Written by Ajay Kumar, Director for Asia Pacific & Japan (APJ) and Middle East (ME) at Securonix
As organisations work to effectively detect and respond to incidents, investigation plays a major role in uncovering valuable details about incidents.
When investigating an incident, it is mission-critical to have the right contextual information. However, security analysts do not always know what context they need before they need it.
Gathering context throughout the investigation process is vital in order to determine the nature of an incident accurately. Without this understanding, it is nearly impossible to take the precise action needed to mitigate the threat.
Amassing as much context as possible is simple in theory but difficult in practice. Consider the number of entities in the IT environment multiplied by the vast number of systems that can contain context about those entities. The result equates to an unfathomable amount of data that would need to be collected, organised and stored.
However, only a relatively small amount of that data would be needed or used. Besides, investigations are not always sequential in nature.
Organisations also need to build a collective knowledge base across security teams and quickly share insights to accelerate investigations.
To do this, security analysts need to capture information discovered during investigations without pivoting to external tools like ticketing systems, email or instant messengers. This pivoting to external tools delays progress. Additionally, relying on these external tools does not connect insights to specific entities or retain those insights for future use.
As investigations progress, analysts should be able to gain the context they need without having to manually search and correlate it. They should be able to gather context from security operations, threat intelligence, penetration testing, endpoint security, internal data repositories and many more systems that store relevant data.
There is also a need to add details to investigations in flight by automatically gathering new or updated contextual data when and where it is needed.
Threat mitigation can be accelerated by dynamically enriching incidents under investigation with context and intelligence. Integrating investigations with internal and external data sources brings key context forward, so enterprises understand the threats they face more completely.
Below are some useful tips for improving investigations through context and collaboration:
Comment, document and share observations made during investigations to improve efficiency. Use colour coding so that patterns based on data type, urgency and source are easy to spot.
Share specific information across teams or trusted groups through dedicated channels. Examples of these trusted groups include inter-organisation and intra-organisation groups, and red, blue and purple teams. These channels serve as a mechanism to provide relevant details about threat detection, investigation and response activities.
Add or refresh context about alerts or entities at any time to keep details up-to-date and relevant.
Annotate within workflows so that observations can be commented on, documented and shared without leaving the investigation, which improves efficiency.
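The points above about tying insights to specific entities, retaining them for later investigations and refreshing context in flight can be illustrated with a small model. The following is an added example, not Securonix code; the source tables, entity names and the hypothetical "host-42" and 203.0.113.7 values are constructed for the demonstration.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed sample context sources, keyed by entity (hypothetical values, not a real feed).
SAMPLE_SOURCES = {
    "threat_intel":    {"203.0.113.7": {"verdict": "malicious", "family": "ExampleC2"}},
    "asset_inventory": {"host-42": {"owner": "finance", "criticality": "high"}},
    "endpoint":        {"host-42": {"edr_alerts": 0}},
}

@dataclass
class EntityKnowledge:
    """What the team knows about one entity; retained across investigations."""
    context: dict = field(default_factory=dict)  # source name -> latest context pulled
    notes: list = field(default_factory=list)    # analyst annotations, tagged by incident

class Investigation:
    def __init__(self, incident_id, entities, knowledge_base, sources):
        self.incident_id, self.entities = incident_id, list(entities)
        self.kb, self.sources = knowledge_base, sources  # kb: entity -> EntityKnowledge

    def enrich(self):
        """Pull (or re-pull) context for every entity; stale values are overwritten."""
        for ent in self.entities:
            know = self.kb.setdefault(ent, EntityKnowledge())
            for name, table in self.sources.items():
                if ent in table:
                    know.context[name] = dict(table[ent])

    def annotate(self, entity, note):
        """Attach an observation to the entity itself, not to a ticket or chat thread."""
        self.kb.setdefault(entity, EntityKnowledge()).notes.append(f"{self.incident_id}: {note}")

    def view(self, entity):
        """Everything known about the entity, including notes from earlier incidents."""
        know = self.kb.get(entity, EntityKnowledge())
        return {"context": know.context, "notes": list(know.notes)}

def run_demo():
    sources, kb = deepcopy(SAMPLE_SOURCES), {}
    first = Investigation("INC-1", ["host-42", "203.0.113.7"], kb, sources)
    first.enrich()
    first.annotate("host-42", "owner confirmed no expected traffic to 203.0.113.7")
    sources["endpoint"]["host-42"]["edr_alerts"] = 3   # endpoint tool updates mid-investigation
    first.enrich()                                     # refresh: no manual re-search needed
    later = Investigation("INC-2", ["host-42"], kb, sources)
    later.enrich()
    return later.view("host-42")  # INC-2 inherits INC-1's note and the refreshed endpoint data
```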