IOTA in Action: Process – Analysis Workflow

Your SOC’s analysis workflows mitigate most of the risks from intelligent actors. They also comprise your front-line staff’s most frequently executed work. As we stated in our Process overview, most analyses will not result in actionable findings. However, this underscores the need for high-quality alerts and quickly moving on from non-actionable events.

We have split the main analytical workload into two core processes – one that makes sense out of alerts (Triage), and one that creates the logic for generating alerts (Use Case Development). We lift these two processes out of the typical investigation loop to focus on their effectiveness for generating and dispatching work. Both emphasize an awareness of organizing the right data for investigating what happened and predicting the data you will need in future investigations.

Security analytics resemble a mini scientific process: you develop a theory, generate hypotheses, and collect data (Use Case Development). Then, you spend most of the time panning through data (Triage) to validate, refute, or refine those theories. This iterative nature of analytical development can distort your perception as you bring certain activities into focus. Your analytics are error-prone, so error control becomes the base requirement for both Use Case Development and Triage.

Triage

The Triage process assigns alerts to a few pre-defined model categories and levels of urgency based on the needs for further action. Analysts make sense out of an alert through inference from evidence at hand and deduction from general guidelines. The analyst can select one or more “Courses of Action” (CoAs) to take based on the results of sensemaking. Analysts should have the tools and data necessary to complete this first stage of analysis quickly and confidently.

The Model Taxonomy should codify the CoAs by designating each with a unique identifier so they can be reused across workflows. The CoAs can consist of automated tools or procedural “playbooks” that have fixed inputs and outcomes. Good CoAs have a simple first step that captures the information necessary to complete subsequent stages without taking the analyst off-task, and without creating a need to re-investigate the event.

Establishing these constraints supports the overall process goal of reducing the number of decisions. The constraints also help reinforce the need to provide automated and procedural tooling to create consistency in frequently-taken actions. To put a finer point on it, you do not want analysts to improvise their active responses. Further, having well-worn tools equips them with the confidence that they need to take (sometimes dramatic) action.

	Needs Action	Needs Immediate Action	No Further Action Needed
Security	Hostile: Follow Procedure	Hostile: Breach	Benign: Tuned Out
Engineering	Malfunction: Investigate	Malfunction: Escalate	Malfunction: Corrected
Policy	Violation: Investigate	Violation: Follow Procedure	Violation: Corrective Action Taken
Unknown	Develop New Use Case	Undetected Hostile Event	Transient Error

Triaged alerts should create structured records of adjudications and actions on alarms. Your SOC will need this resulting dataset to perform retrospective analysis and review the efficacy of the automated analytics that generate the alarms. In one study of data-intensive analytical tasks, researchers made an insightful conclusion regarding the design of systems that support analysis [1]:

There is an inherent importance of capturing and tracking the analytic provenance[2]. Analytic provenance encompasses the interactive steps, intermediate results, and hypotheses considered throughout analysis. The participants of our study commented that recalling their process after a focused data analysis session is difficult. Analytic provenance support in such tools needs to strike a fine balance between allowing users to maintain this “cognitive zone”[3] during analysis, and encouraging users to record and annotate their process.

Having well-formed records of Event Analysis can also directly supply the information needed to build and improve future automated analytics through the Analytical Use Case Development process.

_{[1] Jolaoso S., Burtner R., Endert A. (2015) Toward a Deeper Understanding of Data Analysis, Sensemaking, and Signature Discovery In: INTERACT 2015. Lecture Notes in Computer Science, vol 9297. Springer, Cham}

_{[2] North,C., Chang, R., Endert, A., Dou, W., May, R., Pike, B., Fink, G.: Analytic provenance: process+ interaction+ insight. In:  CHI  2011 Extended Abstracts on Human Factors in Computing Systems, pp. 33–36 (2011)}

_{[3] Green, T.M., Ribarsky, W., Fisher, B.: Building and applying a human cognition model forvisual analytics. Inf. Vis. 8, 1–13 (2009)}

Key Takeaways

1. Putting a triage step at the beginning of an event analysis workflow ensures that the SOC can act as quickly as it can complete an initial disposition
2. Reducing decisions in triage creates more mental bandwidth for processing alerts
3. Keeping analysts “in the zone” requires a well-worn menu of actions for quickly dispatching alerts
4. Organizations examining Security Orchestration Automation Response (SOAR) solutions should not allow out-of-the-box processes define their CoAs in the triage process. Conversely, your organization’s frequently-exercised triage processes should generate primary requirements for and drive your adoption of said technology.

What’s Next

We have published the framework in high level detail on our Blog, and hope to engage you in a collaborative discussion of the challenges you are experiencing and the solutions we have developed. Please contact us to continue the dialog.

• SRA – Solution: https://www.theta-point.com/solutions/security-reference-architecture/
• SRA – Blog Series: https://www.theta-point.com/blog/category/security-reference-architecture/
• SRA – IOTA in Action Blog Series: https://www.theta-point.com/blog/category/security-reference-architecture/iota-in-action/

About ThetaPoint, Inc.

ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build and run successful SIEM and Log Management platforms and work with the leading technology providers to properly align capabilities to client’s needs. Recognized for our unique technical experience, in addition to our ability to quickly and rapidly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sector. For more information, visit www.theta-point.com or follow us on Twitter or Linked-In.