Building the security operations center of tomorrow—better insights with compound detection

In the physical world, humans are fantastic at connecting low quality signals into high quality analysis. Consider speaking with someone in a crowded place. You may not hear every word they say, but because you are fluent in the language and can piece together context from the words you do catch, you can fill in the gaps. For example, if you’re with a colleague in a noisy station who says, “Our (inaudible) is about to arrive,” you can be pretty confident, based on where you are and the way their mouth moved, that “(inaudible)” is “train.”

In the digital world, we need tools that can perform similar feats of adaptive analysis. Effective cybersecurity depends on rapid detection and remediation to limit the damage from high-impact activities. It also requires intelligence gathered across on-premises and hybrid cloud environments, mobile devices, IoT, threat intelligence feeds, partner information, and other endpoints to uncover stealthy attacks.

Tomorrow’s security operations center (SOC) tools need to analyze the low risk signals that our current systems are missing. They also need to account for uncertainty and for the changing tactics of attackers, so that they can anticipate the next step in the kill chain and uncover novel attacks. This is what compound detection is designed to do.

As we’ve written in two previous posts, the law of data gravity provides the framework for addressing both speed and insight correlation across data sources. Microsoft recently released the public preview of Fusion technology, which is built on compound detection. Fusion accelerates the analysis and helps connect the dots between your data lakes.

The law of data gravity

The law of data gravity states that the bigger the mass of data, the more services and apps are attracted to it, accelerated by the need to decrease latency and maximize bandwidth. According to this law, whenever possible you should run analysis where the data is. When applied to security, this means instead of waiting to gather all your log files into a traditional security information and event management (SIEM) system to do analysis, you can leverage security data that your vendors have amassed in their clouds to detect and remediate threats. For example, if malware is positively identified in one cloud endpoint, you can block it quickly across all endpoints and prevent threats from spreading. Insights from each of your security platforms can then be connected to uncover stealth attacks or novel approaches.

The traditional SIEM was designed to correlate data across multiple on-premises systems; however, SIEMs suffer from two related problems. First, they surface far too many alerts, many of which are false positives. This places a huge burden on security analysts, who must triage the alerts and correlate them with alerts from other products. Second, and more frustrating, the SIEM’s brittle and static rules can miss important events, leading to false negatives. It’s no wonder that analysts suffer from alert fatigue.

Fusion technology, part of Azure Sentinel, the first cloud-native SIEM, is designed to remove some of this burden from security analysts. Fusion uses scalable machine learning algorithms to reduce thousands of alerts to a manageable list of high-fidelity cases.

Compound detection can reduce both false positives and false negatives

Fusion technology is based on the concept of compound detection. As the shortcomings of the traditional SIEM show, we need tools that improve their accuracy over time and that quickly correlate alerts across platforms, so that analysts investigate fewer false positives while fewer real attacks slip through as false negatives.

Compound detection works by building a graph of low and high risk alerts, of high-impact activities such as a successful phishing campaign, and of the elements that link them. Probability algorithms correlate behavior between the alerts and the high-impact activities and simulate different attack paths. Because machine learning algorithms work far faster than manual human analysis, compound detection can analyze all events, even the low risk ones. It can uncover multi-stage attacks, and it updates its model of the kill chain to improve its ability to detect the early stages of a new attack. When the analysis is done, millions of lower-fidelity anomalous activities can be reduced to dozens of high-fidelity cases, leaving security analysts the time they need to focus on the security issues that make the biggest difference.
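To make the idea concrete, here is an added toy implementation of the approach described above. It is not Fusion’s algorithm or any Microsoft code; it is a constructed illustration that links alerts sharing an entity into kill-chain-ordered paths, scores each path with a noisy-OR combination of the per-alert probabilities, and promotes only multi-stage chains. The stage names, the 24-hour window, the sample alerts and their probabilities are all assumptions made for the example.

```python
"""Toy compound detection over constructed alerts.

Added illustration of the concept described in the post; this is NOT the
Azure Sentinel Fusion algorithm, just minimal graph-plus-probability correlation.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from itertools import combinations

Alert = namedtuple("Alert", "time entity stage p_malicious")

# Assumed, simplified kill-chain ordering (hypothetical stage names).
KILL_CHAIN = ["initial_access", "credential_access", "lateral_movement", "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(KILL_CHAIN)}

# Constructed sample alerts. Every one is low fidelity on its own (p < 0.5).
SAMPLE_ALERTS = [
    Alert(datetime(2020, 1, 10, 8, 2), "alice", "initial_access", 0.20),     # click on a phishing-like link
    Alert(datetime(2020, 1, 10, 8, 15), "alice", "credential_access", 0.30),  # odd MFA prompt pattern
    Alert(datetime(2020, 1, 10, 9, 40), "alice", "lateral_movement", 0.25),   # first-time RDP to a server
    Alert(datetime(2020, 1, 10, 10, 5), "alice", "exfiltration", 0.35),       # large upload to a new domain
    Alert(datetime(2020, 1, 10, 11, 0), "bob", "lateral_movement", 0.30),     # isolated anomaly, no chain
    Alert(datetime(2020, 1, 12, 8, 0), "carol", "initial_access", 0.20),
    Alert(datetime(2020, 1, 19, 8, 0), "carol", "exfiltration", 0.35),        # a week later: outside window
]


def naive_threshold(alerts, threshold=0.5):
    """What a static per-alert rule surfaces: here, nothing clears the bar."""
    return [a for a in alerts if a.p_malicious >= threshold]


def build_graph(alerts, window=timedelta(hours=24)):
    """Edge i -> j when both alerts share an entity, j occurs after i within the
    window, and j's stage is later in the kill chain than i's stage."""
    edges = {i: set() for i in range(len(alerts))}
    for i, j in combinations(range(len(alerts)), 2):
        a, b = alerts[i], alerts[j]
        if a.entity != b.entity:
            continue
        if a.time > b.time:            # orient the edge forward in time
            i, j, a, b = j, i, b, a
        if b.time - a.time <= window and STAGE_INDEX[b.stage] > STAGE_INDEX[a.stage]:
            edges[i].add(j)
    return edges


def walk(edges, path):
    """Enumerate every simulated attack path that extends `path`."""
    if not edges[path[-1]]:
        yield path
        return
    for nxt in sorted(edges[path[-1]]):
        yield from walk(edges, path + [nxt])


def chain_score(alerts, path):
    """Noisy-OR: probability that at least one alert on the path is truly malicious."""
    p_all_benign = 1.0
    for i in path:
        p_all_benign *= 1.0 - alerts[i].p_malicious
    return 1.0 - p_all_benign


def compound_detect(alerts, min_stages=2, threshold=0.5):
    """Promote only multi-stage chains whose combined score clears the threshold."""
    edges = build_graph(alerts)
    targets = {j for js in edges.values() for j in js}
    cases = []
    for start in range(len(alerts)):
        if start in targets:           # not the start of a chain
            continue
        best = max(walk(edges, [start]), key=lambda p: chain_score(alerts, p))
        stages = [alerts[i].stage for i in best]
        score = chain_score(alerts, best)
        if len(set(stages)) >= min_stages and score >= threshold:
            cases.append({"entity": alerts[start].entity, "stages": stages, "score": round(score, 3)})
    return cases


if __name__ == "__main__":
    print("static rule :", naive_threshold(SAMPLE_ALERTS))   # []
    print("compound    :", compound_detect(SAMPLE_ALERTS))   # one case for alice, score 0.727
```

Run as-is: the static per-alert rule returns nothing because no single alert is above 0.5, while the chain for alice (four low-fidelity alerts in kill-chain order within 24 hours) combines to 0.727 and becomes the only case; bob’s isolated anomaly and carol’s two alerts a week apart never form a chain. The noisy-OR and the fixed window are deliberate simplifications; a real system learns the linking probabilities and stage model from data rather than hard-coding them.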

[Image: table comparing traditional correlation engines with Fusion technology. Fusion’s listed solutions are iterative attack simulation, a probabilistic cloud kill chain, and advances in graphical methods.]

Learn more

The days of alert fatigue may not be over yet, but with solutions like compound detection we’re working towards solving the problem. Read about Azure Sentinel and its underlying technology to find out more.

In the coming weeks, we’ll share another post in this series on the Security blog, where we’ll address the concept of data architecture and provide guidance on what information needs to be pulled together for insights and what can remain where it is.