Cetas Blog Post

Catalyzing the SOC Workflow with Cetas Cyber’s Automated Risk Scoring

September 1, 2022

Cybersecurity is a growing concern for organizations of all sizes. As the risks grow, security operation centers also need to evolve their approach to stay ahead of the curve.

We, at Cetas Cyber, understand that security professionals continue to struggle with too many alerts, most of which are false positives. Even though the goal is to quickly identify the critical alerts that require immediate attention, security practitioners spend countless hours manually searching through their data to identify abnormal alert patterns. This wastes time and increases the risk of missing, or improperly remediating, the real attack.

The purpose of this piece is to explain how Cetas Cyber helps security teams better understand the impact of a threat on their organization, i.e., what is the risk to the business?

The Solution

Properly making sense of the scale and variety of the threats facing today’s SOC teams requires an autonomous scoring mechanism that evaluates and prioritizes the riskiness of each possible threat. This autonomous scoring mechanism needs to consider the context in which these threats are being generated. We believe context can be provided in two ways: (1) a criticality metric that underlies each threat detection model in our model exchange and (2) a confidence metric that considers historical threat and model behavior along with analyst feedback.

Cetas Cyber’s risk scoring framework is the resulting methodology that considers criticality and confidence to assess the urgency of security attacks in your organization. Through this scoring framework, we provide an optimized risk assessment that allows security teams to immediately prioritize the highest fidelity alerts while reducing a significant amount of the noise that plagues the modern SOC.

The Cetas Cyber Risk Score enables SOC analysts to:

  1. Gain an immediate understanding of the risk that a threat has to the organization
  2. Understand the urgency of a threat and prioritize their investigation accordingly
  3. Customize risk assessment to fit the specific business context of the organization
  4. Significantly reduce false positive alerts


False Positive Reduction with Cetas Cyber Risk Scores

Cetas Cyber’s risk scoring is motivated by the top two goals of any SOC team: minimize false positives and minimize mean time to respond. To accomplish this, not only do we calculate a risk score for every alert, but we also automatically bucket each alert into one of four categories.


The four categories are:

  1. Auto-Incident – the riskiest and most urgent alerts
  2. Manual-Incident – risky alerts that merit investigation but are not urgent
  3. Manual-Suppression – low-risk alerts
  4. Auto-Suppression – false positive alerts

At any point in time, 70-90% of all generated threats will fall into the auto-suppression category and will not require any further investigation from a SOC analyst.

Auto-Incidents and the Cetas Cyber Feedback Loop

Context is the most important input when investigating security alerts, but it changes constantly. We, at Cetas Cyber, understand that context can change from day to day, and what a SOC analyst finds important today may not be important tomorrow. SOC analysts can provide feedback to our intelligence framework so that our understanding of context changes along with the analyst's. SOC analysts can label every incident as a false positive, true positive, or false negative. This feedback enables higher-efficacy, more robust threat detection models that are automatically tuned to the specific requirements of SOC teams.
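The following is an added illustrative example, not Cetas Cyber's code: the post names the inputs (a per-model criticality, a confidence shaped by history and analyst labels, four triage buckets) but not the formula, so the scoring rule, bucket thresholds, feedback step size, model names and alert stream below are all assumptions chosen to show how those pieces fit together.

```python
from dataclasses import dataclass
# Illustrative scoring model, assumed for this example (not Cetas Cyber's actual
# formula): risk = criticality of the detection model x current confidence in it.
# Analyst labels on incidents move the confidence of the model that raised them.

# Assumed bucket thresholds: (minimum score, category), highest first.
BUCKETS = [
    (0.75, "Auto-Incident"),
    (0.50, "Manual-Incident"),
    (0.25, "Manual-Suppression"),
    (0.00, "Auto-Suppression"),
]

# Confidence change per analyst label. A false negative means a suppressed alert
# was a real attack, so that model's alerts should be weighted higher, not lower.
FEEDBACK_DELTA = {"true_positive": 0.1, "false_negative": 0.1, "false_positive": -0.1}

@dataclass
class DetectionModel:
    criticality: float  # 0..1, fixed by the model author in the model exchange
    confidence: float   # 0..1, learned from history and analyst feedback

def risk_score(model: DetectionModel) -> float:
    return round(model.criticality * model.confidence, 4)

def bucket(score: float) -> str:
    for minimum, category in BUCKETS:
        if score >= minimum:
            return category
    return "Auto-Suppression"

def apply_feedback(model: DetectionModel, label: str) -> float:
    """Apply one analyst label and return the model's new confidence, clamped to [0, 1]."""
    delta = FEEDBACK_DELTA[label]  # an unknown label raises KeyError on purpose
    model.confidence = round(min(1.0, max(0.0, model.confidence + delta)), 4)
    return model.confidence

def triage(alerts, models):
    """Score and bucket each (alert_id, model_name) pair in an alert stream."""
    return [(aid, risk_score(models[m]), bucket(risk_score(models[m]))) for aid, m in alerts]

def auto_suppression_rate(triaged) -> float:
    return round(sum(1 for _, _, b in triaged if b == "Auto-Suppression") / len(triaged), 2)

# Constructed sample data: three hypothetical detection models and a ten-alert stream.
MODELS = {"smb_lateral_movement": DetectionModel(0.9, 0.9),
          "rare_user_agent": DetectionModel(0.6, 0.5),
          "failed_login_burst": DetectionModel(0.4, 0.3)}
ALERTS = [("a1", "smb_lateral_movement"), ("a2", "rare_user_agent")] + [(f"a{i}", "failed_login_burst") for i in range(3, 11)]
```

Two false-positive labels on the rare_user_agent model drop its confidence from 0.5 to 0.3, moving its alerts from Manual-Suppression into Auto-Suppression, which is the feedback loop the section describes.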
