Editor’s note: This is the final installment of a blog series exploring the technologies powering the ReliaQuest GreyMatter security operations platform and the future of security operations in general.
- Part one: Exploring the Future of Security Operations: Bi-Directional API Integrations, Data Stitching, and Automation
- Part two: Bridging Data to Action: Leveraging Bi-Directional APIs for Efficient SecOps
- Part three: Connecting the Dots: Data Stitching for Comprehensive Security
With the increasing frequency and complexity of cyber-attacks, manual security operations will struggle to keep up, leaving critical vulnerabilities exposed and response times lagging. To close these gaps and stay ahead of adversaries, organizations must adopt a security operations platform that applies automation to the entire threat detection, investigation, and response (DIR) process. Automation streamlines and accelerates the DIR process, enabling organizations to detect threats rapidly, conduct thorough investigations, and execute timely and effective response actions.
What Is Detection, Investigation, and Response (DIR)?
The threat detection, investigation, and response (DIR) process is the foundation for security operations. Its three phases act as the universal framework for handling security incidents. While specific organizations or industries may have variations in how they implement the DIR process, the fundamental stages remain unchanged. Every organization must detect threats, investigate the threats that they’ve detected, and effectively respond based on their investigation results. For an efficient DIR process, security operations must adopt a security operations platform that applies automation to each phase of the DIR process.
Applying Automation to Threat Detection
The detection phase involves continuous monitoring of networks, systems, and endpoints to identify potential indicators of compromise (IoCs) and anomalies that could indicate malicious activity. The goal of this phase is to promptly spot and alert on security threats to initiate the investigation and response process. A security operations platform can make this phase more efficient by applying automation to log correlation and the integration of threat intelligence.
Various systems, applications, and network devices generate vast amounts of log data that often is ingested unconnected. A security operations platform can automatically connect that data using automated log correlation. This allows security teams to quickly spot suspicious activities, abnormal user behavior, or known attack signatures found within disparate logs, helping to identify potential threats in real time.
The ReliaQuest GreyMatter security operations platform continuously analyzes incoming log entries from various systems and devices across a customer’s network infrastructure—such as servers, firewalls, IDS/IPS, and endpoints—in real time to identify correlations and relationships between different events as they occur. By applying these predefined correlation rules, GreyMatter can detect suspicious patterns, sequences, or combinations of events that may indicate a security incident. For example, GreyMatter can detect a successful brute-force attack by correlating a series of failed login attempts followed by unauthorized access to a sensitive server.
Threat Intelligence Integration
Enriching correlated log data with threat intelligence can help to increase the fidelity of the detection. A security operations platform can automatically ingest and analyze threat intelligence from various sources, such as open-source feeds or commercial threat intelligence platforms, so organizations can compare their network and system activities against known malicious IP addresses, domains, or malware signatures.
The GreyMatter platform comes with standard detections that reference 40+ threat intel feeds. In the previous successful brute-force example, GreyMatter can check threat intelligence to see if the source host and IP of the login are known malicious IoCs. Additionally, GreyMatter provides emergency detections that use the results from our threat research team to provide immediate coverage against global high-risk cyber threats, well-known threat actors, and zero-day vulnerabilities such as WannaCry, 3CX, and Clop’s recent MOVEit attack. This enables proactive identification and blocking of threats based on up-to-date threat intelligence.
By applying automation to threat detection, organizations can benefit from faster and more accurate identification of potential threats, reducing their MTTD to jumpstart the investigation phase of the DIR process.
Applying Automation to Investigation
Once a potential security incident is detected, it needs to be investigated to determine potential impact and the correct corresponding response. The investigation phase involves a thorough analysis of the security incident to understand its nature, scope, and impact. It entails gathering relevant data, including logs, system artifacts, network traffic captures, and other sources of evidence. Manually doing this can be time-consuming and resource-intensive, often leading to delayed response times and increased incident impact. A security operations platform can significantly speed up investigations by using automation to apply a consistent analysis methodology for each investigation, automatically enrich the investigations with threat intelligence and historical context and preform automated analysis write-ups for each incident.
Consistent Analysis Methodology
Having a consistent analysis methodology for the investigation phase is crucial for security operations as it ensures efficiency, thoroughness, and reproducibility. Collecting data and correlating events to consistently provide a comprehensive view of the incident is something that a security operations platform can automate. The ReliaQuest GreyMatter platform automatically investigates detections using a well-defined methodology that ensures all relevant investigative questions are answered for each cyber event and IoC found within the alert. For example, let’s say a malware detection triggered in GreyMatter. The GreyMatter Intelligent Analysis (GMIA) capability will use its bi-directional APIs to automatically query all the technologies within an organization’s ecosystem for relevant information to that detection such as the type of host the malware was found on and its associated user, the entry point of the malware like a phishing email, and whether the malware has spread to other machines. Automating this for investigations ensures all essential aspects are covered and no crucial evidence or potential threats are overlooked.
