What is context in cybersecurity and why is it important?
The Oxford Dictionary defines “context” as “the circumstances that form the setting around an event, statement, or idea and through which it can be fully understood and assessed.” The definition fully reflects its importance in the analysis of cybersecurity events: it is contextual information that provides insight into the circumstances of an event, and it is this insight that often determines whether a given event is correctly classified as an incident or as a false positive.
The importance of context in analyzing events and neutralizing vulnerabilities is paramount.
The main goal of security analysis in an organization is to gain knowledge that will enable effective IT asset security.
This means two things:
- Fewer false positives among the incidents generated by existing technologies.
- Adapting new technologies to cover “blind spots” – places where attackers can infiltrate your environment without being detected, or where one additional event would allow an incident to be raised more quickly.
Unfortunately, many security activities fail to deliver these benefits because contextual information is missing. Its absence ultimately leaves the analyst resorting to the so-called educated guess. This is why experience in IT security is worth its weight in gold – but the changing threat landscape steadily depreciates its value. A single piece of information rarely clarifies a security incident, and analysis based on historical events fails against new attacker tactics.
There has recently been a major trend towards deeper integration of blacklists and other artifacts under the banner of “security intelligence integration”. While this data is invaluable, it lacks context and, if not used properly, may become a source of inefficiency in security operations rather than a solution.
- Take, for example, IP-based information that comes from organizations that publish blacklists.
- The information captured by these organizations is the end result of a process that includes detecting threats, determining their target, determining their origin, determining the methodology the threat used, etc.
- Often, what is published from that investigation is limited to single pieces of information, such as an IP address or a DNS name.
- The result is a process that is ineffective for those consuming this information – because the context is missing, professionals using this data do not know how much weight to give it relative to other signals from their environment, or how relevant it is to them at all.
Information that is hard to act on – like the IP-based example above – is widely encountered mainly because creating context-aware knowledge is extremely difficult. Security teams working with this kind of ‘generic’ data need to build their own context and gain visibility through teamwork, transparent communication and knowledge of the specific environment in which they operate.
It is worth distinguishing here between direct and contextual information:
Direct information:
- What alarm was triggered?
- What is the source of the event?
- What are the details of the traffic that generated the alert? Does it look like a real attack or a false positive?
Contextual information:
- Is the alert plausible? Is the solution known to produce false positives?
- Is this event common? Has a similar event previously been reported as a false positive?
- What is known about the source? Is it blacklisted, and for what observed traffic?
- Were there other events that might have given the attacker the insight needed to carry out this attack?
- Were there related events in the system?
- Has the user involved in the incident caused other incidents that raise suspicions?
- Was there an anomaly in network traffic before or after the attack?
- Is the system known to be vulnerable to this type of attack?
- Is there any additional information that would be useful?
Because as many of the above questions as possible need answers, there is a move towards centralizing and integrating security technology and automating manual processes. Systems such as SIEM and SOAR allow you to correlate events from several sources and give the security team the necessary insight into the circumstances of an incident. Given that the vast majority of adopted technologies focus primarily on warning about specific technical aspects of an attack rather than its root cause, the work remains a challenge.
The key to achieving a deeper level of detection through automation is to combine multiple security events with environmental information to give them context.
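The following is an added example, not code from the original article: a small Python triage routine that takes the direct information from an alert and answers several of the contextual questions listed above (is the target known to be vulnerable, is the source on a list and why, has this alert been dispositioned as a false positive before, were there related events around the same time), then scores the result. All hostnames, IP addresses, rule names, weights and thresholds are constructed placeholders chosen for illustration; a real deployment would pull these lookups from the asset inventory, intel feed, case system and SIEM.

```python
"""Enrich a security alert with environmental context and score it.

Added example. Every data value below is constructed for illustration;
the weights and thresholds are assumptions, not a recommended scheme.
"""
from datetime import datetime, timedelta

# --- Direct information: what the sensor reported (constructed) ---
ALERTS = [
    {"id": "a-1", "rule": "SQLi attempt", "src": "203.0.113.7", "dst": "web-01", "ts": "2024-05-01T10:00:00"},
    {"id": "a-2", "rule": "SQLi attempt", "src": "198.51.100.9", "dst": "web-01", "ts": "2024-05-01T10:05:00"},
    {"id": "a-3", "rule": "SQLi attempt", "src": "192.0.2.5", "dst": "web-02", "ts": "2024-05-01T10:10:00"},
]

# --- Contextual sources (constructed stand-ins for real systems) ---
# Asset inventory: criticality and attack classes the host is known to be exposed to.
ASSETS = {
    "web-01": {"criticality": "high", "vulnerable_to": {"SQLi"}},
    "web-02": {"criticality": "low", "vulnerable_to": set()},
}
# Intel list that carries a reason, not just the bare IP.
INTEL = {"203.0.113.7": {"listed": True, "reason": "scanning"}}
# Prior analyst dispositions keyed by (rule, source).
DISPOSITIONS = {("SQLi attempt", "198.51.100.9"): "false_positive"}
# Other events seen in the environment.
RELATED_EVENTS = [
    {"src": "203.0.113.7", "dst": "web-01", "type": "recon", "ts": "2024-05-01T09:40:00"},
    {"src": "203.0.113.7", "dst": "web-01", "type": "net_anomaly", "ts": "2024-05-01T10:03:00"},
]


def enrich(alert, window=timedelta(hours=1)):
    """Attach the contextual answers to a single alert."""
    ts = datetime.fromisoformat(alert["ts"])
    asset = ASSETS.get(alert["dst"], {})
    # Assumption: the rule name starts with the attack class ("SQLi attempt" -> "SQLi").
    attack_class = alert["rule"].split()[0]
    intel = INTEL.get(alert["src"], {"listed": False, "reason": None})
    related = [
        e for e in RELATED_EVENTS
        if e["src"] == alert["src"] and e["dst"] == alert["dst"]
        and abs(datetime.fromisoformat(e["ts"]) - ts) <= window
    ]
    return {
        "asset_criticality": asset.get("criticality", "unknown"),
        "asset_vulnerable": attack_class in asset.get("vulnerable_to", set()),
        "source_listed": intel["listed"],
        "listing_reason": intel["reason"],
        "prior_disposition": DISPOSITIONS.get((alert["rule"], alert["src"])),
        "related_event_types": sorted({e["type"] for e in related}),
    }


def score(ctx):
    """Additive score; the weights are illustrative assumptions."""
    s = 0
    if ctx["asset_vulnerable"]:
        s += 3  # the target is actually exposed to this attack class
    if ctx["asset_criticality"] == "high":
        s += 2
    if ctx["source_listed"]:
        s += 1  # a listing alone is a weak signal without more context
    if "recon" in ctx["related_event_types"]:
        s += 2  # the source previously gathered the insight needed for the attack
    if "net_anomaly" in ctx["related_event_types"]:
        s += 1
    if ctx["prior_disposition"] == "false_positive":
        s -= 3  # known-noisy pairing, but a vulnerable target still warrants review
    return s


def classify(alert):
    """Return verdict, score and the context that produced them."""
    ctx = enrich(alert)
    s = score(ctx)
    verdict = "incident" if s >= 6 else "review" if s >= 2 else "likely_false_positive"
    return {"id": alert["id"], "verdict": verdict, "score": s, "context": ctx}


if __name__ == "__main__":
    for a in ALERTS:
        r = classify(a)
        print(r["id"], r["verdict"], r["score"], r["context"])
```

The three constructed alerts fire the same rule yet end up as an incident, a review item and a likely false positive respectively; nothing in the direct information distinguishes them, only the context does. Keeping the context dictionary in the output matters as much as the verdict, since it is what lets the analyst see which answers drove the score.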