Results of the summarizing process for the arXiv paper: 2302.06648v2

In response to the increasing trend of organizations turning to managed services for cyber defense, Security Operations Centers (SOCs) have emerged as specialized units responsible for safeguarding organizations against cyber threats. However, the centralization of threat detection has led to a phenomenon known as alert fatigue within SOCs, where analysts are overwhelmed by a high volume of false positive alerts. This issue is exacerbated by imprecise sensors, an inability to adapt to known false positives, the evolving threat landscape, and inefficient use of analyst time. To address these challenges, a machine learning framework called That Escalated Quickly (TEQ) has been developed. TEQ aims to reduce alert fatigue by predicting the actionability of alerts at both the alert-level and incident-level, with minimal disruption to SOC workflows. In real-world testing, TEQ has demonstrated significant improvements in incident response times, false positive suppression rates, and incident resolution times. The contributions of this work include feasibility demonstration of a hands-off featurization system for handling semi-structured data from various sensors; development of an ensemble of models that leverage a wide range of alert and temporal features; in-depth evaluation of alert prioritization performance and feature importance over time in response to an evolving threat landscape; introduction of a system that utilizes both alert-level and incident-level scores for enhanced incident prioritization; and implementation of a triage system that reduces queue times for actionable incidents by 22.9%, suppresses 54% of false positives with a 95.1% detection rate, and decreases incident resolution times by 14%. The paper is organized into sections covering related work, methodology and design decisions based on real-world data nuances, experimental setup with results analysis and discussion, and final thoughts on the proposed solution's effectiveness in combating alert fatigue within SOCs. Overall, TEQ offers a holistic approach to addressing alert fatigue in SOCs by integrating expert knowledge through a feedback loop while adapting to changes in sensor data automatically. By leveraging machine learning models on different sets of signals and incorporating temporal firing patterns into the analysis process, TEQ presents a promising solution for enhancing cybersecurity defense mechanisms within organizations.

• - Organizations are increasingly turning to managed services for cyber defense, leading to the emergence of Security Operations Centers (SOCs) as specialized units responsible for safeguarding against cyber threats.
• - Centralization of threat detection in SOCs has resulted in alert fatigue, where analysts are overwhelmed by a high volume of false positive alerts due to imprecise sensors, an inability to adapt to known false positives, the evolving threat landscape, and inefficient use of analyst time.
• - To address these challenges, a machine learning framework called That Escalated Quickly (TEQ) has been developed to reduce alert fatigue by predicting the actionability of alerts at both the alert-level and incident-level with minimal disruption to SOC workflows.
• - TEQ has shown significant improvements in incident response times, false positive suppression rates, and incident resolution times through features such as hands-off featurization system for handling semi-structured data, ensemble models leveraging various alert and temporal features, enhanced incident prioritization using alert-level and incident-level scores, and a triage system reducing queue times for actionable incidents by 22.9%, suppressing 54% of false positives with a 95.1% detection rate, and decreasing incident resolution times by 14%.
• - The paper is structured into sections covering related work, methodology based on real-world data nuances, experimental setup with results analysis and discussion, and final thoughts on TEQ's effectiveness in combating alert fatigue within SOCs.
• - TEQ offers a holistic approach by integrating expert knowledge through feedback loops while adapting automatically to changes in sensor data using machine learning models on different sets of signals and incorporating temporal firing patterns into the analysis process.

Summary1. Companies use managed services for protection against online threats, and Security Operations Centers (SOCs) are special teams that keep them safe. 2. SOCs can get too many false alarms, making it hard for analysts to find real problems among all the alerts. 3. A new system called That Escalated Quickly (TEQ) uses machine learning to help SOC teams handle alerts better without disrupting their work. 4. TEQ has made a big difference in how quickly incidents are resolved and how many false alarms are ignored by using smart features like hands-off data handling and alert prioritization. 5. The paper talks about TEQ's benefits, how it was tested with real data, and why it's important for keeping SOCs efficient. Definitions- Managed services: Services provided by an external company to manage specific tasks or processes on behalf of another organization. - Cyber defense: Measures taken to protect computer systems, networks, and data from cyber attacks or unauthorized access. - Security Operations Center (SOC): A specialized unit within an organization responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents. - Alert fatigue: Feeling overwhelmed by a large number of notifications or warnings that may not be relevant or actionable. - Machine learning: A type of artificial intelligence that enables computers to learn from data and improve performance on specific tasks without being explicitly programmed. - Incident response: The process of reacting to and managing security incidents when they occur in order to limit damage and restore normal operations. -

Introduction: In today's digital landscape, organizations are facing an ever-increasing number of cyber threats. As a result, many companies have turned to managed services for their cybersecurity defense needs. This has led to the emergence of specialized units known as Security Operations Centers (SOCs). These centers are responsible for safeguarding organizations against cyber attacks and mitigating potential risks. However, with the centralization of threat detection in SOCs, a new issue has arisen – alert fatigue. Alert fatigue occurs when analysts become overwhelmed by a high volume of false positive alerts. This problem is further compounded by imprecise sensors, an inability to adapt to known false positives, the evolving threat landscape, and inefficient use of analyst time. To address these challenges and improve SOC efficiency, researchers have developed a machine learning framework called That Escalated Quickly (TEQ). TEQ aims to reduce alert fatigue by predicting the actionability of alerts at both the alert-level and incident-level while minimizing disruption to SOC workflows. Methodology: The development of TEQ involved several key steps. First, researchers conducted extensive research on related work in this field. They then used real-world data nuances to inform their methodology and design decisions. Next, they set up experiments using various datasets and evaluated the results through analysis and discussion. Finally, they presented their findings on TEQ's effectiveness in combating alert fatigue within SOCs. Design Decisions: One crucial aspect that informed TEQ's design was its ability to handle semi-structured data from different sensors effectively. To achieve this goal without disrupting existing workflows or requiring significant manual effort from analysts, researchers developed a hands-off featurization system. This system leverages expert knowledge through a feedback loop while also adapting automatically to changes in sensor data over time. By incorporating temporal firing patterns into its analysis process and utilizing machine learning models on different sets of signals simultaneously, TEQ presents a holistic approach towards addressing alert fatigue within SOCs. Experimental Setup and Results: To evaluate TEQ's performance, researchers conducted real-world testing using various datasets. The results showed significant improvements in incident response times, false positive suppression rates, and incident resolution times. One notable contribution of this work is the introduction of a system that utilizes both alert-level and incident-level scores for enhanced incident prioritization. This approach reduces queue times for actionable incidents by 22.9%, suppresses 54% of false positives with a 95.1% detection rate, and decreases incident resolution times by 14%. Conclusion: In conclusion, TEQ offers a promising solution to combat alert fatigue within SOCs. By integrating expert knowledge through a feedback loop while also adapting to changes in sensor data automatically, TEQ presents a holistic approach towards addressing this issue. The use of machine learning models on different sets of signals and incorporating temporal firing patterns into the analysis process further enhances its effectiveness. With its ability to reduce queue times for actionable incidents, suppress false positives at high rates, and decrease incident resolution times significantly, TEQ has demonstrated its potential to improve cybersecurity defense mechanisms within organizations. Final Thoughts: TEQ's development marks an important step towards addressing alert fatigue within SOCs. However, there is still room for improvement as the threat landscape continues to evolve rapidly. Future research could focus on expanding TEQ's capabilities to handle new types of threats effectively. Additionally, more extensive testing on larger datasets from diverse industries could provide further insights into its performance across different environments. Overall, TEQ presents a promising solution for enhancing SOC efficiency and reducing alert fatigue in today's ever-changing digital landscape.