A sizable portion of security research has gone into creating security alerts that are effective at informing security analysts when certain events happen. For example:
more than 50 failed SSH login attempts within 10 seconds from the same IP address
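The rule quoted above is a sliding-window count, which is what most SIEM correlation engines compile it to. The following is an added example that is not part of the original article: it parses OpenSSH "Failed password" lines from a constructed auth log and raises one alert per source IP the first time that IP exceeds the threshold inside any 10-second window. The log lines, hostname and IP addresses are made up for the demonstration; the threshold and window are parameters so the same detector can express other thresholds.

```python
"""Sliding-window brute-force detector for sshd auth logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Classic OpenSSH syslog line, e.g.
#   Mar  1 02:15:00 bastion sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
# Syslog omits the year, so a year is supplied at parse time (assumption: 2024).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, source_ip, user) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=50, window=timedelta(seconds=10)):
    """Emit one alert per source IP the first time it exceeds `threshold`
    failures inside a `window`-long interval.  Lines must be in
    chronological order, as syslog writes them."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:        # not a failed login; ignore
            continue
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(q), "first": q[0], "last": ts})
    return alerts


# ---- Constructed sample log (not a real capture) -----------------------------
def _line(ts, ip, user, invalid=True):
    who = f"invalid user {user}" if invalid else user
    return f"{ts:%b %d %H:%M:%S} bastion sshd[4242]: Failed password for {who} from {ip} port 51234 ssh2"


_BASE = datetime(2024, 3, 1, 2, 15, 0)
_events = []
# Attacker: 60 failures in six seconds (ten per second) from one address.
for i in range(60):
    t = _BASE + timedelta(milliseconds=100 * i)
    _events.append((t, _line(t, "203.0.113.7", "admin")))
# A real user mistyping a password five times, three seconds apart.
for i in range(5):
    t = _BASE + timedelta(seconds=3 * i)
    _events.append((t, _line(t, "198.51.100.5", "alice", invalid=False)))
# A line the detector must skip.
_events.append((_BASE + timedelta(seconds=20),
                f"{_BASE + timedelta(seconds=20):%b %d %H:%M:%S} bastion sshd[4242]: "
                "Accepted password for alice from 198.51.100.5 port 51234 ssh2"))
SAMPLE_LOG = [line for _, line in sorted(_events, key=lambda e: e[0])]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['ip']}: {a['count']} failures between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Note that the rule fires on the 51st failure, while the attacker is still running; alice's five spaced-out failures never come close. That is the whole value of the rule, and also its limit: it knows nothing about which host was targeted or who owns the source address, which is the gap the rest of the article is about.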
But now, let’s address an interesting question: How many of these alerts actually require action or intervention from a security analyst?
Security teams have been haunted by this question for a long time. In the current SIEM market, most organizations have deployed a SIEM with log management and compliance reporting in mind. Threat hunting and security analytics are added to the scope later, so that the organization can derive more value and ROI from the deployment, regardless of whether the existing implementation was designed for those workloads. That, in turn, demands additional effort from SOC analysts to tune and configure the existing deployment, and the result takes significant time to mature.
Contextless SIEM Alerts: A Ticking Time Bomb
Generating alerts by simply correlating log data from devices, without some sort of validation, generally results in a flood of alerts. Because the alerts were generated without validation, the security team must validate them by hand. The resulting backlog leads to stressed security teams with lower morale. On top of that, many of the alerts are likely to be false positives: a SIEM typically fires on a match against an indicator of compromise (IOC), and an IOC match is evidence that warrants investigation, not proof of compromise. The net effect is a longer mean time to respond (MTTR).
If a SOC team is drowning in an endless torrent of alerts, the quality of its investigations will suffer no matter how sophisticated the SIEM may be. After all, the most important asset a SOC has is not a tool, but its own people. An implementation that takes the burden of validating mountains of alerts off the team is essential for every SOC manager. How, then, do you enable your team to focus on mission-critical tasks? There’s only one way: context, context and more context.
For example, imagine a scenario in which an L1 SOC analyst receives an alert about a malicious file download matching the signature of the WannaCry ransomware on one of the desktops within an organization. At this point, the SOC analyst knows only that a file matching that signature has been downloaded. To inform the relevant stakeholders (e.g., incident handlers), the analyst needs to investigate further and share the exact location, account user name, system name and IP address of the compromised system.
With a traditional SIEM and no contextualization, the only way for an analyst to investigate further is to coordinate with multiple teams to gather the required details. This is cumbersome and lengthens MTTR. When an organization has offices all around the world, with employees working different shifts in different time zones, the problem is exacerbated even further. What if your SIEM could add these exact fields to each event as it is ingested? Wouldn’t that shorten MTTR significantly?
The Benefits of Contextualization
Adding context to data means attaching the who, what and why of each event encountered. It is a process of applying atomic pieces of reference data (asset, identity and location records) to events as they arrive, so that each one carries supplemental fields such as username, user location and department. Those fields can then be combined into intelligence. For example, a suspected misuse of a user account through a drive-by download can be checked against the reputation scores of the websites that the user visited.
Externally sourced threat intel can be used to enrich fields of interest further. IP address spoofing, for example, can be surfaced by correlating a source IP with the MAC address recorded for it (in DHCP leases or the asset inventory) and with the result of a reverse DNS lookup, and flagging any discrepancy. Such mechanisms let analysts not only identify and triage IOC matches, but also pinpoint the exact systems and environments affected. From there, analysts can forward the required information to incident response teams for further action.
The greatest advantage of a SIEM with automatic enrichment and contextualization is the extra time it buys you during threat mitigation. By having an early warning system with the proper sensitivity, SOC teams can easily pick up emerging and persistent threats.
Does Your SIEM Contextualize Events in Real Time?
Here are features to look for in a SIEM solution to boost contextual awareness:
- Flexible, open architecture: Make sure your SIEM is able to integrate with the tools your security team is comfortable with. The ability to integrate with CRMs, ticketing systems or response plugins not only enables faster response times but also facilitates collaboration between multiple teams and analysts based on a single source of truth.
- Automatic enrichment: The ability to enrich data automatically, in real time, lets analysts triage faster, because the lookups are already done by the time an investigation starts. For example, if every IP address involved in an incident already carries geolocation and device-type data, scoping the investigation and isolating the affected hosts is straightforward.
- Accessibility of threat intel: Validating threats against a single threat database is insufficient, since any one provider may be unaware of a given indicator of compromise. Validation against multiple sources is the safer approach.
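To make the enrichment described in "The Benefits of Contextualization" and in the checklist above concrete, here is an added example that is not part of the original article. It takes the raw alert from the WannaCry scenario (only a rule name, a source IP, a user and a file hash) and, at ingest time, attaches the fields the L1 analyst would otherwise chase down by hand: hostname, site and device type from an asset inventory, display name and department from a directory, a MAC-mismatch flag for the spoofing check, and a verdict derived from querying every threat-intel feed rather than one. The inventory, directory, feeds, hashes and addresses are all constructed stand-ins; the all-zero hash is a placeholder, not a real indicator.

```python
"""Ingest-time enrichment of a SIEM alert with asset, identity and
multi-source threat-intel context (added example; all data constructed)."""
from copy import deepcopy
import json

# Stand-in for a DHCP lease / CMDB export, keyed by IP address.
ASSETS = {
    "10.20.30.44": {"hostname": "LDN-WS-0412", "mac": "3c:52:82:aa:bb:cc",
                    "site": "London", "owner": "jdoe", "device_type": "workstation"},
    "10.20.31.9":  {"hostname": "SYD-LT-0077", "mac": "f0:18:98:11:22:33",
                    "site": "Sydney", "owner": "mlee", "device_type": "laptop"},
}
# Stand-in for an identity-provider / HR directory, keyed by username.
DIRECTORY = {
    "jdoe": {"display_name": "Jane Doe", "department": "Finance", "manager": "rroe"},
    "mlee": {"display_name": "Min Lee", "department": "Engineering", "manager": "kpat"},
}
# Two independent threat-intel feeds.  Hashes and IPs are placeholders.
PLACEHOLDER_HASH = "0" * 64
FEEDS = {
    "feed_a": {"sha256": {PLACEHOLDER_HASH: "Ransomware.WannaCry"}, "ip": {"198.51.100.23": "C2"}},
    "feed_b": {"sha256": {PLACEHOLDER_HASH: "Trojan.Ransom.Wcry"}, "ip": {}},
}
# Which event fields are looked up in which feed table.
INDICATOR_FIELDS = (("sha256", "sha256"), ("dest_ip", "ip"))


def lookup_intel(kind, value):
    """Return {feed_name: label} for every feed that knows this indicator."""
    return {name: feed[kind][value] for name, feed in FEEDS.items() if value in feed[kind]}


def enrich(event):
    """Return a copy of `event` with asset, identity, spoofing and intel context."""
    e = deepcopy(event)
    asset = ASSETS.get(e.get("src_ip"))
    if asset:
        e["asset"] = {k: asset[k] for k in ("hostname", "site", "device_type")}
        user = e.get("user") or asset["owner"]      # fall back to the asset's owner
        # A source MAC that disagrees with the lease/CMDB record is worth a flag:
        # spoofing, a stale lease, or an unmanaged device sitting on that address.
        if "src_mac" in e:
            e["mac_mismatch"] = e["src_mac"].lower() != asset["mac"].lower()
    else:
        e["asset"] = None                           # unknown address: scope is unclear
        user = e.get("user")
    e["identity"] = DIRECTORY.get(user) if user else None

    # Check every indicator on the event against every feed, not just one.
    hits = {}
    for field, kind in INDICATOR_FIELDS:
        if field in e:
            matches = lookup_intel(kind, e[field])
            if matches:
                hits[field] = matches
    sources = {name for matches in hits.values() for name in matches}
    e["intel"] = hits
    # Two independent sources agreeing is what the checklist calls validation.
    e["verdict"] = "confirmed" if len(sources) >= 2 else "suspected" if sources else "unknown"
    return e


# Constructed raw alerts, as a contextless SIEM would emit them.
RAW_ALERT = {
    "rule": "Malicious file download", "src_ip": "10.20.30.44",
    "src_mac": "3C:52:82:AA:BB:CC", "user": "jdoe", "sha256": PLACEHOLDER_HASH,
    "dest_ip": "203.0.113.55", "file_path": r"C:\Users\jdoe\Downloads\invoice.exe",
}
RAW_C2_ALERT = {"rule": "Outbound connection to listed address",
                "src_ip": "10.20.99.1", "dest_ip": "198.51.100.23"}
RAW_SPOOF_ALERT = {"rule": "Port scan", "src_ip": "10.20.31.9",
                   "src_mac": "de:ad:be:ef:00:01"}

if __name__ == "__main__":
    for raw in (RAW_ALERT, RAW_C2_ALERT, RAW_SPOOF_ALERT):
        print(json.dumps(enrich(raw), indent=2))
```

The first alert comes out with hostname, site, owner, department and a "confirmed" verdict (both feeds know the hash), so the analyst can hand it straight to incident handling. The second alert is only "suspected": one feed lists the destination and the source address is not in the inventory, which is exactly the case that still needs a human. The third shows the spoofing check, where the MAC on the wire does not match the record for that IP.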
If you’ve felt the pain of manually investigating a perplexing or vague alert, you know how quickly it can bring an investigation to a halt. Having all this work done for you by your SIEM means all you have to do is view an alert, understand the context and jump into action.