Why Does Enforcement Automation Matter?
Automation is a hot-button issue in cybersecurity today, and for good reason. With the proliferation of both threats and threat intelligence, today’s SOCs are fighting an uphill battle against an unending wave of alerts that threatens to swamp them. This phenomenon, known as “alert overload,” is eroding the security posture and cyber resilience of many SOCs. The situation has become so severe that it has given rise to a whole new category of cybersecurity software: SOAR (Security Orchestration, Automation, and Response). A SOAR picks up where the SIEM’s responsibilities end and automates the orchestration and enforcement of low-level alerts. But whether the label is SOAR, XDR, or ADR, the driver is the same: the need for smart automation that streamlines incident response and automates at least the first levels of threat enforcement.
The Threat Intel Dilemma
The threat intel approach is an accepted standard. But in today’s threat environment, traditional threat intel delivered via feeds and TIPs creates a whole new set of challenges that SOCs struggle with. Typically, “good” threat intel means lots of alerts: “See, we are catching tons of stuff!” But that is just threat data, not real intelligence. Turning data into intelligence takes analysts, lots of analysts. And when your defense is built in depth rather than in intelligence, you need even more of them.
Even for mature SOCs with big teams, this cycle eventually leads to alert overload, and alert overload leads to security posture fatigue. For smaller security teams, the challenge is even more critical. These organizations need the same level of security as Fortune 1000 companies, but they don’t have the budget to keep throwing new software and analysts at the problem.
Smarter Security, Not More Security
The key feature missing from traditional threat intel products is, to be blunt, intelligence: intelligence to evaluate and curate alerts, and intelligence to automate enforcement with a high level of confidence. The Augur Predictive Detection & Response platform is the next evolution in threat intel. It solves alert overload with intelligent curation and high-reliability enforcement automation, and it lets you simplify SOC operations rather than adding new layers of complex software and analysts.
Let’s assume that you already know how Augur predicts attacks on average 51 days before threat actors launch them. What you may not know is that those predictions are 97% accurate and, even more importantly, that Augur generates an extremely low 0.01% false-positive rate. That is what makes Augur’s predictions reliable enough to be used for automated blocking. Augur also correlates its findings with your internal data to identify the threat groups that have targeted you or are predicted to target you, and blocks all threat infrastructure associated with those groups, not just the IPs that have already attacked you.
So unlike traditional threat feeds and TIPs, which simply connect to your SIEM and push you alerts and enrichment data, Augur also integrates with the systems in your security perimeter. Augur integrates with firewalls, EDRs, email systems, WAFs, proxy servers, and almost any enforcement point with an API to automate the blocking of predicted threats, eliminating the need for separate TIPs and SOARs.
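The paragraphs above describe the pipeline in general terms: curated, high-confidence indicators are pushed to firewalls and other enforcement points without an analyst in the loop. The gate in front of that push is where automation either earns trust or burns it, so the following added example (not Augur’s or SecLytics’ code) models such a gate in Python: indicators above a confidence threshold are blocked automatically, mid-confidence indicators are queued for review, stale indicators age out, and anything overlapping the organization’s own address space is refused no matter how confident the source. The thresholds, TTL, actor labels and RFC 5737 documentation ranges are assumptions chosen for illustration, and the iptables rendering stands in for whatever vendor API the real enforcement point exposes.

```python
"""Confidence-gated enforcement automation (added example, not Augur's code).

Models the decision an automation pipeline must make before an indicator
from a threat-intel source is pushed to a firewall. Thresholds, TTL, actor
labels and address ranges are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

AUTO_BLOCK_THRESHOLD = 0.97     # assumed: at or above this, block with no analyst review
REVIEW_THRESHOLD = 0.80         # assumed: below this, drop silently instead of alerting
BLOCK_TTL = timedelta(days=30)  # assumed: indicators older than this are not enforced


@dataclass(frozen=True)
class Indicator:
    cidr: str            # address or range attributed to a threat actor
    confidence: float    # 0.0 .. 1.0, as reported by the intel source
    actor: str           # threat-group label from the intel source
    last_seen: datetime  # when the infrastructure was last observed


def parse_allowlist(entries):
    """Networks that must never be auto-blocked: own ranges, partners, resolvers."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def overlaps(net, allowlist):
    return any(net.overlaps(a) for a in allowlist)


def triage(indicators, allowlist, now):
    """Split indicators into auto-block, analyst-review and rejected buckets."""
    block, review, rejected = [], [], []
    for ind in indicators:
        try:
            net = ipaddress.ip_network(ind.cidr, strict=False)
        except ValueError:
            rejected.append((ind, "unparseable cidr"))
            continue
        if now - ind.last_seen > BLOCK_TTL:
            rejected.append((ind, "stale"))
            continue
        if overlaps(net, allowlist):
            # Blocking your own infrastructure is the costly failure mode of
            # automation, so an allowlist hit always goes to a human.
            review.append((ind, "overlaps allowlist"))
            continue
        if ind.confidence >= AUTO_BLOCK_THRESHOLD:
            block.append(ind)
        elif ind.confidence >= REVIEW_THRESHOLD:
            review.append((ind, "below auto-block threshold"))
        else:
            rejected.append((ind, "low confidence"))
    return {"block": block, "review": review, "rejected": rejected}


def firewall_rules(block):
    """Render auto-blocks as iptables commands; a real deployment would call the vendor API."""
    rules = []
    for ind in block:
        net = ipaddress.ip_network(ind.cidr, strict=False)
        rules.append(
            f"iptables -I INPUT -s {net.with_prefixlen} -j DROP "
            f"-m comment --comment {ind.actor}"
        )
    return rules


# Constructed sample: RFC 5737 documentation ranges, hypothetical actor labels.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
OWN_RANGES = parse_allowlist(["192.0.2.0/24"])  # assumed: our own public range
SAMPLE = [
    Indicator("203.0.113.0/24", 0.99, "ACTOR-A", NOW - timedelta(days=2)),   # auto-block
    Indicator("198.51.100.7", 0.90, "ACTOR-B", NOW - timedelta(days=5)),     # review
    Indicator("192.0.2.0/24", 0.99, "ACTOR-A", NOW - timedelta(days=1)),     # our own range
    Indicator("203.0.113.200", 0.99, "ACTOR-C", NOW - timedelta(days=60)),   # stale
    Indicator("not-an-ip", 0.99, "ACTOR-C", NOW),                            # bad feed data
    Indicator("198.51.100.0/24", 0.50, "ACTOR-B", NOW),                      # low confidence
]


def run_sample():
    return triage(SAMPLE, OWN_RANGES, NOW)


if __name__ == "__main__":
    result = run_sample()
    for rule in firewall_rules(result["block"]):
        print(rule)
    for ind, why in result["review"]:
        print("REVIEW", ind.cidr, why)
    for ind, why in result["rejected"]:
        print("REJECT", ind.cidr, why)
```

Note that the allowlist check runs before the confidence check: a source with a 0.01% false-positive rate still produces wrong indicators, and the one block you cannot afford to automate is the one that cuts off your own services. Expiring blocks after a TTL also keeps the rule set from growing without bound as actor infrastructure churns.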
Augur and Zero-day Protection
By definition, traditional threat intelligence lives in the past. Threat intel works by collecting, cross-referencing, and correlating information from multiple sources to identify cyberattack vectors. The sources are diverse: the dark web, open-source intelligence (OSINT), discussion forums, media, social networks, threat feeds, and analysis by security companies. But they have one thing in common: they only look at what has already happened. That means every attack has at least one “patient zero,” a case where a novel attack occurred and likely succeeded. That first sighting is what produces the blocklisted IP or the attack signature everyone else then relies on.
Augur is revolutionary in that it doesn’t rely solely on past attacks and breaches. Instead, Augur uses machine-learning-based behavioral modeling to profile cybercriminal behavior and predict attacks. Augur builds attack group profiles and tracks the build-up of attack infrastructure by those groups. Augur also leverages your network data to generate personalized, curated alerts. Then the platform blocks threat infrastructure preemptively to keep you safe. Augur can’t always say exactly when, but it can predict who will attack and from where with very high accuracy.
With Augur enforcement automation, you radically lower your risk of being “patient zero.” Case in point: Augur predicted important elements of the SolarWinds hack and was able to protect clients by blocking beaconing routes.
Eliminating Alert Overload in 2021
According to a 2019 article on the popular Security Boulevard blog, security leaders ranked alert overload as one of their top three SOC challenges, alongside lack of automation and lack of integration. That’s three for three of the top benefits Augur can bring to your SOC. The article also cited a study carried out by Fidelis Cybersecurity in which 67% of CISOs, CIOs, and CTOs agreed that alert overload was one of the top issues facing their SOC teams.
Leveraging Augur’s predictive model of threat intelligence takes away one of the cybercriminals’ biggest advantages: surprise. Adding integration and automation takes away another: wearing down SOC defenses with constant high-volume attacks. By eliminating alert overload and letting your SOC team prepare for coming attacks, you lower overall risk. And when your predictive system also has enforcement automation that integrates with your other security systems, you improve your security posture while streamlining threat hunting and response. That is the Augur advantage.
Take the Augur Challenge
Augur, the industry’s only Predictive Threat Intelligence Platform (PTIP), raises the bar by predicting attacks and adjusting your security posture to block threats before they get to your network. But you don’t have to take our word for it. Take the Augur Challenge:
Step 1: We’ll integrate Augur into your SIEM
Step 2: Within 72 hours, we will send you:
- A list of compromised hosts in your network
- A list of threat actors targeting your organization
- A checklist of IP ranges associated with these threat actors for you to block
Step 3: After 30 days, we’ll send you a full breakdown of how our predictions stacked up
Seeing is believing. Once you have taken the challenge, we’re convinced you’ll want to put the power of Augur’s predictive threat intelligence to work full time.