Mohammed Al-Moneer of Infoblox discusses SOC Insights, an AI-driven solution that reduces alert fatigue and boosts SecOps efficiency with actionable insights.
In Feb 2024, Infoblox announced the launch of SOC Insights, an industry-first, AI-driven security operations capability that boosts the company’s DNS Detection and Response solution, BloxOne® Threat Defense. SOC Insights empowers security analysts to jump-start investigations that truly matter and dramatically reduce response time by turning vast amounts of security events, network, ecosystem, and unique DNS intelligence data into a manageable set of immediate, actionable insights at AI speed. Mohammed Al-Moneer, Senior Regional Director, META at Infoblox, shares his views on the launch:
Excerpts from the interview:
Could you explain how SOC Insights works without getting into technicalities?
SOC Insights applies AI-driven analytics to analyse massive alert, network, device, user, and DNS threat intelligence data to correlate events quickly, prioritise them based on more than just ‘malware risk ranking,’ and provide recommendations and tools to resolve the threats that matter most quickly. This helps reduce alert fatigue and analyst burnout and improve SecOps efficiency, enabling teams to do more with available resources. This extends to the rest of the security ecosystem, as these AI-driven insights can trigger automated responses or be shared with other security stack tools to make them more effective.
For example, when an analyst starts work in the morning, rather than digging through hundreds of thousands of alerts in hopes of identifying the ones that need attention most, the SOC Insights UI has already analysed these events, correlated them with network and other data, and grouped them into a much more manageable set of ‘insights’ that can be reviewed in a fraction of the time. (e.g., one customer received over half a million events, which SOC Insights distilled down to only two dozen.)
Once the analysts have identified the insight they want to work on next, they click on ‘Investigate Insight’. They are immediately taken to a portal to pivot around network, event, threat intelligence, and other data in whatever order they wish. This makes it much faster (and easier) to understand the full context around the insight to weigh its true risk and better understand the work required to address it. A simple example is to consider an attack with high-impact malware only seen on the guest network. Another is when two types of phishing attacks are identified, and immediate, on-demand access to rich context data can help identify which could impact a larger number of users.
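The grouping and prioritisation described above (many raw events collapsed into a few insights, ranked on more than the raw malware risk score, with the guest-network and phishing cases as tie-breakers) can be illustrated with a small script. This is an added example, not Infoblox's code; the event fields, the `corp`/`guest` network labels, the 0-100 risk scale, the `.invalid` domains and the 0.25 guest-segment discount are all constructed assumptions.

```python
"""Collapse raw DNS security events into a ranked set of 'insights'.

Added illustration, not Infoblox's implementation. Every field name, sample
value and weighting below is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    client_ip: str     # host that issued the DNS query
    network: str       # assumed segment label: "corp" or "guest"
    user: str          # user associated with the host (from NetOps/IPAM data)
    indicator: str     # queried domain that matched threat intelligence
    threat_class: str  # assumed classes: "malware_c2", "phishing"
    risk: int          # vendor-style malware risk ranking, assumed 0-100


@dataclass
class Insight:
    indicator: str
    threat_class: str
    event_count: int
    hosts: set
    users: set
    networks: set
    max_risk: int

    @property
    def guest_only(self) -> bool:
        return self.networks == {"guest"}

    def priority(self) -> float:
        # Risk ranking alone would put one beaconing guest laptop above a
        # phishing campaign reaching many corporate users; scale by the number
        # of affected users and discount guest-only activity (assumption: the
        # guest segment has no route to corporate assets).
        score = self.max_risk * len(self.users)
        if self.guest_only:
            score *= 0.25
        return score


def build_insights(events):
    """Group events by (indicator, threat class) and rank the groups."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev.indicator, ev.threat_class)].append(ev)
    insights = []
    for (indicator, tclass), evs in buckets.items():
        insights.append(Insight(
            indicator=indicator,
            threat_class=tclass,
            event_count=len(evs),
            hosts={e.client_ip for e in evs},
            users={e.user for e in evs},
            networks={e.network for e in evs},
            max_risk=max(e.risk for e in evs),
        ))
    return sorted(insights, key=Insight.priority, reverse=True)


# Constructed sample: one guest host beaconing to a C2 domain 40 times, a
# phishing domain resolved by five corporate users, and a second phishing
# domain resolved by two corporate users (47 events in total).
SAMPLE_EVENTS = (
    [Event("10.9.0.5", "guest", "visitor-01", "c2-beacon.invalid", "malware_c2", 95)] * 40
    + [Event(f"10.1.0.{i}", "corp", f"user-{i}", "login-portal.invalid", "phishing", 70)
       for i in range(1, 6)]
    + [Event(f"10.1.0.{i}", "corp", f"user-{i}", "secure-mail.invalid", "phishing", 70)
       for i in (7, 8)]
)


if __name__ == "__main__":
    for ins in build_insights(SAMPLE_EVENTS):
        print(f"{ins.priority():>7.2f}  {ins.threat_class:<11} {ins.indicator:<22} "
              f"events={ins.event_count:<3} users={len(ins.users)} "
              f"networks={sorted(ins.networks)}")
```

Running the block prints three insights instead of 47 events, with the five-user phishing campaign first and the guest-only C2 beacon last, even though the beacon carries the highest raw risk score and the most events.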
How does Infoblox use AI, human dynamics, and data dynamics to work together to deliver useful and actionable insights?
Infoblox uses a combination of AI, human expertise, and data dynamics to identify and deliver actionable insights. The AI-driven analytics are trained by DNS experts (humans) who are skilled in cybersecurity and the nuances of DNS, providing our customers with the AI tools to auto collect network, ecosystem, event, and DNS threat intelligence while filtering out irrelevant information and recognising patterns that highlight what is most important.
This process is done quickly and automatically within BloxOne Threat Defense, giving the SOC back the hours it could take a human analyst to collect, filter, parse, sort, and otherwise manipulate the data in other tools. Finally, by intelligently collecting only relevant data into threat research and insight investigation portals, our customers’ analysts can start their investigation immediately, leveraging available information on-demand, without digging through individual alerts or waiting on NetOps for user and device information for context around threat activity. This way, Infoblox ensures that the insights delivered are useful and actionable.
Why is this SOC Insights feature important?
Alert fatigue, analyst burnout, skill shortage, and similar issues for the SOC all come from the challenge of having too many security events every day and too much data to dig through to make sense of it all. SOC Insights is important because it helps security teams automate much of the important yet time-consuming data gathering and filtering. It then applies AI-driven analytics to this vast amount of data to distill and correlate hundreds of thousands of events into a more manageable set of ‘insights’, each connected to the relevant asset, event, threat, and other data analysts may need to quickly refer to, helping them understand threats and make informed, effective decisions… fast.
How does SOC Insights work with your security ecosystem today, and are there any long-term plans? Can you give any examples?
In a world where most vendor ecosystems involve little more than sharing alert data with SIEMs or triggering a ticketing system (like ServiceNow), BloxOne Threat Defense breaks this mould in several ways:
- Proactively: Infoblox can collect, filter, normalize, and distribute threat intelligence across the security stack (NGFW, SWG, EDR, etc.) to enhance its own detection and protection capabilities. It can also easily integrate with existing Threat Intelligence Platforms (TIP) if they exist.
- Visibility: Infoblox can share events, networks, DNS threat intelligence, and other data with tools that desire more context around alerts, such as SIEM or SOAR.
- Automation: Infoblox can automatically trigger actions by other tools, such as having a vulnerability scanner check a device connected to an alert to see if the alert can be ignored (if necessary patches are in place) or if more action is needed.
When will the SOC Insights feature be available? Is it available globally? How does a customer get started?
SOC Insights will be launched globally on February 14 and available immediately. Existing customers of BloxOne Threat Defense ‘Business Cloud’ and ‘Advanced’ will receive new ‘Configuration’ insights as part of their base product licence. The SOC Insights ‘Security’ add-on package will be available for those same ‘Business Cloud’ and ‘Advanced’ customers as an optional purchase. SOC Insights is licensed based on the number of users, which by default is the number of employees, in a tiered pricing structure.