Finding a straw in a haystack

Cyber security is no longer like finding a needle in a haystack, but more like finding a specific piece of straw in a haystack. Each SOC is familiar with limited time and resources. SMT joins forces with Mnemonic to take on this challenge, no time to waste.

How do we do that?

We will explain it by using an example, in which we take company XYZ with about [Office9] 2,000 employees. The numbers we use in the example come from reports from our existing customers.

Company XYZ generates an average of 403,602 security alerts coming from software every day. To look at each of these events individually is virtually impossible, so we set up special software to separate the chaff from the corn. The Security Information and Event Management (SIEM) system is a good example of this. A well-configured SIEM can filter out between [MH10] 99% to 99.8% of security alerts. This is a significant reduction, but still an average of 700 and 4,000 notable events is left. What to do now?

Notable Events

Security Analysts examine the notable events based on random checks and by fine tuning try to get the numbers down even further. A calculation teaches us that with 700 notable events per day and an occupation of 6 security analysts on a SOC, each investigation can not last longer than 4 minutes. With 4000 notable events per day we are talking about a maximum of 43 seconds per investigation! In many companies this is where the reduction stops.

Take it one step further

The qualification from Security Alert to Notable Event is a reduction in volume of 99%. But even then the numbers are not favorable to security analysts. What we need is another reduction of 99% to make it all manageable.

This is where Mnemonic will help. Through the Argus Platform, Mnemonic adds machine learning and big data analytics to the qualification of the events. Every day, Argus analyzes over 4.5 billion security alerts worldwide and with this intelligence they reduce the 700 to 4000 notable events further to 80 to 82 notable events. These notable events are manually evaluated by Mnemonic security analysts to eventually end up with only 2 security incidents per day. The reliability of these security incidents is a demonstrable 98.4% and the available time for the security analyst runs up to 4 hours per event. Let the hunt begin!

mnemonic

Mnemonic is an IT and Information Security organization that delivers Managed Security Services, provides threat intelligence and advanced detection of targeted attacks. Mnemonic is one of Europe’s largest IT security service providers, the preferred security partner of top companies in the region and a reliable source for threat intelligence for Europol and various other law enforcement agencies worldwide. Gartner appointed Mnemonic, as only European organization, as a Representative Vendor. Mnemonic publishes an annual Security Report in which they elaborate about the events that took place in the world of security.

Download the 2018 Security Report here.

August 2017