Still driving the cyber highway crowded with white sedans?


It’s no secret that I have an affinity for cars. Some will say I need an intervention. If you asked me what my favorite car is, I would have a hard time finding an answer. But what I do know is this: my blue Porsche 911 is beautiful. And it does 0 to 60 mph in 4 seconds.

Driving one of these on the 183 freeway in Austin any day makes my heart race. Even if you don’t care about cars, you’ll notice how a blue sports car stands out on the highway filled with white sedans. Not that there’s anything wrong with white sedans, but they’re everywhere – to the point that you don’t even notice them anymore.

Over the past two years, I’ve tried very hard to think differently: How can IronNet build a cybersecurity engine that digs out important threat alerts in the vast cyber ocean of false positives?

Needless to say, I’m thrilled that my team achieved this goal. IronNet’s incredible engineers, elite cybersecurity practitioners, cloud architects, data scientists, and I have successfully delivered our advanced detection correlation engine. Even though it sits under the hood of our network detection and response (NDR) solution, this unique engine will make the heart of any cybersecurity analyst race.

What is the Correlation Engine?

The engine automatically correlates detections and alerts that are essentially infused with the CODE-ified expertise of IronNet’s elite Tier 3 analysts and threat hunters. So when our NDR tool creates an event, it doesn’t just generate an alert based on a single scan (or “one-off analysis,” as our Vice President of Prioritization and Discovery, Dean Teffer, describes it). Instead, the event is automatically linked to other events generated in our system. From there, this alert now stands out from all the other alerts fired from the cannon.

How does it work?

It’s important to understand that the power of IronNet’s integrations with top detection tools such as CrowdStrike EDR, Palo Alto firewalls, Splunk SIEM, etc., all speaking together through the AWS cloud, allows our NDR to examine network data (deep within the network), log data, and endpoint data to automatically correlate events.

For example, let’s take a rudimentary attack scenario. Before IronNet created the correlation engine, our scans detected phishing activity, followed by DGA activity. Then they would quietly detect what appeared to be C2 activity. We would triage these alerts independently, building the connective tissue between them with a lot of investigative elbow grease. As with most NDR solutions, this approach meant one thing: in the SOC game of alert gun versus analyst, the gun always won. Analysts were exhausted and tired, not to mention worried about the number of alerts that were never triaged and the potential impact on their business.

Today, the correlation engine automatically pre-packages these events so they tell a clear and relevant story, as quickly as 0-60 mph in 4 seconds. Consider an activity that resembles C2 communications. Could it really be a harmless system update instead? Is the alert related to another suspicious activity, such as an unusual email with a strange link or attachment? And what about a beacon? While it’s often normal to see a beacon in your network activity, if you chain it with the other two alerts, you have a problem. A bad story stands out, allowing analysts to step up a gear – straight to triage.
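To make the chaining idea concrete, here is a small added example (my illustration, not IronNet’s engine or any of its code) that links alerts per host within a time window and ranks the resulting chains. The stage names (phishing, dga, beacon), the six-hour window and the sample alerts are all assumptions constructed for the example: a lone beacon stays low priority, while a phishing → DGA → beacon chain on one host rises to the top.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    kind: str      # assumed stage label, e.g. "phishing", "dga", "beacon"
    detail: str


# Constructed sample alert stream (not real telemetry). Each alert on its own is
# the kind of low-fidelity signal an analyst would otherwise triage in isolation.
SAMPLE_ALERTS = [
    Alert(datetime(2024, 1, 8, 9, 2), "ws-17", "phishing", "email with .docm attachment"),
    Alert(datetime(2024, 1, 8, 9, 41), "ws-17", "dga", "burst of high-entropy DNS lookups"),
    Alert(datetime(2024, 1, 8, 10, 15), "ws-17", "beacon", "periodic HTTPS POST every 60s"),
    Alert(datetime(2024, 1, 8, 11, 0), "ws-42", "beacon", "periodic HTTPS GET every 300s"),
    Alert(datetime(2024, 1, 9, 14, 30), "ws-17", "beacon", "periodic HTTPS POST every 60s"),
]

# Hypothetical kill-chain ordering used only to print stages in a sensible
# order; these are assumptions for this example, not IronNet's categories.
STAGE_ORDER = {"phishing": 0, "dga": 1, "beacon": 2}


def _summarise(host, chain):
    """Turn one chain of alerts on a host into a candidate incident record."""
    stages = sorted({a.kind for a in chain}, key=lambda k: STAGE_ORDER.get(k, 99))
    if len(stages) >= 3:
        priority = "high"
    elif len(stages) == 2:
        priority = "medium"
    else:
        priority = "low"
    return {
        "host": host,
        "start": chain[0].ts,
        "end": chain[-1].ts,
        "stages": len(stages),
        "story": " -> ".join(stages),
        "priority": priority,
        "alerts": chain,
    }


def correlate(alerts, window=timedelta(hours=6)):
    """Group alerts per host, link each alert to the current chain when it falls
    within `window` of the previous alert on that host, and return one incident
    per chain, ranked by how many distinct stages the chain spans."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)

    incidents = []
    for host, hits in by_host.items():
        chain = [hits[0]]
        for a in hits[1:]:
            if a.ts - chain[-1].ts <= window:
                chain.append(a)
            else:
                incidents.append(_summarise(host, chain))
                chain = [a]
        incidents.append(_summarise(host, chain))

    # Broadest stage coverage first, oldest first within equal coverage:
    # a phishing -> dga -> beacon chain outranks a lone beacon.
    return sorted(incidents, key=lambda i: (-i["stages"], i["start"]))


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f'{inc["priority"]:6} {inc["host"]:6} {inc["story"]} '
              f'({inc["start"]:%m-%d %H:%M} to {inc["end"]:%m-%d %H:%M})')
```

The ranking key is deliberately simple (number of distinct stages, then age); a real engine would weight stages, fold in endpoint and log evidence from the integrated tools, and decay old chains, but even this toy version shows why the lone beacon on ws-42 and the stray beacon a day later on ws-17 sink to the bottom while the three-stage chain rises to the top.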

This technology allows us to widen the aperture to capture more unknown unknowns – without flooding the SOC – and provide our customers with better alerting efficiency, better detections, and ultimately better understanding, given that they now have the ability to leverage information from their other security tools. Next month, I’ll go into more detail on how to get the most out of your existing security infrastructure by integrating event and entity resolution from these tools.

The C-model

Speaking of cars… did you know that the Ford Model T actually came in red, not just black? But I digress.

IronNet, the collective defense industry leader, continues to develop cutting-edge innovative technology that is transforming cybersecurity as we know it. Integrated into the IronNet Collective Defense platform, this innovative engine has no standalone name; however, I like to call it the C-model. Bear with me: C for correlation, and “see” for all those alerts that will now stand out among all those white sedans cluttering your lane.

Learn more about the correlation engine.
