ABSTRACT:

Security Operations Centers (SOCs) act as security hubs for many companies, providing a central place to detect and respond to digital threats. However, SOC analysts are often overwhelmed by the sheer volume of alerts – over 20,000 per day in our dataset – generated by the multitude of security products within the organizations’ networks.

Some of these security tools are misconfigured or low quality, compounding the problem. In our dataset, consisting of data from a range of large companies across the globe, we found that upwards of 95% of all alerts are marked as non-actionable by analysts. Therefore, in practice, finding and responding to the most critical and meaningful alerts also requires investigating many false alarms.

In this talk, I will discuss the difficulties of dealing with real-world security telemetry, including the prevalence of noise and incorrect labels, and techniques to detect and deal with them.

Finally, I will present FloodBot, a tool to filter false positives and prioritize alerts generated by security tools. FloodBot is able to efficiently filter out security alerts which analysts are predicted to label as not actionable, while keeping the number of false negatives extremely low. Our results indicate that FloodBot is both a necessary and effective tool for large SOC deployments.

BIO:

Daniel Kats is a principal researcher at Symantec Research Labs, where he has worked since 2016. Daniel completed an M.Sc. at the University of Toronto, studying under Eyal de Lara in the Systems and Networking Group, where he specialized in the Linux virtualization subsystem. Since joining Symantec, Daniel has worked on a number of projects dealing with developing automated techniques to detect and triage malicious behaviors across a number of products and services. He is also partial to chocolate cake. 

Hosted by Professor Richard Korf