Share Blog Post
The mark of a truly capable security team lies in the efficacy of its threat response and incident management processes. In order to achieve this, organizations need to develop a synergy between the human capital and technology infrastructure by implementing the right processes. In recent times, Machine Learning (ML) has emerged as a force-multiplier in security operations to improve the speed and accuracy of decision-making in the incident response lifecycle.
Where does CFTR use Machine Learning?
While the term machine learning often gets misused as a buzzword in the security industry, Cyware takes a more pragmatic approach to deliver the real benefits of ML for its customers.
- Cyware Fusion and Threat Response (CFTR) uses ML for assessing incident data to assign the right personnel for handling it effectively.
- CFTR analyzes large quantities of data to discern patterns or anomalies using ML-based pattern recognition and behavioral mapping techniques to aid key security operations.
- With the help of ML, CFTR also automates areas that require tremendous human effort.
Inner workings of CFTR’s ML pipeline
CFTR uses the historical data of Incidents and Incident Assignees (Users) to build an efficient model used for various ML tasks. The ML pipeline in CFTR analyzes these data sets to come up with actionable suggestions for security teams.
- The Incident data analyzed by the ML pipeline includes fields such as Incident ID, Incident Type, Severity, Assigned To, Creation Date, Attack Tactics, Attack Techniques, BU Impacted, Locations Impacted, Malware, Sources, Threat Actors, and All IOCs.
- The Incident Ownership data includes fields such as Incident ID, Assigned Analyst, Incident Status, Creation Date, and Incident Phase.
- To build the ML model, the data is first pre-processed using Synthetic Minority Oversampling Technique (SMOTE) to fix the class imbalance in data.
Thereafter, CFTR puts the processed data to work through a range of highly accurate ML models, including:
- XGBoost - XGBoost is a decision tree-based ensemble ML model that uses a gradient-boosting framework.
- GBTe - The GBTe algorithm is a variant of gradient boosting, where one decision tree helps correct errors made by a previously trained tree.
- Random Forest - Random Forests (or Random Decision Forests) is a supervised learning algorithm that consists of a large number of individual decision trees that operate as an ensemble.
- Quadratic Discriminant Analysis (QDA) - QDA is a variant of Linear Discriminant Analysis (LDA), a classification and dimensionality reduction technique for non-linear separation of data.
- Decision Tree Classifier - Decision tree classifiers are a systematic approach to build classification models from an input data set.
- Adaboost Classifier - Adaboost is a boosting technique that combines multiple weak classifiers to build a strong classifier that can accurately predict the class of an object.
- Support Vector Machine (SVM) - SVM is a supervised ML algorithm that can be used for both classification or regression purposes.
Eventually, CFTR picks the best-performing three models and further tunes them to enhance their performance individually.
- At the end of this automated process, CFTR generates a hybrid ML model that is highly accurate and suitable for your organization.
- The ML model can be deployed as a microservice on the cloud or on-premise deployment models.
Using ML to automate Incident Assignment
One of the most common challenges for security teams is to determine the assignment of individual analysts to different incidents. The skill level, expertise, and availability of an analyst all come into play here, making it a tough problem for automation.
- CFTR simplifies this process by automatically suggesting the best-suited analysts by analyzing historic Incident data, Incident ownership details, and Analyst Shift Roster using self-trained ML models.
- The highly accurate ML models are automated right from the collection of data to turning them into useful analyst assignment suggestions.
The benefits of this ML-powered automation are fairly self-evident, as CFTR automatically executes the process of understanding and assigning incidents to analysts in a timely and effective manner. It ensures that workloads are intelligently distributed across the security team.
The bottom line
Every few years, new transformative technologies, such as machine learning, open up possibilities for reimagining our approach to critical organizational functions, such as security operations. However, the true potential of such technologies is only realized when they are matched with the right applications in different domains. With the help of CFTR's highly efficient ML model, incident response teams can intelligently distribute workload and automate the crucial task of assigning incidents to the most suitable team member for faster and effective response.
Posted on: October 23, 2020
More from Cyware
Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.