SecurityWeek
The Power of Visualization to Accelerate Security Operations

Every day we seem to hear of new and interesting linkages discovered by the medical and scientific communities. Just yesterday there was a report that young people who vape are 3.5 times more likely to try or use marijuana, compared to those who don’t. Today, I heard another report on the radio stating if a person can keep their blood pressure in check, especially in middle age, it could lower the risk of developing dementia. Researchers are constantly analyzing data and searching for patterns to identify and solve important problems. Sounds a lot like what we do as security professionals.

Whether investigating an event, engaged in threat hunting or responding to an incident, we search for threads to pull that will lead us to what is happening or has occurred. The process starts with a trigger – an alert or report. Then threat intelligence, which includes global threat feeds (some from commercial sources, some open source, some from industry groups and some from your existing security vendors), is used to add context. A critical but underused source is threat and event data from internal systems, including intelligence from attacks you’ve already seen or managed. Data from the MITRE ATT&CK framework is another great knowledge base for intelligence on techniques, tactics and indicators. For example, knowing the techniques that APT28 applies, you can look for potential indicators of compromise or related system events in your organization and determine whether your sensor grid is detecting those techniques.

In order to use all this intelligence efficiently and effectively as part of your security operations, you need a way to collect and manage it. Having a platform that serves as a central repository – aggregating all the sources of threat intelligence, translating it into a usable format, and augmenting and enriching it with context – allows you to begin to analyze the data and discover the threads. But there’s a challenge: there are always multiple threads and we’re always operating under time constraints, so we need the ability to look for patterns to accelerate investigations and hunts.

Visualization helps you see patterns and linkages so you can quickly determine which threads to pull. Think about searching for patterns in numbers, like 55, 89, 144, 233. Unless you have the list of numbers in front of you, it can be difficult to figure out the pattern. When you can visualize it, you can quickly see that it’s the Fibonacci sequence and the next number is 377 (the sum of the previous two numbers).

With a platform that also embeds visualization in a collaborative environment, so that analysts and teams can share intelligence and work together, you can see patterns more clearly. Investigations, threat hunting and incident response improve because, rather than being overwhelmed by all the possible threads, it becomes easier to see key commonalities you may otherwise have missed. Linkages between threat data and evidence, and visibility into incident, adversary and campaign timelines, provide valuable insights that accelerate your work. With shared visibility, teams can discover attack patterns more quickly and coordinate next steps to remediate malicious activity.

History is also crucial in identifying patterns, so the platform must store investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. As new data and learnings are added to the platform, new threads and patterns are revealed that enrich ongoing investigations and response and trigger new security operations activity. 
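The indicator-to-log matching described above, as an added example that is not part of this column or of any ThreatQuotient product: a small aggregated indicator store is matched against internal log events, and the hits are grouped into the indicator/host linkages and timeline that an analyst would otherwise have to spot by eye. Indicator values, hosts, sources, the risk threshold and the log lines are all constructed for illustration.

```python
# Added example: match high-risk indicators from an aggregated intel store
# against internal log events, then group the hits into linkages and a
# timeline. All indicators, hosts and log lines below are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed indicator store: each entry carries its source (commercial feed,
# open source, or a past internal incident), a risk score and an ATT&CK technique.
INDICATORS = [
    {"value": "203.0.113.45", "source": "commercial-feed", "risk": 85, "technique": "T1071.001"},
    {"value": "bad-update.example", "source": "internal-incident-2023", "risk": 95, "technique": "T1105"},
    {"value": "198.51.100.7", "source": "osint", "risk": 30, "technique": "T1595"},
]

# Constructed internal log lines: "timestamp host event value".
LOG_LINES = """\
2024-03-01T08:02:11Z ws-017 dns_query bad-update.example
2024-03-01T08:02:13Z ws-017 net_connect 203.0.113.45
2024-03-01T09:40:05Z fw-edge net_connect 198.51.100.7
2024-03-02T14:15:00Z srv-db net_connect 203.0.113.45
2024-03-02T14:15:02Z srv-db dns_query bad-update.example
"""

def parse_logs(text):
    """Split the constructed log format into event dicts with tz-aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, host, event, value = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "event": event, "value": value})
    return events

def match_indicators(events, indicators, min_risk=70):
    """Return log events whose value matches an indicator scored at or above min_risk."""
    by_value = {i["value"]: i for i in indicators if i["risk"] >= min_risk}
    return [dict(ev, indicator=by_value[ev["value"]]) for ev in events if ev["value"] in by_value]

def build_linkages(hits):
    """Group hits so shared indicators across hosts and their ordering in time stand out."""
    hosts_by_indicator, techniques_by_host = defaultdict(set), defaultdict(set)
    for h in hits:
        hosts_by_indicator[h["value"]].add(h["host"])
        techniques_by_host[h["host"]].add(h["indicator"]["technique"])
    timeline = [(h["ts"].isoformat(), h["host"], h["value"]) for h in sorted(hits, key=lambda h: h["ts"])]
    return {"hosts_by_indicator": dict(hosts_by_indicator),
            "techniques_by_host": dict(techniques_by_host), "timeline": timeline}

def investigate(log_text=LOG_LINES, indicators=INDICATORS, min_risk=70):
    """End-to-end: parse logs, keep high-risk matches, return the linkage summary."""
    return build_linkages(match_indicators(parse_logs(log_text), indicators, min_risk))
```

Lowering `min_risk` pulls the low-confidence OSINT hit into the same view, which is the trade-off between noise and missed linkages the column alludes to.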

Just as researchers in the scientific and medical communities constantly search for linkages to identify and solve important problems, security professionals do too. Visualization holds the key for quickly understanding patterns and determining which threads to pull. Ultimately, it enables us to act faster – whether defending against adversaries or responding when an event occurs.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
