The Future of Security Analytics
I have always worked in and been passionate about Security Analytics. I started my career in the trenches as a SOC Analyst and worked my way up to a Detection Engineering role. During that time, I began to understand some of the wider challenges in Security Analytics and became convinced that there had to be “a better way”. Since then, I have chased opportunities to work for organizations that have found a “better way” of working and are capable of providing tangible value to the industry. However, on that same journey, I also realized that just having a great solution is meaningless without the involvement of skilled communicators, organizers, and leaders who can effectively bring that solution to the market and drive adoption. Consequently, I found my calling as a Sales Engineer and have spent the last four years helping put great solutions into the hands of the practitioners who need them.
As such, joining the team at Anvilogic was a no-brainer. The solution is unparalleled at addressing the most painful challenges faced by Detection Engineers, Threat Hunters, and SOC Analysts, is supported by a team of experienced practitioners with a deep understanding of those challenges, and is led by seasoned veterans of the cyber security industry who know how to run a successful business. In summary, I can’t imagine an organization more capable of, and better positioned for, bringing meaningful change to Security Analytics.
A Quick Glimpse
There are many benefits to Anvilogic’s approach to Security Analytics. However, as a former Detection Engineer, the most interesting capability of the platform is “Threat Scenarios”.
In a nutshell, Threat Scenarios are a way to tie multiple lower-level alerts together into a more complete, higher-fidelity use case. This reduces the volume of potentially noisy alerts that SOC Analysts have to engage with and benefits the entire downstream workflow, all the way through to incident response.
Instead of engaging with hundreds of alerts generated by traditional correlation rules or detections, Analysts can focus on a much smaller subset that has been bundled together as a “Threat Scenario”. By nature, those bundles are enriched with useful, relevant context that would otherwise have to be gathered manually during an investigation, such as the common entity (user, host, etc.) that ties the alerts together.
For the Detection Engineers in the audience, it might be useful to think of this as adding an additional layer of correlation on top of the alerts that are already being generated by existing detections. “Alerting on alerts” might sound silly, but I can assure you that it is a highly effective approach.
I can say that with confidence because the concept itself is not exactly new. Cross-correlation has been around since the ArcSight days, and Risk-Based Alerting in Splunk is basically a less complex spin-off. UEBA is effectively the same concept, with perhaps some ML/AI sprinkled on top to assist with baselining. Even SOAR solutions include this capability as part of workflow automation. The problem with all of these flavors of layered alerting is that they are either a) extremely performance intensive, b) black-box solutions with little to no customizability, or c) dependent on a significant amount of code to build and maintain.
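As an illustration of the layered-alerting idea described above, here is a small added Python sketch (not Anvilogic’s code, and not how its engine is implemented) that groups constructed low-level alerts by a shared host and promotes a group to a scenario only when several distinct detections fire within a time window; the alert fields, thresholds, and rule names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of low-level alerts, shaped like what a SIEM might emit (not real data).
ALERTS = [
    {"id": 1, "time": "2024-05-01T09:00:00", "host": "ws-17", "user": "alice", "rule": "suspicious_powershell"},
    {"id": 2, "time": "2024-05-01T09:04:00", "host": "ws-17", "user": "alice", "rule": "new_scheduled_task"},
    {"id": 3, "time": "2024-05-01T09:09:00", "host": "ws-17", "user": "alice", "rule": "outbound_to_rare_domain"},
    {"id": 4, "time": "2024-05-01T11:00:00", "host": "ws-22", "user": "bob", "rule": "suspicious_powershell"},
    {"id": 5, "time": "2024-05-01T13:30:00", "host": "ws-22", "user": "bob", "rule": "suspicious_powershell"},
    {"id": 6, "time": "2024-05-02T08:00:00", "host": "srv-01", "user": "svc_backup", "rule": "new_scheduled_task"},
]


def build_threat_scenarios(alerts, entity="host", window=timedelta(minutes=30), min_distinct_rules=2):
    """Group alerts by a shared entity and promote a group to a Threat Scenario
    when at least `min_distinct_rules` different detections fire within `window`.
    Repeated firings of the same rule on their own never qualify."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a[entity]].append({**a, "ts": datetime.fromisoformat(a["time"])})

    scenarios = []
    for key, group in by_entity.items():
        group.sort(key=lambda a: a["ts"])
        i = 0
        while i < len(group):
            # Every alert within `window` of the anchor alert at position i.
            run = [a for a in group[i:] if a["ts"] - group[i]["ts"] <= window]
            rules = {a["rule"] for a in run}
            if len(rules) >= min_distinct_rules:
                scenarios.append({
                    entity: key,
                    "users": sorted({a["user"] for a in run}),      # enrichment: shared context
                    "rules": sorted(rules),
                    "alert_ids": [a["id"] for a in run],
                    "first_seen": run[0]["time"],
                    "last_seen": run[-1]["time"],
                })
                i += len(run)  # these alerts are consumed by the scenario
            else:
                i += 1
    return scenarios


if __name__ == "__main__":
    for s in build_threat_scenarios(ALERTS):
        print(s)
```

On the constructed sample, six low-level alerts collapse into one scenario for host ws-17, while the repeated single rule on ws-22 and the lone alert on srv-01 stay below the threshold.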
Anvilogic’s solution addresses all three of these key challenges and makes advanced detection engineering, threat hunting, and analysis possible for all teams.
1. Performance
- Anvilogic’s detection engine sits on top of your existing SIEM and other data storage and only analyzes the events of interest. This allows you to correlate across alerts and data from the entire environment without issuing expensive searches against raw data in disparate locations.
2. Customizability
- There are hundreds of out-of-the-box Threat Scenarios available to download from Anvilogic’s Armory, and each use case is completely detailed, easy to understand, and fully customizable.
3. Development Skill
- Users can download, customize, or build their own Threat Scenarios from scratch without needing to be an expert in their SIEM technology or write a single line of code. The platform provides a visual interface for development that significantly reduces the skill and time required.
This capability is just the tip of the iceberg; there are countless more features and functionalities that make Anvilogic’s SOC Platform a true game changer for Security Analytics. If you’d like to learn more, please reach out and ask for a demo by clicking on this link. Additionally, keep an eye out for more blog posts from myself and the rest of our team as we begin to dive deeper into how Anvilogic’s solution is changing the industry.