We are excited to announce the next generation of our XDR detection engine.
With the tightening of security budgets as cyber-attacks continue to soar, everyone is feeling the pressure to get the most out of security investments and make their operations more efficient. We have been listening to our partners' desire to scale their business and protect more customers with the same number of resources.
This has led us to investigate how we can use automation and Artificial Intelligence to reduce detection volumes while maintaining security value.
Our most requested feature was Accepted Behavior where partners can configure suppression rules to silence Broad Context Detections (BCDs) which they know to be false positives.
However, we have taken this initiative one step further to introduce an automatic, dynamic risk score that uses closure codes to improve the accuracy of the risk score of the BCDs we present in the Elements Security Centre.
After 6 months of research, development and testing between our W/Intelligence and our own internal threat hunting teams, we are delighted to release the next generation of our detection engine. Unlike Accepted Behavior, which requires additional configuration by the partner, the new score relies on the end user's investigation results. Therefore, the benefits are gained automatically from day-to-day operations, which makes this a more efficient method of tackling the age-old problem of false positives.
The new model learns from your environment by using closure codes to determine how well our detection logic is performing. This allows us to identify areas for enhancement by highlighting detection logic that should be optimized. We use the new implementation to guide our detection engineering team to refine and improve the 'noise makers' and strive towards a signal-to-noise ratio our users appreciate rather than merely tolerate.
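As an added illustration of the closure-code feedback loop described above, and not WithSecure's actual scoring model (whose internals are not published on this page): a constructed Python example that derives a per-detection-logic confirmed ratio from closure codes, scales a static risk score with it, and lists the 'noise makers' a detection engineering team would review. The detection identifiers, sample closures, thresholds and the 50% floor are all assumptions.

```python
from collections import defaultdict

# Constructed sample closure records: (detection_logic_id, closure_code).
# The two closure codes mirror the outcomes an analyst picks when closing a BCD.
CLOSURES = [
    ("suspicious_powershell", "confirmed"),
    ("suspicious_powershell", "false_positive"),
    ("suspicious_powershell", "confirmed"),
    ("lolbin_execution", "false_positive"),
    ("lolbin_execution", "false_positive"),
    ("lolbin_execution", "false_positive"),
    ("lolbin_execution", "confirmed"),
    ("new_admin_account", "confirmed"),
    ("new_admin_account", "confirmed"),
    ("rare_scheduled_task", "false_positive"),  # a single closure is too little evidence
]

MIN_CLOSURES = 3  # assumed: below this, keep the static score unchanged

def confirmed_ratio(closures, min_closures=MIN_CLOSURES):
    """Per detection logic, the fraction of closures marked 'confirmed'.
    Returns None for a logic with fewer than min_closures outcomes."""
    counts = defaultdict(lambda: {"confirmed": 0, "total": 0})
    for logic_id, code in closures:
        counts[logic_id]["total"] += 1
        if code == "confirmed":
            counts[logic_id]["confirmed"] += 1
    return {
        lid: (c["confirmed"] / c["total"] if c["total"] >= min_closures else None)
        for lid, c in counts.items()
    }

def dynamic_score(static_score, ratio):
    """Scale a static risk score by the observed confirmed ratio.
    With insufficient evidence (ratio is None) the static score is kept."""
    if ratio is None:
        return static_score
    # Assumed floor of 50% so a noisy logic is down-ranked, never hidden entirely.
    return round(static_score * max(0.5, ratio), 1)

def noise_makers(ratios, threshold=0.5):
    """Detection logic whose confirmed ratio is known and below the threshold:
    the candidates for the detection engineering team to refine."""
    return sorted(lid for lid, r in ratios.items() if r is not None and r < threshold)

if __name__ == "__main__":
    ratios = confirmed_ratio(CLOSURES)
    for lid, r in sorted(ratios.items()):
        print(f"{lid:22s} ratio={r!s:20s} score={dynamic_score(80, r)}")
    print("noise makers:", noise_makers(ratios))
```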
Most importantly, we wanted to cut down on the number of false positives, without reducing the detection efficiency of our engine.
We have achieved a significant reduction in reported BCDs, in some cases as much as half. Therefore, you can look forward to proactive improvements for your detection and response teams, who should now be able to focus on the right detections.
With the reduction in BCDs, organizations which have been focusing on High and Severe alerts may also want to consider monitoring Medium level alerts.
These improvements are part of our XDR strategy to make your work more efficient with automation, Artificial Intelligence, and user interfaces that are easy to interpret and understand.
As a customer, what do I need to do to utilize the benefits of the improved engine?
In short, you don't need to do anything to enable the new risk score. Just continue closing incidents as either "confirmed" or "false positive/accepted behavior" as normal and we will automatically do the rest.
This has been a massive effort on our part and we look forward to sharing this success with you.
Please note that Confidence and Criticality are no longer used in the calculation of the risk score, and therefore will be removed from the user guides, portal and email notifications over the upcoming weeks. For more information regarding the risk score, please see the latest information at:
https://www.withsecure.com/userguides/product.html?business/edr/latest/en/concept_3FEF66C8BBE2409CB2030767FD719BF3-latest-en