We've previously written about the importance of setting organisational goals when considering data enrichment as well as why combining it with automation is something of a Holy Grail for security operators. In this post, we'll focus on two use cases that can help improve your team's responsive time when reviewing application logs.
Manual Review of Logs without Data Enrichment
The traditional way for security operators to review logs has been to perform the entire process manually. This includes retrieving the logs from their apps, reviewing them by hand, highlighting suspicious activities, cross referencing the data in the logs with data from additional sources, and finally passing judgement calls on each individual case.
Fortunately, almost no medium-to-large organisation does the entire process manually - most organisations have some level of automation or deploy platforms that can automatically flag suspicious cases for operators. However, even when cases are singled out, there still remains a large amount of manual work (such as pairing data from multiple sources) before it can be positively identified as a threat or confirmed that it was a false positive.
Reviewing Logs using Data Enrichment with Automation
Integration automation between your organisation's various apps ensures that the manual work performed by your operators is kept to a minimum. Here are two cases where automated data enrichment can reduce response times and improve the workflows of your team:
Use Case 1 - Filling in the Blanks for Incomplete Logs
Your team is reviewing application logs and discovers a user's footprint in there at an odd time of day. If your data is automatically being enriched and connected between apps, your team can quickly reference that username against a central system to pull their name, role, privileges, and any additional information that is typically stored. They can then verify that this user was in fact a legitimate entry (perhaps that user is situated in a different office in a different timezone) rather than a malicious actor who broke in using stolen credentials.
Use Case 2 - Providing Additional Context for Missed Threats
Your team is again reviewing logs, but a large amount of time has passed since an unusual entry was detected. Your traditional log will maintain the IP address of the user, but your team knows that IP addresses that are collected and stored via the Dynamic Host Configuration Protocol (DHCP) are not necessarily going to be the same at the time of the entry as at the time of the investigation. By integrating their logs with real-time SIEM platforms, however, they are able to gather additional contextual data concerning the entry and what actions were taken since then that can ease their burden of analysis.
As you can see, in either of those cases, enriched data that is automatically paired from additional apps has the potential to knock out one or more of the steps that teams would have to resort to manually. The best part is that this is just the tip of the data enrichment iceberg - the possibilities are almost endless. As they say: when there's a will, there's a way.
Considering venturing into security automation and building data enrichment processes? Metron has experience integrating multiple SOAR platforms and building custom playbooks that rely on automation.
If you are considering any custom cybersecurity solution that focuses on the resources and needs of your organisation, please send a note to firstname.lastname@example.org.