What are Decision Models?

The human decision-making process is a complex cognitive function that involves several interconnected steps. When one of us needs to make a decision, we first gather relevant information to build the context, cues, and insights that help us make the best choice. Our brain identifies patterns and draws connections between the present scenario and similar situations we’ve encountered before. This more intentional kind of processing is known as “System 2” thinking[1] and requires time and effort to go from raw data to informed opinion.


Fig. 1: System 2 Thinking (Intentional)


However, when we experience similar scenarios in the future, our intuition (“System 1,”[1] loosely) kicks in to help us make decisions in a split second.


Fig. 2: System 1 Thinking (Intuition)


Similarly, every time a SOC analyst triages an alert, they are performing “System 1” reasoning: very quickly scanning dozens of different data points, combining them with their knowledge and experience, and ultimately coming to a conclusion. Is this malicious, benign, or do I need more information to decide?


Fig. 3: Analysts in Alert Triage


Our Decision Models aim to mimic this process at machine speed. When setting up a new type of use case within Arcanna, someone with knowledge and expertise about how their organization handles certain types of scenarios (for example, triaging EDR alerts) builds a new Use Case. And since there are usually historical alerts that can be processed, that analyst can jump-start the process by training the Decision Model on them so that it recognizes common or important scenarios.

This sequence of context gathering and pattern matching to create Use Cases within Arcanna is just like a human’s decision-making workflow for a new scenario (Figure 1). Ultimately we’re processing and categorizing the incoming data into a set of options (as an aside, this is known in Machine Learning terms as a classification task). Just like analysts weave together many kinds of signals, apply experience-based judgment, and then select one outcome from a finite set of options (Malicious, Benign, or Suspicious, for example), our Decision Models choose the outcome (the best-fitting label) once they have considered that same set of evidence.

Fig. 4: Expert Analysts Creating Decision Models


Once the model has been deployed and trained (which can be accomplished in just a few minutes for initial training), it will start to mimic the intuition of the expert(s) who trained it, thereby allowing every alert that comes in to receive a decision in seconds.

Fig. 5: Arcanna Decision Models Mimicking Analyst Decisions at Scale


At this point, Decision Models can be embedded into your existing workflows to allow your entire SOC to benefit from (and improve upon) that expertise.

Fig. 6: Arcanna Decision Models Embed in Your Workflows


How Do They Help?

1.) Speed at Scale

Our Decision Models usually provide answers in 5 seconds or less, even when considering dozens of different data points across alerts and enrichment information. We can achieve these speeds because our models use a proprietary blend of traditional deep learning rather than generative AI. To pull from a real-world example, one of our global customers triages 200 alerts via Arcanna in the time it previously took them to triage one, and this holds even while they process thousands of alerts per day.


2.) Trust


Of course, doing things quickly but incorrectly is worse than doing them slowly and correctly. Fortunately, because Decision Models learn from your own analysts, you can be confident that their predictions will be aligned with the reality of your organization, freeing your team to spend more time on the dozens of other priorities they have. Moreover, each decision Arcanna makes carries a confidence score that you can use to decide whether to trust it, for example by acting automatically only above a threshold and sending everything else to an analyst.



For events that are significantly different from anything the Decision Model has previously seen, Arcanna reports them as outliers rather than forcing a label onto them.



And finally, if your latest Decision Model is not performing well, rolling back to a previous state is a button click away.


3.) Consistency


As your team interacts with the Decision Models, the models help them be more consistent. This is especially useful for teams with different experience levels, on different shifts, or who are understaffed. After deployment, one of our customers found that their team of 16 analysts was treating the same kinds of alerts very differently, an insight they were only able to gain quantitatively through Arcanna.


4.) Evolution of Knowledge


Any time your organization’s reality changes (such as new threats, risks that can no longer be accepted, and new internal processes), updating traditional automation (such as SOAR) becomes a tightrope walk. Doing this reliably at scale in a way that leverages the growing knowledge and experience of your entire SOC (even as the team, knowledge, and experience change over time) is tedious and challenging. Since Arcanna’s Decision Models learn directly from the actions your team takes over time, they’ll naturally evolve with you.


5.) Improving SLAs


When you can trust that your AI will make consistent decisions that are aligned with how your team would perform the same analysis, it becomes possible to enable an AI-first approach to serving your organization or (in the case of MSSPs) your customers. Arcanna’s Decision Models can be set up to automatically take actions (such as escalating or closing tickets and documenting why those actions were taken) on your behalf to dramatically improve response time. We find that several of our customers use this as a way to handle far more alerts and focus their efforts on the most important few (such as those that are escalated).
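To make the mechanics above concrete (a classifier that returns a label plus a confidence score, flags outliers it has no basis to judge, and only then decides what to do automatically), here is an added example. It is not Arcanna’s code and does not describe Arcanna’s proprietary model; it is a deliberately small nearest-neighbour classifier over a handful of constructed, analyst-labelled EDR alerts so that every step is visible. The field names, labels, sample alerts, neighbour count and thresholds are all assumptions chosen for the illustration.

```python
# Added illustration of alert triage as classification with confidence,
# outlier detection and an action policy. NOT Arcanna's model; a toy
# k-nearest-neighbour classifier over constructed data.
from collections import Counter

# Categorical fields compared between alerts (assumed for the example).
FIELDS = ["process", "parent", "signed", "encoded_cmd", "user_admin"]


def alert(process, parent, signed, encoded_cmd, user_admin):
    """Build an alert record with the fixed field order above."""
    return dict(zip(FIELDS, (process, parent, signed, encoded_cmd, user_admin)))


# Constructed "historical" EDR alerts with the label an analyst gave each one.
HISTORY = [
    (alert("powershell.exe", "winword.exe",    "yes", "yes", "no"),  "malicious"),
    (alert("powershell.exe", "outlook.exe",    "yes", "yes", "no"),  "malicious"),
    (alert("mimikatz.exe",   "cmd.exe",        "no",  "no",  "yes"), "malicious"),
    (alert("powershell.exe", "sccm_agent.exe", "yes", "yes", "yes"), "benign"),
    (alert("powershell.exe", "sccm_agent.exe", "yes", "no",  "yes"), "benign"),
    (alert("msiexec.exe",    "sccm_agent.exe", "yes", "no",  "yes"), "benign"),
    (alert("powershell.exe", "explorer.exe",   "yes", "no",  "yes"), "suspicious"),
    (alert("cmd.exe",        "explorer.exe",   "yes", "no",  "no"),  "suspicious"),
]


def distance(a, b):
    """Hamming distance over the categorical fields: how many fields disagree."""
    return sum(a.get(f) != b.get(f) for f in FIELDS)


def classify(new_alert, history=HISTORY, k=3, outlier_distance=3):
    """Majority vote of the k closest historical alerts.

    confidence: share of the k neighbours that agree with the winning label.
    outlier:    even the closest historical alert differs in >= outlier_distance
                fields, i.e. the model has not seen anything like this before.
    """
    ranked = sorted(history, key=lambda ex: distance(new_alert, ex[0]))  # stable
    neighbours = ranked[:k]
    votes = Counter(label for _, label in neighbours)
    label, count = votes.most_common(1)[0]
    nearest = distance(new_alert, neighbours[0][0])
    return {
        "label": label,
        "confidence": count / k,
        "nearest_distance": nearest,
        "outlier": nearest >= outlier_distance,
    }


def decide(new_alert, auto_threshold=0.6):
    """Map a prediction to a workflow action and record why.

    Automatic actions are gated on BOTH a confidence threshold and the alert
    not being an outlier; anything that fails either gate goes to a human.
    """
    pred = classify(new_alert)
    conf = pred["confidence"]
    if pred["outlier"]:
        action, why = "analyst_review", "outlier: nothing similar in training history"
    elif conf < auto_threshold:
        action, why = "analyst_review", f"low confidence ({conf:.2f})"
    elif pred["label"] == "malicious":
        action, why = "escalate", f"malicious with confidence {conf:.2f}"
    elif pred["label"] == "benign":
        action, why = "auto_close", f"benign with confidence {conf:.2f}"
    else:
        action, why = "analyst_review", "suspicious: needs a human decision"
    return {**pred, "action": action, "reason": why}


if __name__ == "__main__":
    # Constructed new alerts: a known-bad pattern, a known-good pattern,
    # an ambiguous one, and something never seen before.
    for a in [
        alert("powershell.exe", "winword.exe",    "yes", "yes", "no"),
        alert("powershell.exe", "sccm_agent.exe", "yes", "no",  "yes"),
        alert("cmd.exe",        "sccm_agent.exe", "no",  "no",  "no"),
        alert("rundll32.exe",   "svchost.exe",    "no",  "no",  "no"),
    ]:
        print(decide(a))
```

The ordering in `decide` is the point: the outlier check runs before the confidence check, and both run before any automated action, so a never-seen alert is routed to an analyst even when the vote among its (distant) neighbours happens to look decisive. Whatever the real model looks like, the same gating is what lets an AI-first workflow escalate or close tickets on its own without silently mislabelling novel activity.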

What are Common Use Cases?

Because Arcanna’s Decision Models are highly flexible, there are many use cases we can support. We do, however, see certain ones appearing more frequently.

1.) Alert Triage – most customers have a Decision Model for each type of technology they process (e.g., EDR, firewall, identity), though some also create Decision Models per ATT&CK Tactic

2.) Alert Prioritization – when an Alert Triage Decision Model identifies something as bad, a second Decision Model dynamically rates how bad it is (e.g., P0 vs. P1 vs. P2)

3.) Alert Routing – every vendor describes the same data in its own way, and some omit critical fields entirely; a Decision Model lets customers normalize and route everything automatically at scale

4.) Threat Hunting – for sophisticated SOCs with a hypothesis-driven threat hunting function, creating a Decision Model per hypothesis allows continuous analysis of activity for undetected threats

For a deeper dive on these (and other use cases), check out our blog.