One of the primary challenges facing information security teams is information overload. As organisations have deployed various cybersecurity infrastructures the number of security events they generate can be quite significant. According to ESG Research, 38 percent of organisations collect, process and analyze over 10 Terabytes of data per month1. In a recent survey conducted by Imperva of 179 IT professionals, 55 percent indicated that their organisations have to handle over ten thousand security alerts every day and 27 percent said their organisations deal with over one million security alerts on a daily basis2.
So how are security teams addressing this challenge today? This is not an area where most security teams excel. Based on Cisco’s findings, 44 percent of security alerts are left uninvestigated, and of the 56 percent investigated, only 28 percent are deemed legitimate, and only 46 percent of those are being remediated3, 4. These findings indicate that security teams are exhausting their available resources while attempting to keep up.
The time and resource intensive aspects of an information security professional’s job when investigating security events are reconstructing the context in which those events occurred. What activities resulted in the security alert, how they transpired, who initiated those activities and when those events occurred? The clearer the context the more effective the security professional will be in inferring why it may or may not pose a security risk. With a clear security context, the security professional can also comprehend the nature and magnitude of the risk. Getting a complete picture of the context of a security incident can be complex given the presence of multiple entities and understanding their behavior over an extended period of time. In addition, the presence of a tremendous amount of noise in the data collected can make resolving the context difficult.
Reconstructing context from disparate set of security events is highly involved and resource intensive as will be described in more detail shortly. If, however, organizations could monitor contexts continuously instead of trying to reconstruct it then not only can security analysis be more responsive and accurate in assessing security alerts but it can also be proactive in identifying risks and address them before alerts arise.
First, a closer look at the investigative process many organisations employ today in assessing security risk by attempting to reconstruct the incident context. Then it can be explored how contexts can be modeled and monitored in real time for improved security outcomes.
Reconstructing Context to Assess Security Risk
The first step in reconstructing the context of a security risk is the availability and accessibility of data that allows for tracing actions, identifying entities involved, monitoring communications and possibly visibility into the content of interactions. This data could be log data, network traffic information, and documents themselves. Today many organisations leverage security data lakes or Security Information and Event Management (SIEM) solutions to achieve this aggregation of raw data.
Next, the data collected needs to be mapped to one or more data models to facilitate data correlation. This also allows for disparate data sets to be viewed holistically and analyzed in a standardized manner. This may be done a priori when aggregating data or during investigation time. Several security solutions today employ a graph-based visualization to represent all the entities, and associated links among them represented in the security events being assessed for risk.
Subsequently, it needs to be assessed if certain entities or the links among them are irrelevant to the investigation. This may require domain or subject matter expertise and therefore involve either the development of heuristics or manual action to refine the analysis.
The fourth step is to research the entities, whether they are individuals, systems, applications or other artifacts, and to determine the nature of the relationships among the entities. For entities internal to an organisation, user or asset profiles can be leveraged and for entities beyond the purview of the organisation various external resources including threat intelligence feeds may be used. While some of this can be automated, many organisations have their security analysts perform this manually.
Time duration of the context reconstruction is an important factor for security analysts to consider. An attack if present may be identified during one of its phases – reconnaissance, scanning, exploit, exfiltration or obfuscation/disguise and each of these phases may occur during a different time range. There may even be periods of dormancy. Determining the appropriate time duration for reconstructing the incident context is among the most arduous tasks for a security analyst and contributes to security incidents going undetected for long periods of time.
Context reconstruction is not an exact science reliant on analyst experience, prone to errors in judgment, and highly manual even with the support of numerous security solutions. Instead of reconstructing the context, if context could be maintained then security analysis would center on assessing if any given context is suspicious or malicious and what degree of risk it poses for the organisation.
Context monitoring requires modeling entities a priori, their roles, and behaviors. For example, a sales employee is issued a computing device, sends emails, accesses product pricing documents, and submits quotes. Note that organizational or departmental security policies can be used for modeling security constraints. Once context is modeled for a set of entities, the context can be monitored.
The context of each instance of that entity is maintained and updated as that entity engages in authorized activities. When security events or security alerts occur they can be automatically mapped to all related entities’ contexts. By defining and maintaining the context over time security analysts no longer have to spend significant time and effort reconstructing relevant context for a security incident. They merely have to review the impacted security contexts and assess if the model has to be updated or a security risk needs to be addressed. Given that each entity’s context now maintains a historical record, the investigation no longer requires guesswork on determining the appropriate time period to analyze.
Context monitoring is not without its challenges. Manual modeling can be restrictive and limited for dynamic business operations. Model maintenance can be hard to synchronize and if not managed properly across all assessments can lead to security gaps. Additionally, matching security events and security alerts to context can require more nuanced analysis than simple mapping of keywords or values as more unstructured data is leveraged in security operations. Also, for sophisticated attacks that involve multiple entities, individual contexts may not reveal the complete context and the security analyst has to once again revert back to reconstructing the aggregate context.
To overcome these limitations of manual context monitoring, artificial intelligence concepts can be applied. Instead of modeling manually, organisations can use machine learning to model entities similar to how anomaly detection solutions today create baseline models for users, assets or applications using historical data. These models can be formalized and necessary security controls can be reinforced using real-time data. Additionally, as security assessments are performed any implicit or explicit feedback from security analysts can be seamlessly incorporated into updating the model for continuous learning. Continuous learning has the added benefit of learning relationships between individual models to derive aggregate models.
Once intelligent context monitoring has been instituted, it can be used to predict or simulate threats to proactively identify security gaps or surface policy conflicts that can lead to security risks.
Context is the Key for Security
It is well known that knowing the context around security events is essential to qualify if those events are false positives or worthy of a security response. However, today security operations are predominantly focused on event monitoring and rely on security analysts to reconstruct the context of a security incident upon notification of a security alert. By maintaining and monitoring the context of entities and their activities over time organisations will be able to more efficiently scale their security operations.