TEHTRIS XDR Usage: discover the strengths of Cyberia eGuardian, our SOC analysts' e-assistant

The TEHTRIS AI R&D team has developed from scratch an Artificial Intelligence-based module called Cyberia eGuardian. Its aim is to help SOC analysts, directly from the XDR Platform, keep control of IT security and save time. Cyberia eGuardian provides 360° watch coverage, 24 hours a day, 7 days a week, of endpoint security events, and performs a full pretreatment on them, prioritizing, grouping and highlighting security incidents for SOC analysts.

Cyberia eGuardian offers an advanced Deep Learning analysis of TEHTRIS EDR Optimus alerts and events, which is intended to be extended to all XDR products in future releases. This analysis consists, on the one hand, of qualifying each alert and event as “High Priority” or “Low Priority” and as “Anomaly” or not, and, on the other hand, of grouping alerts and events by action (the same action observed over time across the IT infrastructure) and by execution (a single process on one machine).

Alert prioritisation and AI continuous learning

Cyberia eGuardian's Artificial Intelligence model is trained to distinguish high-priority alerts from the mass of low-priority alerts and events.

The High or Low priority attribution is based on an AI-inferred Priority Score that ranges from 0%, for the lowest probability of the alert being dangerous, to 100%, for the highest probability of it being dangerous.

MSSP strategy with Cyberia eGuardian

Cyberia eGuardian's pretreatment and prioritization allow analysts to optimize their time by automatically identifying the urgent and important security events to focus on first. TEHTRIS proposes a customizable MSSP strategy that combines MITRE-based severity qualification with the AI-based priority score, as in the figure below.

Figure: MSSP Analysis with Cyberia eGuardian

Figure: Priority and Severity complementarity

This strategy makes it possible to pinpoint top-priority security events, sparing analysts most of the time-consuming, uninteresting and low-value routine triage tasks. Cyberia eGuardian automatically sorts alerts by priority, reducing the number to be analyzed by the SOC analyst to 0.1%, which is a significant time-saver for the operational security team.

AI personalization and man-in-the-loop continuous learning

The Artificial Intelligence base model adapts to the customer's specifics and preferences automatically a few days after deployment, thanks to in-place neural network continuous learning. This allows the Cyberia eGuardian AI model to evolve and learn as the customer's environment changes over time.

Cyberia eGuardian is based on a supervised Deep Neural Network model, which means that it needs labeled data to learn. Alerts are automatically labeled as “High Priority” or “Low Priority” using direct and indirect SOC analysts' feedback, in a man-in-the-loop continuous learning approach. This kind of approach keeps security experts in control of this AI security tool.

Grouping and Anomaly Detection

It is well known that a large volume of alerts and events is generated by actions that occur with a certain regularity.

Quickly identifying new or rare alerts can become a challenge. In order to address this issue, Cyberia eGuardian enriches and contextualizes every alert and event with Recurrence Insights.

The Recurrence, i.e. the number of alerts generated by the same action, is given together with the first-seen and last-seen dates, statistics on the action's hourly frequency and distribution over the last 24 hours, and the list of endpoints where the action has been seen.

Cyberia eGuardian also offers the automatic grouping of multiple alerts based on predefined conditions about their associated process. All grouped alerts are generated by the same execution, so Cyberia eGuardian gives a whole view of all the information on that process gathered over time by multiple EDR modules.
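The two groupings described above (Recurrence Insights per action, and one view per execution) can be reproduced on plain EDR alert records. The following is an added example written for this page, not Cyberia eGuardian's code: the alert fields, the definition of "same action" as the same image and command line, and the constructed sample alerts are all assumptions. It computes, per action, the recurrence count, first and last seen, the endpoint list and an hourly histogram over the last 24 hours, then merges alerts raised by several EDR rules against the same process into one execution view.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    """One EDR alert. Field names are assumptions for this example."""
    ts: datetime
    host: str
    user: str
    process_id: int   # together with host, identifies one execution
    image: str        # executable path
    cmdline: str
    rule: str         # EDR module / detection rule that raised the alert


def action_key(a: Alert) -> tuple:
    """'Same action' across the fleet: same image and command line (assumed definition)."""
    return (a.image, a.cmdline)


def execution_key(a: Alert) -> tuple:
    """'Same execution': one process on one machine."""
    return (a.host, a.process_id)


def recurrence_insights(alerts, now, window=timedelta(hours=24)):
    """Per action: recurrence, first/last seen, endpoints, hourly histogram over the window."""
    groups = defaultdict(list)
    for a in alerts:
        groups[action_key(a)].append(a)
    out = {}
    for key, items in groups.items():
        items.sort(key=lambda a: a.ts)
        recent = [a for a in items if now - a.ts < window]
        hourly = [0] * 24  # bucket 23 = the current hour, bucket 0 = 23-24 hours ago
        for a in recent:
            age_hours = int((now - a.ts).total_seconds() // 3600)
            hourly[23 - age_hours] += 1
        out[key] = {
            "recurrence": len(items),
            "first_seen": items[0].ts,
            "last_seen": items[-1].ts,
            "endpoints": sorted({a.host for a in items}),
            "last_24h_count": len(recent),
            "hourly_histogram": hourly,
            "peak_per_hour": max(hourly),
        }
    return out


def rare_actions(insights, max_recurrence=5):
    """Actions seen at most max_recurrence times: the new or rare alerts to look at first."""
    return [k for k, v in insights.items() if v["recurrence"] <= max_recurrence]


def group_by_execution(alerts):
    """Merge alerts from different rules against the same process into one view."""
    groups = defaultdict(list)
    for a in alerts:
        groups[execution_key(a)].append(a)
    return {k: {"image": v[0].image, "alert_count": len(v),
                "rules": sorted({a.rule for a in v})} for k, v in groups.items()}


# Constructed sample data (not real telemetry).
NOW = datetime(2024, 5, 1, 12, 0)
SAMPLE = []
# A routine action: a backup tool seen hourly on two hosts for the past three days.
for i in range(72):
    SAMPLE.append(Alert(NOW - timedelta(hours=i), "ws-%02d" % (i % 2), "svc_backup",
                        1000 + i, r"C:\Tools\backup.exe", "backup.exe --full",
                        "edr.process_create"))
# A rare action: one process on one host that triggered three different EDR rules.
for minutes, rule in ((5, "edr.process_create"), (4, "edr.network_connect"),
                      (3, "edr.registry_write")):
    SAMPLE.append(Alert(NOW - timedelta(minutes=minutes), "ws-07", "alice", 4242,
                        r"C:\Temp\unknown_tool.exe", "unknown_tool.exe -s", rule))


def build_insights():
    return recurrence_insights(SAMPLE, NOW)


def build_executions():
    return group_by_execution(SAMPLE)


if __name__ == "__main__":
    for key, v in build_insights().items():
        print(key, v["recurrence"], v["endpoints"], v["hourly_histogram"])
    print(rare_actions(build_insights()))
```

On the constructed data the backup action shows 72 occurrences across two endpoints with a flat histogram, while the unknown tool shows three alerts in the current hour on a single host and is the only action returned by rare_actions; the execution view for that process merges the three rules into one record, which is what the per-process grouping above gives the analyst.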

Anomaly Detection

Cyberia eGuardian offers an anomaly detection analysis. This anomaly detection is based on the predictions of multiple unsupervised AI models, each of which votes for the final anomaly prediction. The aim of this feature is to report unusual alerts based on their content. The anomaly detection models learn every day in order to keep track of changes in the customer's security event baseline.

Thanks to the information gathered from AI predictions, Cyberia eGuardian can provide an at-risk ranking of machines and users. Each security event is enriched with machine and user context based on insights from the Cyberia eGuardian anomaly detection models.
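The voting scheme above (several unsupervised models, each voting on an event, with a daily refit on the customer's baseline and an at-risk ranking derived from the votes) is shown below in an added example that is not Cyberia eGuardian's code. The three detectors are deliberately simple stand-ins for the product's models: per-field value rarity, z-scores on numeric fields, and an unseen image/parent combination. The event schema, thresholds and the constructed baseline are assumptions. Each detector also reports the fields that made it vote, which is how the explanation discussed later on this page (the variables the decision was based on) falls out of the ensemble.

```python
import math
from collections import Counter

# Constructed baseline of ordinary endpoint events (not real telemetry); the
# field names are assumptions for this example, not the product's schema.
IMAGES = ("chrome.exe", "outlook.exe", "explorer.exe", "backup.exe")
PARENTS = {"chrome.exe": "explorer.exe", "outlook.exe": "explorer.exe",
           "explorer.exe": "userinit.exe", "backup.exe": "svchost.exe"}
USERS = ("alice", "bob", "carol")
HOSTS = ("ws-01", "ws-02", "ws-03", "ws-04", "ws-05")
BASELINE = [
    {"image": IMAGES[i % 4], "parent": PARENTS[IMAGES[i % 4]], "user": USERS[i % 3],
     "host": HOSTS[i % 5], "cmdline_len": 20 + (i % 11), "hour": 8 + (i % 10)}
    for i in range(200)
]

CATEGORICAL = ("image", "parent", "user")
NUMERIC = ("cmdline_len", "hour")


def fit(baseline):
    """Learn per-field statistics from recent events; rerun this on each day's data."""
    n = len(baseline)
    model = {"n": n, "cat": {}, "num": {}}
    for f in CATEGORICAL:
        model["cat"][f] = Counter(e[f] for e in baseline)
    model["pair"] = Counter((e["image"], e["parent"]) for e in baseline)
    for f in NUMERIC:
        vals = [e[f] for e in baseline]
        mean = sum(vals) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / n)
        model["num"][f] = (mean, std)
    return model


def detector_rare_value(model, e, min_frac=0.02):
    """Votes 'anomaly' when a categorical value is unseen or rarer than min_frac."""
    reasons = [f for f in CATEGORICAL if model["cat"][f][e[f]] / model["n"] < min_frac]
    return bool(reasons), reasons


def detector_zscore(model, e, z_max=3.0):
    """Votes 'anomaly' when a numeric field is more than z_max deviations from the mean."""
    reasons = []
    for f in NUMERIC:
        mean, std = model["num"][f]
        z = (e[f] - mean) / std if std > 0 else (0.0 if e[f] == mean else math.inf)
        if abs(z) > z_max:
            reasons.append(f)
    return bool(reasons), reasons


def detector_unseen_pair(model, e):
    """Votes 'anomaly' when this image has never been launched by this parent before."""
    seen = model["pair"][(e["image"], e["parent"])] > 0
    return (not seen), ([] if seen else ["image+parent"])


DETECTORS = (detector_rare_value, detector_zscore, detector_unseen_pair)


def predict(model, e, quorum=2):
    """Majority vote over the detectors; the explanation lists the fields that drove the votes."""
    votes, explanation = 0, set()
    for detector in DETECTORS:
        flagged, reasons = detector(model, e)
        if flagged:
            votes += 1
            explanation.update(reasons)
    return {"anomaly": votes >= quorum, "votes": votes, "explanation": sorted(explanation)}


def risk_ranking(model, events, key="host"):
    """At-risk ranking: machines (or users, key='user') ordered by anomalous event count."""
    return Counter(e[key] for e in events if predict(model, e)["anomaly"]).most_common()


# Constructed events to score (assumed values).
NORMAL = {"image": "chrome.exe", "parent": "explorer.exe", "user": "alice",
          "host": "ws-01", "cmdline_len": 28, "hour": 14}
ONE_VOTE = {"image": "chrome.exe", "parent": "explorer.exe", "user": "dave",
            "host": "ws-02", "cmdline_len": 25, "hour": 12}
SUSPICIOUS = {"image": "unknown_tool.exe", "parent": "installer.exe", "user": "alice",
              "host": "ws-07", "cmdline_len": 4000, "hour": 3}

if __name__ == "__main__":
    model = fit(BASELINE)
    for ev in (NORMAL, ONE_VOTE, SUSPICIOUS):
        print(ev["host"], predict(model, ev))
    print(risk_ranking(model, [NORMAL, ONE_VOTE, SUSPICIOUS]))
```

The quorum is the point of the vote: an event with a single unusual field (an unseen user name in ONE_VOTE) collects one vote and is not reported, while SUSPICIOUS trips all three detectors and comes back with the list of fields that caused it, which is the material an analyst needs to confirm or dismiss the prediction. Refitting on the previous day's events each morning is what keeps the baseline current.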

AI Explanation and security insights

Ethics and Trust, as principles at the heart of TEHTRIS, have inspired the R&D teams to develop ethical and transparent AI models. Therefore, Cyberia eGuardian explains its predictions. This explanation highlights the variables of the security event on which the AI algorithm based its choice.

Cyberia eGuardian's prediction explanation is what makes it not only an Artificial Intelligence tool but an Augmented Intelligence defense weapon, giving experts the information they need to make the final decision.

Cyberia, TEHTRIS’ native Artificial Intelligence

Cyberia eGuardian is an XDR option that saves time and increases the efficiency of SOC analyst teams. This augmented and autonomous Artificial Intelligence within the TEHTRIS XDR Platform is a major innovation combining Machine Learning, Deep Learning & Behavior Analysis to continuously respond to cyber-attacks, particularly those undetectable by humans.

Cyberia eGuardian, our genuine e-assistant, is one of 5 projects supported by the French government and BPI France to “automate cybersecurity” as part of the #France2030 investment program.
