How Machine Learning Within IncMan SOAR Empowers Security Analysts

In a recent blog post we looked at the differences between Artificial Intelligence (AI) and Machine Learning (ML), and at how they are being used today within the cybersecurity industry to help fight the growing number and sophistication of cyber attacks.

Artificial intelligence and machine learning are no strangers to DFLabs. AI is a game changer for security and has gained a lot of steam in recent years; vendors and organizations alike are building it into their products and security practices, and DFLabs is no exception. In this blog post we will briefly look at how DFLabs’ SOAR solution uses machine learning to improve the effectiveness and efficiency of security operations surrounding incident response.

As a quick summary, DFLabs’ Security Orchestration, Automation and Response (SOAR) platform, IncMan SOAR, is designed for SOCs, CSIRTs and MSSPs to automate, orchestrate and measure security operations and incident response processes and tasks, all from within a single, intuitive platform. Within the platform, SOAR technology helps organizations detect, respond to, contain and remediate cybersecurity incidents with fewer human resources by automating analysis and decision-making processes using machine learning software that works with, and multiplies the effectiveness of, existing security tools. Using IncMan SOAR, analyst time can be spent on higher priority and more skilled tasks, such as carrying out remediation activities or proactively threat hunting, rather than wasted sorting through a constant influx of alerts and repetitively checking the validity of alerts that mostly turn out to be false positives.

DFLabs Automated Responder Knowledge

DFLabs’ advanced, patent-pending Automated Responder Knowledge (ARK) module applies machine learning to the historical responses taken by an organization’s security analysts and recommends appropriate actions when similar threats and incidents occur. It compares the actions taken in previous incidents across hundreds of incident attributes to recommend relevant Playbooks and Runbooks for effectively and efficiently responding to, managing and mitigating future incidents.

Over time this knowledge base builds up automatically from the range of incidents handled and actions previously taken, ensuring critical tribal knowledge is preserved. It begins with no knowledge, learns from analysts’ experience and actions, and becomes more effective over time. The gained knowledge can then easily be transferred to analysts and responders, ensuring a consistent and repeatable response process for future security alerts and incidents; most importantly, it remains firmly within the organization, even if an analyst decides to move on.

DFLabs’ ARK can be summarized as a four-step process:

  • ARK constructs a model of the organization’s threat landscape based on known and historical incidents.

  • ARK scores and evaluates any incident based on unique and shared indicators and attributes and their relevance to historical incidents.

  • The algorithms within ARK use this model to suggest playbooks and runbooks for similar or related threats.

  • Threats known to the model are considered to have greater relevance, are scored more reliably, and are assigned greater urgency and higher prioritization.
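To make the four steps concrete, here is an added, deliberately simple illustration of the general approach they describe: a nearest-neighbour recommender over incident attribute sets that votes on the playbooks analysts actually ran. This is example code written for this post, not DFLabs’ ARK implementation, whose algorithms are not described here; the incidents, attribute tokens, playbook names and the similarity threshold are all constructed for the example.

```python
"""Illustrative playbook recommender following the four ARK steps above.

Added example, NOT DFLabs' ARK code (its algorithms are not described on this
page): a k-nearest-neighbour vote over the playbooks analysts actually ran,
using Jaccard similarity between incident attribute sets. Every incident,
attribute, playbook name and threshold here is constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Incident:
    """A closed incident: its attributes and the playbook the analyst ran."""
    incident_id: str
    attributes: FrozenSet[str]  # tokens such as "type:phishing", "ioc:url"
    playbook: str               # the historical response being learned from


@dataclass
class Recommendation:
    ranking: List[Tuple[str, float]]  # (playbook, share of neighbour votes), best first
    familiarity: float                # similarity to the closest known incident, 0..1
    needs_analyst_review: bool        # True when nothing in history is similar enough


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Step 2: shared vs. unique attributes, as |A and B| / |A or B|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class PlaybookRecommender:
    def __init__(self, min_similarity: float = 0.3, top_k: int = 3) -> None:
        self.history: List[Incident] = []  # step 1: the "model" is the closed-incident history
        self.min_similarity = min_similarity
        self.top_k = top_k

    def learn(self, incident: Incident) -> None:
        """Step 1: the knowledge base grows from each closed incident."""
        self.history.append(incident)

    def recommend(self, attributes: FrozenSet[str]) -> Recommendation:
        """Steps 2-4: score against history, vote on playbooks, flag unknowns."""
        scored = sorted(
            ((jaccard(attributes, past.attributes), past) for past in self.history),
            key=lambda pair: pair[0], reverse=True,
        )
        neighbours = [(s, p) for s, p in scored[: self.top_k] if s >= self.min_similarity]
        votes: Dict[str, float] = defaultdict(float)
        for score, past in neighbours:
            votes[past.playbook] += score  # step 3: closer incidents weigh more
        total = sum(votes.values())
        ranking = sorted(((pb, v / total) for pb, v in votes.items()),
                         key=lambda pair: pair[1], reverse=True)
        # step 4: a threat the model has seen scores high; an unseen one goes to a human
        familiarity = neighbours[0][0] if neighbours else 0.0
        return Recommendation(ranking, familiarity, needs_analyst_review=not neighbours)


# Constructed history. The playbooks are whatever analysts chose, right or wrong:
# a mislabelled closure here would be reproduced as a recommendation later.
HISTORY = [
    Incident("INC-1", frozenset({"type:phishing", "vector:email", "ioc:url",
                                 "ioc:sender-domain", "sev:medium"}), "Phishing Triage"),
    Incident("INC-2", frozenset({"type:phishing", "vector:email", "ioc:url",
                                 "ioc:attachment-hash", "sev:medium"}), "Phishing Triage"),
    Incident("INC-3", frozenset({"type:phishing", "vector:email", "ioc:sender-domain",
                                 "user:credential-entered", "sev:high"}), "Credential Compromise"),
    Incident("INC-4", frozenset({"type:malware", "vector:endpoint", "ioc:file-hash",
                                 "ioc:c2-ip", "sev:high"}), "Malware Containment"),
    Incident("INC-5", frozenset({"type:malware", "vector:endpoint", "ioc:file-hash",
                                 "sev:medium"}), "Malware Containment"),
]

# Constructed new alerts: one resembles past phishing, one is a kind never seen before.
NEW_PHISHING = frozenset({"type:phishing", "vector:email", "ioc:url", "sev:medium"})
NEW_UNSEEN = frozenset({"type:ics-anomaly", "vector:ot-network", "ioc:modbus-write", "sev:high"})


def build_recommender() -> PlaybookRecommender:
    rec = PlaybookRecommender()
    for incident in HISTORY:
        rec.learn(incident)
    return rec


if __name__ == "__main__":
    rec = build_recommender()
    for label, attrs in (("phishing-like", NEW_PHISHING), ("never seen", NEW_UNSEEN)):
        r = rec.recommend(attrs)
        action = "needs analyst review" if r.needs_analyst_review else "suggest to analyst"
        print(f"{label}: {r.ranking} familiarity={r.familiarity:.2f} -> {action}")
```

Two things are worth noticing when running it. The phishing-like alert lands on "Phishing Triage" with a high familiarity score because two closed incidents share four of its five attributes, while the ICS alert matches nothing above the threshold and is handed back to an analyst rather than given a guessed playbook. And because the history is nothing more than what analysts did, a wrong playbook choice in a closed incident would be learned and re-suggested just as readily as a right one, which is why recommendations of this kind are best treated as suggestions to review rather than actions to apply blindly.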

The Wider Adoption of AI

When added to a security program, AI can help organizations solve many issues that cannot be solved by humans alone, such as the ever-increasing volume of dreaded false positives. Acting as a force multiplier, IncMan SOAR with its machine learning capabilities enables security teams to do more with less, letting analysts apply their skills where they matter most while reducing incident dwell time. This ultimately helps organizations stay one step ahead of potential threats, even when human resources are limited.

We should still be mindful that, alongside these positive uses, AI and the machine learning algorithms that drive it can open organizations up to unintended risks. As organizations work more of this technology into their defense strategy, attackers are also viewing it as another attack vector they can use to their advantage. A system that learns from historical analyst actions, for example, inherits whatever those actions got wrong, so its recommendations should be reviewed rather than applied blindly. Therefore, when choosing and implementing AI technology (unless it is consumed through a third-party solution built by experts such as DFLabs), it is extremely important to understand the technology driving it and its operational use. If adopted standalone, ensure best practices are followed to minimize any associated risks.

If you would like to see IncMan SOAR in action and learn more about how its ARK module applies machine learning to the incident response process, you can read our previous blog post, as well as get in contact with one of our experts today to arrange a demo first-hand.

