Data is a precursor to evidence and is often collected from the network, endpoints, infrastructure (on-premise and cloud), applications in the form of logs, and even people. The scale of collections in large enterprises can prove to be an overwhelming amount of data and can lead to questions like: Where do you store all that data? How long do you need to keep it? How do you correlate it to make sense of it, or turn it into evidence that enables you to speak with confidence about what happened after a cybersecurity incident?
On the other hand, while evidence begins with the data, it extends beyond that and enhances it through contextual enrichment (e.g., GeoIP, blocklist/allowlist, CMDB asset information, CVE information, etc.) and correlation (e.g., what happened before, what happened after, etc.). Evidence, with its context and correlation, is what is needed when revealing details of an agency cyber incident, intrusion or breach.
So how do you turn data into evidence?
A relatively easy example comes from one of the most popular tools used in security operations centers: an SIEM (security information and event management), such as Splunk, Humio, Elastic or Sentinel. In its simplest form, an SIEM is used to collect data from different data sources and sends alerts on potential security threats and vulnerabilities.
A necessary, but not sufficient, data source is network data. Network data can be passively collected — so an adversary wouldn’t know whether their activity is being seen — and is immutable, meaning it can’t be manipulated, bypassed or deleted. The network data is turned into evidence as it is parsed, analyzed, normalized, given context and correlated with previous and following actions. This contextual understanding of what the data means — this evidence — elevates defenders’ capabilities, allowing them to really focus on their higher-risk detections based on their unique environment.
Taking this a bit deeper, raw data can also be turned into evidence, again using network data as the example. Network data can and should be examined and analyzed as it flows, which is usually referred to as network traffic analysis. But what is actually examined? Is it really that useful? The protocols (e.g., HTTP, DNS), the timing of the network sessions, the meta data of encrypted network traffic or even just the identification of various VPNs in use are examples of how network data can be analyzed.
But what now?
Notifications or alerts are sent to the security operations center, but how do they know what to investigate or what is most important/dangerous? It is easy to say that each alert should be investigated, but the reality is that hundreds of these might be received in an hour, and no one has enough manpower to examine them all. Having the context and correlated activities surrounding the alert — the evidence — can greatly speed up the human analysis and can be used to fine-tune and prioritize the actionable alerts.
Comprehensive network evidence supported by machine learning and other data analytics in a fast, intuitive search platform accelerates security operations to the next level. It dramatically simplifies tier one workflows so teams have more time for hunting and response — activities that move faster than ever when coupled with an intuitive log query engine. With the ability to quickly pivot to the raw data, CIOs, CTOs and CISOs have the evidence necessary to authoritatively detail what happened in a given incident and better understand how it occurred.
The takeaway: Agencies need to turn data into evidence. When it comes down to it, the most important thing to ensure is that your agency has the evidence necessary to support effective investigations. Evidence powers detections. Detection results, coupled with evidence, provide an agency with the knowledge for a “defensible disclosure” and the ability to be able to articulate exactly what occurred, when it occurred, how long it lasted and how it can be mitigated moving forward.
Jean Schaffer serves as chief technology officer for the federal arm of Corelight, the leader in open network detection and response. She joined Corelight in March 2021 following 33 years serving the Department of Defense and Intelligence Community, including three decades at the National Security Agency, where she helped the agency implement insider threat detection platforms. She now applies her decades of public-sector experience at all levels of government to Corelight’s data-first approach to cybersecurity.
