SIEM/XDR Solutions Need to Contextualize the Attack to be Accurate

Investigations are The Long Pole

Whether you have an existing SIEM solution, or you are looking to accelerate and improve the accuracy of your threat detection capabilities, adding an XDR can improve your overall security operations by improving accuracy and contextualized correlation. Since behavioral and identity analytics are built into Gurucul’s DNA, the platform can detect and prioritize the early stages of any advanced attack well before it progresses to competition.

The challenge that most security teams face is the ability to cut through the noise and get to an actual incident as quickly as possible. This is where security teams not only lament the number of alerts but also the amount of wasted effort chasing false positives and isolated events. Reducing the amount of noise the SIEM solution generates requires a platform that provides a high level of accuracy because it learns and adapts to an organization’s unique characteristics.

An Example of Why Validation of the Attack is Important

Take a typical phishing or spear phishing attack. Spear phishing is the most common way for a successful initial comprise that subsequently results in a threat actor gaining access to an environment.

First, let’s look at the types of functions that a SIEM solution would need to analyze to successfully identify a spear phishing email. Upon receiving the email with a malicious link, most next-gen firewalls and/or sandbox would have analyzed the email looking for malicious content, identified a link to a known malware site, and possibly check the email sender. Likewise, network traffic analysis, when enabled with behavioral anomaly detection, would look for abnormal behavior, such as the unusual email recipient, and suspicious destination website once a user clicks the bogus link within the email. Let’s say the URL is an unknown or uncategorized site, thus it would be considered a zero-day vulnerability. The zero-day will not be detected by the next-gen firewall and sandbox, as the email recipient is spoofed, and the URL goes uncategorized. The network traffic analysis function would highlight that the website is a deviation in host activity, but this would be after the fact and constitute a single point of reference. Unusual events are not necessarily malicious events, so the analyst is left to determine if this unusual activity is legitimate, a threat, or part of a broader attack.

Doesn’t my SIEM Tool or XDR do that now?

SIEM solutions or XDRs traditionally correlate events to paint a picture of the advancement of an attack campaign. At their core, traditional SIEM tools are correlation-based, which means introducing additional functionality, like UEBA for example, must be boiled down to the core capabilities. They do not provide insight into each identified TTP that springs from each set of analytics, causing them to correlate events that often are false. With correlation-based systems, events generated by one component, UEBA or NTA, are received and handled internally the same as any 3rd party silo base device. These modules are not integral parts of the overall platform, providing meaning and context to the other events received. We have already touched on this subject, but to correlate events at this level means they are tied together based on rules, and not through an understanding or contextualization from one event to another.

Hype and Pseudo-Truths on the Effectiveness of ML/AI

As we discussed, a model that is deep-rooted in behavior and identity analytics can provide context between events to rule in or rule out follow-on actions. Let’s take a basic example of this in action. If a would-be hacker swept the DNS server for a particular name, and then used the results to brute force the list of hosts, there is context, a relationship between the search results and the brute force action. Cause and effect. Of course, the detection of the DNS sweep, and the brute force themselves must be, analyzed detected, and classified as those techniques, and analyzing the details there is a relationship based on the results of the DNS queries. If, for example, the brute force was against a host that was not returned in the DNS query, it doesn’t mean that the brute force was not real. It means that the two events are not related, and so the credibility of the brute force is weaker.

While the above is true for behavior-based analytics-based solutions, the same cannot be said for correlation-based solutions using only rules. Rules remove the relationship and the context between events, leaving the user with an abstract viewpoint of each trigger. This means the correlation between the two actions is possible, but you would need additional insight into the results of one and how this services the other triggers. With a correlation-only model, even if you applied analytics to provide context, your risk is based on the correlation of tying these events together. So, what do you do in this scenario? Observed events may not appear to be related, but they could be used by the hacker and go undetected.

This is where the Gurucul model excels. On one hand, the two events mentioned could be used individually, even if they are not related, but the attack risk would only be increased according to the accuracy found. It also means while other events are ingested the context may become clear over time, which is not something that can intuitively or naturally be correlated with manual rules. Using identity and user context greatly reduces false positives and increases accuracy so that the risk score associated with a given entity can be increased or decreased according to what is found, what is configured, and the behavioral characteristics.

Gurucul delivers an integrated Gurucul Security Analytics Platform that provides customers with Gurucul Open XDR. Gurucul Open XDR provides the broadest depth and breadth of security analytics to accelerate the automation of data collection, detection, investigations and improve the accuracy of response and prevent successful breaches based on a risk-driven approach. To learn more, please check out the following resources: