Author: Dr. Edward Amoroso, Chief Executive Officer, TAG Infosphere, Research Professor, NYU
The modern security operations center (SOC) benefits from the automation of alert collection and normalization. This blog from guest blogger Dr. Edward Amoroso, CEO of TAG Infosphere, illustrates how such automation can be leveraged in practice using commercial solutions such as the Anvilogic detection engineering and hunting platform.
An obvious shift that has occurred in the day-to-day work activity for enterprise security operations center (SOC) teams involves increased use of automation – and this is particularly true for alert collection and normalization. In prior generations of security analysis, much of this work would have been done manually, but this has proven an unscalable approach.
By alert collection and normalization, we refer specifically to the challenge of implementing an ingest program that uses connectors, application programming interfaces (APIs), network feeds, and other means to collect output telemetry from applicable systems. The goal is to analyze such data to identify evidence of emerging, on-going, or even prior exploits.
The Anvilogic detection engineering and hunting platform has demonstrated considerable usefulness in supporting this dual goal of automated alert collection and normalization for SOC teams. The sections below provide detail to support this observation in the context of the modern SOC.
Alert Collection with Anvilogic
The premise driving the security alert collection task is that most, if not all, of the alerts that find their way into the SOC will have some degree of security relevance, even information that might later be classified as redundant or low priority. This implies that great discipline should be in place to ensure that no alerts are missed or ignored.
It also implies that automation of the alert collection process must be performed – and this is best done in the context of an automated data feed ecosystem that connects the dots between alert generation and alert management for processing. The idea that such work can be done using manual methods no longer makes sense in any complex enterprise.
The Anvilogic platform is designed specifically for such automation. For example, SOC teams that must contend with multiple feeds from systems such as Proofpoint (for email), CrowdStrike (for EDR) and Cortex (for XDR) can ensure that no alerts are being lost. This is valuable for both cybersecurity as well as compliance and regulatory support.
Alert Normalization with Anvilogic
SOC teams also understand that the collection and storage of alerts from heterogeneous sources is not enough to support proper processing and interpretation. Instead, these alerts must be reviewed for differences in assumption, definitions, context, and meaning. This type of processing requires advanced algorithms that can highlight anomalies.
This process of combining and introducing commonality to alerts is known as normalization. It is an essential component of automated alert management, and it must be designed to minimize any data loss that can occur by trying to combine the context or meaning of different alerts. Such normalization is particularly relevant in environments with a mix of different sources.
The Anvilogic detection engineering and hunting platform is designed to support the normalization of various alerts into a common framework (including, for example, the Proofpoint, CrowdStrike and Cortex feeds mentioned above). The result is that SOC teams can benefit from several advantages including the following:
- Unified Query Language – SOC teams generally support day-to-day investigations and hunting using popular query languages such as SQL or KQL. Normalization allows this to include all types of alerts.
- Common Schema – A common schema is essential to creating a normalization approach that does not lose any information in the translation process. Such schema should be embedded into the normalization platform.
- Centralized Hunting – The normalization process supports the goal of centralized threat hunting. Obviously, this does not imply non-distributed collection or even processing, but centralized normalization simplifies the analysis.
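The collection discipline (no alerts lost) and the normalization into a common schema described above, as an added illustration that is not Anvilogic code: three constructed feed formats (email, EDR, XDR; the field names, the schema and the per-feed expected counts are assumptions) are mapped into one schema, unmapped fields are kept so nothing is lost in translation, and a reconciliation step flags any feed whose delivered alert count falls short of what it reported sending.

```python
# Added example: per-source field maps into one common schema (assumed layout, not a vendor schema).
from collections import Counter
from datetime import datetime, timezone

FIELD_MAPS = {
    "email": {"ts": "msg_time", "host": "recipient_host", "severity": "threat_score", "title": "subject"},
    "edr":   {"ts": "event_ts", "host": "hostname", "severity": "sev", "title": "detect_name"},
    "xdr":   {"ts": "timestamp", "host": "endpoint", "severity": "severity", "title": "alert_name"},
}
SEVERITY_TEXT = {"low": 2, "medium": 5, "high": 8, "critical": 10}

def norm_severity(value):
    """Map vendor-specific severity (text label or 0-100 score) onto a common 0-10 scale."""
    if isinstance(value, str):
        return SEVERITY_TEXT.get(value.lower(), 0)
    return min(10, value // 10) if value > 10 else int(value)

def normalize(source, alert):
    """Translate one raw alert into the common schema. Fields the map does not
    cover are kept under 'extra' so the translation loses no information."""
    fmap = FIELD_MAPS[source]
    ts = alert[fmap["ts"]]
    if isinstance(ts, (int, float)):  # epoch seconds -> ISO-8601 UTC
        ts = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {
        "source": source,
        "timestamp": ts,
        "host": alert[fmap["host"]].lower(),  # case-fold so EDR and email agree on a host
        "severity": norm_severity(alert[fmap["severity"]]),
        "title": alert[fmap["title"]],
        "extra": {k: v for k, v in alert.items() if k not in fmap.values()},
    }

def reconcile(expected_counts, normalized):
    """Collection check: alerts each feed reported sending minus alerts actually
    normalized; a positive shortfall means alerts were lost in the pipeline."""
    seen = Counter(r["source"] for r in normalized)
    return {src: expected_counts[src] - seen.get(src, 0) for src in expected_counts}

# Constructed sample alerts (not real vendor output); the EDR feed claims 2 sent but 1 arrived.
RAW = [
    ("email", {"msg_time": "2024-05-01T10:00:00+00:00", "recipient_host": "WS01",
               "threat_score": 85, "subject": "Invoice", "sender": "x@example.net"}),
    ("edr", {"event_ts": 1714557600, "hostname": "ws01", "sev": "high",
             "detect_name": "Suspicious process", "pid": 4242}),
    ("xdr", {"timestamp": "2024-05-01T10:02:00+00:00", "endpoint": "SRV02",
             "severity": "medium", "alert_name": "Lateral movement"}),
]
NORMALIZED = [normalize(src, a) for src, a in RAW]
MISSING = reconcile({"email": 1, "edr": 2, "xdr": 1}, NORMALIZED)
```

Once every feed lands in this shape, a single query over `host`, `timestamp` and `severity` covers all sources, which is the unified-query benefit listed above.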
These types of security operational benefits demand that SOC teams implement a practical normalization scheme for their alerts – and the Anvilogic platform accomplishes this goal in the context of automated support. SOC managers and practitioners should ensure that this type of support is readily available in their current environment.
A reasonable management action plan to implement an automation scheme for collection and normalization includes three basic steps that can be accomplished easily by SOC teams and their management staff. While the specifics will vary between environments, the three steps listed below should be present in most action plans:
- Inventory – SOC teams should perform an inventory review to determine how they are currently handling alerts from their various security platforms including EDR and XDR. This inventory process will likely involve both manual and automated support and can benefit from existing aggregation sources such as the SIEM or GRC platforms.
- Requirements – A set of functional requirements will emerge based on this inventory and will drive platform selection. These requirements will typically be organized into a taxonomy including collection of alerts, normalization of data, protection and storage, analysis and process, and translation of insights into action.
- Platform Review – The SOC team should begin to identify options for platform support – and the TAG Cyber team recommends that Anvilogic be included in the process. Their approach to detection engineering and hunting is consistent with the points made here regarding automated support in practical SOC environments.
Implementing these three steps should be relatively easy for most SOC teams to carry out, so the recommendation here is that this be an immediate priority, especially as the complexity and variety of alerts in the SOC continue to increase.