Like detections, a security operations platform can automatically enrich investigations by applying threat intelligence for enhanced situational awareness and better accuracy. This provides valuable insights into threat actors, attack patterns, and motivations without leaving the platform. Additionally, it can seamlessly integrate with an organization’s ticketing system to provide historical context for each investigation. This enables a more effective incident response by contextualizing past events and trends to anticipate and proactively defend against new and evolving threats.
In addition to querying various technologies to provide a thorough analysis, The GMIA capability will also automatically query GreyMatter’s 40+ threat intelligence feeds to enrich the investigation. All external IPs, domains, hashes, etc., will be compared against the latest threat intel to help qualify the investigation. GMIA will also automatically gather and correlate historical contextual information and trends from previously triggered detections, enabling analysts to form a comprehensive opinion and facilitate a more informed decision.
Writing an analysis for each investigation helps document the root-cause, scope, and impacted assets, which in turns helps an incident responder understand the appropriate actions needed. Although critical to the investigation phase, manually writing an analysis for every investigation is not only time-consuming but it’s prone to human error and it’s difficult to scale as the number of incidents grow. Automation within a security operation platform ensures a consistent format and structure for analysis write-ups across different investigations. Streamlining this process saves time and reduces bottlenecks, allowing investigators to focus on high-value tasks like incident analysis and remediation which ensures scalability. After GreyMatter’s GMIA capability completes the investigative queries for a detection alert, it uses data stitching to automatically combine all of the data it found from technology queries, threat intel, and historical data in a standardized analysis write-up.
Applying Automation to Response
Based on the findings from the investigation phase, an analyst may need to execute incident response actions to contain, eradicate, and recover from the security incident. Response actions may include isolating compromised systems, patching vulnerabilities, blocking malicious activities, resetting credentials, restoring data from backups, and implementing remediation measures to prevent future incidents. If the investigation results determined the issue was benign, the response actions could be to denote the detection a false positive and update the detection logic and reference lists. Or, to notify the right points of contacts. No matter the response type, it should be automated using a security operations platform to decrease the organizations mean time to respond (MTTR) and the dwell time of the potentially malicious activity.
If the investigations reveal the detected activity is benign, the corresponding steps for this classification should be automated to give incident responders more time to focus on confirmed malicious activity. A security operations platform can take the information from an investigation, determine it needs no further examination, and close the ticket with fitting closure information for auditing purposes. If any updates to the detection logic such as a threshold change, reference list update or just a notification to the group responsible for updating detections, a security operations platform can automate that process. Let’s say our previous malware example turned out to be safe software that was created internally and flagged as unknown and suspicious. GMIA will complete the analysis write-up for that investigation, close the investigation ticket as a false positive, and create a new request for GreyMatter’s Detection Engineers to update the detection.
If the response calls for remediation, it’s best to use a security operations platform with predefined automated playbooks that outline step-by-step procedures and actions to be taken during different types of incidents. Organizations can rapidly initiate automated response actions such as isolating compromised systems, blocking malicious traffic, or quarantining affected assets, preventing further spread of the incident. With automation applied to remediation, security operations can increase their speed and efficiency while reducing human mistakes. Every technology integrated to the GreyMatter security operations platform comes with prepackaged playbooks. GreyMatter uses its bi-directional APIs to the technology to ingest data for investigation but also to execute remediation commands. To conclude the previous malware detection example, let’s say it was determined that the software was malicious and it came from a phishing email. GreyMatter can use its bi-directional APIs to isolate the infected host using the company’s EDR, delete the phishing email from all recipients inboxes using their email security tool, and block any websites associated with the malware using the their proxy or firewall all from GreyMatter’s investigation screen.
Using a security operations platform that applies a comprehensive automation approach across the entire threat detection, investigation, and response lifecycle is essential for building robust defenses and staying one step ahead of adversaries. By automating the DIR process, organizations can proactively identify threats, respond promptly, and uncover valuable insights to strengthen their cyber defense strategies. This also reduces the risk of human error and provides a way to handle a larger volume of incidents without proportionally increasing staffing. As cyber threats continue to evolve, embracing automation will create a more efficient cybersecurity program and build a stronger cybersecurity posture.