In a discussion between Ben Harrison, Director SOC and Security Services at Cygilant and Jake McCabe, CISSP, Presales Director at LogPoint, we summarize why machine learning and a SOC go hand in hand.
Traditional SIEMs take a rules-based approach to generating alerts. Because you can easily write a search, they are very good at picking out known-bad entities. However, some activity is not so black and white. For example, say a user transfers a large amount of data to a file-transfer website. You can detect that activity, but the question is whether it is good or bad: is the person stealing data, or is it entirely benign and business related?
A modern SIEM includes machine learning, a very useful complement to this rules-based approach. It can help businesses better understand whether activity in their environment is good or bad. Machine learning models the behavior of users and entities within your environment without you or a SOC analyst having to train it in any way. It looks at behavior over time to build a baseline of how users and entities act and to establish what is "normal." With these baselines, SOC analysts can look for changes in behavior, that is, anomalies. When anomalies are viewed on a larger scale, you can start to deduce whether activities are good or bad.
Using the example above of a large transfer to a file-transfer website, you can look at what happened before and after. For instance, was there activity that looked like lateral movement, or like data staging, where data was gathered from different places on the network onto that host and then sent to the Internet? Looking at the other events surrounding an anomaly in this way helps you identify threats that would otherwise be very difficult to detect with a rules-based approach.
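To make the baseline-and-context idea concrete, here is an added example in Python; it is not code from the discussion, from LogPoint or from Cygilant. It builds a per-user baseline of daily upload volume from a constructed set of proxy and file-share events, flags a day whose volume falls far outside that baseline, and then checks the preceding 24 hours for reads from several internal servers onto the same host, which is the data-staging pattern described above. The event tuple layout, the `smb_read`/`upload` event types, the z-score threshold of 3 and the two-source staging minimum are all assumptions made for this example, not settings of any product.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
import statistics

# Constructed sample events (not from any real environment). Each tuple is
# (timestamp, user, host, event_type, peer, bytes). "upload" is an outbound
# transfer to an external file-sharing site seen at the proxy; "smb_read" is a
# file read from an internal server onto the user's host. Field layout is assumed.
SAMPLE_EVENTS = [
    # Seven days of routine uploads: alice ~50 MB/day, bob ~20 MB/day
    *[(datetime(2024, 3, d, 10, 0), "alice", "wks-01", "upload", "share.example", 50_000_000 + d * 100_000)
      for d in range(1, 8)],
    *[(datetime(2024, 3, d, 11, 0), "bob", "wks-02", "upload", "share.example", 20_000_000 + d * 50_000)
      for d in range(1, 8)],
    # Day 8: bob stays routine; alice uploads 2 GB after reading from three internal servers
    (datetime(2024, 3, 8, 11, 0), "bob", "wks-02", "upload", "share.example", 20_250_000),
    (datetime(2024, 3, 8, 1, 10), "alice", "wks-01", "smb_read", "fs-hr", 600_000_000),
    (datetime(2024, 3, 8, 1, 25), "alice", "wks-01", "smb_read", "fs-finance", 700_000_000),
    (datetime(2024, 3, 8, 1, 40), "alice", "wks-01", "smb_read", "fs-eng", 650_000_000),
    (datetime(2024, 3, 8, 2, 30), "alice", "wks-01", "upload", "share.example", 2_000_000_000),
]
BASELINE_DAYS = {date(2024, 3, d) for d in range(1, 8)}  # learning window
TARGET_DAY = date(2024, 3, 8)                             # day under review


def daily_upload_totals(events):
    """Sum uploaded bytes per (user, calendar day)."""
    totals = defaultdict(int)
    for ts, user, _host, etype, _peer, nbytes in events:
        if etype == "upload":
            totals[(user, ts.date())] += nbytes
    return totals


def build_baselines(events, baseline_days):
    """Per-user mean and population stdev of daily upload volume over the baseline window."""
    per_user = defaultdict(list)
    for (user, day), nbytes in daily_upload_totals(events).items():
        if day in baseline_days:
            per_user[user].append(nbytes)
    return {
        user: (statistics.mean(vals), statistics.pstdev(vals) if len(vals) > 1 else 0.0)
        for user, vals in per_user.items()
    }


def upload_anomalies(events, baseline_days, target_day, z_threshold=3.0):
    """Return {user: z-score} for users whose target-day volume is far above their baseline."""
    baselines = build_baselines(events, baseline_days)
    anomalies = {}
    for (user, day), nbytes in daily_upload_totals(events).items():
        if day != target_day or user not in baselines:
            continue
        mean, stdev = baselines[user]
        # A perfectly flat baseline has stdev 0; fall back to 10% of the mean so a
        # jump is still measurable instead of dividing by zero.
        spread = stdev if stdev > 0 else max(mean * 0.1, 1.0)
        z = (nbytes - mean) / spread
        if z >= z_threshold:
            anomalies[user] = z
    return anomalies


def staging_context(events, user, upload_time, lookback=timedelta(hours=24), min_sources=2):
    """Internal servers the user read from shortly before the upload (empty if below min_sources)."""
    sources = {
        peer
        for ts, u, _host, etype, peer, _nbytes in events
        if u == user and etype == "smb_read" and upload_time - lookback <= ts <= upload_time
    }
    return sources if len(sources) >= min_sources else set()


def triage(events, baseline_days, target_day):
    """Combine the volume anomaly with preceding staging activity into one finding per user."""
    findings = {}
    for user, z in upload_anomalies(events, baseline_days, target_day).items():
        last_upload = max(ts for ts, u, _h, et, _p, _b in events
                          if u == user and et == "upload" and ts.date() == target_day)
        sources = staging_context(events, user, last_upload)
        findings[user] = {
            "z": round(z, 1),
            "staging_sources": sorted(sources),
            # Volume alone is "medium"; volume preceded by multi-server collection is "high"
            "priority": "high" if sources else "medium",
        }
    return findings


def run_demo():
    """Run the triage over the constructed events."""
    return triage(SAMPLE_EVENTS, BASELINE_DAYS, TARGET_DAY)


if __name__ == "__main__":
    for user, finding in run_demo().items():
        print(user, finding)
```

On the constructed data only alice is flagged: her 2 GB upload sits thousands of standard deviations above a 50 MB/day baseline, and the three `smb_read` events in the preceding hours turn a bare volume alert into a high-priority staging-then-exfiltration finding, while bob's slightly larger upload stays within his baseline and produces nothing. A rule that simply thresholds upload size would either miss alice on a quieter day or fire on every legitimately large transfer.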