It’s no secret that I have an affinity for cars. Some may say that I need an intervention. If you were to ask me what my favorite car is, I would be hard pressed to nail down an answer. But what I do know is this: my blue Porsche 911 is a thing of beauty. Not to mention doing 0 to 60 mph in 4 seconds.
Driving one of these on Hwy 183 in Austin on any given day makes my heart race. Even if you don’t care about cars, you would notice how much a blue sports car stands out on the highway filled with white sedans. Not that there’s anything wrong with white sedans, but they are everywhere — to the point that you don’t even notice them anymore.
For the last two years, I have been trying very hard to think differently: how can IronNet build a cybersecurity engine that makes significant threat alerts stand out in the vast cyber-sea of false positives?
Needless to say, I’m thrilled that my team has accomplished that goal. IronNet’s incredible engineers, elite cybersecurity practitioners, cloud architects, data scientists, and I have successfully delivered our advanced detection correlation engine. Even though it’s under the hood of our network detection and response (NDR) solution, this unique engine will make any cybersecurity analyst's heart race.
What is the correlation engine?
The engine automatically correlates detections and alerts that are essentially infused with the “CODE-ified” expertise of IronNet’s elite Tier 3 analysts and threat hunters. So, when our NDR tool creates an event, it’s not just generating an alert based on a single analytic (or “one-off analytics,” as our VP of Prioritization and Detection Dean Teffer describes them). Instead, that event has been automatically linked to other events generated in our system. From there, that one alert now stands out from all the other alerts shot from the cannon.
How does it work?
It’s important to understand that IronNet’s integrations with best-of-breed detection tools such as CrowdStrike EDR, Palo Alto firewalls, Splunk SIEM, and more — all talking together thanks to the AWS cloud — allow our NDR to look at network data (deep within the network), log data, and endpoint data and correlate events automatically.
For example, let’s take a rudimentary attack scenario. Before IronNet created the correlation engine, our analytics would detect phishing activity, followed by DGA activity. Then, separately, they would detect what seemed to be C2 activity. We would triage those alerts independently, building the connective tissue with a lot of investigative elbow grease. As with most NDR solutions, what this approach meant was this: in the SOC game of alert cannon vs. analyst, the cannon always won. Analysts were pummeled and fatigued — not to mention concerned about the number of alerts that were never triaged and the potential impact on their enterprise.
Today, the correlation engine automatically pre-packages these events so they tell a clear, relevant story as fast as 0 to 60 mph in 4 seconds. Consider an activity that looks like C2 communications. Could it really be an innocuous system update instead? Does the alert link up with another suspicious activity, like an unusual email with a strange link or attachment? And now what? A beacon? While a beacon in your network activity is very often normal, if you string it together with the other two alerts, then you have a problem. A bad story stands out, allowing analysts to kick it into high gear — straight to triage.
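To make the scenario above concrete, here is an added illustration (my own sketch, not IronNet’s engine or schema) of what per-host correlation looks like: alerts from an email, a DNS, and a network analytic are grouped by host, a look-back window is slid over them, and the number of kill-chain stages seen in order decides how loudly the story should stand out. The alert records, field names, two-hour window, and severity labels are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical sources (email gateway,
# DNS analytic, network beacon analytic); field names are assumptions.
ALERTS = [
    {"ts": "2023-05-01T09:00:00", "host": "ws-17", "source": "email", "type": "phishing"},
    {"ts": "2023-05-01T09:12:00", "host": "ws-17", "source": "dns", "type": "dga"},
    {"ts": "2023-05-01T09:40:00", "host": "ws-17", "source": "network", "type": "beacon"},
    {"ts": "2023-05-01T10:05:00", "host": "ws-42", "source": "network", "type": "beacon"},
    {"ts": "2023-05-01T11:00:00", "host": "ws-42", "source": "network", "type": "beacon"},
]

# The ordered chain the post describes: phishing -> DGA lookups -> C2 beacon.
KILL_CHAIN = ["phishing", "dga", "beacon"]
WINDOW = timedelta(hours=2)  # assumed look-back window for linking events
SEVERITY = {0: "info", 1: "low", 2: "medium", 3: "high"}

def chain_depth(events, chain):
    """Count chain stages that appear in chain order in time-sorted `events`.
    A lone beacon scores 1 (often benign); the full chain scores 3."""
    depth, last = 0, -1
    for e in events:
        k = chain.index(e["type"]) if e["type"] in chain else -1
        if k > last:
            depth, last = depth + 1, k
    return depth

def correlate(alerts, chain=KILL_CHAIN, window=WINDOW):
    """Per host, slide a look-back window ending at each alert, keep the deepest
    story, and return stories sorted so the worst one surfaces first."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append({**a, "t": datetime.fromisoformat(a["ts"])})
    stories = []
    for host, items in by_host.items():
        items.sort(key=lambda e: e["t"])
        best = {"host": host, "depth": 0, "events": []}
        for a in items:
            linked = [b for b in items if timedelta(0) <= a["t"] - b["t"] <= window]
            depth = chain_depth(linked, chain)
            if depth > best["depth"]:
                best = {"host": host, "depth": depth, "events": linked}
        best["severity"] = SEVERITY[best["depth"]]
        stories.append(best)
    return sorted(stories, key=lambda s: -s["depth"])
```

On the sample data, ws-17 surfaces first with all three stages linked into one high-severity story, while the repeated lone beacons on ws-42 stay a low-severity story rather than three separate alerts.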
This technology allows us to widen the aperture to catch more unknown unknowns — without flooding the SOC — and to deliver to our customers better alert efficacy, better detections, and, ultimately, better insight given that they now have the ability to leverage input from their other security tools. Next month, I will go into more detail about how to realize better value from your existing security infrastructure by bringing in events and entity resolution from those tools.
The Model C
Speaking of cars… Did you know that the Ford Model T actually came in red, not just black? But I digress.
IronNet, the industry leader in Collective Defense, is continuing to build leading-edge innovative technology that is transforming cybersecurity as we know (knew) it. Being integrated into the IronNet Collective Defense platform, this innovative engine doesn't have a stand-alone name; however, I like to call it Model C. Bear with me: C for correlation and “see” for all those alerts that now will stand out among all those white sedans crowding your lane.