Next-Gen is Cool… Right?

Security analysts have long known that network traffic can be a tremendous source of insight when paired with the right advanced security analytics. The standard capabilities that exist in many of today’s network detection solutions, however, can cause more harm than good. One such concern is alert fatigue, often caused by tens of thousands of alerts coming from a variety of different platforms, all with varying levels of fidelity and correlation. Any meaningful alert prompts an urgent and often difficult work effort—cue the “needle in a haystack” spiel here.

Many “next-gen” network detection solutions apply machine learning algorithms to sift through the barrage of alerts and surface only the most meaningful ones—needle in the haystack found. Or is it? I beg to differ. The issue with this approach is that when we start from alerts of wildly varying fidelity and correlation, even a “meaningful alert” is just one point on a larger timeline that may or may not have security relevance. Or, in other words: garbage in, garbage out.

It’s as if you were dropped into The Magic School Bus while it’s exploring the human body: Look! Some gnarly-looking cells! Are they good? Bad? Are they actually fending off an infection? Having just a glimpse of the full story–or a baseline pattern–leads to making potentially disastrous decisions. (In related news, the immune system gets things wrong all the time.)

You may ask, “What am I supposed to do about it? This is what the industry has to offer.” Great question, and a mostly accurate observation—until now.

A Case for Advanced Security Analytics

To make my point, let’s consider an example. Imagine you open $SIEM and see:

[Image: Advanced Security Analytics & SIEM]

This is an interesting starting point and actually gives us some actionable information. But receiving this “best of breed” alert leaves so many pieces of information unknown:

  • Is the receiving device a user’s system, a server, or some other sort of system (IoT, phone, etc.)? What about the device being accessed?
  • Is this behavior normal for the enterprise? For these two devices?
  • What data is being accessed? Is it one large file, multiple files/directories, etc.?
  • Who is the user doing this, and does this user usually use this device?
  • Has anything else out of the ordinary happened lately with this device?

Answering each of these questions—which I contend is what is truly required to have high confidence that the right decision is made—requires a lot of legwork by the analyst. In fact, there are so many steps that they likely never happen: the cross-team communication may be too hard to arrange, the information may not exist, custom scripts may need to be written; the list goes on. And still, which security team even has the time to go to that level of detail for each alert?

What began as the needle in the haystack turned into a ticket closure for “not actionable or malicious.”

A Requirements Spec

A true advanced security analytics platform needs to answer these questions as completely and accurately as possible, and in real time. The answers also need to be correlated with one another for even more clarity.

For instance, it’s helpful to know that some behavior is anomalous for a user and their device, but work and life are full of anomalies. Perhaps the user just joined a new internal project and they needed to access and read a full directory of documents by the end of the day. Instead of alerting that the SMB transfer happened, the alert should be connected to other, relevant information; for example, flagging that a non-corporate email sent externally has a similar size, or that a thumb drive was recently inserted.

Improving the context around these individual behaviors (both past and present) helps identify the actual intent behind them in a way that is beyond the capabilities of first-generation anomaly detection systems. This gives any analyst the ability to very quickly decide “innocence or guilt” without having to escalate to a more senior analyst or spend time getting to the answer manually. But more importantly, this kind of correlation gets us to the point where we can start looking for these patterns and, dare I say, predict future attacks very early in the kill chain.

By David Pearson
Principal Threat Researcher