September 1, 2022
Cybersecurity is a growing concern for organizations of all sizes. As the risks grow, security operation centers also need to evolve their approach to stay ahead of the curve.
We, at Cetas Cyber, understand that security professionals continue to struggle with too many alerts, most of which are false positives. Even though the goal is to quickly identify the critical alerts that require immediate attention, security practitioners spend countless hours manually searching through their data to identify abnormal alert patterns. This wastes time and increases the risk of missing, or improperly remediating, the real attack.
The purpose of this piece is to explain how Cetas Cyber helps security teams better understand the impact of a threat on their organizations, i.e., what is the risk to the business?
Properly making sense of the scale and variety of the threats facing today’s SOC teams requires an autonomous scoring mechanism that evaluates and prioritizes the riskiness of each possible threat. This autonomous scoring mechanism needs to consider the context in which these threats are being generated. We believe context can be provided in two ways: (1) a criticality metric that underlies each threat detection model in our model exchange and (2) a confidence metric that considers historical threat and model behavior along with analyst feedback.
Cetas Cyber’s risk scoring framework is the resulting methodology that considers criticality and confidence to assess the urgency of security attacks in your organization. Through this scoring framework, we provide an optimized risk assessment that allows security teams to immediately prioritize the highest fidelity alerts while reducing a significant amount of the noise that plagues the modern SOC.
The Cetas Cyber Risk Score enables SOC analysts to:
Cetas Cyber’s risk scoring is motivated by the top 2 goals of any SOC team: minimize false positives and minimize mean time to response. To accomplish this, not only do we calculate a risk score for every alert, but we also automatically bucket each alert into one of 4 categories.
The 4 categories are:
At any point in time, 70-90% of all generated threats will fall into the auto-suppression category and will not require any further investigation from a SOC analyst.
Context is the most important factor when investigating security alerts, but it is constantly changing. We, at Cetas Cyber, understand that context can change from day to day, and what a SOC analyst finds important today may not be important tomorrow. SOC analysts can provide feedback to our intelligence framework so that our understanding of context changes along with the SOC analyst. SOC analysts can label every incident as a false positive, true positive, or false negative. This feedback enables the creation of higher-efficacy, more robust threat detection models that are automatically tuned to the specific requirements of SOC teams.
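As an added illustration, not Cetas Cyber's own code or algorithm, the sketch below shows one way the criticality and confidence metrics described above can be combined into a per-alert risk score and bucketed, with analyst true-positive, false-positive and false-negative labels feeding a per-model confidence estimate. The bucket names other than auto-suppression, the score thresholds, the 0-100 scale and the Laplace-smoothed precision formula are assumptions made for this example.

```python
from dataclasses import dataclass

# Assumed bucket boundaries (upper bound exclusive). The page names only the
# auto-suppression bucket and says every alert lands in one of four categories.
BUCKET_THRESHOLDS = [(20, "auto-suppression"), (50, "low"), (80, "medium"), (101, "critical")]


@dataclass
class DetectionModel:
    name: str
    criticality: float  # 0.0-1.0, fixed by whoever authored the detection model
    tp: int = 0         # analyst confirmed the alert was real
    fp: int = 0         # analyst marked the alert as noise
    fn: int = 0         # alert was suppressed or deprioritised but turned out to be real

    def confidence(self) -> float:
        """Laplace-smoothed precision estimate built from analyst labels (assumed formula).

        Starts at 0.5 with no feedback. TP and FN both mean the model was right
        about the activity; FP means it was wrong.
        """
        right = self.tp + self.fn
        wrong = self.fp
        return (right + 1) / (right + wrong + 2)

    def feedback(self, label: str) -> None:
        """Record one analyst label: 'tp', 'fp' or 'fn'."""
        if label not in ("tp", "fp", "fn"):
            raise ValueError(f"unknown label {label!r}")
        setattr(self, label, getattr(self, label) + 1)


def risk_score(model: DetectionModel) -> int:
    """0-100 score: how critical the detection is, scaled by how much it is trusted."""
    if not 0.0 <= model.criticality <= 1.0:
        raise ValueError("criticality must be in [0, 1]")
    return round(100 * model.criticality * model.confidence())


def bucket(score: int) -> str:
    """Map a risk score to its triage bucket."""
    for upper, name in BUCKET_THRESHOLDS:
        if score < upper:
            return name
    raise ValueError("score out of range")


def triage(models: list[DetectionModel]) -> dict[str, list[tuple[str, int]]]:
    """Group alerts by bucket, highest score first within each bucket."""
    out = {name: [] for _, name in BUCKET_THRESHOLDS}
    for m in sorted(models, key=risk_score, reverse=True):
        out[bucket(risk_score(m))].append((m.name, risk_score(m)))
    return out
```

A model that analysts keep marking as a false positive drifts towards the auto-suppression bucket on its own, while a model whose suppressed alerts turn out to be real is pulled back up.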
Copyright © 2022 Cetas