How Can GenAI Revolutionize the SOC? Taming Alert Fatigue
Way back in 2017, using GenAI embeddings to tackle SOC Alert Fatigue
Every CISO knows that in a SOC, every second counts. Back in 2017, while working with a cutting-edge SOC (Security Operations Center) at a cloud company, our team faced the daunting challenge of analyzing and responding to alerts and incidents on behalf of our clients. On average, our SOC analysts had a mere one minute to decipher each alert!
You can imagine the high-pressure environment in the SOC workspace. Alert fatigue was rampant, and amidst the flood of notifications, there was a real risk of missing genuine threats. It was clear that a transformative solution was needed.
There was no GenAI to help. We decided to use Knowledge Graph-based AI / ML to tackle the problem. We embarked on a journey to harness the power of these technologies to revolutionize our SOC operations, combating alert fatigue and ensuring that no real attacks slipped through the cracks.
Our solution? Utilizing Knowledge Graphs and Embeddings to prioritize alerts and provide valuable insights to SOC analysts.
How did we train the model?
1. Creating the Training Dataset:
We started by capturing a wealth of data - alerts, incidents, and the human analysis behind them - spanning the previous days. Each alert was meticulously labeled by human analysts, accompanied by explanations detailing why certain alerts were deemed false positives.
Attributes of an Alert:
Source IP Address
Destination IP Address
Event Type
Timestamp
Severity Level
Alert Description
2. Training the Model using Knowledge Graph Embeddings:
We used algorithms similar to those behind Google's search ranking: build a large graph of alerts, represent it as a large (adjacency) matrix, and compute that matrix's eigenvectors to produce the model.
To create a graph of alerts, we can utilize these attributes to establish connections between alerts based on their similarities. For example, alerts originating from the same source IP address or targeting the same destination IP address can be linked together. Additionally, alerts triggered by similar event types or occurring within a similar timeframe can be connected. By representing these relationships as edges in a graph, we can build a comprehensive network of interconnected alerts, facilitating the detection of patterns and anomalies within the data.
The following figure shows how the embedding assigns a unique vector to each incoming alert.
3. Evaluating the Model:
With an evaluation dataset in hand, we rigorously tested the effectiveness of our model. We measured its ability to accurately prioritize alerts and distinguish between genuine threats and false positives.
4. Integration with Production Environment:
Once validated, we seamlessly integrated the AI-powered alert prioritization system into our production environment. Now, with every new alert that surfaced, our system provided automated assessments of its validity, drawing on patterns and insights gleaned from past occurrences.
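A toy version of the pipeline described in steps 2 and 4, added here as an illustration and not the original team's code: alerts are linked by shared source IP, destination IP, event type and time window; the weighted adjacency matrix's leading eigenvectors give each alert a vector; an incoming alert is embedded with the labelled history and its nearest labelled neighbours vote on whether it looks like a known false positive. The alerts, labels and the pure-Python eigensolver are constructed assumptions (a real deployment would use a library eigensolver on a far larger graph).

```python
from math import sqrt
from collections import Counter

# Constructed sample data (not from the article): analyst-labelled history.
# Fields: id, source IP, destination IP, event type, timestamp (s), label.
LABELLED = [
    ("a1", "10.0.0.5", "203.0.113.9",  "port_scan",   100,  "false_positive"),
    ("a2", "10.0.0.5", "203.0.113.9",  "port_scan",   160,  "false_positive"),
    ("a3", "10.0.0.5", "203.0.113.9",  "port_scan",   220,  "false_positive"),
    ("a4", "10.0.0.7", "198.51.100.2", "brute_force", 5000, "true_positive"),
    ("a5", "10.0.0.7", "198.51.100.2", "brute_force", 5040, "true_positive"),
    ("a6", "10.0.0.7", "198.51.100.3", "brute_force", 5100, "true_positive"),
]

def edge_weight(a, b, window=300):
    """Edge weight = number of shared attributes (src IP, dst IP, event type)
    plus one if the two alerts fired within `window` seconds of each other."""
    return sum([a[1] == b[1], a[2] == b[2], a[3] == b[3], abs(a[4] - b[4]) <= window])

def adjacency(alerts, window=300):
    # Weighted adjacency matrix of the alert graph, no self-loops.
    n = len(alerts)
    return [[float(edge_weight(alerts[i], alerts[j], window)) if i != j else 0.0
             for j in range(n)] for i in range(n)]

def top_eigenvectors(m, k, iters=200):
    """Leading k eigenvectors of symmetric m by orthogonal iteration (power
    iteration plus Gram-Schmidt); a stand-in for a library eigensolver."""
    n = len(m)
    vecs = [[float((i * (j + 2)) % 5 + 1) for i in range(n)] for j in range(k)]
    for _ in range(iters):
        vecs = [[sum(m[r][c] * v[c] for c in range(n)) for r in range(n)] for v in vecs]
        basis = []
        for v in vecs:
            for u in basis:  # strip components along earlier vectors
                d = sum(x * y for x, y in zip(u, v))
                v = [x - d * y for x, y in zip(v, u)]
            norm = sqrt(sum(x * x for x in v)) or 1.0
            basis.append([x / norm for x in v])
        vecs = basis
    return vecs

def embed(alerts, k=2):
    """Alert i -> its coordinates across the top-k eigenvectors of the graph."""
    vecs = top_eigenvectors(adjacency(alerts), k)
    return [[vecs[j][i] for j in range(k)] for i in range(len(alerts))]

def assess(new_alert, labelled=LABELLED, k=2, neighbours=3):
    """Embed the incoming alert together with the history and let its nearest
    labelled neighbours vote. Returns (suggested_label, vote_counts)."""
    emb = embed(labelled + [new_alert], k)
    target = emb[-1]
    dist = lambda v: sqrt(sum((x - y) ** 2 for x, y in zip(v, target)))
    ranked = sorted(range(len(labelled)), key=lambda i: dist(emb[i]))
    votes = Counter(labelled[i][5] for i in ranked[:neighbours])
    return votes.most_common(1)[0][0], dict(votes)
```

Calling `assess(("n1", "10.0.0.5", "203.0.113.9", "port_scan", 250, None))` suggests `false_positive` because the new alert lands on top of the three labelled port-scan alerts in embedding space; an alert with no shared attributes gets only weak votes, which is the "novel alert" weakness noted under Challenges.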
Outcome:
The system demonstrated promising results by effectively identifying and grouping similar alerts, suggesting false positives based on historical data, and clustering real incidents. The overall efficiency improvement, benchmarked at 10 to 20%, was encouraging.
Challenges:
Skewness in Labelled Attacks vs. Naive Alerts: Addressing the class imbalance between the few labeled attacks and the far larger number of naive alerts was a significant challenge.
Novel Alerts with Unseen Patterns: The system struggled with novel alerts exhibiting unseen patterns, posing a hurdle to accurate detection.
Retraining the Model on Latest Dataset: Continuously retraining the model on the latest dataset proved to be labor-intensive and time-consuming.
Conclusion:
The impact of our AI-driven solution was encouraging. SOC analysts were no longer drowning in a sea of alerts; instead, they were equipped with actionable insights, enabling them to focus their attention where it mattered most. Alert fatigue was reduced.
Looking ahead, the implementation of GenAI LLMs (large language models) holds promise in mitigating these challenges, potentially enhancing the system's effectiveness and adaptability.
Are you building something awesome by leveraging GenAI? I would love to talk to you, hear about your journey, and explore how we can collaborate.