is available immediately. Existing customers of BloxOne Threat Defense ‘Business Cloud’ and ‘Advanced’ will receive new ‘Configuration’ insights as part of their base product license. The SOC Insights ‘Security’ add-on package will be available for those same ‘Business Cloud’ and ‘Advanced’ customers, as an optional, separate purchase. SOC Insights is licensed based on the number of users, which by default is the number of employees, available in a tiered pricing structure.