January 31, 2024

Anomali Introduces AI-powered Security Operations Driving Significant SOC and CTI Analyst Effectiveness

Anomali is announcing a significant expansion of its existing offering for enterprise security teams. We have a long and established presence in the threat intelligence domain with our market-leading ThreatStream platform, and today we are introducing an AI-Powered Security Operations Platform that combines SIEM, SOAR, and TIP advanced functionality to deliver on use cases for the SOC analyst, CTI analyst, and threat hunter.

The Anomali Security Operations Platform combines the largest threat intelligence repository in the world with the industry’s fastest, most scalable, intelligent SIEM. This integrated solution enables Anomali to deliver near real-time correlations at petabyte scale with threat-driven insights across identity, endpoint, network, cloud, and email detections. This release also includes the formal release of Anomali Copilot. Specific components of this product release include:

  • Anomali Copilot
  • Updated SIEM functionality
  • Updated SOAR functionality
  • Updated Dashboard/UI
  • Network Analytics
  • Endpoint Analytics

Anomali Copilot enhances the speed and efficiency of incident response by cybersecurity analysts. Incorporating Anomali Copilot’s generative AI into the Anomali Security Operations Platform significantly accelerates performance across all systems resources. Enabling Anomali to, for example, search petabytes of data in seconds, instead of the current legacy standard of hours or days to run a search - assuming the search doesn’t time out.

Enhance Cyber Threat Visibility and Analyst Efficiency with Anomali Copilot's AI-enabled Platform

Businesses can immediately and comprehensively extend their visibility into cyber threats across the entire organization using Anomali Copilot’s generative AI enablement. Copilot uses cybersecurity-specific large language models to understand suspicious activities, with orders of magnitude improvements in speed and accuracy.

Anomali Copilot helps analysts save time with summarization capabilities across the platform, supported by real-time chat about intelligence specific to the analyst’s organization. Copilot is also used in event search AQL (Anomali Query Language) generation, ingestion, and summarization. This includes a real-time NLP chat interface with intelligence-backed responses, a semantic search for related content, and multi-language support. The analyst effectively has sophisticated help available from an AI engine that is always available. Data is securely stored and transmitted and is never used to train AI datasets.

Anomali Copilot’s browser plug-in identifies potential threats or security risks. It provides an immediate and comprehensive perspective on threat activity using natural language processing (NLP) to analyze and interpret large amounts of data from various sources within ThreatStream and other sources. Copilot uses NLP to interpret text from blogs, forums, and social media to identify threat actors and potential future threats. A dense, 40-page technical document can be processed in seconds into a short summary, prepared for either executive leadership or practitioners.

Phishing detection becomes easier with NLP. Anomali Copilot can analyze emails and other communications to identify phishing attempts. It can analyze the language used in an email to identify potential red flags that indicate a phishing attempt, including urgency, requests for personal information, or other suspicious language.

SIEM functionality

Beyond making data ingestion fast, simple, and cost-effective storage, this release includes incident management capability to dive deep into investigations and responses, all while mapping every detection to MITRE TTPs to ensure comprehensive threat coverage. This capability will introduce over 1,000 different detections across all log types, supported by alerts with multiple integrations. Detections can also be risk-scored (automatically or manually) and aligned to the MITRE ATT&CK framework while supporting detections across a broad range of log types.

SOAR Capability 

This release will also amplify the effectiveness of threat detection and response efforts through the integration of threat intelligence with Security Orchestration, Automation, and Response (SOAR). Anomali’s SOAR capability is not bolted on but instead meticulously built from the ground up, bringing unparalleled automation and efficiency to security operations.

Designed to scale with any organization's automation and response needs, our new SOAR functionality allows the creation and execution of actions via query language syntaxes/natural language, enabling highly customizable responses to security incidents. Faster and more informed decision-making is supported by the seamless enrichment of threat data via ThreatStream and VT/Shodan/AbuseIPDB.

Incident response is improved by automating ticketing processes, which reduces manual overhead and ensures tickets are tracked and resolved promptly. Our goal is not just improving response, but to help with remediation.

UI/Dashboarding function 

Customers can view their security landscape holistically through dynamic visualization that highlights key metrics and trends. This allows the transformation of raw data into meaningful insights that can immediately identify threats and security vulnerabilities while monitoring compliance. This also fosters improvement in communication and decision-making by allowing the sharing of these AQL/NLP-powered customized dashboards among team members and stakeholders.

