Arm Your Threat Hunters with Self-Service Analytics

811

This post was originally published here by Sqrrl Team.

The new Sqrrl Enterprise 2.8 introduces an enhanced risk framework and powerful new analytic tools to simplify, accelerate, and amplify threat hunting. The new framework empowers analysts to create their own custom-built threat hunting analytics (“risk triggers”) without having to write any code. The extensible framework also now includes triggers which enrich Sqrrl’s built-in analytics by incorporating correlated information from external sources of risk like SIEM alerts and threat intelligence feeds for every user, IP address, host, and domain inside the organization.

The enhanced Risk Trigger framework calculates risk scores on every entity by fusing together Sqrrl’s detections with external sources of risk and analyst-defined analytics.

Create and automate your own custom-built risk triggers

Successful threat hunting investigations (ones where you ask a good question that produces results) yield valuable lessons learned about patterns of suspicious behavior that pose particular risk to your unique environment. But until now, it was difficult to operationalize such domain knowledge about what you learned. If you wanted to automatically hunt for these patterns on a continuous basis, you needed advanced data science skills to build customized hunting algorithms. Otherwise, you were forced to “re-invent the wheel” each and every investigation because  blackbox vendor tools with pre-packaged, rigid algorithms aren’t looking for these patterns.

Custom-defined risk triggers automatically run in the background for future threat hunting analysis, with results appearing on the Entities Identified by Triggers list.

But now you can easily create—just fill in a couple of pop-up boxes, zero coding required—“risk triggers” that identify these behaviors that should be uncovered automatically on a continuous basis via automated analytics. Risk triggers use Sqrrl’s graph query syntax to automatically find activity that matches these patterns, and you can integrate  anomaly detection capabilities into the triggers—again, without having to write any special code. You can create risk triggers to do such things as detect threat intelligence matches, identify abnormal user or asset activity, and uncover suspicious connections between entities.

“The best threat hunters see the big picture of security in the business context,” says Eric Ogren, senior security analysts at 451 Research. “It is essential to be able to evaluate business risks while hunting threats—a key feature of risk triggers. Risk triggers enable an analyst to more easily initiate a hunt and to capture the findings of a completed hunt.”

Get a comprehensive view of risk scores across the entire organization

With more detection results, alerts, and threat intelligence feeds coming at you than you can handle, it’s all too easy to miss something important. An individual alert or IoC, taken by itself, may not reveal anything worth investigating and so you dismiss it and move on down the queue. But when you see it within the fuller context of other information and how it evolves over time, you may uncover previously hidden relationships, patterns, or anomalies indicating that there is in fact something to investigate.

“Expert analysts accelerate hunts by focusing on the relationship between alerts, threat intelligence, and user/asset data,” says Ogren.

With its new extensible risk framework, Sqrrl’s link analysis provides a comprehensive view of risk across the organization. Now Sqrrl pulls together more disparate data sources—including integrating third-party threat intelligence feeds about hits on IP addresses, URLs, and DNS domains—and correlates them to calculate risk scores on every user, IP address, host, and domain inside the organization. Fusing together Sqrrl machine learning analytics and all logically related, or “clustered,” risk triggers, SIEM alerts, threat intelligence, and other datasets (such as vulnerability scans) is a powerful way to detect a broader range of adversary Tactics, Techniques and Procedures (TTP) and uncover relationships, patterns, or anomalies that may not surface when looking at individual pieces of evidence one by one.

Sqrrl pulls all the data about related activities and entities into a single view that allows analysts to pivot quickly without having to perform multiple queries.

These risk scores are now displayed as a timeline on each user, asset, and entity to give you a view of how risks and security postures evolve over time.

In the past, to get this degree of evidence in context you needed to perform multiple queries. Each query would have a different data source, and back and forth between views. Now you can pivot quickly and easily across data sources from a single investigation view.

For example, say you are investigating a QRadar alert. Looking at the individual alert in isolation doesn’t indicate anything to be concerned about. But Sqrrl’s advanced data correlation and visualization capabilities pull in all related information from a wide variety of data sources into one unified view—so you don’t have to query disparate data sets one by one but rather have all relevant alerts, detection results, and threat intelligence at your fingertips, ready for further analysis. The Behavior Graph “map” visualizes the neighborhood of the alert, and Sqrrl’s enhanced link analysis identifies that it belongs to a cluster of other alerts and detections coming off that entity. Simply expanding the graph (no need to switch views or perform two different queries) reveals that two separate alerts involve two separate IP addresses that are talking to each other and that both IPs have been associated with beaconing activity.

The Behavior Graph visualizes the “neighborhood” of 4 individual QRadar alerts and related detections. Each individual alert doesn’t indicate anything worth investigating.

But an expanded view shows two separate alerts involve two separate IP addresses that are talking to each other and that both IPs have been associated with beaconing activity.

A one-click pivot—again, no need to exit out and query elsewhere—identifies that both IPs are sending beacons to a common external host.

A single-click drill-down reveals that both beacons are sent to a single external host.

All relevant metrics about that host are immediately available in the same single-pane-of-glass view, which further shows that the host is involved with a couple of additional beacons in your environment.

And clicking into the host details shows other beaconing activity. Now there’s something worth investigating!

With Sqrrl’s built-in threat intelligence data store, you’d immediately know whether this external host is associated with any adversarial activity.

Now you have more quickly than ever the full context of the threat with a much clearer picture of what’s going on to investigate exactly what’s coming and going from that host to your network.

Sqrrl in a nutshell: watch this 2-minute video to learn how Sqrrl’s Threat Hunting Platform transforms your data into actionable intelligence that empowers analysts while hunting.

Threat hunting is all about drawing conclusions from evidence, and evidence means data. But having all the data in the world won’t help you if it’s buried across disconnected silos and doesn’t allow you to see the covert connections that indicate a hidden threat. Improvements to the backend of Sqrrl’s Security Behavior Graph enable you to more easily extract the most important data from a wider variety of sources, integrate new sources, and automatically fuse the data into hunting models. A streamlined interface makes it much easier for analysts to pivot through data, build attack narratives more quickly, and enables more junior analysts to take on advanced hunting.

As Eric Ogren put it, “ You want hunters quickly referencing data sets, working out what the data is telling them, and not thinking about how to get the data.”

Photo:Seeking Alpha

Ad

No posts to display