Filtered Incident Response: Arcanna & Hive integration
Imagine you ran a newspaper and had a team that brought you various pieces of news to publish. You couldn't just print everything: that would quickly overwhelm your readers, and soon they would stop paying attention. You have to pick only the stories people would find interesting and valuable.
Humans tend to pay less attention to information in which noise outweighs the interesting parts; we tire and lose interest. The same happens to security team members who are overwhelmed with alerts.
In a nutshell, this is what your SOC team needs from smart tools: only the most interesting and helpful information. You need a high-quality filter that selects only those alerts likely to have an impact.
The Hive - Incident Response platform
Think of The Hive as the watchdog of your digital estate. As soon as a threat is detected, a ticket is created containing the intelligence needed to assess the situation.
The incident gets an identifier and is linked to the source and destination IP addresses. Once these are established, the platform checks them against an existing list of known suspicious IPs. If a match is found, the case is flagged so that its impact can be evaluated and possible responses proposed.
As in a real hive, analysts can collaborate on a case, contributing ideas and pieces of evidence to speed up remediation.
Arcanna - the trustworthy filter
The role of Arcanna.ai is to help analysts focus only on the most critical alerts by filtering out false positives and low-priority warnings. The AI-powered platform learns, from thousands of previously recorded incidents and the decisions taken on them, what makes a situation noteworthy, and automatically classifies each new alert.
The primary roles of Arcanna are noise reduction and alert fatigue reduction. It achieves this by automating the alert triage process, an otherwise overwhelming task due to the volume of alerts and data in an organization.
Machine learning to manage incident response
Combining The Hive with Arcanna creates a robust incident management system.
The alert triage system powered by Arcanna filters the alert data lake automatically. It classifies the alerts and notifies SOC team members only about those issues which could escalate into real threats.
The sheer number of potential cases is a problem on its own: working through hundreds of alerts in chronological order rather than by risk priority means handling minor threats first and missing critical incidents.
This is where the machine learning model proves useful: the neural network looks at each alert and classifies it as either a true positive or a false positive. As with any classifier, some true positives will be misclassified and dropped, so suppressed alerts should remain queryable and analyst verdicts on triage decisions should flow back into the model.
Alerts that make it through the AI filter are turned into tickets, which are then served to the NOC or SOC teams.
Document threats and automate further
Using tools like Arcanna and The Hive follows the same steps as a manual investigation, only much faster and more consistently. Sometimes a resolution doesn't even require human intervention, provided the alert is low priority and a decision pattern already exists for that type of situation.
The tools can open the ticket, perform the necessary actions, validate that the threat is gone, and close the ticket. Every automated action should be recorded on the ticket so an analyst can audit what was done. Escalation is reserved for complex cases without a well-defined procedure from previous similar situations.
The good news is that once the SOC team has found a solution, it can capture it as a case template in The Hive and automate similar issues when they recur, simplifying the analysts' work and speeding up the whole system.
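The triage flow described in the two sections above (score each alert, suppress likely false positives, auto-handle low-priority alerts that have a known decision pattern, escalate the rest in risk order, and feed analyst verdicts back into the classifier) is sketched below as an added example. It is not Arcanna's or The Hive's code: a transparent, hand-weighted scoring function stands in for Arcanna's neural network, a dict of callables stands in for The Hive's case templates, and the suspicious-IP list, rules, alerts, weights and thresholds are all constructed sample values.

```python
"""Toy alert-triage pipeline: score, filter, auto-handle, escalate, learn.

Added example. The scoring model and playbooks are stand-ins, not the
products' real logic; all IPs (TEST-NET ranges), rules and alerts are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SUSPICIOUS_IPS = {"203.0.113.7", "198.51.100.22"}  # constructed "known bad" list

@dataclass
class Alert:
    id: str
    rule: str       # name of the detection rule that fired
    src_ip: str
    dst_ip: str
    severity: int   # 1 (info) .. 5 (critical), as set by the detection source
    ts: int         # arrival order (chronological position)

@dataclass
class Decision:
    alert: Alert
    score: float    # 0..1 estimate that the alert is a true positive
    action: str     # "suppress" | "auto_close" | "escalate"

class TriageModel:
    """Stand-in for the learned classifier. Analyst verdicts per rule
    shift the score, so the filter improves as the SOC labels cases."""
    def __init__(self) -> None:
        self.feedback: Dict[str, List[int]] = {}   # rule -> [tp_count, fp_count]

    def learn(self, rule: str, true_positive: bool) -> None:
        counts = self.feedback.setdefault(rule, [0, 0])
        counts[0 if true_positive else 1] += 1

    def score(self, alert: Alert) -> float:
        tp, fp = self.feedback.get(alert.rule, [0, 0])
        prior = (tp + 1) / (tp + fp + 2)            # Laplace-smoothed: new rule starts at 0.5
        ioc = 1.0 if {alert.src_ip, alert.dst_ip} & SUSPICIOUS_IPS else 0.0
        sev = (alert.severity - 1) / 4               # normalise 1..5 to 0..1
        # Hypothetical weights chosen for the example; a real model learns these.
        return round(0.5 * prior + 0.3 * ioc + 0.2 * sev, 3)

# Stand-in for case templates: rule -> handler that returns True only after it
# has verified the threat is gone, so the ticket may be closed automatically.
Playbook = Callable[[Alert], bool]

def block_ip_and_verify(alert: Alert) -> bool:
    # Hypothetical remediation: block the source, then confirm no further traffic.
    return True

PLAYBOOKS: Dict[str, Playbook] = {"port_scan": block_ip_and_verify}

SUPPRESS_BELOW = 0.3     # below this: treated as false positive, not ticketed
AUTO_HANDLE_BELOW = 0.6  # below this with a playbook: automate and close

def triage(alerts: List[Alert], model: TriageModel,
           playbooks: Dict[str, Playbook]) -> List[Decision]:
    """Return a decision for every alert, suppressed ones included, so the
    filter's misses stay auditable."""
    decisions = []
    for a in alerts:
        s = model.score(a)
        if s < SUPPRESS_BELOW:
            action = "suppress"
        elif s < AUTO_HANDLE_BELOW and a.rule in playbooks and playbooks[a.rule](a):
            action = "auto_close"
        else:
            action = "escalate"   # no pattern, or playbook could not verify clearance
        decisions.append(Decision(a, s, action))
    return decisions

def escalation_queue(decisions: List[Decision]) -> List[Decision]:
    """Tickets for humans, ordered by risk rather than by arrival time."""
    return sorted((d for d in decisions if d.action == "escalate"),
                  key=lambda d: (-d.score, d.alert.ts))

# Constructed sample alerts, in arrival order.
SAMPLE_ALERTS = [
    Alert("A1", "port_scan", "192.0.2.10", "10.0.0.5", severity=3, ts=1),
    Alert("A2", "failed_login_burst", "192.0.2.11", "10.0.0.9", severity=3, ts=2),
    Alert("A3", "c2_beacon", "10.0.0.21", "203.0.113.7", severity=5, ts=3),
    Alert("A4", "dns_tunnel", "10.0.0.30", "198.51.100.22", severity=4, ts=4),
    Alert("A5", "port_scan", "192.0.2.10", "10.0.0.6", severity=1, ts=5),
]

if __name__ == "__main__":
    model = TriageModel()
    for d in triage(SAMPLE_ALERTS, model, PLAYBOOKS):
        print(d.alert.id, d.score, d.action)
    print("queue:", [d.alert.id for d in escalation_queue(triage(SAMPLE_ALERTS, model, PLAYBOOKS))])
    # Analysts close three failed_login_burst tickets as false positives; the
    # rule's prior drops and the next such alert is suppressed instead of ticketed.
    for _ in range(3):
        model.learn("failed_login_burst", False)
    print("after feedback:", [(d.alert.id, d.action) for d in triage(SAMPLE_ALERTS, model, PLAYBOOKS)])
```

Two points to notice when running it: the escalation queue serves A3 and A4 before A2 even though A2 arrived earlier, which is the risk-over-chronology ordering the text argues for; and the port scan A1 is closed by its playbook only because the handler reported the threat verified gone, whereas A2 has no playbook and goes to a human. The feedback loop is the part that keeps the filter trustworthy: without it, a rule that is consistently noisy keeps generating tickets, and a rule whose real hits were wrongly suppressed has no way to earn its score back.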