Facing a steady stream of cyberattacks every day, and in particular the work of sifting through the false positives produced by its detection logic, the Kaspersky Security Operations Center found that the process runs more smoothly with automation, including machine learning (ML), deep learning and artificial intelligence (AI).
In its MDR analytical report for 2023, the Kaspersky Security Operations Center (SOC) team reported processing 431,512 security alerts. Of these, only 32,294 alerts were linked to the 14,160 incidents reported to customers.
Sergey Soldatov, Head of the Security Operations Center at Kaspersky, highlighted the benefits of using AI or ML to detect cyber incidents. A supervised machine-learning model such as the AI-based Autoanalyst filters false positives efficiently and frees up team resources.
In 2023 the Autoanalyst used in Managed Detection and Response (MDR) processed about 30% of the false positives on average, which reduced the load on the SOC team by approximately 25%.
That is not to say it is a perfect solution. As the filtering rate is increased, the likelihood of classification error increases: true attacks can be misclassified as false positives, and vice versa. Conversely, driving classification errors down means a stricter filter, so a higher share of false positives reaches the analysts.
On the other hand, statistics show that human error is unavoidable too, so a small margin of error is acceptable for the Autoanalyst. For Kaspersky's MDR the error probability is capped at 2%, and that cap defines how many false positive alerts the Autoanalyst can filter while maintaining acceptable quality.
Overall, AI or ML lets the team concentrate on the cases that need in-depth analysis without burning out, which would otherwise degrade the quality of their work. It strikes a balance between covering all the bases of threat detection and maintaining quality standards.
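The trade-off described above, between how aggressively an auto-triage model closes alerts and how many true incidents it wrongly closes, can be made concrete by choosing the threshold under an error budget. The following is an added example, not Kaspersky's Autoanalyst or any code from the report: it uses a constructed, deterministic alert set (hypothetical `fp_score` values and `is_incident` labels) and picks the most aggressive auto-close threshold whose miss rate stays within a budget such as 2%.

```python
"""Choose an auto-close threshold for an ML alert triage model under an error budget.

Constructed example (not Kaspersky's Autoanalyst). Each alert carries a model
score fp_score = P(alert is a false positive). Alerts scoring at or above a
threshold are auto-closed; the rest go to human analysts. A true incident that
is auto-closed is a miss. We pick the laxest threshold whose miss rate stays
within the budget, and show how misses grow as the filter gets more aggressive.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Alert:
    alert_id: str
    fp_score: float    # model confidence that this alert is a false positive, 0..1
    is_incident: bool  # ground truth from analyst review (hypothetical labels)


def build_sample_alerts() -> List[Alert]:
    """Constructed, deterministic alert set: 50 true incidents, 200 false positives.

    Incidents mostly score low (cubic curve, with a tail of well-disguised attacks);
    false positives mostly score high (most are easy for the model to recognize).
    """
    incidents = [Alert(f"inc-{i}", (i / 50) ** 3, True) for i in range(1, 51)]
    noise = [Alert(f"fp-{j}", 1 - (200 - j) ** 2 / 40000, False) for j in range(1, 201)]
    return incidents + noise


def evaluate(alerts: List[Alert], threshold: float) -> Tuple[int, int, int]:
    """Return (auto_closed, missed_incidents, left_for_analysts) at this threshold."""
    auto_closed = [a for a in alerts if a.fp_score >= threshold]
    missed = sum(1 for a in auto_closed if a.is_incident)
    return len(auto_closed), missed, len(alerts) - len(auto_closed)


def choose_threshold(alerts: List[Alert], max_miss_rate: float) -> Optional[Tuple[float, int, int]]:
    """Lowest threshold (most filtering) whose miss rate does not exceed max_miss_rate.

    Returns (threshold, auto_closed, missed), or None if even the strictest
    threshold already exceeds the budget.
    """
    total_incidents = sum(1 for a in alerts if a.is_incident)
    best = None
    # Walk thresholds from strict to lax. Lowering the threshold only ever adds
    # alerts to the auto-closed set, so misses are monotone: the first threshold
    # that exceeds the budget ends the search.
    for t in sorted({a.fp_score for a in alerts}, reverse=True):
        auto_closed, missed, _ = evaluate(alerts, t)
        if total_incidents and missed / total_incidents > max_miss_rate:
            break
        best = (t, auto_closed, missed)
    return best


def tradeoff(alerts: List[Alert], thresholds: List[float]) -> List[Tuple[float, int, int, int]]:
    """(threshold, auto_closed, missed, analyst_queue) for each threshold, to show the trade-off."""
    return [(t, *evaluate(alerts, t)) for t in thresholds]


if __name__ == "__main__":
    alerts = build_sample_alerts()
    for t, closed, missed, queue in tradeoff(alerts, [0.985, 0.95, 0.90, 0.80]):
        print(f"threshold {t:.3f}: auto-closed {closed:3d}, missed incidents {missed}, analyst queue {queue}")
    print("chosen under a 2% budget:", choose_threshold(alerts, max_miss_rate=0.02))
```

The `tradeoff` sweep is the part worth looking at: each step down in threshold shrinks the analyst queue but adds missed incidents, which is exactly why the budget, not the filtering rate, has to be the fixed parameter. In a real deployment the labels would come from analyst-reviewed history, and the threshold should be re-derived as the alert mix drifts.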
“In practice, as a rule, it is possible to strike a balance between these extremes, achieving high-quality detection of hidden attacks and reducing the number of false positives simultaneously,” said Soldatov.