By Joe Travaglini, Director of Products
When it comes to analyzing the root cause of an incident, it’s not only a matter of finding the trigger event, but also the sequence of events that set the stage, and sometimes even the intent. Drawing a comparison to the real world, in the case of a fire, was it some electrical malfunction, a rogue cigarette that wasn’t properly extinguished, or was it arson? In cybersecurity, making this type of assessment is the role of forensic investigations. What did the attack look like and where did it come from? Given the well-documented numbers about how long a threat exists in a latent form within a network, we can certainly be doing a better job reducing Mean Time to Know.
When starting with an incident and pivoting to an investigation, there are a number of ways for a cyber analyst to streamline the process of where to look next, one of which is anomaly detection. This post highlights some of Sqrrl’s thoughts around outlier detection and how it can be utilized in cyber investigations.
In order to detect an anomaly (aka an outlier), you must first specify what it means. Generally speaking, an ‘outlier’ is anything sufficiently abnormal from what you would expect. But of course, what you would expect can vary depending upon what you’re looking at and the situation you’re in. For example, if you’re looking at user behavior, there are different measures you can use in order to draw the outlier conclusion. Has this user’s behavior changed based upon its past behavior? Is this user behaving differently than its peer group? The answers to these questions are highly contextual: a chronological picture of behavior is expected to change over time, and a “peer group” for a user can itself be determined in many ways (org chart, similarity in activity, etc.).
How Do I Know It's an Outlier?
One approach that Sqrrl Enterprise exposes for outlier detection is ad hoc baselining of entity activity. Taking advantage of Sqrrl’s collaborative exploration contexts, an analyst can select the entities they’re interested in, supply parameters for fine-tuning what they are looking for, and calculate statistical characteristics that flag elements as either inliers or outliers.
Sqrrl visually flags outliers and separates them from normal nodes
The results are then visually distinguished and elevated for prioritization, with the contributing factors highlighted and juxtaposed against their baselines.
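As an added illustration of the two questions posed above (has a user’s activity changed against its own history, and does it differ from its peer group) and of the baselining described here, the following is a small Python sketch written for this post; it is not Sqrrl code. The user names, the daily activity metric, the peer-group labels, and the median/MAD scoring with a tunable threshold are all constructed assumptions for the example.

```python
from statistics import median

# Constructed sample: daily count of distinct hosts each user connected to,
# oldest day first. Users, groups and numbers are made up for this example.
ACTIVITY = {
    "alice": [4, 5, 4, 6, 5, 4, 5, 31],        # last day jumps vs. her own history
    "bob":   [5, 4, 6, 5, 5, 4, 6, 5],
    "carol": [3, 4, 4, 5, 3, 4, 4, 4],
    "dave":  [20, 22, 21, 19, 20, 21, 22, 20],  # steady, but far above his peers
}
PEERS = {"alice": "engineering", "bob": "engineering",
         "carol": "engineering", "dave": "engineering"}


def robust_z(value, baseline):
    """Distance of value from the baseline's median, in scaled-MAD units.

    Median/MAD is used instead of mean/stddev so that one earlier spike in
    the baseline cannot inflate it and hide a later spike."""
    med = median(baseline)
    # Assumption: a perfectly flat history gets a MAD of 1.0 to avoid /0.
    mad = median(abs(x - med) for x in baseline) or 1.0
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to ~stddev


def find_outliers(activity, peers, threshold=3.0):
    """Return {user: [(check, score), ...]} for checks exceeding threshold.

    Each entry records the contributing factor (which baseline was violated)
    so an analyst can see why the entity was elevated, not just that it was."""
    latest = {u: s[-1] for u, s in activity.items()}
    flagged = {}
    for user, series in activity.items():
        reasons = []
        # Check 1: has this user's behavior changed relative to its own past?
        z_self = robust_z(series[-1], series[:-1])
        if abs(z_self) > threshold:
            reasons.append(("self-baseline", round(z_self, 1)))
        # Check 2: is this user behaving differently from its peer group today?
        group = [latest[p] for p in latest if p != user and peers[p] == peers[user]]
        if group:
            z_peer = robust_z(series[-1], group)
            if abs(z_peer) > threshold:
                reasons.append(("peer-baseline", round(z_peer, 1)))
        if reasons:
            flagged[user] = reasons
    return flagged
```

Raising `threshold` is the knob an analyst would turn to trade sensitivity for fewer elevated entities; with the sample above, 3.0 flags alice (both checks) and dave (peer check only), while 20.0 flags nobody.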
It is clear that actual activity, in blue, differs significantly from routine activity
Further, the parameters of the outlier configuration can be saved and re-applied in future investigations over different sets of data. The next time the analyst looks at a data set, the previously used outlier configuration and any others that came before it are available at their disposal. By using Sqrrl, the analyst is essentially building a toolbox of reusable filters for streamlining cyber investigation via outlier detection.
Saved filters allow quick access to similar routes of investigation
In the future, we will be introducing additional approaches to ad hoc baselining for detecting different types of outliers. In the meantime, let us know if you’d like to follow up with a private briefing and a demo!