You’ll become a lot more efficient at triaging alerts, meaning SOC.OS will save you time. SOC.OS takes care of the mundane, repetitive level/tier 1 alert triage process, which means you’ll have more time to spend on higher value tasks such as making critical remediation decisions based on specific threats and business context, rather than swivel chairing across multiple screens to try and find the most important alert to triage in the first place.
SOC.OS enriches alerts with business context and external threat intelligence, activities which are usually conducted by analysts manually and typically involve swivel chairing. After enriching alerts with this extra context, SOC.OS correlates and groups related alerts into clusters and automatically scores/prioritises these.
So when the analyst logs in to start investigating, instead of trying to dig through a bunch of raw (un-enriched) alerts across multiple tools/screens, their starting point with SOC.OS is an already prioritised list of alert clusters.
The result? Huge efficiency savings.
One of our customers who sees approximately 1,000 threat logs per day across 5 tools has reduced their triage time down from 2 hours per day before implementing SOC.OS to about 30 minutes per day using SOC.OS.
That’s a 1.5-hour time saving per day, or 7.5 hours per week. We love the fact that SOC.OS gives back an entire day per week.
Your remediation will become a lot more effective due to enhanced, time-based visibility. No more addressing alerts in isolation and playing alert whack-a-mole.
SOC.OS presents you with a coherent, grouped, time-based view of your alerts.
Grouping alerts together is analogous to completing a jigsaw puzzle. If you only have 2 or 3 pieces of a large puzzle, how do you know what the full picture is telling you? SOC.OS pulls all the pieces of the puzzle together and presents this to you in an intuitive fashion.
This full picture means you have greater visibility of what is actually taking place, which in turn means your remediation steps become a lot more effective.
Consolidating all your alerts across all your tools into one place greatly enhances visibility and reporting capability. SOC.OS highlights things such as your most frequent MITRE ATT&CK® techniques/tactics, alerts, hostnames, IP addresses and your most critical alerts taking place across your business for a given time period.
SOC.OS does a great job at normalising and standardising all your security data, which is a big benefit in its own right.
Every alert generated from a specific vendor tool will come with its own threat message and scoring within the metadata. It’s challenging to compare alerts and know how best to respond when 5 of them are scored in the following ways: “1”, “high severity”, “5”, “very critical”, “8”. Not only will SOC.OS take all of the vendor-specific scoring and normalise it, giving each alert a value somewhere between 0.1 and 10, it also reads every threat message and interprets/maps this message to the MITRE ATT&CK framework.
For example, the threat message ThinkPHP.HTTP.VARS.S.Remote.Code.Injection, contained within an alert’s metadata, is translated by SOC.OS to Exploitation for Client Execution. This is a powerful translation tool as it facilitates effective communication between SOC analysts and business leaders.
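To make the normalisation, ATT&CK mapping and cluster scoring described above concrete, here is an added example that is not SOC.OS code and does not reflect its real scoring or mapping logic. The per-source scales, label table, keyword table and sample alerts are all constructed for illustration; only the ThinkPHP message and its stated mapping come from the page.

```python
from datetime import datetime, timedelta

# Constructed per-source numeric scales (min, max); real ones come from vendor docs.
NUMERIC_SCALES = {"fw": (1, 5), "edr": (1, 10)}
# Constructed label table, placed directly on the common 0.1-10 scale.
LABELS = {"low": 2.5, "medium": 5.0, "high severity": 7.5, "very critical": 10.0}
# Illustrative keyword-to-ATT&CK table (ThinkPHP entry follows the page); not SOC.OS's logic.
ATTACK_MAP = {"remote.code.injection": "T1203 Exploitation for Client Execution",
              "brute.force": "T1110 Brute Force"}

def normalise_severity(source, raw):
    """Map a vendor severity (label, or number on the source's scale) to 0.1-10."""
    text = raw.strip().lower()
    if text in LABELS:
        return LABELS[text]
    lo, hi = NUMERIC_SCALES[source]
    value = float(text)
    if not lo <= value <= hi:
        raise ValueError(f"{raw!r} is outside the {source} scale {lo}-{hi}")
    return round(0.1 + (value - lo) / (hi - lo) * 9.9, 1)

def map_to_attack(message):
    """Return the ATT&CK technique for the first known keyword in a threat message."""
    lowered = message.lower()
    return next((t for k, t in ATTACK_MAP.items() if k in lowered), "Unmapped")

def cluster_and_score(alerts, window=timedelta(minutes=30)):
    """Group alert dicts by host within `window` of the cluster's first alert; score
    = highest normalised severity + 0.5 per extra alert (capped at 10), best first."""
    clusters = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        for c in clusters:
            if c["host"] == a["host"] and a["ts"] - c["start"] <= window:
                c["alerts"].append(a)
                break
        else:
            clusters.append({"host": a["host"], "start": a["ts"], "alerts": [a]})
    for c in clusters:
        sev = [normalise_severity(x["source"], x["severity"]) for x in c["alerts"]]
        c["techniques"] = sorted({map_to_attack(x["message"]) for x in c["alerts"]})
        c["score"] = round(min(10.0, max(sev) + 0.5 * (len(sev) - 1)), 1)
    return sorted(clusters, key=lambda c: c["score"], reverse=True)

# Constructed sample alerts from two hypothetical tools ("fw" and "edr").
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    {"source": "fw", "host": "web01", "severity": "1", "message": "Port.Scan", "ts": T0},
    {"source": "fw", "host": "web01", "severity": "very critical", "ts": T0 + timedelta(minutes=5), "message": "ThinkPHP.HTTP.VARS.S.Remote.Code.Injection"},
    {"source": "edr", "host": "db02", "severity": "8", "message": "SSH.Brute.Force", "ts": T0 + timedelta(hours=2)},
]
```

Running `cluster_and_score(SAMPLE_ALERTS)` puts the two-alert web01 cluster first, which is the prioritised starting point the text describes.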
SOC.OS has a very simple and visual UI, meaning you won’t need loads of training and support, nor will you have to learn another (complex) query language in order to use and get value from the tool day to day.
Combine this with the fact that SOC.OS is natively aligned to MITRE ATT&CK and the result is a powerful upskilling platform for junior analysts.