Uncategorized / December 14, 2015

Traffic Visibility Improves Security Analytics

Almost every day the security team needs to investigate a potential threat, and the likelihood that it turns out to be yet another false positive is considerable. How can the team decrease false positives and shorten investigation time?

Because of the volume of alarms that have to be investigated, the Mean Time To Respond (MTTR) for each occurrence is a metric that often comes under scrutiny. Less time is better, and the best way to ease the burden is to improve the context surrounding an event: the right details about whatever is being investigated, available at the moment the analyst needs them.

If malware is suspected, the traffic patterns surrounding a specific host are almost always investigated, and the analyst starts by asking:

  • How was the incident triggered?
  • Who caused it and who or what reported it?
  • When did the event take place?
  • What part of the business was potentially impacted?
  • Where did the event(s) occur?

A host name and an alarm description alone are not much to go on. The host could be a machine that multiple users log into. Its IP address could be a DHCP lease that is handed out several times per day to different hosts, so the address in the alarm may not identify the machine that was using it when the event occurred.

With only that to work from, there are hardly enough clues to expedite the investigation. What security needs is context.

In the business of network traffic analysis, greater contextual detail often comes from specialized appliances that serve up what is commonly called metadata. Information such as username, operating system, URLs visited, physical location, applications in use, historical trends, the number of hosts the system connected to, and so on can all prove invaluable when tracking down a suspicious event.

With the above data collected, security professionals also need an interface that lets them finish searches in seconds. They need to drill in on the end system and gain immediate access to the metadata that complements NetFlow and IPFIX exports.
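The shared-IP problem described above is, at bottom, a time-aware join: a flow record only tells you which IP talked to which destination and when, and the DHCP lease log and login records supply the host and user that were behind that IP at that moment. The following is an added example, not code from the original post or from Plixer; the flow records, DHCP leases and login events are constructed sample data, and the field layout of the records is an assumption chosen for illustration rather than any product's export format.

```python
"""Enrich NetFlow/IPFIX-style flow records with DHCP and login context.

Added example with constructed sample data; not from the original post.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Flow:
    ts: datetime       # time the flow was observed
    src_ip: str
    dst_ip: str
    dst_port: int
    nbytes: int


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime    # lease valid from start (inclusive) to end (exclusive)
    end: datetime
    hostname: str


@dataclass
class Login:
    hostname: str
    user: str
    at: datetime


def t(s: str) -> datetime:
    """Parse an ISO-8601 timestamp (assumed format of the sample data)."""
    return datetime.fromisoformat(s)


# Constructed sample data: one IP handed to two different laptops on the
# same day, plus a flow that falls in the gap between the two leases.
LEASES: List[Lease] = [
    Lease("10.0.5.23", "aa:bb:cc:00:00:01", t("2015-12-14T07:30:00"), t("2015-12-14T11:30:00"), "LAPTOP-A"),
    Lease("10.0.5.23", "aa:bb:cc:00:00:02", t("2015-12-14T13:00:00"), t("2015-12-14T17:00:00"), "LAPTOP-B"),
]
LOGINS: List[Login] = [
    Login("LAPTOP-A", "alice", t("2015-12-14T07:45:00")),
    Login("LAPTOP-B", "bob", t("2015-12-14T13:10:00")),
    Login("LAPTOP-B", "carol", t("2015-12-14T16:00:00")),
]
FLOWS: List[Flow] = [
    Flow(t("2015-12-14T08:05:00"), "10.0.5.23", "203.0.113.10", 443, 1200),
    Flow(t("2015-12-14T14:42:00"), "10.0.5.23", "198.51.100.7", 6667, 98000),
    Flow(t("2015-12-14T12:00:00"), "10.0.5.23", "198.51.100.9", 80, 500),
]


def lease_at(leases: List[Lease], ip: str, ts: datetime) -> Optional[Lease]:
    """Return the DHCP lease that covered `ip` at time `ts`, or None."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease
    return None


def user_at(logins: List[Login], hostname: str, ts: datetime) -> Optional[str]:
    """Return the user with the most recent login to `hostname` at or before `ts`."""
    prior = [l for l in logins if l.hostname == hostname and l.at <= ts]
    if not prior:
        return None
    return max(prior, key=lambda l: l.at).user


def enrich(flow: Flow, leases: List[Lease] = LEASES, logins: List[Login] = LOGINS) -> dict:
    """Attach host, MAC and user context to one flow record.

    The join keys on the flow's own timestamp, so an IP reused by two
    hosts in one day resolves to whichever host held the lease at the
    time of the flow. A flow with no covering lease is left unattributed
    rather than guessed, so the analyst is not sent after the wrong host.
    """
    ctx = {
        "ts": flow.ts.isoformat(), "src_ip": flow.src_ip,
        "dst": f"{flow.dst_ip}:{flow.dst_port}", "bytes": flow.nbytes,
        "host": None, "mac": None, "user": None, "note": "",
    }
    lease = lease_at(leases, flow.src_ip, flow.ts)
    if lease is None:
        ctx["note"] = "no DHCP lease covers this IP at flow time; do not attribute"
        return ctx
    ctx["host"], ctx["mac"] = lease.hostname, lease.mac
    ctx["user"] = user_at(logins, lease.hostname, flow.ts)
    if ctx["user"] is None:
        ctx["note"] = "host known, but no login recorded before flow time"
    return ctx


def enrich_all(flows: List[Flow] = FLOWS) -> List[dict]:
    """Enrich every flow; the result is what an analyst would pivot on."""
    return [enrich(f) for f in flows]


if __name__ == "__main__":
    for row in enrich_all():
        print(row)
```

The point of the example is the third flow: both leases on 10.0.5.23 have expired or not yet started at 12:00, so the record is returned with host and user unset and an explicit note instead of being attributed to either laptop. In practice the lease log, login events and flow exports arrive from different systems with different clocks, so the same time-based join should tolerate a small skew window and record which sources were consulted for each enrichment.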


Shorter investigation times lead to a faster Mean Time To Know (MTTK). Ultimately, time is money, and when an organization hosts thousands of network users, knocking a few hours per day off the time needed to follow up on incidents can add up to hundreds of thousands of dollars per year in savings. The saying "context is key" makes a lot of sense when following up on a potential security breach. Make sure you have security systems in place that can provide the metadata the team needs.

