Jill Cagliostro
During my time as a SOC analyst, triaging and correlating alerts often felt like solving a puzzle without the box or knowing if you had all the pieces.
My days consisted of investigating alerts in an always-growing incident queue. Investigations could start with a single high or critical alert and then hunt through other log sources to piece together what happened. I had to ask myself (and my team) if this alert and that alert had any identifiable relationships or patterns with the ones they investigated that day, even though the alerts looked unrelated by themselves. Most investigations inevitably relied on institutional knowledge to find the pieces of your puzzle, searching by IP for one data source and the computer name in another. Finding the connections between the low and slow attacks in near real-time was a matter of chance and often discovered via threat-hunting efforts, slipping through the cracks of security operations. This isn’t an uncommon story and it's not new either – it’s the same problems faced during the Target 2013 breach and the National Public Data Network 2024 breach.
That’s why we launched automated detection chaining as part of the DataBee for Security Threats solution. Using a patent-pending approach to entity resolution, the security data fabric platform can chain together alerts from disjointed tools that could be potentially tied to an advanced persistent threat, insider threat, or compromised asset. What I like to call a “super alert” is presented in DataBee EntityViews™, which aggregates alerts into a time-series, or chronological, view. Now it’s easier to find attacks that span security tools and the MITRE ATT&CK framework. With our out-of-the-box detection chain, you can automatically create a super alert before the adversary reaches the command-and-control phase.
Break free from vendor-specific detections with Sigma Rules
Once a security tool is fully deployed in the network and environment, it becomes near impossible to change out vendors without significant operational impact. The impact is more than just replacing the existing solution, it's also updating all upstream and downstream integration points, such as custom detection content or log parsers. This leads to potential gaps in coverage due to limitations in the tooling deployed and the tools desired. Standard logging is done to a vendor-agnostic schema, and then an open-source detection framework is applied.
The DataBee Platform automated migrating to the Open Cybersecurity Schema Framework (OCSF), which has become increasingly popular with security professionals and is gaining adoption in some tools. Its vendor-agnostic approach standardizes disparate security logs and data feeds, giving SOC teams the ability to use their security data more effectively. Active detection streams in DataBee apply Sigma formatted rules over security data that is mapped to a DataBee-extended version of OCSF to integrate into the existing security ecosystem with minimal customizations. DataBee handles the translation from the Sigma taxonomy to OCSF to help lower the level of effort needed to adopt and support organizations on their journey to vendor-agnostic security operations. Sigma-formatted detections are imported and managed via GitHub to enable treating detections as code. By breaking free of proprietary formats, teams can more easily use vendor-agnostic Sigma rules to gain security insights from across all their tools, including data stored in security data lakes and warehouses.
The accidental insider threat
Accidental insider threats often begin with a phishing attack containing a malicious link or download that tricks the user. The malware is too new or has morphed to evade your end point detection. Then it spreads to whatever other devices it can authenticate to. Detecting the scope of the lateral movement of the malware is challenging because there is so much noise to search through. With DataBee EntityViews, SOC teams can easily review the historical information connected to the organization’s real-world people and devices, giving them a way to trace the progression of events.
Looking at a user’s profile shows relevant business contexts that can aid the investigation:
-
Job Title to hint at what is normal behavior
-
Manager to know who to go to for questions or if action needs to be taken
-
Owned assets that may be worth investigating further
The Event Timeline shows the various types of OCSF findings associated with the user.
By scrolling through the list of findings, a SOC analyst can quickly identify several potential issues, including malware present within the workstation. Most notable, the MITRE ATT&CK detection chain has triggered. In this instance, we had multiple data sources that alerted on different parts of the ATT&CK chain producing a super alert. The originating events are maintained as evidence and easily accessible to the analyst:
EntityViews allow for bringing the events from devices that the current user owns to help simplify the process of pulling together the whole story. In our example the device is the user’s laptop so it's likely that all of the activity is carried out by the user:
The first thing of note is the unusual number of authentication attempts to devices that seem atypical for a developer such as a finance server. As we continue to scroll through the user’s timeline, reviewing events from a variety of data sources, we finally come across our smoking gun. In this instance, we are able to see the phishing email that user clicked the link on that is our initial point of compromise:
It’s clear the device has malware on it, and the authentication attempts imply that the malware was looking to spread further in the network. To visualize this activity, we can leverage the Related Entities graphical view in the Activity section of EntityViews. SOC analysts can use a graphical representation and animation of the activity to visualize the connections between the compromised user and the organization. The graph displays other users and devices that have appearances in security findings, authentication, and ownership events. In our example, we can see that the user has attempted to authenticate to some atypical devices such as an HR system:
Filtering enables more targeted investigations, like focusing on only the successful authentication attempts:
Visualizations such as this in DataBee enable more accurate, timely and complete investigations. From this view, the SOC analysts can select any entity to see their EntityView with the activity associated with the related users and devices. Rather than pivoting between multiple applications or waiting for data to be reprocessed, they have real-time access to information in an easy to consume format.
Customizing detection chains to achieve organizational objectives
Detection Chains are designed to enable advanced threat modeling in a simple solution. Detection Chains can be created in the DataBee platform leveraging all kinds of events that flow through the security data fabric. DataBee ships with 2 detection chains to get you started:
-
MITRE ATT&CK Chain: Detect advanced low and slow attacks that span the MITRE ATT&CK chain before reaching Command & Control.
-
Potential Insider Threat: Detect insider threats who are printing out documents, emailing personal accounts, and messing with files in the file share.
These chains serve as a starting point. The intent is that organizations add and remove chains based on their specific needs. For example, you may want to extend the potential insider threat rule to include more potential email domains or limit file share behavior to accessing files that contain trade secrets or sales information.
Automated detection chains are nearly infinity flexible. By chaining together detections from the different data sources that align to different parts of the attack chain specific to a user or device, DataBee enables building advanced security analytics for hunting the elusive APTs and getting ahead of pesky ransomware attacks.
Building a better way forward with DataBee
Every organization is different, and every SOC team has unique needs. DataBee’s automated detection chaining feature gives SOC analysts a faster way to investigate complex security incidents, enabling them to rapidly and intuitively move through vast quantities of historical data.
If you’re ready to gain the full value of your security data with an enterprise-ready security, risk, and compliance data fabric, request a custom demo to see how DataBe for Security Threats can turn static detections into dynamic insights.
