Pulling the Right Data to Validate a Detection and Respond Effectively

Data Breach

Verizon’s Data Breach Investigations Report (DBIR) has evolved significantly since it first came out, but one finding has not changed over the last twelve years: security professionals have the ability to detect many of the breaches they suffer. In fact, the very first report back in 2008 found that 87 per cent of breaches were considered avoidable through reasonable controls. In most security environments, the indicators are in the logs. The problem is that they are hard to see, because logs are noisy and most security departments do not have enough people to sift through them and make sense of the data.

Fast forward to the 2020 DBIR and roughly two-thirds of breaches are discovered in days or less. The good news is that we are getting better at detecting breaches. But what about the other third? And of the two-thirds we do detect, have we found the full scope of the attack, or have we missed indicators, leaving the attacker hiding in the environment and waiting to re-emerge later?

How we define detection matters, because extended detection and response (XDR) is becoming the next hot topic in the security industry, and the way we interpret detection drives the XDR outcome and ultimately its other key component, response.

What does extended detection mean? Is it detecting something different, or finding all the indicators and putting them together so you can get a full picture of what is going on and respond effectively? If you think it through, the answer is clear. To be effective, detection must span the entire ecosystem in order to create truly integrated protection. That points to the second definition: identifying all the indicators across the entire ecosystem so that you gain a comprehensive understanding of the threat you face and know what to protect. Pulling the right data from the right tools lets you validate the detection and respond to it. So how do you do that?

Let’s take a simple example (the numbers are made up for ease of explanation). Say one piece of data a detection tool surfaces is an IP address you don’t recognize. More observables will help you build a broader picture of what is going on, but you need to be strategic and focus your search. So you consult external threat intelligence and find that the IP address is associated with a particular adversary. You then pivot to that adversary and find 50 additional IP addresses linked to it. Searching across your other tools, you find 20 of the 50 associated IP addresses. That is a strong indication that something may be going on and that you need to expand your investigation for a deeper understanding, but that is a topic for another article.

The point is that your tools are doing their job: they have detected indicators of a threat. What you cannot easily do is see all of the relevant indicators, bring the pieces together and make sense of them. What you need is a platform that can collect the right, targeted data in one accessible location and automatically translate it into a standardized format for analysis and prioritization. This includes events and associated indicators from within your environment, such as your SIEM, log management repository, case management system and security infrastructure. You can automatically enrich and expand this data with threat data from the multiple sources you subscribe to (commercial, open source, government, industry, existing security vendors) and integrate it easily with new frameworks as they appear, such as MITRE ATT&CK. Once you have all the pieces of the puzzle together and correlate the data, you can see a complete picture of the attack.
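The pivot described two paragraphs above, and the normalization and correlation this paragraph calls for, as an added Python example that is not part of the original article: two tool-specific log formats (a firewall syslog line and an EDR JSON record, both constructed here) are normalized into one event schema, the unrecognized IP is looked up in a small constructed threat-intel table, the search pivots to every indicator attributed to the same adversary, and the normalized events from both tools are searched for those indicators. The adversary name ACTOR-X, the ATT&CK technique tag, the IP addresses and the log lines are all assumptions made for illustration, not data from any real feed or tool.

```python
"""Indicator pivot and cross-tool correlation over constructed sample data.

Added example, not code from the original article. The threat-intel table,
the adversary name "ACTOR-X", the ATT&CK technique tag, the two log formats
and every IP address below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Constructed threat-intel lookup: indicator -> attribution. A real feed would
# be a STIX bundle or a vendor API; the shape used here is an assumption.
THREAT_INTEL = {
    "203.0.113.10": {"adversary": "ACTOR-X", "technique": "T1071.001"},
    "203.0.113.11": {"adversary": "ACTOR-X", "technique": "T1071.001"},
    "203.0.113.12": {"adversary": "ACTOR-X", "technique": "T1071.001"},
    "198.51.100.7": {"adversary": "ACTOR-X", "technique": "T1071.001"},
    "192.0.2.99": {"adversary": "ACTOR-Y", "technique": "T1071.001"},
}

# Constructed sample events in two tool-specific formats.
FIREWALL_SYSLOG = """\
Jun 1 10:01:02 fw01 kernel: DROP src=203.0.113.10 dst=10.0.0.5 proto=TCP dpt=443
Jun 1 10:01:07 fw01 kernel: ACCEPT src=10.0.0.5 dst=203.0.113.11 proto=TCP dpt=443
Jun 1 10:02:14 fw01 kernel: ACCEPT src=10.0.0.9 dst=8.8.8.8 proto=UDP dpt=53
"""
EDR_JSON = """\
{"ts": "2020-06-01T10:03:00Z", "host": "ws-17", "event": "net_connect", "remote_ip": "198.51.100.7", "process": "powershell.exe"}
{"ts": "2020-06-01T10:03:30Z", "host": "ws-17", "event": "net_connect", "remote_ip": "93.184.216.34", "process": "chrome.exe"}
"""


@dataclass(frozen=True)
class Event:
    """One normalized observation: which tool saw which IP, when, with context."""
    source: str
    ts: str
    ip: str
    detail: str


SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)"
)


def normalize_firewall(text):
    """Turn firewall syslog lines into Events; both endpoints become observables."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines this parser does not understand
        for ip in (m["src"], m["dst"]):
            events.append(Event("firewall", m["ts"], ip, m["action"]))
    return events


def normalize_edr(text):
    """Turn newline-delimited EDR JSON records into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event("edr", rec["ts"], rec["remote_ip"],
                            f'{rec["host"]}:{rec["process"]}'))
    return events


def pivot(seed_ip, events, intel=THREAT_INTEL):
    """Attribute the seed IP, pivot to the adversary's full indicator set and
    report which of those indicators appear in the normalized events and in
    which tools. Returns None when intel has nothing on the seed."""
    hit = intel.get(seed_ip)
    if hit is None:
        return None
    adversary = hit["adversary"]
    indicators = {ip for ip, v in intel.items() if v["adversary"] == adversary}
    matched = {}
    for ev in events:
        if ev.ip in indicators:
            matched.setdefault(ev.ip, set()).add(ev.source)
    return {
        "adversary": adversary,
        "technique": hit["technique"],
        "indicators": sorted(indicators),
        "matched": {ip: sorted(srcs) for ip, srcs in sorted(matched.items())},
        "coverage": f"{len(matched)}/{len(indicators)}",
    }


if __name__ == "__main__":
    all_events = normalize_firewall(FIREWALL_SYSLOG) + normalize_edr(EDR_JSON)
    print(json.dumps(pivot("203.0.113.10", all_events), indent=2))
```

Starting from the single unrecognized address 203.0.113.10, the pivot attributes it to ACTOR-X, expands to that adversary's four known indicators and finds three of them across the firewall and EDR data, which is the "20 of 50" situation from the example in miniature; an address with no intel record returns None so the analyst knows there was nothing to pivot on rather than a clean result.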

Now we need to be able to use that information for response, with the flexibility to do it manually, automatically or with some combination of the two. Just as detection is not siloed in single tools, response is not siloed in single tools either, but must be distributed across the environment. Tools need to integrate relevant, prioritized threat intelligence from a central repository with all of the security controls. This lets them send the right data back to the right tools across the ecosystem for effective extended response.

Clearly we need to make better use of the data our detection tools find, and we can. Now we need to look ahead and make sure we use a deeper understanding of threats to drive both our extended detection and our extended response capabilities.

Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker and Author at Cybers Guards & w-se. Previously, Melina worked as a security news reporter.