
Intezer Advances SOC Automation for MSSPs


Running a 24/7 security operations center (SOC) can be cost-prohibitive for any business, but it's a necessity for MSSPs. One of the promises of AI is to make operations more efficient, and that applies to the SOC, too.

Intezer, a New York City-based cybersecurity company that recently brought to market an Autonomous SOC Platform, has said that only about 4% of the alerts it ingests and investigates with AI are escalated as “critical” and need immediate attention from the MSSPs’ human analysts. By applying AI to triage the alerts coming from integrated security tools, such a platform can save technicians' time.

Autonomous SOC technology is not unique to Intezer. For instance, Palo Alto Networks’ Cortex XSIAM offers technology in the same category.

In the last year, Intezer has added multi-tenant capabilities to the platform for MSSP customers.

How Intezer Delivers SOC Automation

For its market play, Intezer for MSSP uses AI to fully automate all Tier 1 SOC tasks and decision-making for MSSPs. Intezer said the capability allows MSSPs to onboard new clients without hiring additional analysts to manage the triage of the additional alerts.

Intezer’s platform is tailored specifically for MSSPs. The platform enables MSSPs to ingest high volumes of endpoint, SIEM and phishing alerts.

“Speed and consistency are two things that technology can always do better than us humans,” Intezer CEO and co-founder Itai Tevet told MSSP Alert. “We get burned out or forget things because we are tired at the end of a shift.”

Tevet explained that the Autonomous SOC Platform collects and analyzes multiple pieces of evidence, including memory forensics, files, URLs, scripts, etc., using Intezer’s AI framework to make decisions and produce fast, high-quality investigation results.

“It can deeply investigate and triage every single alert, around the clock, without needing a break,” he said.

MSSP Use Case: Legato Security

Offering a customer use case, Tevet explained how Legato Security handled an alert about a potential ransomware detection.

“The team relied on Intezer to gather and analyze evidence, including memory forensics from remote endpoints,” he said. “Intezer provided them with the deep analysis and forensics information they needed to confirm and respond to the ransomware incident, resulting in a faster time to respond.”

Jesse Stoltz, SOC manager at Legato Security, related that his team receives a large volume of alerts every day, so manually performing analysis on all of these threats was incredibly time-consuming.

“Intezer has given us the ability to provide in-depth reporting in a timely manner,” he said. “Moreover, having a private instance for us to securely evaluate potentially sensitive data was a must-have.”

Legato Security, which provides its clients with 24/7 monitoring and incident response services, successfully integrated Intezer to triage endpoint alerts from CrowdStrike.

Customer Support Central to Success

Building the engine that powers its AI technology for analysis and automation has taken years, Tevet said. He noted that the company hit several big milestones in the last year in product metrics and customer growth, among them the release of new multi-tenant capabilities for its MSSP customers.

“We have a ‘Contact an Expert’ option because we know that there are times our customers need an opinion from another security analyst,” he said. “We really care about customer support, making sure everything works in their environment and they’re able to configure Intezer to fit their team’s needs.”

Tevet added that a popular feature of the platform among its MSSP customers is its ability to quickly and accurately triage vague suspicious-activity alerts. The Autonomous SOC Platform also has built-in malware analysis tools.

Pricing by Endpoints and Alerts

Intezer stresses that because MSSPs don’t need special engineering to adjust the platform’s settings to their needs and their clients’ unique environments, they can realize a fast return on investment.

“We price by endpoints and alert sources, so we can scale to handle high alert volumes and keep costs predictable for our customers,” Tevet said. “For MSSPs, it depends on how many customers or alert sources they want to start onboarding with Intezer. But the ROI means they’re able to take on even more clients and offer coverage for additional services.”

Highlights of the Intezer Autonomous SOC Platform

  • Automatically ingests alerts from connected endpoint, user-reported phishing, and SIEM tools
  • Collects and analyzes evidence (including files, URLs, scripts, network data, logs, memory dumps, and more) to provide fast, comprehensive context about every incident
  • Correlates the information with other alerts in order to enrich the decision-making process
  • Identifies benign alerts and auto-resolves false positives to eliminate alert fatigue
  • Escalates findings about uncovered high-priority, serious threats and generates remediation suggestions
  • Clusters threats across multiple environments while ensuring data privacy for clients

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.