Every day we seem to hear of new and interesting linkages discovered by the medical and scientific communities. Just yesterday there was a report that young people who vape are 3.5 times more likely to try or use marijuana, compared to those who don’t. Today, I heard another report on the radio stating if a person can keep their blood pressure in check, especially in middle age, it could lower the risk of developing dementia. Researchers are constantly analyzing data and searching for patterns to identify and solve important problems. Sounds a lot like what we do as security professionals.
Whether investigating an event, engaged in threat hunting or responding to an incident, we search for threads to pull that will lead us to what is happening or has occurred. The process starts with a trigger – an alert or report. Then threat intelligence, which includes global threat feeds (some from commercial sources, some open source, some from industry sharing groups and some from existing security vendors), is used to add context. A critical, but not fully utilized, source is threat and event data from internal systems, including intelligence from attacks you’ve seen or managed. The MITRE ATT&CK framework is another great knowledge base for intelligence on tactics, techniques and indicators. For example, knowing the techniques that APT28 applies, you can look for potential indicators of compromise or possible related system events in your organization and determine whether your sensor grid is detecting those techniques.
In order to use all this intelligence efficiently and effectively as part of your security operations you need a way to collect and manage it. Having a platform that serves as a central repository – aggregating all the sources of threat intelligence, translating it into a usable common format, and augmenting and enriching it with context – allows you to begin to analyze data and discover the threads. But there’s a challenge: there are always multiple threads and we’re always operating under time constraints, so we need the ability to look for patterns to accelerate investigations and hunts.
Visualization helps you see patterns and linkages so you can quickly determine which threads to pull. Think about searching for patterns in numbers, like 55, 89, 144, 233. Unless you have the list of numbers in front of you, it can be difficult to figure out the pattern. When you can visualize it, you can quickly see that it’s the Fibonacci Sequence and the next number is 377 (the sum of the previous two numbers).
With a platform that also embeds visualization in a collaborative environment so that analysts and teams can share intelligence and work together, you can see patterns more clearly. Investigations, threat hunting and incident response improve because rather than being overwhelmed by all the possible threads it becomes easier to see key commonalities you may have otherwise missed. Linkages between threat data and evidence, and visibility into incident, adversary and campaign timelines provide valuable insights that accelerate your work. With shared visibility, teams can discover attack patterns more quickly and coordinate next steps to remediate malicious activity.
History is also crucial in identifying patterns, so the platform must store investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. As new data and learnings are added to the platform, new threads and patterns are revealed that enrich ongoing investigations and response and trigger new security operations activity.
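The workflow described above – aggregating differently shaped feeds into one repository, weighting internal intelligence highest, then matching the result against internal log data and pivoting on the commonalities – as an added Python example. It is not code from the original post or from any product; the feed contents, log format, confidence scores, host names, case id and the ATT&CK technique tag are constructed sample values.

```python
import ipaddress
import re
# Constructed sample feeds (hypothetical values), each arriving in its own native shape.
COMMERCIAL_FEED = [{"ioc": "203.0.113.7", "type": "ip", "confidence": 80, "technique": "T1071"}]
OSINT_FEED = ["evil-updates.example", "203.0.113.7"]  # bare strings with no context at all
INTERNAL_FEED = [{"value": "evil-updates.example", "type": "domain", "case": "INC-0042"}]
SAMPLE_LOGS = [  # constructed log lines in an assumed "src=<host> dst=<destination>" format
    "2019-03-01T10:00:00Z proxy src=ws-17 dst=evil-updates.example status=200",
    "2019-03-01T10:02:00Z fw src=ws-17 dst=203.0.113.7 action=allow",
    "2019-03-01T10:05:00Z proxy src=ws-03 dst=cdn.example status=200",
]
LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")

def _classify(value):  # infer the type of a bare indicator string
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"

def build_repository():
    """Translate every feed to one row shape, then merge rows into a repository keyed by (type, value)."""
    rows = [(e["type"], e["ioc"], "commercial", e["confidence"], e["technique"], None) for e in COMMERCIAL_FEED]
    rows += [(_classify(v), v, "osint", 40, None, None) for v in OSINT_FEED]  # unrated feed: assumed baseline score
    rows += [(e["type"], e["value"], "internal", 100, None, e["case"]) for e in INTERNAL_FEED]  # own incidents weigh most
    repo = {}
    for typ, val, src, conf, tech, case in rows:
        rec = repo.setdefault((typ, val), {"sources": set(), "confidence": 0, "techniques": set(), "cases": set()})
        rec["sources"].add(src)
        rec["confidence"] = max(rec["confidence"], conf)  # the highest rating from any source wins
        rec["techniques"].update(filter(None, [tech]))  # keep ATT&CK technique tags and case ids as context
        rec["cases"].update(filter(None, [case]))
    return repo

def match_logs(repo, log_lines, min_confidence=50):
    """Search internal log lines for repository indicators above the threshold, attaching the merged context."""
    hits = []
    for m in filter(None, map(LOG_RE.search, log_lines)):
        host, dst = m.groups()
        rec = repo.get((_classify(dst), dst))
        if rec and rec["confidence"] >= min_confidence:
            hits.append({"host": host, "indicator": dst, **{k: sorted(v) for k, v in rec.items() if isinstance(v, set)}})
    return hits

def link_by_host(hits):
    """Pivot hits by host so one machine touching several indicators stands out as the thread to pull."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["indicator"])
    return {host: sorted(iocs) for host, iocs in by_host.items()}
```

Raising `min_confidence` drops indicators that only unrated feeds vouch for, while anything tied to one of your own past cases always survives the cut.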
Just as researchers in the scientific and medical communities constantly search for linkages to identify and solve important problems, security professionals do too. Visualization holds the key for quickly understanding patterns and determining which threads to pull. Ultimately, it enables us to act faster – whether defending against adversaries or responding when an event occurs.