Improving cybersecurity alert triage through deep learning
Cyber security teams across all business types are bombarded with thousands of alerts on a daily basis. These need to be investigated and analysed to decide which to prioritise for further analysis and investigation by experts. This process is currently done manually in many organisations but will soon no longer be either an acceptable or scalable approach. This is because these teams are overwhelmed with alerts from security tools such as information and event management (SIEM) or endpoint detection and response (EDR) mostly due to growingly volumes of generated alerts.
This means analysts look at only a small fraction of the daily thousands of alerts leading to threats that go unnoticed for weeks or even months which can have serious consequences.
There are two main issues which arise from the current triage process. The first is alert storms which are periods of time when alerts overflow the ordinary rate, caused by vulnerabilities, targeted attacks, misconfiguration, or user negligence. This means SOC analysts fall behind on those alerts they need to look at and in turn can lead to business-critical damage, disruption, downtime or income loss.
The second is alert fatigue. This is when the personnel regularly dealing with the alerts experience high stress levels and can lead on to a loss of attention and then attacks can slip right past them.
Other challenges organisations face with the current method is lack of experienced personnel due to skills shortage, a large portion of alerts being false positives and poor-quality alerts that lack the required context for analysis. The significant part of alerts received which are false positives leads to much wasted time in analysing and triage, therefore causing delay in finding the real incidents.
Arcanna.ai, a Cognitive Automation platform that uses AI to automate processes, smooths the triage process by leveraging deep learning and automates the decision process for alert triage. Because the dataset required consists of alert events coming from various and any security tools and sensors, without being limited to certain compatible systems, Arcanna.ai is a domain-agnostic Cognitive Automation Platform.
It combines deep learning neural networks such as Long Short-Term Memory, automation and knowledge retention to automate the alert triage process in an efficient manner. This method enables Arcanna.ai to learn from expert knowledge and adapt to the particularities of the ecosystem in which it runs.
This model therefore becomes a representation of all the experts that have ever provided analysis and feedback and consequently acts according to their collective knowledge.
Siscale, the creators of Arcanna.ai, are currently running a crowdfunding investment campaign via SeedBlink where they have already received financing from 41 investors.