
Consolidating Relevant Event Logs and Alerts.pdf (original listing title: 整合相关事件日志和警报.pdf)

Uploaded by: 可*** | Document ID: 991857 | 2025-12-07 | 62 pages | 2.91 MB

CONTEXT IS ALL U NEED: Finding Relevant Events, Logs & Alerts

+11,000 alerts/day received by security teams on average (Forrester)
Only 9% of attacks generate alerts (Mandiant): attacks are that stealthy
287 days on average to detect & contain a breach (IBM)
Up to 130 tools in use by security teams (Palo Alto Networks)

There is no doubt: in the face of rapidly evolving adversaries, attack detection is bloated & ineffective.

Lack of correlation of seemingly disparate events. Hidden within them are attack kill chains.
Surveyed in 2017-2024 (by SANS), security experts blame cyber noise: missing contextualization & correlation, coordinated attacks, and siloed signals.
Signal sources: email, physical, network, cloud, identity, apps, industrial.

Classical Clustering Challenges

Input data or context size. EX: index=na earliest=5m. Usually a subset is chosen by timespan, resulting in many clusters per time period and complicating the analysis with overlapping periods and numerous clusters.

Features to be used. EX: src_ip, dst_ip, severity, etc. Usually, features require further preprocessing and weighting, requiring deep data science expertise applied to every use case.

Feature mapping. EX: usr:"joe5" and id:"joe5s4" are similar. Usually, similar values may exist in different fields. The user must modify the data to capture these dynamic data modeling cases, requiring data engineering expertise applied to every use case.

Feature enrichment. EX: tech:"T1056". Usually, data can benefit from enrichments such as the MITRE ATT&CK tactics & techniques an event resembles, or entity metadata from a CMDB, ITSM or IAM system. The user must source & apply the enrichment logic to the data and expand the data model.

Data encodings. EX: ports 8443 and 8008 are similar. Usually, features will have values that are not identical but are similar. The user must develop these data encodings per feature to underline the data
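As an added illustration, not code from the slide deck or its authors, the block below encodes the preprocessing the slides say each clustering use case otherwise needs by hand: identities in the `usr` and `id` fields are fuzzy-matched so that `joe5` and `joe5s4` resolve to the same actor (feature mapping), destination ports are encoded by service class so that 8443 and 8008 count as similar (data encoding), technique IDs are enriched to ATT&CK tactics (feature enrichment), IPs are compared by /24 membership, and a weighted similarity score drives single-linkage clustering of alerts into candidate attack chains. The alert records, the port-to-service map, the technique-to-tactic map, the feature weights and the 0.5 threshold are all constructed assumptions for the example; they are not values taken from the slides.

```python
"""Weighted alert similarity and single-linkage clustering (stdlib only).

Constructed example: alert records, PORT_CLASS, TECH_TACTIC, WEIGHTS and the
threshold are assumptions made for illustration, not data from the slides.
"""
from difflib import SequenceMatcher
from ipaddress import ip_address, ip_network
from itertools import combinations

# Assumed enrichment tables. A real SOC would source these from a CMDB/ITSM/IAM
# system and the MITRE ATT&CK knowledge base rather than hard-code them.
PORT_CLASS = {80: "web", 8008: "web", 8080: "web", 443: "web", 8443: "web",
              22: "remote-admin", 3389: "remote-admin"}
TECH_TACTIC = {"T1056": "collection", "T1003": "credential-access",
               "T1021": "lateral-movement", "T1041": "exfiltration"}

# Assumed feature weights; in practice these are tuned per use case.
WEIGHTS = {"identity": 0.35, "src_net": 0.20, "dst_net": 0.15,
           "service": 0.15, "tactic": 0.10, "severity": 0.05}


def identity_of(alert):
    """Feature mapping: the same principal may arrive as 'usr' or as 'id'."""
    return (alert.get("usr") or alert.get("id") or "").lower()


def sim_identity(a, b):
    """Fuzzy string match so that 'joe5' and 'joe5s4' count as one actor."""
    x, y = identity_of(a), identity_of(b)
    if not x or not y:
        return 0.0
    return 1.0 if SequenceMatcher(None, x, y).ratio() >= 0.7 else 0.0


def sim_net(a, b, field):
    """Encode an IP by its /24 so neighbouring hosts compare as similar."""
    try:
        net = ip_network(f"{a[field]}/24", strict=False)
        return 1.0 if ip_address(b[field]) in net else 0.0
    except (KeyError, ValueError):
        return 0.0


def sim_service(a, b):
    """Port encoding: 8443 and 8008 are both alternate web ports."""
    ca, cb = PORT_CLASS.get(a.get("dst_port")), PORT_CLASS.get(b.get("dst_port"))
    return 1.0 if ca and ca == cb else 0.0


def sim_tactic(a, b):
    """Enrichment: compare ATT&CK tactics instead of raw technique IDs."""
    ta, tb = TECH_TACTIC.get(a.get("tech")), TECH_TACTIC.get(b.get("tech"))
    return 1.0 if ta and ta == tb else 0.0


def sim_severity(a, b):
    """Severity on a 1..5 scale; closeness scaled into [0, 1]."""
    return 1.0 - abs(a.get("severity", 3) - b.get("severity", 3)) / 4.0


def similarity(a, b):
    """Weighted sum of the per-feature similarities, in [0, 1]."""
    parts = {"identity": sim_identity(a, b), "src_net": sim_net(a, b, "src_ip"),
             "dst_net": sim_net(a, b, "dst_ip"), "service": sim_service(a, b),
             "tactic": sim_tactic(a, b), "severity": sim_severity(a, b)}
    return sum(WEIGHTS[k] * v for k, v in parts.items())


def cluster_alerts(alerts, threshold=0.5):
    """Single-linkage clustering with union-find; returns sorted id lists."""
    parent = {a["alert_id"]: a["alert_id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(alerts, 2):
        if similarity(a, b) >= threshold:
            parent[find(a["alert_id"])] = find(b["alert_id"])
    groups = {}
    for a in alerts:
        groups.setdefault(find(a["alert_id"]), []).append(a["alert_id"])
    return sorted(sorted(g) for g in groups.values())


# Constructed sample alerts: A1..A3 are one actor's activity seen from
# different sources and field names; A4 is unrelated noise.
ALERTS = [
    {"alert_id": "A1", "usr": "joe5", "src_ip": "10.1.2.15", "dst_ip": "10.9.0.5",
     "dst_port": 443, "tech": "T1056", "severity": 3},
    {"alert_id": "A2", "id": "joe5s4", "src_ip": "10.1.2.88", "dst_ip": "10.9.0.5",
     "dst_port": 8443, "tech": "T1056", "severity": 4},
    {"alert_id": "A3", "usr": "JOE5", "src_ip": "10.1.2.15", "dst_ip": "10.9.0.7",
     "dst_port": 8008, "tech": "T1041", "severity": 2},
    {"alert_id": "A4", "usr": "svc-backup", "src_ip": "192.168.50.3",
     "dst_ip": "172.16.4.9", "dst_port": 22, "tech": "T1021", "severity": 1},
]

if __name__ == "__main__":
    for group in cluster_alerts(ALERTS):
        print("cluster:", ", ".join(group))
```

Running the block prints one cluster for A1, A2 and A3 and a singleton for A4. The point of the encodings is visible in the numbers: A1 and A3 share nothing on exact match (443 vs 8008, "joe5" vs "JOE5", different dst_ip) yet score well above the threshold once ports are encoded by service class, identities are normalised and IPs are compared by /24. The slides' "input data size" problem is the part this example deliberately leaves out: pairwise scoring is quadratic in the number of alerts, so a real pipeline first buckets by time window or entity before comparing.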

Based on the report's content, its main points are summarized as follows:
- **Alert handling is inefficient**: on average only 9% of attacks generate an alert; attacks are highly stealthy and take an average of 287 days to detect and contain.
- **Tool sprawl**: security teams use 130 tools on average, with poor results.
- **Correlation challenge**: events are not correlated, so attack chains are hard to discover.
- **Data science demand**: preprocessing, feature mapping and feature encoding each require data science expertise.
- **SOC clustering solution**: knowledge-based preprocessing, mapping, encoding and weighting, plus automated feature mapping and real-time dynamic mapping.
- **Attack correlation**: related events are correlated into attack flows, reducing alert volume and improving response efficiency.
- **Claimed benefits**: 60% time savings, 90% shorter response time, and a 30x productivity gain.