Throughout March, April and May 2019 we improved Machine Learning backend infrastructures and processes to accelerate discovery of new Indicators of Compromise (IoC). Higher number of discovered IoCs has two benefits: 1. higher percentage of Cognitive incidents will fall into Confirmed Threat category, 2. more IoCs used for (re)training of Machine Learned predictors means extended ability to get net-new detections. The improvemens include:
Confirmed Threat IoC automated discovery - we implemented automation of new IoC discovery for existing Confirm Threats. The technique reduced manual confirmation load by half without compromising the precision of Confirmed Threat incidents (see IoC statistics below)
Talos-integration - we built a Machine Learning pipeline and process for improved exchange of intelligence between Talos and Cognitive Intelligence (see Confirmed Threat IDs CTALxxxx in Coverage of Confirmed Threats Extended blog)
Threat confirmation pipelines - we optimized infrastructures to take maximum effect of each verdict provided by analyst. IoC candidates come through Active Learning (see next item). Every manually confirmed or disproved IoC candidate gets automatically included in fresh Machine Learning ground truth, prediction models get re-trained, re-evaluated and queued for push-to-prod; existing Incident pool gets re-evaluated and Incidents related to the newly confirmed IoC move from Detected to Confirmed.
Active Learning - we built clever prioritization of threat analytics tasks for human analysts - the Machine Learning system identifies the most promising potential new IoCs for confirmation by human, among millions of suspicious - previously unknown - findings each week. Note that we build on top of A.I. Loop, first introduced in Closing one learning loop blog. Note that we also improved robustness of Machine Learning evaluation pipelines (see our NeurIPS paper: Bad practices in evaluation methodology relevant to class-imbalanced problems)
The increase of the number of maintained IoCs is seen in absolute nubers per week above. Note the difference between end of 2018 and 2019 so far. Note also the solid line - the percentage of Confirmed Threats covered by fully-automated Machine Learned update process. Higher percentage means less regular update work by human analyst, thus more time available for net new exploration.
Threat Response integrates with Threat Grid as a reference module. It allows investigators to pivot and get information for IP addresses, domains, URLs and file hashes from the Threat Grid repository. Conversely, Threat Grid leverages the Investigation a...
Threat Response integrates with SMA (Security Management Appliance) as an enrichment and enforcement module. The SMA module allows investigators to take actions such as searching email records for sender email and IP, email subject and message header, am...
Hi All Having a weird spontaneous issue on some WIndows PC's that are setup for 802.1x. After a complete bootup, ISE logs show that the PC is doing MAB authentication and are failing as expected. If I unplug the network cable and reconnec...
With this integration, investigators can see intrusion events from Firepower devices correlated with enrichment from other Cisco Security products, adding greater context and helping the SOC investigate incidents with broader internal visibility.
Threat Response integrates with Umbrella to provide Visibility, Control and Threat Intelligence. The Umbrella module leverages three distinct Umbrella APIs to provide these three functions. Ownership of any of the following 3 APIs gives free access and e...