
The Challenge 

Digital transformation and the adoption of remote and hybrid work models in enterprises dramatically increase the risk of cyber-attacks and lead companies to outsource SOC services (SOCaaS). At the same time, the traditional operating model of a security service provider, which is divided into three (3) levels: DATA, SIEM & SOC, has the following issues per level:

DATA: Incomplete configuration of system logging policies, which allows the cybercriminal to infiltrate the customer/target’s network with zero-day malicious code and disable the logging policy.

SIEM: Incomplete or insufficient implementation and/or tuning of correlation rules, and limited use of the SIEM software’s capabilities, mean that security events from the customer’s infrastructure are not normalized and the attack is not effectively detected.

SOC: Incorrect analysis and characterization of an incident’s criticality as low, or as a false positive, lets the cyber-attack go unnoticed.

Services Description

In order to address the above challenges, ADACOM has upgraded the SOC services it provides to AI-Driven Managed Extended Detection and Response (AI-Driven Managed XDR) services, without their provision depending on the technological solutions of a single vendor.

A multi-layered approach, combined with a series of algorithms, is generally the best way to deal with ill-defined forms of cyber threats. ADACOM’s SOC services, in addition to the collection and correlation of security events and their analysis by experienced analysts, are based end-to-end on Machine Learning (ML) and Artificial Intelligence (AI) algorithms that build operating models of an infrastructure along four (4) fundamental axes: Endpoints, Users, Network & Cloud Services.

Our differentiation in service delivery is that the customer’s IT infrastructure does not simply feed security events to our SIEM solution; instead, the technological solution implemented at each level detects cyber-attacks through behavioral models based on machine learning and artificial intelligence algorithms. In addition, security incidents are investigated not only by the analysts but also by the artificial intelligence service of IBM QRadar Advisor with Watson, which we have integrated with our SOC services.

Implementation at Endpoints

To detect and respond to a cyber-attack on the endpoints of an organization, we have integrated the eASIS Threat Management Platform (based on IBM QRadar SIEM software) with an Endpoint Detection and Response solution. This is an endpoint protection mechanism that provides continuous monitoring of, and response to, advanced threats through ML and AI algorithms, unlike anti-virus and anti-malware solutions, which mainly focus on addressing threats in the pre-execution phase. The analysis engine of the solution uses various approaches, such as machine learning models, behavioral analysis, and other sophisticated detection techniques, to detect and neutralize any cybercriminal.

Implementation to Users

To detect threats based on user behavior, we have integrated the eASIS platform with a user behavior analytics (UBA) solution. This solution applies machine learning models of user behavior to flows and events in order to identify the accounts used by cybercriminals during an attack. The UBA service adds two key functions: (a) risk profiling and (b) unifying user identities.

A threat is identified by scoring the risk of the various events using advanced mathematical models based on machine learning. Each event is assigned a risk score, depending on the severity and criticality of the event detected.

The UBA service bases its results on three main categories of events and flows:

1. Network traffic related to access, authentication, and account changes.

2. The behavior of users on the network, as seen by devices such as proxies, firewalls, IPS and VPN.

3. Events from endpoints and applications, such as Windows, Linux, and SaaS applications.

Consolidation of user identities is achieved by combining the different accounts that belong to one user. By importing the accounts from an Active Directory, LDAP, lookup table, or CSV file, the service learns which accounts belong to each user. This allows the risk to be calculated per user, even when that user has multiple accounts.
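As an added illustration, and not ADACOM’s or any UBA product’s own code, the following Python sketch shows why unifying identities matters for risk profiling: a hypothetical account-to-user lookup table in CSV form is loaded, constructed sample events are each given a risk score, and the scores are summed per user rather than per account. The CSV layout, account names, event types and scores are all constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed lookup table (hypothetical CSV layout): account -> person.
IDENTITY_CSV = """username,display_name
jdoe,John Doe
john.doe,John Doe
jdoe_admin,John Doe
asmith,Alice Smith
"""

# Constructed sample events: (account, event type, per-event risk score).
EVENTS = [
    ("jdoe", "failed_login", 3),
    ("john.doe", "off_hours_vpn", 4),
    ("jdoe_admin", "account_change", 6),
    ("asmith", "failed_login", 3),
    ("svc-backup", "proxy_denied", 2),  # account absent from the lookup table
]


def load_identities(csv_text):
    """Build the account -> user map from the lookup table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["username"]: row["display_name"] for row in reader}


def score_risk(events, identities, threshold=10):
    """Sum per-event risk per identity and flag identities at or above threshold.

    Accounts that cannot be mapped to a user are kept as standalone identities
    so that their risk is not silently dropped.
    """
    risk = defaultdict(int)
    for account, _event_type, score in events:
        risk[identities.get(account, account)] += score
    flagged = sorted(user for user, total in risk.items() if total >= threshold)
    return dict(risk), flagged


if __name__ == "__main__":
    # Without unification no single account crosses the threshold;
    # with unification the combined activity of one person does.
    print("per account:", score_risk(EVENTS, {}))
    print("per user:   ", score_risk(EVENTS, load_identities(IDENTITY_CSV)))
```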

Machine Learning (ML) is an additional tool that enhances the UBA service and provides accurate, in-depth calculations that can detect even a zero-day threat.

Network Implementation

To detect advanced network threats, a Network Detection and Response (NDR) solution can be installed, which interfaces with the internal network and is integrated with the eASIS platform to monitor for malicious actions based on suspicious behaviors.

The analysis engine of this solution is not based on static analysis models, as a SIEM is with its correlation rules and use cases, but on the analysis and understanding of network behavior using machine learning and artificial intelligence algorithms. Essentially, by analyzing the network behavior of users, endpoints, servers, etc., the solution is trained to understand an organization’s environment in order to detect abnormal behavior resulting from malicious activity or malicious software.

Implementation in Cloud Services

To detect advanced threats in the cloud services used by an organization, these services are connected via API to our Cloud Threat Analytics service. The solution monitors for malicious actions in the cloud based on suspicious behaviors. Its analysis engine is based on analyzing and understanding the behavior of transactions with cloud services, both user-to-cloud and cloud-to-cloud, using machine learning and artificial intelligence algorithms. Essentially, by analyzing this behavior, the solution is trained to understand the organization’s cloud services in order to detect abnormal behavior resulting from malicious activity or malicious software.

How it works

Within the framework of the security incident investigation service based on artificial intelligence mechanisms, the SOC analysts responsible for monitoring security incidents analyze each security incident to determine whether it is a real incident that should be investigated or a false positive.

To reduce the time required to investigate an incident in critical infrastructure, our analysts run the IBM QRadar Advisor with Watson service. The service lends speed and accuracy to the investigation of incidents. It records the data that make up the attack and, based on the information it has, connects to cloud security services in order to investigate whether similar attacks have been carried out in the past. It also enriches the incident case with additional detected information related to the cyber-attack. This information includes the attack techniques and tactics (MITRE ATT&CK) as well as other detected observables (hashes, domains, etc.).

At the push of a button, the security analyst finds the malicious communications associated with the attack, such as infected hosts’ communications with other systems and with command-and-control (CnC) servers over the Internet. Upon completion of the investigation, the analyst has all the information about the attack and is able to forward it to the security incident response team in order to terminate the attack.

Benefits of AI-Driven Managed XDR Services

  • Eliminates the issues stemming from the traditional operating model of SOC service providers: DATA – SIEM – SOC.
  • End-to-end services based on machine learning and artificial intelligence algorithms across the four (4) operating axes of an infrastructure: Endpoints, Users, Network and Cloud Services.
  • Implementation and service provision that do not depend on technological solutions from a single vendor, but on multiple technologies integrated with the eASIS Threat Management Platform.