Security in the Age of Maybe

Posted by Leo Meyerovich on May 14, 2018


Security is in the midst of a transformation that is putting extreme pressure on security analysts and hunt teams. One shift that is causing teams a lot of pain in their daily work is that as threats have gotten more sophisticated, security products have gotten much less sure of themselves. Security products increasingly detect the u201canomalousu201d and report threats on a sliding scale of confidence. Not only must staff deal with advanced threats, but they must spend an increasing amount of time navigating the grey areas and ambiguities of modern threat detections to determine and deliver the right actions.

Welcome to the Age of Maybe, where it is critical that we arm analysts for dealing with the indicators that are diverse, widespread…and uncertain.

inline_265_ in the Age of Maybe

It wasn’t so long ago that most of our security solutions were signature-based, network intrusions were relatively rare, and incident response was reserved for the few truly exceptional events.

But today, persistent attacks are the norm, not the exception. That means that IR has likewise become the norm, and many organizations proactively hunt for threats based on the statistically valid assumption that they are already compromised.

The problem is that while threats have gotten smarter and more common, security products have gotten less certain. Data science, machine learning, and AI have enabled security to see threats that would avoid traditional signatures, but the results are rarely cut and dry. Modern security products are increasingly powered by black-box algorithms that generate uncertain results. Is this anomalous behavior a threat or just an anomaly?

It falls to IR teams and hunters to turn this ambiguity into action. Security products report u201clikelyu201d or u201csuspectedu201d infections, give hints at a symptom of a greater incident, and report confidence in terms of percentages: these are too fuzzy to rely solely on automated actions. Despite all the progress in data-driven algorithms for finding hidden threats, almost no organization is willing to block and walk away without an analyst reviewing the incident and making the call. The net result is that every day more and more of the enterprise security stack is assuming their fuzzy alerts will go into the SIEM and someone will successfully pick it up and connect it to other activity: a human in the loop. As threats get ever more complex and security products follow suit, this is a problem that will keep is getting worse long before it gets better.

As a result, most IR teams are chronically overwhelmed with incidents and most organizations have realized they can’t hire enough staff to keep pace. Teams have naturally sought out ways to make IR more efficient often by automating and orchestrating IR process. This makes intuitive sense – if you are facing a manual bottleneck, then figure out how to automate it.

The challenge however is that IR and threat hunting aren’t just a robotic process of connecting logs and analytics to firewalls for enforcement. The critical step is still about human understanding and making smart decisions. Whether it is the team writing and maintaining the automations, or the responders dealing with what gets flagged, automation loops still involve an analyst loop.

It’s this human-in-the-loop part of the investigation where the magic happens, and it remains the most valuable in terms of stopping initial intrusions from turning into headline news, and the most time-consuming part of the IR process. It is also where innovation is needed the most. This is where Graphistry comes in. Instead of trying to turn analysts into bots, we arm analysts to get to better answers in a fraction of the time of a normal investigation. We add tooling to the human-in-the-loop flow to restore right balance between analyst and machine.

Getting a Grip on Fuzzy Data

The idea behind Graphistry is to provide analysts with a visual environment that brings together all of your security investments in unified and streamlined investigation. Graphistry is on a mission to knock out data bottlenecks in the human-in-the-loop analyst flow, one by one. Analysts can bring in as much or as little data as they need, see it all automatically correlated and mapped out, follow connections and pivot to new data sources on the fly, and drill down into event details when they need it. Using the power of graph visualizations, analysts get one-click visibility into event progression, correlations, and outliers in your data. Data is interactively visualized in analyst-friendly terms such as in the context of a kill-chain, timelines, network boundaries, and other perspectives that go beyond low-fidelity search and dashboard views

Our platform automatically handles the backend querying so that analysts can see connections across all of their security products, logs, SIEMs, threat feeds, and data sources without the need for complex manual queries.

Once we have the right answers, then Graphistry turns to automating the process. Investigations can be saved as repeatable best practices through the use of visual playbooks. These playbooks can act as a sort of interactive map to guide an analyst through a logical investigative flow. With each step an analyst can bring in new data sources and correlate or pivot using customized views of the data. Or instead of going step-by-step, analysts can run the entire investigation at once and render it all as single interactive visual flow. For investigations this often means vastly accelerating the u201ca-hau201d moment. Over time, more and more of a team’s investigations become fast, comprehensive, and reliable by covering them with Graphistry fastpaths.

This really only scratches the surface of what we do at Graphistry, and we haven’t yet talked about the technology that makes it all work. We’ll save that for another blog, but suffice it to say when you raise the visualization bar by 100x and deliver it all through commodity browsers, there is some interesting stuff going on on the backend. But ultimately the point of all that technology is to make life easier on the analyst. The role of the analyst is growing in organizations for a reason. Let’s focus on making analysts better instead of making them into bots.