Corporate IT security operations have too much security data and no efficient way to sort through it. Combing through thousands of alerts from the intrusion detection system, firewalls and log files in search of clues to a major security incident is frustrating and time-consuming. Many, if not most, major breaches were obvious when they were analyzed after the fact, but while they were happening the signs were too small to be noticed.
A new autonomous security operations center platform promises to make the work of security analysts more effective. A timely warning from the platform can be crucial to preventing a breach. It may also point out potential security weaknesses that can be fixed before serious data loss happens.
JASK (a contraction of “Just Ask”) can accept input from a variety of security appliances, software packages and log files, combine it with a vast database of previous security incidents and warnings from security services, and then look for patterns.
It learns from patterns previously seen across other JASK users to analyze and evaluate those incidents. It then presents its appraisal of the threat level together with its degree of confidence.
A security analyst can click on the display of an evaluated series of incidents to get a detailed explanation of the factors that prompted the system to raise an alert. These assessments rest on a large corpus of prior knowledge as well as on what the system learns over time.
Insider threats, which JASK calls Signals, may be minor in themselves; it is their correlation that makes them important enough to become an Insight.
The software can discover events that would probably never be noticed by a human analyst who is confronted with thousands of incidents every day. Individual Signals might be too minor to come to the attention of an analyst; only when they are examined together does their importance become apparent. This sort of pattern is very common in major security breaches, according to brinkwire.com.
Consider a series of small incidents: a phishing email sent to an administrative employee that harvests credentials, followed by an email to the CFO or the CEO designed to elicit a cash transfer. Each might get the attention of a security analyst if it had been noticed at all. Tie them to a hacking incident that reveals the employee phone book, then to a series of other phishing emails that were never acted on, and to emails from an outside server spoofed to look as though they came from an internal server, and together they are all indications that an attack is about to begin.
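The Signal-to-Insight correlation described in the preceding paragraphs, written out as an added illustration that is not JASK's code: the signal kinds, their weights, the seven-day window and the threshold are hypothetical, and the sample Signals are constructed to mirror the scenario above (one account hit by a chain of minor events, plus noise that should not be promoted).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-signal weights for illustration; JASK's real scoring is not described here.
WEIGHTS = {
    "phishing_click": 2,           # employee followed a credential-harvesting link
    "directory_exposure": 3,       # internal phone book / staff directory leaked
    "spoofed_internal_sender": 3,  # outside server sending mail that looks internal
    "wire_transfer_request": 4,    # mail to CFO/CEO urging a cash transfer
}

# Constructed sample Signals: one account hit by a chain of minor events within days,
# an old unrelated click on the same account, and a lone click on another account.
T0 = datetime(2018, 6, 1)
SAMPLE_SIGNALS = [
    {"entity": "finance-admin", "kind": "phishing_click", "time": T0 - timedelta(days=40)},
    {"entity": "finance-admin", "kind": "phishing_click", "time": T0},
    {"entity": "finance-admin", "kind": "directory_exposure", "time": T0 + timedelta(days=1)},
    {"entity": "finance-admin", "kind": "spoofed_internal_sender", "time": T0 + timedelta(days=2)},
    {"entity": "finance-admin", "kind": "wire_transfer_request", "time": T0 + timedelta(days=3)},
    {"entity": "engineer-07", "kind": "phishing_click", "time": T0 + timedelta(days=2)},
]

def correlate(signals, window=timedelta(days=7), threshold=6):
    """Group Signals per targeted entity, slide a time window over each group, and
    promote the first cluster whose summed weight reaches the threshold to an Insight.
    Confidence grows with the number of distinct signal kinds seen in the cluster."""
    by_entity = defaultdict(list)
    for s in signals:
        by_entity[s["entity"]].append(s)
    insights = []
    for entity, group in by_entity.items():
        group.sort(key=lambda s: s["time"])
        for first in group:
            cluster = [s for s in group
                       if first["time"] <= s["time"] <= first["time"] + window]
            score = sum(WEIGHTS.get(s["kind"], 1) for s in cluster)
            if score < threshold:
                continue  # individually minor; nothing an analyst needs to see yet
            kinds = sorted({s["kind"] for s in cluster})
            insights.append({"entity": entity, "score": score,
                             "confidence": round(min(1.0, len(kinds) / len(WEIGHTS)), 2),
                             "kinds": kinds, "start": first["time"]})
            break  # one Insight per entity is enough to surface the whole chain
    return insights

if __name__ == "__main__":
    for insight in correlate(SAMPLE_SIGNALS):
        print(insight)
```

Run on the constructed sample, the lone engineer click and the 40-day-old click stay below threshold, while the four-event chain against the finance account is promoted to a single Insight with full confidence.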
JASK is a cloud-based application that lives on Amazon Web Services. It can use data from other cloud services or from on-premises sources.
What makes JASK unusual, along with the machine learning and AI that allow it to make those correlations, is the fact that it doesn’t need to supplant your existing security structure. It makes use of the output of whatever security systems the customer is already using. It can also extract data from your existing log files and from your raw network traffic. All you need to do is provide access.