In general, SIEMs are great at consolidating, presenting, and managing telemetry from the entire security stack. Unfortunately, when the volume of security events can be measured in the millions, it’s a lot harder to pull meaning out of the flood. While nearly every SIEM has a range of built-in and editable rules for parsing meaning out of the data, they don’t all do an exceptionally good job of it. Even the ones that include some form of machine-learning-based analytics don’t deliver the one thing that turns a series of isolated events into an actionable alert: context. Context is king.
It’s useful to know this thing happened, and it’s useful to know that this other thing, and this other other thing, also happened, but without context they are just isolated events that don’t actually mean anything. Being able to put all the disparate clues together is what makes a successful detective successful, and the same goes for cybersecurity. Context is king.
Not All the Flags Stand Out
It’s true that some flags are big and bright enough to indicate a problem on their own. I’ve seen a lot of SOC teams that would focus on those big-flag events for investigation, because even as a standalone event in siloed data there was a good chance that flag was important. They would see the event and do what the playbook told them to do. Sometimes it stopped an actual attack, but often it was just an ultimately benign incident that wasn’t as critical as it seemed.
The opposite was just as common, if not more so. There were several minor events that never rose above the “mildly interesting” level, which got ignored because policy was to clear the queue of High-severity events before even looking at the Mediums. Worse, each of those events was reported from a different silo. While the SIEM could display them on the same front end, it couldn’t deliver context. And context was important, because it would have shown that those seemingly unrelated events were all part of a single complex attack. Context is king.
Attackers Know How to Hide
Attackers have known about these limitations forever and have been exploiting them to their advantage. The bad guys know what the most common tools are and how they tend to be deployed, which means they can go in with a fair idea of how to stay under the radar. A simple example would be knowing that “X or more events in Y time” triggers an alert, so they keep their rate below that threshold. There are other tricks, of course. Plus, attackers know SOC teams are often overwhelmed with data, so much so that there are stories of penetration testers directly targeting a SOC and only being discovered when they went and knocked on the door.
Without context, the SOC couldn’t stitch together all the separate events the pen test team was triggering on their consoles. And while that was an example of a “perfect storm” of tools, training, process, and priorities configured in a way that led to a wide miss, it’s hardly the only example. A lot of the incidents we see reported in the press today might have turned out very differently if the security operations team holding the fort had had more contextual information while the intrusion was underway. Context is king.
Context Is King
We say context is king because it lets you interpret the whole picture, not just see it, and understand what all the moving parts are doing. By tying everything together in context, individual events become a pattern of events, and from the pattern comes understanding. Basically, your radar is now looking a lot closer to the ground, and that gives the bad guys much less room to hide.
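To make the difference concrete, here is an added Python example (not code from the original post) contrasting a single-silo “X or more events in Y time” rule with a context rule that joins events from several tools on the same host and user. The event feed, the tool names, and the field layout are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumption: the SIEM has already normalised
# events into source / timestamp / host / user fields). The four failed logins
# are spaced 12-13 minutes apart, so a per-silo "5 in 10 minutes" rule never
# fires, and the EDR and proxy events are each unremarkable on their own.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "auth", "host": "ws-17", "user": "alice", "msg": "login failed"},
    {"ts": "2024-05-01T09:12:00", "source": "auth", "host": "ws-17", "user": "alice", "msg": "login failed"},
    {"ts": "2024-05-01T09:15:00", "source": "edr", "host": "ws-17", "user": "alice", "msg": "lolbin spawned"},
    {"ts": "2024-05-01T09:25:00", "source": "auth", "host": "ws-17", "user": "alice", "msg": "login failed"},
    {"ts": "2024-05-01T09:38:00", "source": "auth", "host": "ws-17", "user": "alice", "msg": "login failed"},
    {"ts": "2024-05-01T09:40:00", "source": "proxy", "host": "ws-17", "user": "alice", "msg": "rare domain"},
    {"ts": "2024-05-01T12:00:00", "source": "proxy", "host": "ws-22", "user": "bob", "msg": "rare domain"},
]

def ts(event):
    return datetime.fromisoformat(event["ts"])

def threshold_rule(events, source, limit, window_min):
    """Classic single-silo rule: 'limit or more events in window_min minutes'."""
    window = timedelta(minutes=window_min)
    times = sorted(ts(e) for e in events if e["source"] == source)
    for i, start in enumerate(times):
        in_window = sum(1 for t in times[i:] if t - start <= window)
        if in_window >= limit:
            return True
    return False

def context_rule(events, min_sources, window_min):
    """Context rule: join events from different tools on (host, user) and fire
    when at least min_sources distinct silos report on the same entity within
    the window, regardless of each event's individual severity."""
    window = timedelta(minutes=window_min)
    by_entity = defaultdict(list)
    for e in events:
        by_entity[(e["host"], e["user"])].append(e)
    hits = []
    for entity, evs in by_entity.items():
        evs.sort(key=ts)
        for i, first in enumerate(evs):
            sources = {e["source"] for e in evs[i:] if ts(e) - ts(first) <= window}
            if len(sources) >= min_sources:
                hits.append((entity, sorted(sources)))
                break  # one alert per entity is enough
    return hits

def run_demo():
    """Returns (silo rule fired?, context rule hits) for the sample events."""
    return threshold_rule(EVENTS, "auth", 5, 10), context_rule(EVENTS, 3, 60)
```

With the sample feed, the per-silo rule stays silent while the context rule raises one alert for ws-17/alice backed by auth, EDR, and proxy telemetry.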
Watch the Webinar
If you want to know more, check out our webinar presentation. We look at a couple of historical incidents to show where security analytics and contextual information would have shown the attack before it became a newsworthy event. We also cover a couple of events where we did provide the context needed to keep an attack from becoming a newsworthy event.