Security Reference Architecture - Process - Analysis Workflow

Your SOC’s analysis workflows mitigate most of the risks from intelligent actors. They also comprise your front-line staff’s most frequently executed work. As we stated in our framework overview, most analyses will not result in actionable findings. However, this underscores the need for high-quality alerts and quickly moving on from non-actionable events.

We have split the main analytical workload into two core processes – one that makes sense out of alerts (Triage), and one that creates the logic for generating alerts (Use Case Development). We lift these two processes out of the typical investigation loop to focus on their effectiveness for generating and dispatching work. Both emphasize an awareness of organizing the right data for investigating what happened and predicting the data you will need in future investigations.

Security analytics resemble a mini scientific process: you develop a theory, generate hypotheses, and collect data (Use Case Development). Then, you spend most of the time panning through data (Triage) to validate, refute, or refine those theories. This iterative nature of analytical development can distort your perception as you bring certain activities into focus. Your analytics are error-prone, so error control becomes the base requirement for both Use Case Development and Triage.

Triage

The Triage process assigns alerts to a few pre-defined model categories and levels of urgency based on the needs for further action. Analysts make sense out of an alert through inference from evidence at hand and deduction from general guidelines. The analyst can select one or more “Courses of Action” (CoAs) to take based on the results of sensemaking. Analysts should have the tools and data necessary to complete this first stage of analysis quickly and confidently.

The Model Taxonomy should codify the CoAs by designating each with a unique identifier so they can be reused across workflows. The CoAs can consist of automated tools or procedural “playbooks” that have fixed inputs and outcomes. Good CoAs have a simple first step that captures the information necessary to complete subsequent stages without taking the analyst off-task, and without creating a need to re-investigate the event.

Establishing these constraints supports the overall process goal of reducing the number of decisions. The constraints also help reinforce the need to provide automated and procedural tooling to create consistency in frequently-taken actions. To put a finer point on it, you do not want analysts to improvise their active responses. Further, having well-worn tools equips them with the confidence that they need to take (sometimes dramatic) action.

| Category    | Needs Action              | Needs Immediate Action      | No Further Action Needed           |
|-------------|---------------------------|-----------------------------|------------------------------------|
| Security    | Hostile: Follow Procedure | Hostile: Breach             | Benign: Tuned Out                  |
| Engineering | Malfunction: Investigate  | Malfunction: Escalate       | Malfunction: Corrected             |
| Policy      | Violation: Investigate    | Violation: Follow Procedure | Violation: Corrective Action Taken |
| Unknown     | Develop New Use Case      | Undetected Hostile Event    | Transient Error                    |

Triaged alerts should create structured records of adjudications and actions on alarms. Your SOC will need this resulting dataset to perform retrospective analysis and review the efficacy of the automated analytics that generate the alarms. In one study of data-intensive analytical tasks, researchers made an insightful conclusion regarding the design of systems that support analysis [1]:

There is an inherent importance of capturing and tracking the analytic provenance[2]. Analytic provenance encompasses the interactive steps, intermediate results, and hypotheses considered throughout analysis. The participants of our study commented that recalling their process after a focused data analysis session is difficult. Analytic provenance support in such tools needs to strike a fine balance between allowing users to maintain this “cognitive zone”[3] during analysis, and encouraging users to record and annotate their process.

Having well-formed records of Event Analysis can also directly supply the information needed to build and improve future automated analytics through the Analytical Use Case Development process.
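
The structured adjudication record and the retrospective review described above, as an added example (not ThetaPoint's code). The use-case names, CoA identifiers and the rule that an actionable alert must name a CoA are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# The disposition matrix from the table in this article: category -> one cell per urgency.
URGENCIES = ("Needs Action", "Needs Immediate Action", "No Further Action Needed")
MATRIX = {
    "Security": ("Hostile: Follow Procedure", "Hostile: Breach", "Benign: Tuned Out"),
    "Engineering": ("Malfunction: Investigate", "Malfunction: Escalate", "Malfunction: Corrected"),
    "Policy": ("Violation: Investigate", "Violation: Follow Procedure", "Violation: Corrective Action Taken"),
    "Unknown": ("Develop New Use Case", "Undetected Hostile Event", "Transient Error"),
}

@dataclass(frozen=True)
class Adjudication:
    alert_id: str
    use_case: str          # analytic that raised the alarm (hypothetical identifier)
    category: str
    urgency: str
    coa_ids: tuple = ()    # CoA identifiers from the taxonomy (hypothetical values)
    def __post_init__(self):
        if self.category not in MATRIX or self.urgency not in URGENCIES:
            raise ValueError(f"{self.alert_id}: not a cell of the triage matrix")
        # Assumed rule: anything still needing action must name at least one CoA.
        if self.urgency != URGENCIES[2] and not self.coa_ids:
            raise ValueError(f"{self.alert_id}: actionable alert recorded without a CoA")

    @property
    def disposition(self):
        return MATRIX[self.category][URGENCIES.index(self.urgency)]

def efficacy(records):
    """Per use case: alert volume, actionable rate and disposition counts."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec.use_case].append(rec)
    return {uc: {"alerts": len(rs),
                 "actionable_rate": sum(r.urgency != URGENCIES[2] for r in rs) / len(rs),
                 "dispositions": dict(Counter(r.disposition for r in rs))}
            for uc, rs in groups.items()}

def tuning_candidates(report, min_rate=0.5):
    return sorted(uc for uc, s in report.items() if s["actionable_rate"] < min_rate)

SAMPLE = [  # constructed records, not real alert data
    Adjudication("A-1", "UC-brute-force", "Security", URGENCIES[2]),
    Adjudication("A-2", "UC-brute-force", "Security", URGENCIES[2]),
    Adjudication("A-3", "UC-brute-force", "Policy", "Needs Action", ("COA-012",)),
    Adjudication("A-4", "UC-beacon", "Security", "Needs Immediate Action", ("COA-001", "COA-004")),
]
```

Running `tuning_candidates(efficacy(SAMPLE))` lists the analytics whose alerts were mostly dispatched with no further action, which is the feedback Use Case Development needs.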

[1] Jolaoso, S., Burtner, R., Endert, A.: Toward a Deeper Understanding of Data Analysis, Sensemaking, and Signature Discovery. In: INTERACT 2015. Lecture Notes in Computer Science, vol. 9297. Springer, Cham (2015)

[2] North, C., Chang, R., Endert, A., Dou, W., May, R., Pike, B., Fink, G.: Analytic provenance: process + interaction + insight. In: CHI 2011 Extended Abstracts on Human Factors in Computing Systems, pp. 33–36 (2011)

[3] Green, T.M., Ribarsky, W., Fisher, B.: Building and applying a human cognition model for visual analytics. Inf. Vis. 8, 1–13 (2009)

Key Takeaways

  1. Putting a triage step at the beginning of an event analysis workflow ensures that the SOC can act as quickly as it can complete an initial disposition
  2. Reducing decisions in triage creates more mental bandwidth for processing alerts
  3. Keeping analysts “in the zone” requires a well-worn menu of actions for quickly dispatching alerts
  4. Organizations examining Security Orchestration Automation Response (SOAR) solutions should not allow out-of-the-box processes to define their CoAs in the triage process. Conversely, your organization’s frequently exercised triage processes should generate the primary requirements for, and drive your adoption of, said technology.

What’s Next

Over the coming weeks, we will be publishing the framework in more detail, and we hope to engage you in a collaborative discussion of the challenges we have encountered and the solutions we have developed.

In addition, if you’d like to engage directly, ThetaPoint can partner with your organization to develop tailored solutions to meet your unique needs in the following areas:

  1. SOC Engineering Services
  2. Touch-Free SIEM Operations and Maintenance Support
  3. SIEM Value Assessment and Consulting Services
  4. SOC Workflow Automation

About ThetaPoint, Inc.

ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build and run successful SIEM and Log Management platforms and work with the leading technology providers to properly align capabilities to clients’ needs. Recognized for our unique technical experience, in addition to our ability to quickly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit www.theta-point.com or follow us on Twitter or LinkedIn.
