In the realm of security operations, enterprises often face challenges such as a high volume of alerts, an inability to pinpoint real threats, insufficient security knowledge, and a lack of operational staff. While the operational platforms of major security firms are similar in functionality, some companies diligently analyze customer pain points and requirements, continually enhancing performance and introducing new technologies to help customers overcome these challenges and improve their experience. NSFOCUS is one of them. In this article we will focus on one of the featured functions of NSFOCUS ISOP: AISecOps.
What is AISecOps?
AISecOps, an acronym for AI+Security+Operations, centers around core technologies like baseline learning and recommendation algorithms. It combines human-machine interaction and filtering mechanisms to classify an extensive array of threat events. This process culminates in the ability to recommend high-risk events, facilitating swift responses to alerts that have the most substantial impact on businesses and assets.
Check out the AISecOps Whitepaper to delve deeper into this topic.
NSFOCUS AISecOps Functional Architecture
AISecOps, a submodule of the NSFOCUS ISOP solution, provides comprehensive noise reduction capabilities. It has three primary functions: intelligent alert noise reduction, AI model management, and scenario management.
- Intelligent Alert Noise Reduction: Enabling AI noise reduction within the ISOP solution displays the alert data that remains after noise reduction, together with AI judgment recommendations and AI profile information, aiding analysts in making informed decisions.
- AI Model Management: This component oversees all AI models and supports the complete model lifecycle, including model addition, training, and deployment.
- Business Scenario Management: AISecOps tailors detection models and filter combinations for various business scenarios. Users can easily switch between scenarios to adapt to the current situation.
NSFOCUS AISecOps Features
AISecOps boasts three pivotal features: model controllability and selection, model interpretability, and threat localization.
- Model Controllability and Selection: AISecOps provides control over multiple AI models throughout their lifecycle, including model addition, training, and deployment. It also supports scenario-based model combinations and the creation of custom scenarios.
- Model Interpretability: AISecOps can show the logic behind how each model is built, highlighting each model's characteristics and intended use, making it easier for users to understand.
- Threat Localization: AISecOps not only focuses on model interpretability but also emphasizes the interpretability of identified threats, streamlining the analysis and investigation process.
NSFOCUS AISecOps Use Cases
AISecOps can be used by organizations in any industry that need alert noise reduction, either as an expansion of the ISOP solution or as a component function module of your security operations process.
Case 1: Project Expansion
Customer: a telecommunications operator
The customer had already deployed the NSFOCUS ISOP solution and wanted to enhance their network security operations by adding the AISecOps module, in order to enable intelligent noise reduction for the large volumes of alerts generated in cyberspace attack and defense, complex attack fusion reasoning, intelligent behavior recognition, and human-machine collaborative analysis.
After deploying AISecOps, the customer realized substantial savings in operational analysis personnel, equating to 10 person-years annually, a 2.5x improvement in the accuracy of network security threat event detection, and a 15x improvement in the average detection response time for network attacks. This transformation signified a shift from expert-driven threat governance to data-driven intelligence.
Case 2: AISecOps Integrating with 3rd-party SIEM Platforms
Customer: a telecommunications operator
The telecom operator was using a third-party SIEM platform that could not handle alert events. They wanted to rely on AISecOps for alert noise filtering, making alerts more readable, actionable, and conducive to investigation. The data shown in the following figure is a small portion of the alerts for this customer on a specific day.
Out of 19,228 alert entries, AISecOps' scenario-based noise reduction recommended 1,770 threat data entries. After merging entries with the same IP, triage model, and triage label, 164 critical event entries were generated for further investigation and confirmation.
AISecOps provides a detailed breakdown of key alert fields, including IP, timestamp, payload, automated analysis and investigation results, and investigation evidence, and offers detailed metrics for comparison with historical baselines.
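The two steps described above for Case 2, merging recommended alerts that share an IP, triage model and triage label into critical events and comparing each event's volume with a historical baseline, can be illustrated with a small script. This is an added example, not NSFOCUS code; the alert fields beyond IP, timestamp, model and label, the `recommended` flag standing in for the output of the recommendation model, and the baseline values are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample alerts (not customer data). The "recommended" flag is an
# assumption: it stands in for the verdict of the recommendation model.
ALERTS = [
    {"id": 1, "ip": "10.0.0.5", "ts": "08:00", "model": "webshell", "label": "upload", "recommended": True},
    {"id": 2, "ip": "10.0.0.5", "ts": "08:05", "model": "webshell", "label": "upload", "recommended": True},
    {"id": 3, "ip": "10.0.0.5", "ts": "08:07", "model": "webshell", "label": "upload", "recommended": False},
    {"id": 4, "ip": "10.0.0.9", "ts": "09:00", "model": "bruteforce", "label": "ssh", "recommended": True},
    {"id": 5, "ip": "10.0.0.9", "ts": "09:02", "model": "bruteforce", "label": "ssh", "recommended": True},
    {"id": 6, "ip": "10.0.0.9", "ts": "09:30", "model": "scan", "label": "portscan", "recommended": True},
    {"id": 7, "ip": "10.0.0.7", "ts": "10:00", "model": "scan", "label": "portscan", "recommended": False},
]

# Constructed historical baseline: mean alerts per day for each
# (triage model, triage label) pair. Used only to rank events for review.
BASELINE = {("webshell", "upload"): 0.5, ("bruteforce", "ssh"): 40.0, ("scan", "portscan"): 3.0}


def merge_events(alerts, baseline):
    """Merge recommended alerts sharing (IP, triage model, triage label) into
    one critical event, and report each event's volume relative to baseline."""
    groups = defaultdict(list)
    for a in alerts:
        if a["recommended"]:
            groups[(a["ip"], a["model"], a["label"])].append(a)
    events = []
    for (ip, model, label), rows in groups.items():
        expected = baseline.get((model, label))
        events.append({
            "ip": ip, "model": model, "label": label,
            "count": len(rows),
            "first_seen": min(r["ts"] for r in rows),
            "last_seen": max(r["ts"] for r in rows),
            "alert_ids": sorted(r["id"] for r in rows),
            # ratio of today's volume to the historical mean; None when the
            # pair has no baseline yet (a brand-new model/label combination)
            "vs_baseline": (len(rows) / expected) if expected else None,
        })
    # largest deviation from baseline first, so it reaches the analyst first
    events.sort(key=lambda e: (e["vs_baseline"] or 0), reverse=True)
    return events


def reduction_summary(alerts, events):
    """Counts for the three stages named in the case study: raw alerts,
    recommended alerts, and merged critical events."""
    return {"raw": len(alerts),
            "recommended": sum(1 for a in alerts if a["recommended"]),
            "events": len(events)}
```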
To obtain further details, kindly reach out to us or inquire about a demonstration.