
US-12621312-B2 - Incident descriptions for extended detection and response to security anomalies


Abstract

Techniques described herein for extended detection and response to security anomalies in computing networks can perform automated analysis of anomalies occurring in different telemetry sources in a computer network, in order to synthesize the anomalies into analyst work units that are surfaced for further analysis by security response teams. Anomalies can initially be processed in order to identify and collect extended anomaly data. The extended anomaly data can then be used to group the anomalies according to a multi-stage grouping process which produces analyst work units. The analyst work units can be processed to produce analyst summaries that assist with analysis and response. Furthermore, the analyst work units can be prioritized for further analysis, and analyst interactions with the prioritized analyst work units can be used to influence subsequent anomaly grouping operations.

Inventors

  • Martin Kopp
  • Cenek Skarda

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
2026-05-05
Application Date
2023-08-09

Claims (17)

  1. A method comprising: receiving an analyst work unit, the analyst work unit comprising one or more related threat occurrence groups which are related by association with a common group of assets, and each of the one or more related threat occurrence groups comprising multiple detected anomalies detected in a network comprising multiple different computing assets; identifying, within a data store comprising computing threat information, at least one similar threat that has higher similarity to the analyst work unit than one or more other threats identified in the data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search on the data store; and generating an analyst summary of the analyst work unit, wherein generating the analyst summary comprises using a neural network-based generator to process the analyst work unit and the at least one similar threat, and wherein using the neural network-based generator comprises providing, to the neural network-based generator: a natural language command; one or more first events based on the analyst work unit; one or more second events based on the at least one similar threat; and a risk level based on the at least one similar threat.
  2. The method of claim 1, wherein the data store further comprises threat response playbook information, and wherein generating the analyst summary further comprises generating, based on the threat response playbook information, a next action recommendation associated with the analyst work unit.
  3. The method of claim 1, wherein at least generating the analyst summary of the analyst work unit is performed by a server coupled to a local area network, and wherein the local area network further comprises the data store comprising computing threat information.
  4. The method of claim 1, wherein the neural network-based generator is configured to use at least one of natural language processing or a large language model.
  5. The method of claim 1, wherein the analyst summary of the analyst work unit comprises one or more different sections corresponding to the one or more first events.
  6. A device comprising: one or more processors; one or more computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving an analyst work unit, the analyst work unit comprising one or more related threat occurrence groups which are related by association with a common group of assets, and each of the one or more related threat occurrence groups comprising multiple detected anomalies detected in a network comprising multiple different computing assets; identifying, within a data store comprising computing threat information, at least one similar threat that has higher similarity to the analyst work unit than one or more other threats identified in the data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search on the data store; and generating an analyst summary of the analyst work unit, wherein generating the analyst summary comprises using a neural network-based generator to process the analyst work unit and the at least one similar threat, and wherein using the neural network-based generator comprises providing, to the neural network-based generator: a natural language command; one or more first events based on the analyst work unit; one or more second events based on the at least one similar threat; and a risk level based on the at least one similar threat.
  7. The device of claim 6, wherein the data store further comprises threat response playbook information, and wherein generating the analyst summary further comprises generating, based on the threat response playbook information, a next action recommendation associated with the analyst work unit.
  8. The device of claim 6, wherein at least generating the analyst summary of the analyst work unit is performed by a server coupled to a local area network, and wherein the local area network further comprises the data store comprising computing threat information.
  9. The device of claim 6, wherein the neural network-based generator is configured to use at least one of natural language processing or a large language model.
  10. The device of claim 6, wherein the analyst summary of the analyst work unit comprises one or more different sections corresponding to the one or more first events.
  11. A method comprising: receiving anomaly data associated with a security threat in a network, the anomaly data comprising one or more related threat occurrence groups which are related by association with a common group of assets, and each of the one or more related threat occurrence groups comprising multiple detected anomalies detected in a network comprising multiple different computing assets; identifying, within a threat intelligence data store, at least one similar threat that has higher similarity to the security threat than one or more other threats identified in the threat intelligence data store, wherein identifying the at least one similar threat comprises performing a nearest neighbor search for the security threat in the threat intelligence data store; and generating an analyst summary of the security threat, wherein generating the analyst summary comprises using a large language model-based generator to process the security threat and the at least one similar threat, and wherein using the large language model-based generator comprises providing, to the large language model-based generator: a natural language command; first data based on the security threat; second data based on the at least one similar threat; and a risk level based on the at least one similar threat.
  12. The method of claim 11, wherein the analyst summary comprises one or more different sections corresponding to the second data.
  13. The method of claim 11, wherein generating the analyst summary further comprises generating a next action recommendation associated with the security threat.
  14. The method of claim 11, wherein the analyst summary comprises a risk level associated with the security threat.
  15. The method of claim 14, wherein the risk level associated with the security threat is based at least in part on the risk level associated with the at least one similar threat.
  16. The method of claim 1, wherein the multiple detected anomalies comprise anomalies detected from at least two different telemetry sources.
  17. The method of claim 1, wherein the multiple detected anomalies comprise anomalies detected by multiple anomaly detection systems.
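
As an added worked example (not code from the patent, from Cisco, or from any product), the following Python sketches the pipeline that claims 1, 11, 14 and 15 describe end to end: anomalies from several telemetry sources are grouped into threat occurrence groups and then into analyst work units keyed by a common group of assets, a nearest neighbor search over a small threat data store picks the most similar known threat, and the four generator inputs named in claim 1 (natural language command, first events, second events, risk level) are assembled into the prompt an LLM-based generator would receive. The feature encoding (Jaccard similarity over technique tags), the two-stage grouping rule, the asset inventory, the contents of the threat store, the sample anomalies and the rule for deriving the risk level from the similar threat are all assumptions for illustration, not the patent's method.

```python
# Added worked example (not the patent's or Cisco's code). Grouping rule,
# Jaccard feature encoding, asset inventory, threat store, sample anomalies
# and the risk-derivation rule are assumptions for illustration only.
from collections import defaultdict
from dataclasses import dataclass

RISK_LEVELS = ["low", "medium", "high", "critical"]

@dataclass(frozen=True)
class Anomaly:
    source: str     # telemetry source / detection system that raised it
    asset: str      # host or account the anomaly was observed on
    technique: str  # behaviour tag (ATT&CK-style IDs used as constructed labels)
    detail: str

@dataclass(frozen=True)
class KnownThreat:
    name: str
    techniques: frozenset
    events: tuple   # representative events from past occurrences
    risk: str       # one of RISK_LEVELS

# Constructed threat intelligence data store (sample data, not real intel).
THREAT_STORE = [
    KnownThreat("credential-theft-then-lateral-movement",
                frozenset({"T1003", "T1021", "T1078"}),
                ("LSASS memory read", "SMB admin share logon", "valid account reuse"),
                "high"),
    KnownThreat("commodity-adware", frozenset({"T1176"}),
                ("browser extension install",), "low"),
    KnownThreat("ransomware-staging", frozenset({"T1486", "T1490", "T1021"}),
                ("shadow copy deletion", "mass file rename", "SMB admin share logon"),
                "critical"),
]

# Constructed asset inventory: asset -> asset group (the "common group of assets").
ASSET_GROUPS = {"fin-ws-01": "finance", "fin-srv-01": "finance", "hr-ws-07": "hr"}

# Constructed anomalies from three telemetry sources (cf. claims 16 and 17).
SAMPLE_ANOMALIES = [
    Anomaly("edr", "fin-ws-01", "T1003", "lsass.exe memory read by unsigned binary"),
    Anomaly("ndr", "fin-ws-01", "T1021", "SMB session to fin-srv-01 ADMIN$ share"),
    Anomaly("idp", "fin-srv-01", "T1078", "service account interactive logon"),
    Anomaly("edr", "hr-ws-07", "T1176", "unapproved browser extension installed"),
]

def group_anomalies(anomalies, asset_groups):
    """Two-stage grouping (illustrative). Stage 1: anomalies on the same asset
    form one threat occurrence group. Stage 2: groups whose assets belong to
    the same asset group form one analyst work unit."""
    stage1 = defaultdict(list)
    for a in anomalies:
        stage1[a.asset].append(a)
    work_units = defaultdict(list)
    for asset, tog in stage1.items():
        work_units[asset_groups.get(asset, asset)].append(tog)
    return dict(work_units)  # {asset_group: [threat_occurrence_group, ...]}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def nearest_threat(work_unit, store):
    """Nearest neighbor search: the stored threat whose technique set is most
    similar to the work unit's. Returns (threat, similarity)."""
    techniques = frozenset(a.technique for tog in work_unit for a in tog)
    best = max(store, key=lambda t: jaccard(techniques, t.techniques))
    return best, jaccard(techniques, best.techniques)

def derive_risk(similar, similarity, threshold=0.5):
    """Risk level based on the similar threat (cf. claim 15): inherit its
    level for a strong match, otherwise step one level down (threshold assumed)."""
    idx = RISK_LEVELS.index(similar.risk)
    if similarity < threshold:
        idx = max(0, idx - 1)
    return RISK_LEVELS[idx]

def generator_input(work_unit, similar, similarity):
    """The inputs claim 1 hands to the neural-network-based generator."""
    return {
        "command": "Summarise the incident below for a SOC analyst, one section "
                   "per observed event, and recommend a next action.",
        "first_events": [f"[{a.source}] {a.asset}: {a.detail} ({a.technique})"
                         for tog in work_unit for a in tog],
        "second_events": list(similar.events),
        "risk_level": derive_risk(similar, similarity),
        "similar_threat": similar.name,
    }

def render_prompt(inputs):
    """Serialise the generator input into the text an LLM would receive."""
    lines = [inputs["command"], "", "## Observed events (this work unit)"]
    lines += [f"- {e}" for e in inputs["first_events"]]
    lines += ["", f"## Similar known threat: {inputs['similar_threat']}"]
    lines += [f"- {e}" for e in inputs["second_events"]]
    lines += ["", f"## Risk level: {inputs['risk_level']}"]
    return "\n".join(lines)

def analyse(anomalies=SAMPLE_ANOMALIES, store=THREAT_STORE, asset_groups=ASSET_GROUPS):
    """Grouping, nearest neighbor lookup and prompt assembly per work unit."""
    return {name: generator_input(wu, *nearest_threat(wu, store))
            for name, wu in group_anomalies(anomalies, asset_groups).items()}

if __name__ == "__main__":
    for name, inputs in analyse().items():
        print(f"=== analyst work unit: {name} ===\n{render_prompt(inputs)}\n")
```

Running the script yields two work units: the three finance anomalies collapse into one unit whose nearest neighbor is the credential-theft threat at similarity 1.0, so it inherits that threat's "high" risk level, while the lone HR anomaly matches the adware entry and is rated "low". The generator itself is whatever NLP or large language model the deployment uses (claims 4 and 9), so it is left as the consumer of `render_prompt`. One practitioner caveat: the first-events section is built from telemetry fields (process names, share names, account names) that an attacker can influence, so it is untrusted input to the model; keep it clearly delimited from the command, and treat the generated summary and any next-action recommendation as a starting point for the analyst rather than an authoritative verdict.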

Description

CROSS REFERENCE TO RELATED APPLICATION

This application claims the benefit of U.S. Provisional Application No. 63/461,374 filed Apr. 24, 2023, and entitled “EVENT DESCRIPTIONS AND ALERTS FOR EXTENDED DETECTION AND RESPONSE (XDR) SYSTEMS,” the contents of which are hereby incorporated herein by reference in their entirety.

TECHNICAL FIELD

The present disclosure relates generally to computer and network security, and to threat detection, analysis, and alerts in particular.

BACKGROUND

Security analytics products struggle with the trade-off between the number of alerts that can be generated and the capacity of security response teams to process them. The problem is most acute at larger enterprises with multiple security products which can generate thousands of alerts daily, thus overwhelming the security response team's capacity to act. Simple countermeasures like filtering or suppressing alerts based on existing policies or customer feedback do not solve the problem well, as they may lead to missed important alerts and elevated security risks. A more universal solution is needed to surface relevant security alerts without overwhelming the security response teams.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.

FIG. 1 illustrates an example overview of techniques according to this disclosure, including anomaly detection in a network, anomaly data enhancement, multi-stage grouping to generate analyst work units, analyst work unit data enhancement, analyst work unit data prioritization and presentation, and security team interactions with the analyst work units, in accordance with various aspects of the technologies disclosed herein.

FIG. 2 illustrates example anomaly data enhancement, in accordance with various aspects of the technologies disclosed herein.

FIG. 3 illustrates a detailed example of the anomaly data enhancement introduced in FIG. 2, in accordance with various aspects of the technologies disclosed herein.

FIG. 4 illustrates example multi-stage grouping to generate analyst work units, analyst work unit data enhancement, analyst work unit data prioritization and presentation, and security team interactions with the analyst work units, in accordance with various aspects of the technologies disclosed herein.

FIG. 5 illustrates example analyst work unit data enhancement, in accordance with various aspects of the technologies disclosed herein.

FIG. 6 illustrates an example computer hardware architecture that can implement the techniques disclosed herein, in accordance with various aspects of the technologies disclosed herein.

FIG. 7 is a flow diagram that illustrates an example method performed by a computing device in connection with anomaly data enhancement, in accordance with various aspects of the technologies disclosed herein.

FIG. 8 is a flow diagram that illustrates an example method performed by a computing device in connection with multi-stage grouping to generate analyst work units, analyst work unit data prioritization and presentation, and security team interactions with the analyst work units, in accordance with various aspects of the technologies disclosed herein.

FIG. 9 is a flow diagram that illustrates an example method performed by a computing device in connection with analyst work unit data enhancement, in accordance with various aspects of the technologies disclosed herein.

DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

This disclosure describes techniques that can be performed in connection with extended detection and response to security anomalies in computing networks. Any one of the disclosed techniques, or any group of the disclosed techniques, can optionally be implemented via computing devices that provide automated processing of security-related events in a computing network, such as a network owned by a company, university, or government agency. In general, processing of security-related events can result in information that is presented to a security response team, e.g., a team of human analysts, for further analysis and resolution.

According to example embodiments, one or more methods can be performed by a computing device, e.g., a server device coupled to a network. The network can comprise, e.g., multiple different domains and multiple different computing assets. The different computing assets may be associated with different asset criticality values. Example methods can optionally include detecting anomalies in the network. Alternatively, anomalies can be detected using third-party anomaly detection systems. Different anomalies may be det