Looks Can Be Deceiving: Context and the New Normative in Log and Event Analysis

(The following is a guest post written by Alissa Knight, an ethical hacker, entrepreneur and author.)

Is your SIEM or SOAR tool capable of contextual awareness? When a detection system is able to apply context to decisions, it’s taking its situational awareness of the environment, such as its understanding of entities and users, and improving the accuracy of its decisions at the time the decision is made. 

Applying contextual awareness in security can be easily described as situational awareness of the environment –  to include the network, endpoints and users – and use of that information to improve decisions on the applicability of a security event. Whether a solution is capable of applying context to automated detection and response can directly impact the mean time to response (MTTR) and ultimately whether an attack is mitigated or goes unnoticed.

False positives

False positives, a true event that doesn’t apply to the target system or service, is a systemic problem in the world of event analysis that contextual awareness solves. Antithetical to the concept of false positives are true positives, an event that is real and affects the target operating system and service. False negatives are events that the detection system thinks wasn’t an attack but in fact is, while a true negative is an event that the detection system doesn’t think is an attack and isn’t. While one might think false positives are bad, false negatives are in fact worse. While false positives can induce “event fatigue” causing analysts to ignore real attacks, false negatives don’t even show up as events of interest resulting in real attacks going undetected.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Why context matters

Human capital is a precious commodity. The time to analyze and determine if an event is a true or false positive can take many minutes. When the number of events per day can be in the hundreds of thousands for the average enterprise, the more contextual intelligence to reduce the number of false positives can mean hours of cost savings to an organization.

With advancements in machine learning transforming threat detection and response, no organization should be adopting cybersecurity solutions that don’t have contextual awareness of the environment.

In 2012, Gartner foresaw the move of the security landscape in this direction when they urged chief information security officers (CISOs) to retire what has become legacy static security controls, such as firewalls and endpoint protection platforms, to context-aware security controls.

History of event analysis

The timeline of event analysis dates back to the days of Shadow, as I discussed in my last article when I compared and contrasted next-generation SIEM to SOAR.

There was a time when application and operating system log files, and network and host intrusion detection system (IDS) event analysis was univariate — analyzed independently of other events and log types. Manual efforts performed by human analysts, such as telnetting to service ports or remoting into a host, were used to validate version numbers and operating systems to parse out false positives.

Legacy IDS solutions, consisting of both open-source and commercial off-the-shelf (COTS) tools, included Snort IDS, Network Flight Recorder, RealSecure, IntruVert and Top Layer. 

However, these tools produced isomorphic events that provide only a small part of a much bigger picture. They searched for patterns (or signatures) within packet payloads and operated the same way in every environment. This required significant time investments of analytic rigor by humans to find the signal in the noise without much help from the technology.

Then came the rise of security information and event management (SIEM), which introduced a novel concept of correlation engines that could take one event, correlate it with others, and form a story that attempted to reduce false positives.

The idea of context in security hadn’t really been a thing, nor an automated function, until the past decade. The idea that systems could apply context to security events by knowing what version of a service and what operating system the endpoint is running was unheard of. Correlating that knowledge with the behavior of users in how they’ve historically interacted with that endpoint when an alarm is triggered was a similar stretch of the imagination. 

Eventually a new generation of solutions capable of performing user and entity behavior analytics (UEBA) would emerge to baseline the usual behavior of individual users and alert to deviations in those learned patterns.

Unfortunately, what works in one network doesn’t invariably work in another. 

In 2014, Harvard Business Review published a seminal piece on the idea of contextual intelligence as it applies to multinational corporations operating cross-border in different markets and how strategies in one market don’t translate to success in another. The same concept can be applied to threat detection systems in networking. Not every network is the same, thus detection signatures that work in one network doesn’t necessarily mean it will work in another. Enter contextual intelligence.

Context enrichment

Context is defined as “the parts of a written or spoken statement that precede or follow a specific word or passage, usually influencing its meaning or effect.” Thus, context can completely change the meaning of a situation when applied.

What questions should context answer in security event analysis?

     1) Is the source IP address of the event really the adversary’s IP or is it an unwitting third-party system being used?
     2) Is the source IP address involved in other breaches?
     3) What is the time and location of the affected node(s)?
     4) What is the business value of the data affected?
     5) Does the technique being alerted on affect the target operating system?
     6) Does the technique being employed by the adversary affect the target service?
     7) Is the shellcode being used in an exploit the correct shellcode for the target architecture, e.g. x86, x64, ARM, etc.
     8) Is the SQL injection discovered in HTTP traffic relevant to the backend database? e.g. MSSQL queries when the backend database is Oracle.
     9) What does all this context mean? Does the context indicate a targeted attack by an APT?
     10) Does the context indicate gaps in my current security controls?

Network detection and response (NDR) solutions have adopted unsupervised machine learning models to understand the environment and alert on deviations from established user and node traffic patterns. An example of this includes a server suddenly initiating an unusual outbound connection request (SYN request) to the internet. Machine learning-powered solutions have even begun adding more contextual intelligence to events by incorporating UEBA functionality, such as a user initiating a remote desktop protocol (RDP) session to a host they’ve never connected to before. 

Context in SOAR

Referencing back to my previous article, what if SOAR and next-generation SIEM could apply this context automatically through the use of threat intelligence feeds and understanding of endpoints in the user’s environment?

Network and endpoint detection and response (EDR) are not the only tools working to incorporate more contextual intelligence into their detection capabilities. SIEM and SOAR solutions are also confronting the event fatigue problem by incorporating threat intelligence feeds to correlate events to known actors, as well as known indicators of compromise.

Knowing that situational awareness directly impacts MTTD and MTTR, SOAR solutions have also begun implementing contextual awareness into their platforms in order to instrument analysts with context-enriched events that offer a better understanding of the business value of assets and data involved in triaged events.

Summary

It goes without saying that no analyst today expects to have any reasonable response to an incident without security controls that perform contextual enrichment of events. It simply isn’t practical in today’s enterprise now generating terabytes, if not petabytes, of log and event data in a world where data is, indeed, worth its weight in gold.

Alissa Knight is a 20-year veteran in cybersecurity as a penetration tester and vulnerability researcher. She is also a serial entrepreneur having sold two previous startups in cybersecurity in successful M&A transactions and recently reinvented herself as a full-time writer in her impossible recovery as a former hacker.

The post Looks Can Be Deceiving: Context and the New Normative in Log and Event Analysis appeared first on Siemplify.

Recent Articles By Author

• APISecure: The First API Security Conference Makes Its Debut on the World Stage
• The Perils of Overestimating the Security of Your APIs
• All My Stripes: The New Business Imperative of LGBTQ+ Inclusion

More from Alissa Knight

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Alissa Knight. Read the original post at: https://www.siemplify.co/blog/looks-can-be-deceiving-context-and-the-new-normative-in-log-and-event-analysis/