SOAR Use Case: DLP Alert Triage
Data Loss Prevention (DLP) aims to protect an organization’s most precious commodity: its data. By monitoring the flow of data over email and web protocols, and transfers to portable media such as USB memory drives, DLP systems enable organizations to detect, block, and investigate suspicious activity that could lead to sensitive data leaving the organization. This is mission-critical work, protecting intellectual property and other confidential data such as customer records, and helping organizations comply with data privacy and data security regulations, which could include Gramm-Leach-Bliley, HIPAA, the California Consumer Privacy Act, and the EU GDPR.
Of course, even in small organizations, there are high volumes of email and file transfers for DLP systems to monitor. Larger Security Operations Centers (SOCs) receive as many as 10,000 DLP alerts per week. Processing these alerts is time-consuming work. Security analysts often copy alerts from SOC email inboxes and paste them into spreadsheets. Analysts need to de-duplicate alerts, sometimes by comparing timestamps, so that a single event isn’t represented by multiple alerts. Analysts will then examine the individual alerts, looking for signs of suspicious activity and comparing the volume of similar events to a baseline for a particular system or user, assuming the analysts have been able to determine what those baselines should be. URLs may need to be investigated and attachments opened and scanned. Investigating a single alert may require 25 minutes or longer of a security analyst’s time.
This is detailed, repetitive work. It can be frustrating, too, since up to 95% of those closely examined alerts will turn out to be false positives or duplicate tickets. To find the few alerts that genuinely require action may take a SOC 7 to 10 hours or longer each week. With data volumes rising dramatically and SOCs chronically short-staffed, organizations need a better way of handling DLP alert triage to ensure they can protect their sensitive data.
Devo SOAR provides autonomous threat detection and response automation for SOC teams. By applying machine learning and advanced analytics on large data sets, Devo SOAR automates security analyst workflows and decisions, helping SOC teams save time, find critical threats, and eliminate false positives.
Devo SOAR integrates with DLP systems and applies playbook rules to filter out benign alerts based on URL path, filename, user, and other attributes, dramatically reducing the total volume of alert data. From there, by leveraging predefined thresholds and even tracking “normal” activity for each user over time, Devo SOAR can flag activity that appears genuinely suspicious and automatically open cases for these incidents in a case management system, sparing analysts the trouble of working in email and Excel. Analysts can then investigate those cases themselves, with Devo SOAR driving the automation around them. For example, it can automatically send an email to the user or the user’s manager, flagging the possible security violation and asking for confirmation that the activity is both legitimate and necessary for business.
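To make the triage steps described above concrete (de-duplicating by timestamp, filtering benign alerts by URL path, filename and user, and comparing a user’s volume against a per-user baseline before opening a case), here is a small standalone pipeline in Python. It is an added example written for this page, not Devo SOAR code or any DLP vendor’s alert format: the alert fields, the policy allowlists, the “mean plus three standard deviations” baseline rule and the sample alerts are all assumptions made for illustration.

```python
"""Toy DLP alert triage pipeline (added example, not Devo SOAR code).

Steps: de-duplicate alerts, drop benign ones by playbook rules, compare each
user's remaining count against that user's own baseline, open a case on excess.
All field names, policy values and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample alerts for one day (not real data). Each is one transfer
# the DLP system reported; "url_path" is None for email/USB channels.
RAW_ALERTS = [
    {"ts": "2024-03-04T09:00:00", "user": "alice", "channel": "web",
     "filename": "q1_forecast.xlsx", "url_path": "/sites/finance/upload", "bytes": 120_000},
    {"ts": "2024-03-04T09:00:30", "user": "alice", "channel": "web",   # re-emitted on retry
     "filename": "q1_forecast.xlsx", "url_path": "/sites/finance/upload", "bytes": 120_000},
    {"ts": "2024-03-04T09:10:00", "user": "svc-backup", "channel": "usb",
     "filename": "nightly.tar", "url_path": None, "bytes": 50_000_000},
    {"ts": "2024-03-04T11:00:00", "user": "bob", "channel": "email",
     "filename": "newsletter.pdf", "url_path": None, "bytes": 900_000},
    {"ts": "2024-03-04T13:00:00", "user": "bob", "channel": "web",
     "filename": "customer_list.csv", "url_path": "/upload", "bytes": 3_000_000},
    {"ts": "2024-03-04T13:05:00", "user": "bob", "channel": "web",
     "filename": "customer_list_2.csv", "url_path": "/upload", "bytes": 2_500_000},
    {"ts": "2024-03-04T13:12:00", "user": "bob", "channel": "web",
     "filename": "contracts.zip", "url_path": "/upload", "bytes": 40_000_000},
    {"ts": "2024-03-04T13:20:00", "user": "bob", "channel": "web",
     "filename": "payroll.xlsx", "url_path": "/upload", "bytes": 700_000},
    {"ts": "2024-03-04T15:00:00", "user": "carol", "channel": "web",
     "filename": "resume.docx", "url_path": "/upload", "bytes": 80_000},
]

# Constructed history: each user's daily count of non-benign alerts over prior days.
HISTORY = {"alice": [1, 1, 2, 1, 1], "bob": [2, 3, 2, 3, 2]}   # carol is new: no history

# Assumed playbook policy; values are illustrative.
POLICY = {
    "allowed_url_prefixes": ["/sites/finance/"],   # sanctioned internal upload location
    "benign_filename_suffixes": ["newsletter.pdf"],
    "service_accounts": {"svc-backup"},
    "min_daily_alerts": 3,    # never open a case below this many events in a day
    "sigma": 3.0,             # flag when count > mean + sigma * stdev of the user's history
}


def dedupe(alerts, window=timedelta(minutes=5)):
    """Collapse alerts for the same user/channel/file within `window` of the last kept one."""
    parsed = sorted(({**a, "ts": datetime.fromisoformat(a["ts"])} for a in alerts),
                    key=lambda a: a["ts"])
    last_kept, kept = {}, []
    for a in parsed:
        key = (a["user"], a["channel"], a["filename"])
        if key in last_kept and a["ts"] - last_kept[key] <= window:
            continue
        last_kept[key] = a["ts"]
        kept.append(a)
    return kept


def is_benign(a, policy):
    """Playbook rules: service accounts, sanctioned URL paths and known-harmless files."""
    if a["user"] in policy["service_accounts"]:
        return True
    if a["url_path"] and any(a["url_path"].startswith(p) for p in policy["allowed_url_prefixes"]):
        return True
    return any(a["filename"].endswith(s) for s in policy["benign_filename_suffixes"])


def per_user_threshold(history, user, policy):
    """Baseline = mean + sigma * stdev of past daily counts, floored at min_daily_alerts.
    Users with too little history just get the floor, so new accounts are still checked."""
    counts = history.get(user, [])
    if len(counts) < 2:
        return policy["min_daily_alerts"]
    return max(policy["min_daily_alerts"], mean(counts) + policy["sigma"] * pstdev(counts))


def triage(raw_alerts, history, policy):
    """Return (cases, stats): one case per user whose day exceeds their baseline."""
    deduped = dedupe(raw_alerts)
    suspicious = [a for a in deduped if not is_benign(a, policy)]
    by_user = defaultdict(list)
    for a in suspicious:
        by_user[a["user"]].append(a)
    cases = []
    for user, events in by_user.items():   # sample input is one day, so one count per user
        threshold = per_user_threshold(history, user, policy)
        if len(events) > threshold:
            cases.append({"user": user, "count": len(events), "threshold": round(threshold, 2),
                          "bytes": sum(e["bytes"] for e in events),
                          "files": sorted({e["filename"] for e in events})})
    stats = {"raw": len(raw_alerts), "deduped": len(deduped),
             "suspicious": len(suspicious), "cases": len(cases)}
    return cases, stats


if __name__ == "__main__":
    cases, stats = triage(RAW_ALERTS, HISTORY, POLICY)
    print(stats)
    for c in cases:
        print(f"CASE {c['user']}: {c['count']} events (> {c['threshold']}), "
              f"{c['bytes']:,} bytes, files={c['files']}")
```

On the constructed input, nine raw alerts become eight after de-duplication, five survive the benign filters, and only one case is opened: bob’s four uploads to an unsanctioned path exceed his baseline of roughly 3.87 events per day, while carol’s single upload stays under the floor a new user gets. The floor matters in practice: a user with a perfectly flat history has a standard deviation of zero, and without it a single extra alert would open a case.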