Imagine you had a security analyst on your team who could analyse every single alert generated by your security tools 24 hours a day, 365 days a year, and based on external threat intelligence and business context, escalate only the most important ones to you for further review. That would be great, right?
SOC.OS is that analyst.
On-premise security tools are configured to forward security alerts to a lightweight agent installed on your IT network.
Alerts from multiple source systems can be sent to a single agent, e.g. firewall IPS/IDS and endpoint protection devices. Once alerts are received by the agent, they are forwarded to the SOC.OS cloud platform. Additionally, the SOC.OS cloud platform can be configured with the appropriate credentials to collect alerts directly from the APIs of your cloud-based security tools.
SOC.OS is constantly developing integrations with new security devices; see the compatible tools list for full details.
Once received, the alert data is cleansed, parsed and the MITRE ATT&CK® threat associated with the alert is identified. Alerts are then enriched with threat intelligence data from AbuseIPDB and AlienVault OTX (Open Threat Exchange) as well as your own business context, giving the analyst the rich context needed to make data-driven remediation decisions quickly and effectively.
Within the tool, users can list critical business assets (e.g. an important web server or email address), so that when an alert involves one of these assets, the alert is not only easy to locate quickly but is automatically scored higher and moved closer to the top of the priority-ranked investigation workbench.
Every IP contained in all your alerts is checked on AbuseIPDB
Alert enrichment with AlienVault OTX, which has access to 19 million threat indicators daily
Alert mapping to a MITRE ATT&CK technique and/or tactic
The enriched alerts are then correlated into related groups, or in SOC.OS terminology “clusters”, based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types appear in the same cluster and can be examined together. Each cluster consists of anywhere from 1 to 5,000 alerts.
These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking.
SOC.OS works 24/7/365 analysing and enriching every alert it ingests
Clusters which contain your critical assets are prioritised higher than those that don’t
Only alerts which share similar entities and MITRE ATT&CK threat types are grouped together
Cluster investigation can then be completed entirely through the SOC.OS workbench – the original alerts, third-party threat feeds, custom business context enrichment and in-tool security training tips are all accessible through a single intuitive UI.
The clusters themselves are visualised graphically with a bespoke data visualisation tool, allowing the analyst to see at a glance the MITRE ATT&CK® threat type, the incident timeline (which can span days, weeks or months) and the entities involved.
Once investigated, a cluster is never closed completely – it is archived and automatically re-opened if a new alert is correlated with it. Analysts are then shown the cluster's complete history, so they immediately gain the insights from the previous investigation.
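As an added illustration (this is not SOC.OS code; the scoring weights, the critical-asset list, the alerts and the AbuseIPDB values are all constructed assumptions), the following Python models the pipeline described above: enrichment-driven scoring with a critical-asset boost, the grouping rule of shared entities plus the same ATT&CK threat type, the 5,000-alert cluster limit, and automatic re-opening of an archived cluster when a new alert correlates with it.

```python
MAX_CLUSTER_SIZE = 5000          # page: a cluster holds anywhere from 1 to 5,000 alerts
CRITICAL_ASSETS = {"10.0.0.5"}   # assumed customer-defined critical asset list
# Constructed stand-in for AbuseIPDB abuse-confidence scores (0-100), not live data.
ABUSE_CONFIDENCE = {"203.0.113.7": 90, "203.0.113.9": 5, "198.51.100.4": 0}
# Constructed alerts: the entities they name plus the ATT&CK technique the parser mapped.
SAMPLE_ALERTS = [
    {"id": 1, "entities": {"10.0.0.5", "203.0.113.7"}, "technique": "T1110"},
    {"id": 2, "entities": {"10.0.0.5", "203.0.113.9"}, "technique": "T1110"},
    {"id": 3, "entities": {"10.0.0.8", "203.0.113.7"}, "technique": "T1046"},
    {"id": 4, "entities": {"10.0.0.5", "198.51.100.4"}, "technique": "T1110"},
]

class Cluster:
    def __init__(self, alert):
        self.alerts, self.technique, self.archived = [alert], alert["technique"], False
    def entities(self):
        return set().union(*(a["entities"] for a in self.alerts))
    def correlates(self, alert):
        # Grouping rule from the text: a shared entity AND the same ATT&CK threat type.
        return (alert["technique"] == self.technique
                and bool(alert["entities"] & self.entities())
                and len(self.alerts) < MAX_CLUSTER_SIZE)
    def score(self):
        # Rank by worst AbuseIPDB score seen, alert volume, and a critical-asset boost (assumed weights).
        worst_ip = max(ABUSE_CONFIDENCE.get(e, 0) for e in self.entities())
        boost = 50 if self.entities() & CRITICAL_ASSETS else 0
        return worst_ip + len(self.alerts) + boost

def ingest(clusters, alert):
    # Correlate into an existing cluster (re-opening it if archived) or open a new one.
    for cluster in clusters:
        if cluster.correlates(alert):
            cluster.alerts.append(alert)
            cluster.archived = False   # a new correlated alert re-opens an archived cluster
            return cluster
    clusters.append(Cluster(alert))
    return clusters[-1]

def workbench(clusters):
    # Open clusters as the analyst sees them: highest priority first.
    return sorted((c for c in clusters if not c.archived), key=Cluster.score, reverse=True)

def demo():
    clusters = []
    for alert in SAMPLE_ALERTS[:3]:
        ingest(clusters, alert)
    clusters[0].archived = True                    # analyst finishes the investigation
    reopened = ingest(clusters, SAMPLE_ALERTS[3])  # late alert correlates and re-opens it
    return clusters, reopened
```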
Investigate all of your alerts in a single platform
Simple and intuitive UI ideal for upskilling less experienced analysts
Accurately track (slower-evolving) incidents over time