Endpoint Analytics 

This capability delivers immediate visibility and action on anomalies, reduced dwell time, improved accuracy to minimize false positives and negatives, comprehensive analysis to uncover hidden patterns, and enhanced forensics to aid post-attack analysis. Anomali’s endpoint analytics feature provides continuous real-time threat detection by monitoring endpoint telemetry across the organization. Machine Learning powers our endpoint analytics to assess file hash risks for proactive threat detection. This delivers detailed insights into the threat nature and severity beyond binary classification (malicious/not malicious) for incident prioritization. Overall, this new feature enables customers to improve the accuracy of endpoint detections to minimize false positives and perform a comprehensive analysis to uncover hidden patterns within data.

Network Analytics 

Our new network analytics feature continuously analyzes flow data to deliver comprehensive insights into east-west network traffic patterns, monitoring, and alerting on threats as they happen. The solution takes an "inside out" approach rather than focusing solely on external threats. Anomali network analytics scrutinizes internal traffic to look for hidden threats/lateral movement/zero-day exploits across all network telemetry.

How do SOC teams benefit from this release?

An Anomali Security Operations Platform that combines SIEM, SOAR, endpoint/network analytics, and AI will address several key security issues:

  • Data overload: The non-stop volume of security data entering any system increases storage costs and hampers the analyst's ability to process critical events quickly. AI-driven analytics helps analysts detect anomalies faster and more efficiently, and quickly surface and action the highest priority threats.
  • Slow response: Manual processes and complex workflows slow investigation and containment of threats, andSOAR-enabled automation accelerates a more cohesive and effective response.
  • Skills shortage: Lack of cybersecurity talent makes it hard to protect organizations from the increasing number and sophistication of threats. The augmentation delivered by Anomali Copilot allows small teams to achieve more in a shorter time frame. This isn’t about working harder, it's about being more efficient.
  • Limited visibility: Siloed tools only provide partial visibility. Customers can now have comprehensive, real-time contextual monitoring by providing an AI-driven dashboard that enables unified analytics and data aggregation.
  • Compliance risks: Inability to prove diligence across security data against standards like SEC Form 8K, HIPAA, or PCI DSS can often lead to non-trivial fines (not to mention a very public faceplant). Anomali’s immediate and detailed reporting can reduce responding to compliance mandates from days/weeks to minutes.

Anomali now offers the industry’s only SIEM that fully leverages and integrates unmatched threat intelligence capabilities, and we have a significant advantage in making AI-powered Security Operations a reality for SOC teams. By combining Anomali’s understanding of both IoCs and IoAs during the detection and investigation process, Anomali’s Security Operations Platform is set to exceed current market offerings.

Current SIEMs also struggle to solve the analyst’s pain point of identifying key information and intelligence around internal assets, meaning hostnames, identities, etc. By adding asset intelligence scanning into the Copilot product alongside threat intelligence scanning, an analyst can quickly deduce whether an IP, hostname, or identity exists inside their security analytics logs. The scan can produce asset or identity surveillance, reports, and insights allowing for faster detection and investigation triage and removing the first 10-20 minutes of an analyst attempting to answer the question, “What is this IP/asset/user and how critical is it?”

Anomali's Enhanced SIEM Functionality for Next-Level Security Operations

With its latest release, Anomali has increased its Security Operations Platform by introducing enhanced SIEM functionality. This advanced capability enables businesses to tackle the challenges of data overload, slow response times, limited visibility, and compliance risks head-on.

By leveraging AI-driven analytics, Anomali's SIEM functionality empowers analysts to detect anomalies rapidly, automate processes through SOAR, gain comprehensive and real-time visibility, and easily ensure compliance. Anomali's commitment to delivering cutting-edge SIEM functionality is revolutionizing security operations and paving the way for proactive threat detection and incident response.

This release is a game-changer for both Anomali and the industry we serve. We’re expanding our market-leading presence in Threat Intelligence into the Security Operations domain with a very competitive solution that directly addresses pain points that are both broad and deep. Don't miss out on the opportunity to learn more about our product! Contact us now to schedule a demo and see how it can transform your business.

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.