Most modern security operations centers (SOCs) face a problem of speed and volume of data collection. While collecting data is no longer the issue in many cases, analyzing it is — especially during high-priority incidents.
To collect forensic evidence in many cases, analysts manually run multiple tools: Volatility for memory dumps, YARA for malware signatures, and strings for basic text search. Each tool creates a different output. The combination of all of those outputs is required for meaningful analysis. Manual correlation of these outputs is time-consuming and error-prone. Manual correlation of forensic outputs also contributes to alert fatigue — when the number of alerts becomes so large that they cannot be reasonably processed by humans.
Read the original article: