Summary
By using new technologies in our everyday lives, we produce enormous amounts of data. 59 Zettabytes of data were produced in 2020, compared to 2 Zettabytes a decade ago, and it is estimated that in 2021 this number will increase by 25%. To give you a better picture: 1 Zettabyte equals a trillion GB. Fancy terms such as “Big Data” do not necessarily mean better information. Following the famous saying “Less is More,” at our SOC (Security Operations Center) we strive to monitor and filter enormous amounts of data in a smart way, so that we can spot any suspicious data that could indicate danger. Our “filters” are of course specific software tools, but the most important filter is still human knowledge. Analysts of different levels (so-called Tier Analysts) perform specific analytic filtering roles in order to “catch” suspicious events. But how do they manage that? Just keep on reading.
Story
Remember the well-known and popular Lego bricks which we all probably played with when we were kids? Entire generations have grown up with them. Some still have them at home, and some have new Lego bricks that can be used to build a dream image. Mine, for instance, is the Star Destroyer. The forgotten Lego bricks in the basement are like a huge pile of data: you do not know what to do with it, what it is telling you, or how to put it together, because you don’t have the instructions anymore or you’re missing some parts. Let’s say you received a Lego set for the best Star Wars spaceship. It has 4784 pieces, which came in different packets so that you could build it easily. All you need is time, as well as a lot of Lego bricks (“Data”), to build a Star Destroyer (“Structured Information”). When you finish, you can see the result: a 7.5 x 5 cm Star Destroyer, or in this case, a piece of useful information. You have put so much of your time, resources, coffees, happy and sad moments into building with Lego bricks (managing data), so that you could admire the result. You had more than four thousand pieces, you did everything right and used all the pieces, and now everyone can see it and, most of all, even touch it. This means there is no room for mistakes, but in the end you made one: someone touched it and it suddenly broke into pieces. You don’t have the pieces separated into packets anymore, you do not know where some of them belong, and you simply have too many Lego bricks (“data”). After this incident, you don’t know what to do with them because they all look the same. Now you have only one option: you must ask for help. In the “Lego world,” that means you go to the Lego website, enter the Lego set ID, and it turns out they can help you with a different set of instructions. The beauty of Lego bricks is that you’re not restricted to building just one thing with one package.
There are plenty of options. The instructions give you some guidelines, but then you can figure out what else can be created and which Lego bricks should be used. By analogy, in the Information Technology or Data world, we can ask experts for help. The approach requires gathering all the relevant data in order to apply a solution to a problem. Data quality is key; there is no sense in making bad decisions just to make them fast. Experts in Security Operations Centers (SOCs) constantly receive a lot of different data, sometimes too much, and that is why there are many Data Analysts on different tiers. The Tier 1 Analyst is the level 1 analyst who receives and checks the data, decides which information will help him/her resolve the incident, and puts all the pieces of information together to see the whole picture; then the puzzle is solved. The tools that help the analysts perform their job, such as an antivirus program, SIEM (Security Information and Event Management), and EDR (Endpoint Detection and Response), only send the data. The Tier 1 Analyst is the main hero who knows how to read the collected data and interpret the information correctly to answer the question we are most interested in: “Is it an incident or not?” When the Tier 1 Analyst completes his/her job and notices that there is a problem or an incident, he/she sends the information with all the data to the Tier 2 and Tier 3 Analysts, who then check the findings and start gathering new data and new information from the customer. It’s just like when you break your finished Lego product and lose some bricks: you check what you can do with the rest of them and decide to build something new. But while looking at it, you notice that you could do something even better, so you start gathering different Lego shapes and upgrading your product. As I have already mentioned, the SOC aims to receive only quality data. Some data is indicative, some is not related or not indicative yet.
SOC analysts are experts who know which data belongs together and what kind of information it can give us. If you received too much data, or that data was mixed up, you wouldn’t know what you were looking at or what you could do with all of it unless you were using the right equipment. That is why we use different applications, rules, queries, and analytic tools that show where the data came from and what it is telling us. The point is to collect enough data, and only the right data, so that even if some of it is mixed up or lost, we can still use it, read it, and get the message. But to collect the right data and build the information, we produce billions of other pieces of data and information that must be saved somewhere in the world, on our smartphones, computers, servers, and clouds. Therefore, it is no coincidence that the quantity of data grows so fast. And it will keep growing. To get a better picture of the SOC Analyst roles, you can check their tasks in the table below.
Table 1: The tasks of SOC Analysts (source)
Tier 1 Analyst
Tier 2 Analyst
Tier 3 Analyst
Tier 4 – SOC Manager
Conclusion
Let me ask you this: how much data do you think you produce in one day? Thanks to the invention of mobile technology such as smartphones and tablets, along with innovations in mobile networks and Wi-Fi networks, the creation and consumption of data is constantly growing. 2.5 quintillion bytes (a billion multiplied by a billion) of data are produced by humans every day, and the question that arises is “how do we handle all this data?” Therefore, the ability to extract important data and turn it into useful information is key, and there is a lack of such expert knowledge in the world.
Author: Suzana Kužnik, Security Operations Center Analyst at NIL