To address the above challenges, ADACOM upgraded the SOC services it provides to AI-Driven Managed Extended Detection and Response (AI-Driven Managed XDR) services, without tying their delivery to the technology of a single vendor.
A multi-layered approach that combines a range of algorithms is generally the most effective way to deal with ill-defined forms of cyber threat. ADACOM's SOC services, in addition to collecting and correlating security events and having them analysed by experienced analysts, are based end-to-end on Machine Learning (ML) and Artificial Intelligence (AI) algorithms that build models of how an infrastructure normally operates along four fundamental axes: Endpoints, Users, Network and Cloud Services.
What differentiates our service delivery is that the customer's IT infrastructure does not merely forward security events to our SIEM solution; instead, the technology deployed at each layer detects cyber-attacks itself, through behavioral models based on machine learning and artificial intelligence algorithms. In addition, security incidents are investigated not only by the analysts but also by the artificial intelligence service of IBM QRadar Advisor with Watson, which we have integrated into our SOC services.
Implementation at Endpoints
To detect and respond to cyber-attacks on an organization's endpoints, we have integrated the eASIS Threat Management Platform (based on IBM QRadar SIEM software) with an Endpoint Detection and Response (EDR) solution. This endpoint protection mechanism provides continuous monitoring of, and response to, advanced threats through ML and AI algorithms, unlike anti-virus and anti-malware solutions, which focus mainly on stopping threats in the pre-execution phase. The solution's analysis engine combines several approaches, such as machine learning models, behavioral analysis and other advanced detection techniques, to detect and neutralize malicious activity.
Implementation for Users
To detect threats based on user behavior, we have integrated the eASIS platform with a User Behavior Analytics (UBA) solution. This solution applies machine learning models to user behavior, enriching flows and events with behavioral context in order to identify the accounts that attackers use during an intrusion. The UBA service adds two key functions: (a) risk profiling and (b) unification of user identities.
A threat is identified by scoring the risk of individual events with mathematical models that use machine learning. Each event is assigned a risk score that depends on the severity and criticality of what was detected.
The UBA service bases its results on three main categories of events and flows:
1. Network traffic related to access, authentication and account changes.
2. User behavior on the network, as reported by devices such as proxies, firewalls, IPS and VPN gateways.
3. Events from endpoints and applications, such as Windows, Linux and SaaS applications.
Unification of user identities is achieved by combining the different accounts that belong to one person. By importing accounts from Active Directory, LDAP, a lookup table or a CSV file, the service learns which accounts belong to each user. This allows risk to be calculated per user, even when that user holds multiple accounts, so that activity spread across several accounts is not scored separately and underestimated.
Machine Learning (ML) further enhances the UBA service, providing more accurate and in-depth risk calculations that can detect even zero-day threats.
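The following is an added illustrative example, not code from ADACOM or from the IBM QRadar UBA product. It shows the two UBA functions described above working together: per-event risk scoring by severity and category criticality, and identity unification from a CSV export, so that one person's risk is aggregated across all of their accounts. The identity rows, events, category weights and threshold are all constructed for the illustration.

```python
"""Per-user risk aggregation with identity unification.

Added illustrative example, not the eASIS / IBM QRadar UBA implementation.
It shows why unifying accounts matters for risk profiling: the same person
may appear as an AD account, an admin account and a SaaS identity, and an
attacker who spreads activity across them would otherwise be scored as
three low-risk accounts instead of one high-risk user.
Identity rows, events, weights and the threshold are all constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed identity export in CSV form (the same shape the service could
# get from Active Directory, LDAP or a lookup table): account -> user.
IDENTITY_CSV = """account,user
jdoe,john.doe
jdoe_adm,john.doe
john.doe@example.com,john.doe
asmith,alice.smith
"""

# Constructed events, one per UBA category: "auth" (access, authentication,
# account changes), "network" (proxy, firewall, IPS, VPN) and "endpoint"
# (Windows, Linux, SaaS). Severity is 1 (low) to 10 (high).
EVENTS = [
    {"account": "jdoe", "category": "auth", "name": "login_failure", "severity": 3},
    {"account": "jdoe", "category": "auth", "name": "login_failure", "severity": 3},
    {"account": "jdoe", "category": "auth", "name": "login_success", "severity": 1},
    {"account": "jdoe_adm", "category": "auth", "name": "account_changed", "severity": 7},
    {"account": "jdoe_adm", "category": "network", "name": "vpn_login_new_country", "severity": 6},
    {"account": "john.doe@example.com", "category": "endpoint", "name": "saas_mass_download", "severity": 8},
    {"account": "asmith", "category": "auth", "name": "login_success", "severity": 1},
    {"account": "asmith", "category": "network", "name": "proxy_blocked_url", "severity": 2},
]

# Assumed criticality weight per category; real deployments tune these.
CATEGORY_WEIGHT = {"auth": 1, "network": 2, "endpoint": 3}


def load_identities(csv_text):
    """Parse the account->user CSV into a lookup dict (case-insensitive keys)."""
    identities = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        identities[row["account"].strip().lower()] = row["user"].strip().lower()
    return identities


def resolve_user(identities, account):
    """Map an account to its unified user; unknown accounts stand on their own."""
    key = account.strip().lower()
    return identities.get(key, key)


def event_risk(event):
    """Risk of one event: severity scaled by the criticality of its category."""
    return event["severity"] * CATEGORY_WEIGHT[event["category"]]


def score_by_account(events):
    """Naive roll-up per account, with no identity unification."""
    scores = defaultdict(int)
    for event in events:
        scores[event["account"]] += event_risk(event)
    return dict(scores)


def score_by_user(events, identities):
    """Roll-up per unified user: every account's risk lands on its owner."""
    scores = defaultdict(int)
    for event in events:
        scores[resolve_user(identities, event["account"])] += event_risk(event)
    return dict(scores)


def high_risk_users(events, identities, threshold):
    """Users whose aggregated risk meets or exceeds the threshold."""
    return sorted(user for user, score in score_by_user(events, identities).items()
                  if score >= threshold)


if __name__ == "__main__":
    identities = load_identities(IDENTITY_CSV)
    print("per account:", score_by_account(EVENTS))      # no single account reaches 30
    print("per user:   ", score_by_user(EVENTS, identities))
    print("high risk:  ", high_risk_users(EVENTS, identities, threshold=30))
```

With these constructed values, no individual account scores above 24, so a per-account view with a threshold of 30 raises nothing; once jdoe, jdoe_adm and john.doe@example.com are unified, john.doe aggregates to 50 and is flagged, which is the effect the identity unification function is meant to achieve.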
Implementation in the Network
To detect advanced network threats, a Network Detection and Response (NDR) solution can be deployed with visibility into the internal network and integrated with the eASIS platform, monitoring for malicious actions on the basis of suspicious behavior.
Unlike a SIEM, whose detection relies on static models in the form of correlation rules and use cases, the analysis engine of this solution relies on analyzing and understanding network behavior with machine learning and artificial intelligence algorithms. By analyzing the network behavior of users, endpoints, servers and other assets, the solution is trained on the organization's environment so that it can detect abnormal behavior resulting from malicious activity or malicious software.
Implementation in Cloud Services
To detect advanced threats in the cloud services an organization uses, those services are connected via API to our Cloud Threat Analytics service. The solution monitors for malicious actions in the cloud on the basis of suspicious behavior. Its analysis engine analyzes and understands the behavior of transactions with cloud services, both user-to-cloud and cloud-to-cloud, using machine learning and artificial intelligence algorithms. By analyzing this behavior, the solution is trained on the organization's cloud services so that it can detect abnormal behavior resulting from malicious activity or malicious software.
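Both the network section and the cloud section above contrast a learned behavioral model with the static correlation rules of a SIEM. The following is an added illustrative example, not code from ADACOM, the NDR vendor or the Cloud Threat Analytics service: it learns a per-entity baseline from a training period and then flags two kinds of deviation, behavior never seen before and known behavior at an abnormal magnitude, beside a fixed-threshold rule for comparison. One record shape covers both network flows and cloud API transactions; all records, host names, addresses, API action names and thresholds are constructed.

```python
"""Learned behavioral baseline versus a static correlation rule.

Added illustrative example, not the NDR or Cloud Threat Analytics product
logic. One record shape covers both network flows (host -> destination
port/address) and cloud API transactions (identity -> API action), so the
same baseline serves the network and cloud axes. All records, names and
thresholds are constructed.
"""
import statistics
from collections import defaultdict


def make_records(entity, action, volumes):
    """Build constructed records: who acted, what they did, how many bytes."""
    return [{"entity": entity, "action": action, "volume": v} for v in volumes]


# Constructed training period: normal behavior, one record per hour.
TRAINING = (
    # host-01 talks HTTPS to one SaaS address, roughly 1-3 MB per hour.
    make_records("host-01", "tcp/443->203.0.113.10",
                 [1_200_000, 1_500_000, 2_800_000, 1_900_000, 2_200_000, 1_700_000])
    # alice.smith reads a few objects from cloud storage, 4-7 MB per hour.
    + make_records("alice.smith", "cloud:GetObject",
                   [4_000_000, 6_000_000, 5_500_000, 3_900_000, 7_000_000, 5_000_000])
)

# Constructed detection period: one normal record and three suspicious ones.
TEST = [
    {"entity": "host-01", "action": "tcp/443->203.0.113.10", "volume": 2_000_000},
    {"entity": "host-01", "action": "tcp/22->198.51.100.7", "volume": 50_000},       # never-seen SSH destination
    {"entity": "alice.smith", "action": "cloud:GetObject", "volume": 600_000_000},  # mass download
    {"entity": "alice.smith", "action": "cloud:PutBucketPolicy", "volume": 0},       # never-seen API action
]


def build_baseline(records, min_samples=2):
    """Per (entity, action): mean and sample stdev of volume.

    Pairs with fewer than min_samples observations are dropped, so a single
    sighting during training does not become a "normal" with zero spread.
    """
    volumes = defaultdict(list)
    for r in records:
        volumes[(r["entity"], r["action"])].append(r["volume"])
    baseline = {}
    for key, vals in volumes.items():
        if len(vals) >= min_samples:
            baseline[key] = (statistics.mean(vals), statistics.stdev(vals))
    return baseline


def classify(baseline, record, k=3.0):
    """Return 'new_behavior', 'volume_anomaly' or None for one record."""
    key = (record["entity"], record["action"])
    if key not in baseline:
        return "new_behavior"            # this entity never did this in training
    mean, stdev = baseline[key]
    if record["volume"] > mean + k * stdev:
        return "volume_anomaly"          # known behavior, abnormal magnitude
    return None


def baseline_alerts(baseline, records, k=3.0):
    """Every record the learned baseline flags, with its verdict."""
    alerts = []
    for r in records:
        verdict = classify(baseline, r, k)
        if verdict:
            alerts.append((r["entity"], r["action"], verdict))
    return alerts


def static_rule_alerts(records, limit=100_000_000):
    """A SIEM-style correlation rule: alert when volume exceeds a fixed limit."""
    return [(r["entity"], r["action"], "volume_over_limit")
            for r in records if r["volume"] > limit]


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    print("static rule:", static_rule_alerts(TEST))      # only the mass download
    print("baseline:   ", baseline_alerts(base, TEST))   # all three suspicious records
```

On this constructed data the fixed-threshold rule catches only the 600 MB download; the learned baseline also flags the SSH connection to an address host-01 never contacted and the bucket-policy change alice.smith never performed, neither of which involves a volume any static limit would catch. The `min_samples` guard is the practitioner's caveat: a baseline built from one observation has zero spread and would flag every later variation of that behavior.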