Investigation and rapid response are critical for day-to-day alert handling, routine hunting, and the investigation of a breach. In all of these scenarios, responding quickly and understanding the context is critical.
The faster a threat and its impact can be detected and investigated, the faster a decision can be made and the appropriate course of action initiated, and the less likely an attack will affect an organization. That is why security teams and IT professionals need to find and remediate security problems as soon as possible. However, it is extremely difficult to find something when little, or only a single piece of information, is known about what to investigate, discover and explore.
The Need for Security Investigation
Whether hunting for an unknown threat or investigating an alert or breach, investigations can prove challenging and time-consuming for anyone, whether a dedicated analyst or someone who plays multiple roles. IT and security professionals need to gather the foundational knowledge behind alerts or notifications as quickly as possible in order to determine which issues matter most.
An analyst must quickly find the information required to establish who, what, where, when and how, in order to determine the impact a security threat might have on the company and what action to take.
Specific items to investigate are:
- Who is associated with the alert, the attack or both?
- Where is the device or activity located?
- What is the alert trying to say?
- What activities are associated with or related to the attack or alert?
- When did the attack start?
Analysts also need ways to determine:
- If the system has been infected or compromised
- If the attack progressed beyond the infected system
- How far the attack reached
Data can live in different locations and can come from many different security technologies, such as firewalls, intrusion prevention systems, web proxies, email protection systems, anti-malware, endpoint protection suites, endpoint threat detection, identity and access management and more.
Data can also come from non-security technologies such as asset databases, network infrastructure, document repositories, card readers, servers, applications and more. All of this generated data is known as machine data, and it is relevant for security investigations, hunting and rapid response.
Security Investigation Defined
Security investigation requires multi-step analysis: the analyst must interact with and explore the data to look for evidence of infection or an attack. It often starts with a small clue, after which the user must find relationships, common themes, associations and correlations in the data to determine the impact and the appropriate course of action. The most common steps include:
- Search for keywords, terms or values across any data using a variety of methods – this allows the analyst to locate every relevant activity, represented by the presence of the value in logs from the different technologies.
- Change the search criteria quickly by adding or removing criteria from the search – this allows the analyst to work through a hypothesis about what to hunt.
- Add and remove fields for a particular investigation to find information that is meaningful – this helps the analyst focus on the task and on the fields that are relevant.
- Customize and describe the parameters of any point on a timeline to help understand activity sequencing and potential cause-and-effect relationships.
- Apply different statistical operations to the search results to aggregate, count and order the results in order to spot anomalies.
- Apply different visualization techniques to the search results to look for trends, patterns or both.
These steps are often repeated in any order and in any combination, allowing the analyst to find the relationships across activities and determine what is malicious and what is normal. Once any search criteria are established, the analyst can set up a dashboard to monitor for that condition, or set up an alert to be notified when the condition is encountered. This is what we call the Security Analytics Cycle.
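As an added illustration (not Splunk code and not part of the original page), the cycle described above carried out in Python over a handful of constructed log lines from a firewall, a web proxy and an endpoint agent: a single external IP taken from an alert is the seed, each step pivots on a field found in the previous hits (source IP, then user), and the union of hits is sequenced on a timeline and aggregated by source. The event format, field names and all values are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not real logs) from three technologies:
# a firewall (fw), a web proxy (proxy) and an endpoint agent (edr).
EVENTS = [
    "2024-03-01T09:00:05 fw action=allow src=10.1.1.50 dst=203.0.113.9 dport=443",
    "2024-03-01T09:00:07 proxy user=alice src=10.1.1.50 url=http://203.0.113.9/update.bin status=200",
    "2024-03-01T09:00:20 edr host=WS-050 user=alice proc=update.bin parent=chrome.exe",
    "2024-03-01T09:05:11 fw action=allow src=10.1.1.50 dst=10.1.2.14 dport=445",
    "2024-03-01T09:06:02 edr host=SRV-014 user=alice proc=cmd.exe parent=services.exe",
    "2024-03-01T09:10:00 proxy user=bob src=10.1.1.51 url=http://example.org/ status=200",
]
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<timestamp> <source> key=value ...' into a field dict."""
    ts, source, rest = line.split(None, 2)
    fields = dict(KV.findall(rest))
    fields.update(_raw=line, _time=datetime.fromisoformat(ts), source=source)
    return fields

def search(events, term):
    """Step 1: free-text search for a clue across every source."""
    return [parse(e) for e in events if term in e]

def search_field(events, field, value):
    """Step 2: a narrower criterion, matched on a parsed field rather than free text."""
    return [h for h in map(parse, events) if h.get(field) == value]

def pivot(hits, field):
    """Step 3: collect the values of one field to use as the next search criteria."""
    return sorted({h[field] for h in hits if field in h})

def investigate(events, seed):
    """Run the cycle: seed -> source IPs -> users, then sequence and aggregate the union."""
    hits = {h["_raw"]: h for h in search(events, seed)}
    for ip in pivot(hits.values(), "src"):
        hits.update({h["_raw"]: h for h in search_field(events, "src", ip)})
    for user in pivot(hits.values(), "user"):
        hits.update({h["_raw"]: h for h in search_field(events, "user", user)})
    ordered = sorted(hits.values(), key=lambda h: h["_time"])   # Step 4: timeline
    timeline = [(h["_time"].strftime("%H:%M:%S"), h["source"], h.get("host", h.get("src", "-")))
                for h in ordered]
    return {"timeline": timeline,                                # Step 5: aggregate
            "by_source": dict(Counter(h["source"] for h in ordered)),
            "hosts": pivot(ordered, "host")}
```

Calling `investigate(EVENTS, "203.0.113.9")` walks from the alert's external IP to the internal source, then to the user, and returns the five related events in time order together with per-source counts and the hosts touched, while bob's unrelated browsing is left out.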
When used for security investigation, the Splunk platform gives users a range of analytical capabilities, including visual analysis and graphical representation of thresholds, alarms and indicators. Security knowledge and workflow can be extended to broader data sets, capturing and delivering insights to any team through applications that are integral to the platform. This helps teams collaborate, addresses the shortage of skills, and allows less technical staff to easily find value in all of their data.