The Importance of Context in Security Investigations

In today’s security environment, we have both too much information and not enough. Context is the code word for the “right information,” the details that will tell you what you need to know about a security threat without giving you endless swaths of useless data or getting you mired in the mud.

The importance of context in security investigations cannot be understated, as the right information could mean the difference between finding a threat in time and getting there too late. It could also spell the difference between hunting through endless alerts and getting to the ones that matter. And it most definitely means ending up at the right conclusion, instead of spending hours on end investigating dead ends. In short, context is the king-maker in security investigations.

Here are the questions you should be asking, the information you need, and the difference it makes.

The Benefits of Threat Context

There are plenty of benefits to knowing more about the threats that plague your environment. Here are three.

1. Slashing Through False Positives and Alert Fatigue

“Alert fatigue,” as brought on by too much information and an overabundance of false positives, is a prime culprit of security burnout. Gartner revealed that 62% of InfoSec and IT leaders feel pressure to work late nights and/or weekends, ostensibly to keep up with an unrealistic workload. This can come largely from having “too many false positives, too little time,” and spending too much time on investigations. Research from IDC indicates that each false positive takes 30 minutes to look into.

Tempering alert fatigue is possible when you have additional attack context and can eliminate some definite “no’s.” For example, CVS scores hit the radar, and on the first blush, it seems they all need patching now. However, if there is an active campaign coming from a specific geography, you can prioritize those patches first as the likelihood of attack from that region is higher, making that alert more salient.

2. Reducing Enemy Advantage

As Sun Tzu famously said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Context is the art of knowing the enemy, and it drastically improves chances in our favor.

“We have often cited the asymmetry of information as the biggest advantage that threat actors have over the cybersecurity sector,” notes Raj Samani, SVP Chief Scientist at Rapid7. “The ability to track the prevalence of specific threat campaigns and add critical context to known-exploited lists begins to shift the balance in favor of threat analysts and overworked security teams.”

For example, knowing which threat vulnerabilities are being actively exploited can help us disrupt attacks earlier in the kill chain.

Even the best burglars leave clues behind. It is the security analyst’s job to decipher those clues, but first, it is the job of the security architect, the SOC, or whoever’s in charge to set up solutions that can catch those clues in the first place. AI-based solutions are getting better at vetting alerts and sifting out false positives, leaving only the “good ones” behind for your analysts to dig into. Managed Detection and Response (MDR) vendors can do the same thing, acting as a net to catch and scrutinize swaths of alerts before sending vetted ones on to your team. 

3. Context Cuts Variables – and Time

With only one piece of threat information – a CVSS score, for example – possibilities could be endless. Just ask a SOC analyst. However, once you provide additional context, those possibilities narrow down. This additional context includes traffic metadata, such as:

  • Source and destination IP
  • Protocol
  • Timestamps
  • Source and destination ports

And more, to get you to the right answers more quickly. We know that the time from vulnerability discovery to exploitation has been in decline, as CISA warned. With that in mind, any information that can hasten discovery in investigation is a welcome boon.

How to Gain Context? Ask the Right Questions.

A key to getting the right context is asking the right questions. These are queries an experienced analyst would use to quickly assess the severity of an incident and ones a less-experienced analyst might miss.  

Grant Oviatt, Head of Security Operations at Prophet Security, notes, “I often find that inexperienced analysts pull back the same sources of evidence, regardless of their investigative lead. Usually, it’s because there’s no process to guide the way they triage an alert and ensure they get a complete picture.” This process involves asking questions like:

  • What triggered the alert? (A basic question, but an essential one).

And, in the case of Identity and Access Management (IAM) alerts, for example:
  • Did the user log on with MFA?
  • Did the user’s behavior differ from their norm?
  • What is the reputation of the Source IP address?
  • Is this activity ongoing or a one-off?

Again, asking intelligent questions is the best way to gain relevant context for triaging the event.

Conclusion

Living in the information age, getting enough data is not the problem. It’s determining how much of that data is usable and which is most important to the situation at hand. Doing so can cut down false positives, give teams a knowledge advantage over adversarial tactics, and eliminate options on the decision tree, all leading to streamlined investigations and quicker remediation. The key comes down to asking the right questions, knowing which questions to ask, and having the resources in place to pull those answers up when you need them.

Today’s analysts need to be finders, not farmers, as knowing how to find the “needle in the informational haystack” can make all the difference when it comes to successful security investigations. 


About the author:

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.

Post a Comment

0 Comments