
Angara Security: ML solution to improve monitoring efficiency in SOC centers

Product
Developer: Angara Security (formerly Angara Technologies Group, AT Group)
Release date: 2024/06/20
Industry: Information security
Technology: Security Information and Event Management (SIEM)

Main article: Machine Learning

2024: Introducing an ML Solution to Improve Monitoring Efficiency in SOC Centers

Angara Security has developed an ML solution to improve monitoring efficiency in SOC centers. The developer announced it on June 20, 2024.

Analysis of security events using detection and correlation rules in SIEM systems remains one of the main ways to detect malicious activity in an IT infrastructure. In practice this approach is not always effective against attacker techniques with high variability, since writing and maintaining a rule set for every known procedure is hardly feasible.

Angara Security has developed a neural network solution that integrates with a SIEM system. The network combines layers characteristic of both convolutional neural networks (CNN) and recurrent neural networks (RNN).

The solution supplements the classical methods of security event analysis and identifies malicious activity with high accuracy from the characteristic patterns learned by the ML model. In a number of scenarios this approach expands the list of detected procedures and removes the need to write a separate detection rule for each new utility or procedure.

"ML models are an excellent auxiliary tool in analysts' work: on the one hand they expand the ability to detect attacker activity, on the other they automate part of the processes and free up resources for tasks that require human participation," said Artem Gribkov, deputy director of Angara SOC for business development. "As of June 2024, the ML model is used for three scenarios. First, to identify PowerShell scripts, which attackers actively use during attacks. Angara SOC experts note that there are a large number of PowerShell tools that can be used both as part of malware and directly by an attacker when compromising a system. PowerSploit, Empire and Nishang are just a small part of the well-known collections of such utilities for automating an attacker's actions: collecting information, exploiting vulnerabilities, elevating privileges, and so on. In addition, in many organizations IT services use legitimate scripts to automate administration. It is sometimes quite difficult to distinguish legitimate scripts from malicious ones, and it is essentially impossible to analyze millions of scripts in order to write rules."

The second use case is identifying DGA domains and DNS tunneling. Classical methods of DNS name analysis often produce a large number of false positives. Tools that generate domain names closely resembling legitimate ones are also popular among cybercriminals, which makes automatic detection of such names by classical methods impractical. The ML solution copes with this task effectively.
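To make the DGA and DNS-tunneling scenario concrete, the block below is an added example and is not Angara Security's code or its CNN/RNN model. It stands in a much simpler learned model, a first-order character Markov model trained on benign labels and scored against a uniform-random baseline, next to the classical Shannon-entropy heuristic that the paragraph says misfires. The benign training corpus, the 3.5-bit entropy cut-off, the smoothing constant, and the three DNS query log lines (hostnames and the tunnel payload label included) are all constructed for this example; example.org is a reserved name.

```python
"""Character-level detector for DGA / DNS-tunnel labels (added illustration,
not Angara Security's model). A first-order Markov model trained on benign
labels is compared with the classical Shannon-entropy heuristic."""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"   # DNS label characters
ALPHA = 0.1                # additive smoothing constant (assumption)
ENTROPY_THRESHOLD = 3.5    # bits; arbitrary baseline cut-off (assumption)

# Constructed benign corpus: hostname labels and English-like words. A real
# deployment would train on millions of resolved, allow-listed names.
LEGIT_LABELS = """
google microsoft amazon facebook youtube wikipedia github cloudflare netflix
twitter linkedin apple mozilla ubuntu python adobe dropbox paypal reddit
instagram spotify oracle wordpress samsung nvidia intel yahoo office update
mail login account secure server static images cdn api download upload
support service search store news weather music video photo share connect
network workout checkout lookout perfect surface interface flow flash flower
slow follow overview travel every never over www smtp imap portal vpn
""".split()


def clean(label):
    """Lower-case a label and drop anything outside the DNS label alphabet."""
    return [c for c in label.lower() if c in ALPHABET]


class MarkovLabelModel:
    """First-order character Markov model of benign labels. score() returns
    the mean per-transition log-likelihood ratio against a uniform-random
    string model: > 0 is 'more word-like than random', < 0 is 'more random'."""

    def __init__(self, labels, alpha=ALPHA):
        self.alpha = alpha
        self.pair = Counter()      # count of (a -> b) transitions
        self.out = Counter()       # count of transitions leaving a
        for label in labels:
            chars = clean(label)
            for a, b in zip(chars, chars[1:]):
                self.pair[(a, b)] += 1
                self.out[a] += 1

    def score(self, label):
        chars = clean(label)
        if len(chars) < 2:
            return 0.0             # no transitions to judge: neutral
        v = len(ALPHABET)
        uniform = math.log(1.0 / v)
        total = 0.0
        for a, b in zip(chars, chars[1:]):
            # Smoothed P(b | a); an unseen transition can never beat uniform.
            p = (self.pair[(a, b)] + self.alpha) / (self.out[a] + self.alpha * v)
            total += math.log(p) - uniform
        return total / (len(chars) - 1)


def shannon_entropy(label):
    """Bits per character: the classical 'random-looking label' heuristic."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def scored_labels(qname):
    """All labels except the TLD: the registrable label exposes DGA names,
    the leftmost labels expose tunnel payloads."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-1] if len(labels) > 1 else labels


def entropy_verdict(qname):
    """Baseline: flag if any scored label exceeds the entropy cut-off."""
    return max(shannon_entropy(lab) for lab in scored_labels(qname)) > ENTROPY_THRESHOLD


def markov_verdict(model, qname):
    """Flag if any scored label looks more random than word-like."""
    return min(model.score(lab) for lab in scored_labels(qname)) < 0.0


# Constructed DNS query log ("src qname"); example.org is a reserved name.
DNS_LOG = [
    "10.0.0.5 www.stackoverflow.com",                 # benign, high entropy
    "10.0.0.5 qxzjvkwbfqz.net",                       # DGA-style, low entropy
    "10.0.0.7 4f3a9c1e7b2d8a6f.tunnel.example.org",   # hex tunnel payload label
]

MODEL = MarkovLabelModel(LEGIT_LABELS)


def analyse(log_lines, model=MODEL):
    """Return (qname, entropy_flag, markov_flag) per log line."""
    out = []
    for line in log_lines:
        _src, qname = line.split()
        out.append((qname, entropy_verdict(qname), markov_verdict(model, qname)))
    return out


if __name__ == "__main__":
    for qname, ent, mk in analyse(DNS_LOG):
        print(f"{qname:42} entropy_flag={str(ent):5} markov_flag={mk}")
```

Running it shows the failure mode the paragraph describes: "stackoverflow" carries about 3.55 bits per character and trips the entropy cut-off, while the random-looking 11-letter label, with two repeated letters, stays under it at about 3.1 bits; the learned transition model separates the two by how pronounceable the label is, and it also flags the hex payload label ahead of the tunnel's benign parent domain. The toy corpus and the thresholds are the weak points: in production the model would be trained on a large allow-listed resolver history, tunneling detection would additionally aggregate per-source query volume and unique-subdomain rate, and legitimate high-entropy names (CDN and cloud hostnames, hashed asset labels) would need either training coverage or an allow-list.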

The third scenario is web server log analysis. The ML model can be used either as an addition to WAF-class tools or as an alternative layer in a layered web resource protection system.