If you are an incident responder, a SOC analyst or a threat hunter, you know how a well-designed EDR solution can augment your visibility, detection, and reaction capabilities. However, in many organizations, a single blue teamer, or as we like to call them, an “all-around defender,” may wear all these hats. Even when all these roles are performed by the same person, a different approach is required for each of these security operations workflows. While an incident responder spends most of their time containing impact, scoping, and collecting and analyzing new artifacts, threat hunters look for the needle in the haystack, finding the presence of advanced adversaries through proactive queries, analytics and investigations based on hypotheses that often end up in the declaration of an incident.
Compare that work with the role of a security analyst, whether that is an analyst working in an internal SOC, an analyst working for an MSSP or MDR service, or simply somebody reacting to security alerts that show up on the EDR monitoring screen, in a SIEM or in an orchestration tool.
How is that different? First, neither the incident responder nor the threat hunter is primarily concerned with false positives, the so-called ‘noise’. For an incident responder or a threat hunter the priority is to have low false negatives, in other words, not to miss anything. For them, visibility is the priority, even if that means dealing with a lot of data. For that purpose, a well-designed EDR solution must have a powerful real-time query language as well as the ability to react quickly to newly discovered threats.
A security analyst, on the other hand, works primarily off the monitoring screen, reacting to alarms that may result in the declaration of an incident. In this role, having a low rate of false positives is critical. Traditionally, poorly configured detection tools have overwhelmed analysts with alerts to the point where the analyst can’t trust the product anymore.
But having a low rate of false positives is not enough. The quality of those alarms is paramount too. How do we define quality in this context? Using Forrester’s definition, “from a detection perspective, an ideal solution would alert once and correlate all other detections to that initial alert. […] The more alerts you’re generating, the less efficient you are at helping a SOC surface true adversarial behavior.”
Notice how this is aligned with the Time-Based Security model described in our previous blog post. To be successful as a defender, it is essential to react as fast as possible, raising an alarm as early as possible in the attack chain, while correlating, aggregating and summarizing all subsequent activity to preserve actionability.
To illustrate: imagine that you have installed a security camera that not only provides continuous visibility through 24×7 video recording, but is also equipped with a motion sensor to alert you when somebody approaches your front door. If an intruder approaches your home in the middle of the night, you not only want a full recording of the event to share with law enforcement in an investigation, but you also want to be alerted. But having an alert is not enough. You don’t want to be alerted when the thief is out of the door with your TV, but as early as possible, ideally before he can cause any harm. And think about the quality of the alerts. Do you want your phone to be flooded with several messages per second coming from the same sensor, for the same event? Or would you rather have one single alarm with enough actionable context, like one single screenshot of the intruder, leaving your device available so you can respond appropriately, for example by calling 911 as soon as possible?
At McAfee, we know how security operations work, and that’s why we have designed MVISION EDR with ‘Human Machine Teaming’ in mind. In this paradigm, our expert system monitors, tracks, detects, summarizes, and aggregates individual alerts, which are presented to the analyst as correlated Threats. This context allows the analyst to triage, validate and determine whether the activity represents an incident, based on their organizational policies. If it does, the analyst creates an investigation to assess the scope and severity of the incident across the organization, while the threat is contained. Furthermore, investigations are expanded automatically using expert investigation guides.
Consider the example of MITRE’s APT29 evaluation. During the Day 1 attack, MVISION EDR generated 61 detections throughout the attack chain. Imagine you are the analyst sitting in front of the console. Do you really need to see 61 individual alarms? Clearly not. In fact, MVISION EDR correlated, aggregated and summarized these detections while continuing to track the attacker’s activities, presenting only 4 correlated ‘Threats’ in the UI.
These correlated Threats were ranked automatically according to their severity, as seen in the figures below.
As shown in Figure 4, this aggregation doesn’t mean losing context. In fact, these correlated Threats provide high actionability, allowing the analyst to get a quick overview of the behavior of the threat, mapped to MITRE ATT&CK, as well as a plethora of response actions that empower the analyst to choose the most appropriate response for their environment within seconds.
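To make the ‘alert once, correlate the rest’ idea concrete, here is an added example (not MVISION EDR or McAfee code) that folds a constructed set of individual detections into ranked Threats. It assumes that a detection carries a host, process id, parent id and ATT&CK technique, that one Threat is the set of detections sharing a host and a process tree, and a simple four-level severity scale; all of these are assumptions for the illustration.

```python
"""Collapse EDR detections into ranked, correlated threats (added
illustration of 'alert once, correlate the rest'; not MVISION EDR code).
Assumed: one threat = all detections sharing a host and a process tree."""
from collections import namedtuple
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale
# ts is a constructed timestamp (seconds); technique is an ATT&CK technique id
Detection = namedtuple("Detection", "ts host pid ppid technique severity")

@dataclass
class Threat:
    host: str
    root_pid: int
    first_seen: int
    severity: str
    techniques: list = field(default_factory=list)
    detections: int = 0

def tree_root(node, parents):
    """Walk a (host, pid) node up to the oldest ancestor that was itself detected."""
    seen = set()
    while parents.get(node) in parents and node not in seen:
        seen.add(node)
        node = parents[node]
    return node

def correlate(detections):
    """One Threat per host/process tree; later detections enrich it, never re-alert."""
    parents = {(d.host, d.pid): (d.host, d.ppid) for d in detections}
    threats = {}
    for d in sorted(detections, key=lambda d: d.ts):
        root = tree_root((d.host, d.pid), parents)
        t = threats.setdefault(root, Threat(d.host, root[1], d.ts, d.severity))
        t.detections += 1
        if d.technique not in t.techniques:
            t.techniques.append(d.technique)
        if SEVERITY[d.severity] > SEVERITY[t.severity]:
            t.severity = d.severity  # a threat inherits its worst detection
    return sorted(threats.values(), key=lambda t: (-SEVERITY[t.severity], t.first_seen))

SAMPLE = [  # constructed: a phishing chain on ws-a plus two unrelated hits
    Detection(10, "ws-a", 4321, 800, "T1566.001", "medium"),
    Detection(15, "ws-a", 4400, 4321, "T1059.001", "high"),
    Detection(20, "ws-a", 4400, 4321, "T1082", "low"),
    Detection(30, "ws-a", 4500, 4400, "T1003.001", "critical"),
    Detection(40, "ws-a", 7000, 800, "T1547.001", "medium"),
    Detection(50, "ws-b", 4321, 1, "T1021.002", "high"),
]
```

Running `correlate(SAMPLE)` turns six detections into three Threats, with the whole phishing chain on ws-a surfacing as a single critical Threat listing all four techniques; the analyst sees one alarm per intrusion rather than one per detection.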
In conclusion, MVISION EDR was able to aggregate and summarize MITRE’s APT29 attack emulation into 4 threats. At the same time, rich and contextualized telemetry allows security operations teams to implement and optimize additional key security operations workflows, such as incident response, investigations and threat hunting.