Context In Cybersecurity
Let’s start simple. Context is important in the day-to-day when we’re explaining the circumstances behind a concept, situation, or product in order to be fully understood. Without context, our understanding of a situation is limited, and we can easily misinterpret information and draw false conclusions.
Take, for example, statistics or a company’s share price in a way that makes it look appealing. But when the additional context is added around the time horizon or comparison with a benchmark, we’re told a different story.
The more context and information we have, the more we understand the matter at hand. In cybersecurity, context has been vital when it comes to triaging and responding to security alerts. Gartner defines context-aware security as:
“the use of supplemental information to improve security decisions at the time they are made, resulting in more accurate security decisions capable of supporting dynamic business and IT environments”
The most cited context information types are environmental, such as location and time, but let’s cover additional factors which are critical to and understanding security alerts.
When it comes to the abundance of alerts a security operations center (SOC) receives, the more context around the alert, the better the Analysts understanding. Today’s tools are rich with alert context. Information such as, IP address, devices affected, URL, application reputation, similar alerts, source information, network traffic etc. This contextual information around the alert provides insight into the circumstance of the event, and it helps determine whether it is a true incident or a false positive. It is important for Analysts to have access to this consolidated information so that they can make quick, informed decisions on how to respond to potential threats.
To further enrich alerts, the addition of Analyst context is vital in helping Analysts paint a picture around the circumstances of the threat, how severe it is and how to address it for a particular customer.
In addition to alert context, having Analyst context when responding to incidents helps have a more accurate analysis and, in turn, faster and more accurate remediation. In the case of Managed Security Service Providers (MSSP’s) Analyst context also includes customer context, which is information an Analyst possesses around the type of organization the alerts are coming from. Customer context is especially important since they have different clients spanning multiple industries that require unique methods of response.
Analyst context can include recent experience solving similar problems, short-term memory, stress levels, and more. These contextual factors are critical for an Analyst to leverage effectively to perform their duties quickly and accurately. The goal is to create an environment where SOC Analysts are optimized based on their real-time mindset and skillsets to make quick, informed decisions on how to respond to potential threats.
Analyst context includes information that an Analyst possesses and their real-time state that can be leveraged to respond to unique complex incidents for a specific organization at a specific time. Thus, reinforcing the Gartner definition that the use of supplemental information to improves security decisions at the time they are made.
For example, a phishing attack on a financial institution may require different steps than a phishing attack on an oil & gas company. These contextual decisions are why human intervention is absolutely required today and why automation will not replace people in the SOC. It is critical that organizations have a solution which monitors these subtle changes and applies the logic to its decision-making engine.
How to include Analyst context in your SOC?
The problem is, Analyst context is not a data point that traditional SOC tools, like SIEM and SOAR, can collect or leverage. As per the tools used today, it does not matter which Analyst is solving which problem. SOC teams are burdened with determining who is doing what task at any given moment. This often results in random or grab-bag alert assignments and Analysts spending too much time on tasks that are not leveraging their best skills.
By capturing both alert context and Analyst context, SOCs would be able to strategically augment their teams to ensure each Analyst is focused on the most high-leverage work for their unique capability at any given moment in time. By understanding the context of a specific alert and who on the team would be best to resolve it the fastest and most accurately, SOC teams can avoid alert escalations, mistakes being made, and most importantly, stop the attack in its tracks before it gets a foothold in/of the organization.
Automation today is great for static processes, but incident response will continue to require human-in-the-loop feedback and analyst context due to the ever-changing nature of attacks. Therefore, the future of Cybersecurity is augmenting the Cyber-workforce with human-machine intelligence capabilities for faster and more accurate incident response.
To supercharge your SOC and Analysts, read more on how you can introduce real-time contextual coaching and on-the-job training.
To learn more about how Penfield.AI can add Analyst Context to your SOC contact us.