When security information and event management (SIEM) systems were invented, they filled an incredible need in cybersecurity. At the time, enterprises were installing lots of perimeter security devices, but needed to log into each one to get alerts. A typical security operations center (SOC) might have 20 monitors, each one focused on a different piece of security hardware or software, and with no coordination between them. SIEMs combined all of those security information consoles into a single place, while also incorporating event management, which is basically logfile capture and the recording of network happenings that don’t have a direct, or at least an obvious, impact on security.
For many years, the SIEM was the pinnacle of defensive technologies, and the keystone of many SOCs and security operations teams. But then things got even more complicated. Networks expanded. Endpoints moved to the cloud. Mobility exploded. Digital transformation demanded that users and customers have full access to every service from any device at any time. Specialized cybersecurity programs followed in the wake of all those trends and, of course, were designed to feed into whatever SIEM an organization fielded.
But it was all too much. Suddenly, that single pane of glass seemed hopelessly inadequate to track thousands, or hundreds of thousands, or even millions of alerts all streaming in over a very short period of time. SOCs were a lot less physically cluttered, but arguably much less effective. Today, overworked IT teams necessarily concentrate their efforts on so-called critical alerts elevated by the SIEM itself or a connected security program. They fix what they can, have to deal with many false positives, and let even high-level alerts ranked just below critical languish for months. Millions of lower priority warnings are left unanswered.
The JASK Autonomous Security Operations Center (ASOC) was designed as an intelligent SIEM that could operate in even the noisiest and largest enterprise networks without overloading IT teams with false positives. It can also take much of the burden off of analysts by providing context and evidence each time it raises an issue.
Everything about the JASK ASOC is different from how a traditional SIEM operates. For one, the entire ASOC infrastructure exists inside a secure Amazon Web Services cloud. Network administrators only need to install a JASK software sensor to help facilitate the link between the local console and the brains of the platform in the cloud. The ASOC can interface with nearly any existing cybersecurity program and works to protect both on-premises and cloud-based assets — including those running under a different cloud provider.
Even the pricing model is unusual. It is a tiered subscription model based on the number of employees at an organization. There are no limits or restrictions on the amount of data an organization can send for processing, so the ASOC can look at everything being collected by any other security or logging program in their network.
What keeps the JASK ASOC from becoming just another overloaded SIEM is its reliance on artificial intelligence and machine learning. Because the core JASK ASOC engine is processing millions of alerts and events all the time, it has seen quite a lot of attacks and attack indicators. But beyond pattern matching, it knows how to coordinate various elements into a picture of an ongoing threat or attack, even when an attacker is moving low and slow to avoid traditional detection methods and those elements are weeks or months apart. These are the kinds of techniques that advanced human threat hunters employ, only the ASOC can work so much faster.