Context is King

06 Aug

in Blog, Lessons Learned, Perspectives, Technology

by Nikfar Khaleeli


In the picture above, at first glance it looks like the man is falling down, possibly to his death. Clearly this is an emergency situation that needs immediate attention. However, if you pan out to look at the larger picture and at the situation across time (i.e., the YouTube video below), a different story emerges. What you see is a man attempting to perform a daredevil stunt at a construction site. So what have we learned, now that this apparent emergency turns out not to be what we initially presumed? Context makes a difference.

When faced with thousands of daily security alerts, analysts need the appropriate context to properly identify what is (and is not) critical. With the large volumes of alerts being generated by IT systems in modern organizations, it’s no longer sufficient for cyber security technologies to just flag suspicious actions and leave security analysts with the onerous task of determining the critical nature of those actions. Given the shortage of qualified security personnel and the time that would be required to investigate all flagged actions, this approach is simply not feasible.

Possessing the right kind of information, made possible by big data security analytics (BDSA), enables the machine assistance that security analysts need to filter through oceans of data and home in on what’s really important. But it’s not enough to simply do a better job of identifying real threats (though that is extremely important) and assigning a risk score. If an analyst is investigating something, he must be able to delve into what’s contributing to the threat score and be able to determine whether it all makes sense.

Effective cyber security technologies must provide evidence – the context – as to why something was flagged. For example, a user’s download of a 2 GB file could be an exfiltration attempt, or it could just be normal behavior for that user. However, cyber security technology that flags a user’s download of a 2 GB file as an exfiltration attempt and also provides context, by showing that the user’s normal downloads never exceed 10 MB, is immensely valuable in helping to guide where analysts should focus their efforts.

Supporting evidence can come in many forms: packet data, machine logs, computed metadata (e.g., source of a packet, the destination, etc.), the actions preceding the one that’s flagged for further investigation and a user’s risk score over time. Each form can provide the valuable context often needed for incident investigation. Therefore, in the example above, also being able to see the actual content of that download would be the icing on the cake.
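The 2 GB download example can be sketched as a small detection that returns its evidence alongside the flag. This is an added illustration, not code from any BDSA product; the event records are constructed, and the `factor`, `min_history` and `trail` thresholds are assumed values chosen for the demonstration.

```python
from statistics import median

# Constructed sample events, not real data: (time, user, action, bytes, destination)
EVENTS = [
    ("2024-08-03T09:12", "alice", "download", 4_000_000, "fileserver01"),
    ("2024-08-03T14:40", "alice", "download", 9_500_000, "fileserver01"),
    ("2024-08-04T10:05", "alice", "download", 2_200_000, "fileserver01"),
    ("2024-08-05T22:48", "alice", "login", 0, "vpn-gw"),
    ("2024-08-05T22:51", "alice", "download", 2_000_000_000, "fileserver02"),
    ("2024-08-04T11:00", "bob", "download", 1_800_000_000, "backup01"),
    ("2024-08-05T11:00", "bob", "download", 1_900_000_000, "backup01"),
    ("2024-08-06T11:00", "bob", "download", 2_000_000_000, "backup01"),
]

def alerts_with_context(events, factor=10, min_history=2, trail=3):
    """Flag downloads far above the user's own history and attach the evidence.

    factor, min_history and trail are assumed thresholds for this example.
    """
    history, recent, alerts = {}, {}, []
    for ts, user, action, size, dest in sorted(events):  # ISO times sort correctly
        past = history.setdefault(user, [])    # this user's earlier download sizes
        prior = recent.setdefault(user, [])    # this user's earlier actions
        if action == "download":
            # Compare against the user's own baseline, not a global size limit.
            if len(past) >= min_history and size > factor * max(past):
                alerts.append({
                    "user": user, "time": ts, "bytes": size, "dest": dest,
                    # The context an analyst needs to judge the flag:
                    "baseline_max": max(past),
                    "baseline_median": median(past),
                    "ratio_to_max": round(size / max(past), 1),
                    "preceding": list(prior[-trail:]),
                })
            past.append(size)
        prior.append((ts, action, dest))
    return alerts

if __name__ == "__main__":
    for alert in alerts_with_context(EVENTS):
        print(alert)
```

Both users download 2 GB, but only the one whose history never exceeded 10 MB is flagged, and the alert carries the baseline figures and the preceding actions with it.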

Getting this context shouldn’t require analysts to search across multiple silos of data. Remember, the goal is to make things convenient. This forensic trail really should be an intrinsic part of the big data security analytics (BDSA) that provide analysts with the right kind of information to get through the oceans of data. Upon seeing an event of interest, an analyst should be able to, with one click, get to the relevant forensics.

By automatically processing huge volumes of disparate data to surface sophisticated threats, BDSA solutions make the impossible possible. With layered forensics – from raw data, events or a timeline history – integrated into such systems, the context required for proper incident investigations is one click away. And given that BDSA solutions should be leveraging machine learning to adapt to continually evolving threats, context becomes even more important as it allows security analysts to perform spot checks to ensure that the system is working adequately, and not acting like Skynet.
