Techitup Middle East

Interview: SOC Insights, Empowering Security Analysts


In February 2024, Infoblox announced the launch of SOC Insights, an AI-driven security operations capability that the company describes as an industry first and that extends its DNS Detection and Response solution, BloxOne® Threat Defense. SOC Insights is intended to let security analysts jump-start the investigations that matter most and to shorten response time by turning large volumes of security events, network, ecosystem, and DNS intelligence data into a manageable set of immediate, actionable insights at AI speed.

Mohammed Al-Moneer, Senior Regional Director, META at Infoblox shares his views on the launch.

Can you please explain how SOC Insights works and how it empowers security analysts?

SOC Insights applies AI-driven analytics to massive alert, network, device, user and DNS threat intelligence data to quickly correlate events, prioritize them based on more than just a ‘malware risk ranking’, and provide recommendations and tools to quickly resolve the threats that truly matter most. This helps reduce alert fatigue and analyst burnout and improves SecOps efficiency, enabling teams to do more with the resources they have. This extends to the rest of the security ecosystem, as these AI-driven insights can be used to trigger automated responses or shared with other tools in the security stack to make them more effective as well.

For example, when an analyst starts work in the morning, they don’t need to dig through hundreds of thousands of alerts to find the one that needs the most attention. The SOC Insights UI has already analyzed these events, correlated them with network and other data, and grouped them into a much more manageable set of ‘insights’. These can be reviewed in a fraction of the time. (For example, one customer received over half a million events, which SOC Insights distilled down to only two dozen.)

Once the analysts have identified the insight they want to work on next, they click on ‘Investigate Insight’ and are immediately taken to a portal where they can pivot around network, event, threat intelligence, and other data in whatever order they wish. This makes it much faster and easier to understand the full context around the insight, weigh its true risk, and better understand the work required to address it. A simple example is an attack involving high-impact malware that is only seen on the guest network. Another is when two types of phishing attacks are identified, and immediate, on-demand access to rich context data can help identify which of these could impact a larger number of users.

How is Infoblox utilizing AI, humans and data dynamics to work together for actionable insights?

Infoblox uses a combination of AI, human expertise, and data dynamics to identify and deliver actionable insights. The AI-driven analytics are trained by DNS experts (humans) who are skilled in cybersecurity and the nuances of DNS. As a result, the AI tools provided to our customers automatically collect network, ecosystem, event, and DNS threat intelligence while filtering out irrelevant information and recognizing patterns that highlight what is most important. This process is done quickly and automatically within BloxOne Threat Defense, giving the SOC back the hours it could take a human analyst to collect, filter, parse, sort, and otherwise manipulate the data in other tools.

Finally, by intelligently collecting only relevant data into threat research and insight investigation portals, our customers’ analysts can start their investigation immediately. They can leverage available information on demand, without digging through individual alerts or waiting on NetOps for user and device information to provide context around threat activity. This way, Infoblox ensures that the insights delivered are both useful and actionable.

Can you share the importance of the SOC Insights feature?

Alert fatigue, analyst burnout, the skills shortage, and similar issues for the SOC all come from the challenge of having too many security events every day, and too much data to dig through to make sense of it all. SOC Insights is important because it helps security teams by automating much of the important yet time-consuming gathering and filtering of data. It then applies AI-driven analytics to this vast amount of data to distill and correlate hundreds of thousands of events into a more manageable set of ‘insights’, each connected to relevant asset, event, threat and other data. This helps the analysts quickly understand threats and make informed, effective decisions… fast.

How does SOC Insights work with your security ecosystem today, and are there any long term plans?

In a world where most vendor ecosystems involve little more than sharing alert data with SIEMs or triggering a ticketing system (like ServiceNow), BloxOne Threat Defense breaks this mold in several ways:

  • Proactively: Infoblox can collect, filter, normalize, and distribute threat intelligence across the security stack (NGFW, SWG, EDR, etc.) to uplift those tools’ own detection and protection capabilities. It can also easily integrate with an existing Threat Intelligence Platform (TIP) if one is in place.
  • Visibility: Infoblox can share event, network, DNS threat intelligence, and other data with tools that need more context around alerts, such as a SIEM or SOAR.
  • Automation: Infoblox can automatically trigger actions by other tools, such as having a vulnerability scanner check a device connected to an alert to see whether the alert can be ignored (if the necessary patches are in place) or whether more action is needed.

When will the SOC Insights feature be available in the Middle East or global markets?

SOC Insights was launched globally on February 14 this year and is currently available across all regions. Existing customers of BloxOne Threat Defense ‘Business Cloud’ and ‘Advanced’ will receive the new ‘Configuration’ insights as part of their base product license. The SOC Insights ‘Security’ add-on package will be available to those same ‘Business Cloud’ and ‘Advanced’ customers as an optional, separate purchase. SOC Insights is licensed by number of users (by default, the number of employees) in a tiered pricing structure.
