Review: JASK ASOC isn't just another overloaded SIEM

The JASK Autonomous Security Operations Center coordinates various alerts and events into a picture of an ongoing threat or attack — the kinds of techniques that human threat hunters employ, only much faster.


When security information and event management (SIEM) systems were invented, they filled an incredible need in cybersecurity. At the time, enterprises were installing lots of perimeter security devices, but needed to log into each one to get alerts. A typical security operations center (SOC) might have 20 monitors, each one focused on a different piece of security hardware or software, and with no coordination between them. SIEMs combined all of those security information consoles into a single place, while also incorporating event management, which is basically logfile capture and the recording of network happenings that don’t have a direct, or at least an obvious, impact on security.

For many years, the SIEM was the pinnacle of defensive technologies, and the keystone of many SOCs and security operations teams. But then things got even more complicated. Networks expanded. Endpoints moved to the cloud. Mobility exploded. Digital transformation demanded that users and customers have full access to every service from any device at any time. Specialized cybersecurity programs followed in the wake of all those trends and, of course, were designed to feed into whatever SIEM an organization fielded.

But it was all too much. Suddenly, that single pane of glass seemed hopelessly inadequate to track thousands, or hundreds of thousands, or even millions of alerts all streaming in over a very short period of time. SOCs were a lot less physically cluttered, but arguably much less effective. Today, overworked IT teams necessarily concentrate their efforts on so-called critical alerts elevated by the SIEM itself or a connected security program. They fix what they can, have to deal with many false positives, and let even high-level alerts ranked just below critical languish for months. Millions of lower priority warnings are left unanswered.

The JASK Autonomous Security Operations Center (ASOC) was designed as an intelligent SIEM that could operate in even the noisiest and largest enterprise networks without overloading IT teams with false positives. It can also take much of the burden off analysts by providing context and evidence each time it raises an issue.

[Image: JASK ASOC dashboard. Credit: John Breeden]

The main dashboard for the JASK ASOC looks like a typical SIEM at first. But a closer look reveals that millions of records are being filtered down into thousands of signals, and only eight insights that humans need to check out.

Everything about the JASK ASOC is different from how a traditional SIEM operates. For one, the entire ASOC infrastructure exists inside a secure Amazon Web Services cloud. Network administrators only need to install a JASK software sensor to help facilitate the link between the local console and the brains of the platform in the cloud. The ASOC can interface with nearly any existing cybersecurity program and works to protect both on-premises and cloud-based assets — including those running under a different cloud provider.

Even the pricing model is unusual. It is a tiered subscription model based on the number of employees at an organization. There are no limits or restrictions on the amount of data an organization can send for processing, so the ASOC can look at everything being collected by any other security or logging program on its network.

What keeps the JASK ASOC from becoming just another overloaded SIEM is its reliance on artificial intelligence and machine learning. Because the core JASK ASOC engine is processing millions of alerts and events all the time, it has seen quite a lot of attacks and attack indicators. But beyond pattern matching, it knows how to coordinate various elements into a picture of an ongoing threat or attack, even when an attacker is moving low and slow to avoid traditional detection methods and those elements are weeks or months apart. These are the kinds of techniques that advanced human threat hunters employ, only the ASOC can work so much faster.

The ASOC doesn’t even issue alerts in the traditional sense. Instead, it coordinates all of the events and anomalies that it discovers and groups them together. Only once it believes that it has found solid evidence of a threat does it present what it calls an insight to IT teams monitoring the SOC.

Testing ASOC

In our testing, the ASOC did a brilliant job of paring down the noise found with traditional SIEM deployments. In our testbed, we initially were looking at seven million records over a 24-hour period, which is the first step in data collection. Records are anything at all that happens on a network, from a log file update to a user sign-on. They don’t necessarily have anything to do with security, but are collected just in case.

This turned into 23,045 signals. The ASOC’s so-called signals are essentially what every other SIEM calls an alert. These are basically records or events with a security tag associated with them. It might be something as common as a firewall blocking an intrusion or as seemingly benign as a user mistyping their password. In a traditional SIEM, these signals or alerts would be individually evaluated, assigned a priority and kicked up to a human analyst to examine — though unless the alert is listed as critical, it will probably be ignored for a very long time, or even forever.

[Image: JASK ASOC firewall alert. Credit: John Breeden II]

Small things like firewall alerts are often overlooked in busy SOCs, but the JASK ASOC keeps track of them and tries to combine them with other warnings to create a threat campaign warning if necessary.

Instead of looking at each signal, the ASOC begins to coordinate them based on similar factors. And because the AI knows how threats operate, it can zero in on specific elements as it works to confirm or deny the presence of an active threat. Only after it has put together a good case does it generate an insight for humans to examine. In our testbed, only five insights were generated out of the 23,000 signals and seven million records collected in a 24-hour period.

[Image: JASK ASOC insights view. Credit: John Breeden II]

Users can easily drill down into any collected insight to help launch a threat investigation. They will find that the ASOC has already done much of the work for them.

The amount of detail contained in each insight is impressive. They are basically completed threat hunts with full justification as to why the insight was generated. Everything that an analyst would start doing to investigate a traditional alert has already been done by the ASOC and coordinated into one place with easy-to-use drill-down menus. It took us no more than two or three clicks to go from the high-level story of an attack down to individual systems.

One of the criticisms of using AI in cybersecurity, or any field really, is the difficulty that those artificial intelligences have in explaining why they reached a conclusion. They can’t show their work or explain their thought process. That is not the case here. Every single element that went into the decision to generate an insight is broken down, including how much that element contributed to the decision.

[Image: JASK ASOC decision breakdown. Credit: John Breeden II]

Most artificial intelligence engines have trouble explaining why they arrived at various conclusions, but the JASK ASOC can break down every element in its thought process. Users can then tweak those elements to help with future accuracy.

For example, an insight might be based on a match with a threat intelligence feed, evidence of vertical port scanning, a user accessing a new machine for the first time, endpoint malware alerts, connection to an algorithmically generated domain, an alert from an intrusion protection system, SSH authentication failures and a host of other factors. These factors are shown on a timeline along with the relative amount of influence they had on the decision to create an insight.

Insights are also fully editable by human administrators. Perhaps some of those signals came from a laboratory or test environment that is designed to produce that kind of activity. Users can then select an individual element of the insight and remove it from consideration. The AI will then recalculate its results and possibly give a new recommendation. Or you can add elements, perhaps asking it to coordinate its results with a security device on a partner or peripheral network to see if that might further refine the threat.
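To make the weighted scoring, per-element breakdown and recalculation described above concrete, here is an added Python sketch that is not JASK's code: the factor names follow the article's list, while the weights, the threshold and the sample signals are constructed assumptions. It groups signals by the entity they share, scores the case, reports how much each element contributed, and recalculates after an element is removed from consideration.

```python
from collections import defaultdict

# Assumed weights per factor; JASK's real weighting is not published in the article.
FACTOR_WEIGHTS = {
    "threat_intel_match": 0.35,
    "vertical_port_scan": 0.20,
    "new_machine_for_user": 0.10,
    "endpoint_malware_alert": 0.30,
    "dga_domain_connection": 0.25,
    "ips_alert": 0.15,
    "ssh_auth_failure": 0.05,
}
INSIGHT_THRESHOLD = 0.6  # assumed score at which a grouped case becomes an insight

# Constructed sample signals: (timestamp, entity, factor). Only host-17 builds a case.
SIGNALS = [
    (100, "host-17", "ssh_auth_failure"),
    (160, "host-17", "ssh_auth_failure"),
    (400, "host-17", "vertical_port_scan"),
    (900, "host-17", "dga_domain_connection"),
    (950, "host-17", "threat_intel_match"),
    (120, "host-42", "ssh_auth_failure"),
    (300, "lab-03", "endpoint_malware_alert"),
]


def group_by_entity(signals):
    """Coordinate signals by the entity they share, keeping them in time order."""
    groups = defaultdict(list)
    for ts, entity, factor in sorted(signals):
        groups[entity].append((ts, factor))
    return groups


def score_case(events, excluded=frozenset()):
    """Score one entity's case. Each distinct factor counts once; the returned
    contributions dict is the per-element breakdown an analyst would review."""
    factors = {f for _, f in events if f not in excluded}
    contributions = {f: FACTOR_WEIGHTS[f] for f in factors}
    return min(1.0, sum(contributions.values())), contributions


def build_insights(signals, excluded=frozenset()):
    """Return one insight per entity whose case crosses the threshold.
    excluded holds (entity, factor) pairs an administrator removed from consideration."""
    insights = {}
    for entity, events in group_by_entity(signals).items():
        dropped = {f for e, f in excluded if e == entity}
        score, contributions = score_case(events, dropped)
        if score >= INSIGHT_THRESHOLD:
            timeline = [(ts, f) for ts, f in events if f not in dropped]
            insights[entity] = {"score": round(score, 2), "timeline": timeline,
                                "contributions": contributions}
    return insights
```

Removing the threat-intel match for host-17 drops its score below the threshold, so the insight disappears on recalculation, which is the behaviour the article describes for edited insights.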

Each time a user adds or removes elements, the ASOC will watch and act accordingly in the future, or at least consider doing so. In this way, human users can also help to train the ASOC to, for example, take a harder look at mission-critical assets, perhaps generating insights more quickly from fewer elements involving those systems. The behavior of the AI is thus easily directed and trained for the unique environment that it is protecting.

The JASK ASOC is a great example of how well computers and humans can work together in cybersecurity to protect networks. Eventually, the goal is probably to have the AI become more autonomous and less dependent on human oversight. But for now, the ASOC can concentrate on what computers do best, rapidly gathering information elements and putting them together to form a cohesive picture. And then humans can provide their own insights, evaluating what the ASOC did, taking appropriate action to protect their network, and helping the AI to act even more efficiently in the future.

In this era of constant threats, IT skills shortage, and rapidly evolving technology, human and machine partnerships can provide an effective answer to the ongoing problems of cybersecurity. The JASK ASOC is a highly effective example of how that can work.

Copyright © 2019 IDG Communications, Inc.
