Analysis is NOT data entry…

I’m not going to go look up the definition of “analysis,” because it seems to mean something different in everyday usage than it does in the context of infosec.  Instead, I’m going to propose a basic working definition of analysis, as it applies to what we do.

Analysis is the extrapolation of a conclusion based on often incomplete information.

Note the requirement for forming a conclusion.  If you are a SOC analyst, and you are escalating the majority of your alerts without a conclusion, then you are not performing analysis.  You are simply reviewing, summarizing, and re-stating the information from the alert.

As a DFIR analyst, I should never receive an escalation that says

“On 1/2/03, $corporateEndpoint generated an alert for $nefariousActivity.  The destination URL and IP are listed as non-malicious, per VirusTotal.  No other prior or subsequent alerts have triggered for that user within a 30 day timeframe.  Escalating to DFIR for further analysis.”

You can’t escalate for further analysis if there hasn’t been any analysis already performed.   The above is a simple statement of factual data.  It contains no analysis whatsoever.

Now…I realize this happens because analysts are afraid to form a conclusion and get it wrong.  Get over it.  You have to be wrong if you’re ever going to learn.

Try this instead:

“On 1/2/03, $corporateEndpoint generated an alert for $nefariousActivity.  The destination URL and IP are listed as non-malicious, per VirusTotal.  No other prior or subsequent alerts have triggered for that user within a 30 day timeframe.  The signature for $nefariousActivity is based on a regular expression search, which is visible in query string of the destination URL, however in this context, the traffic is non-malicious, as other necessary indicators of $nefariousActivity are notable absent.  Alert closed as a CAT IX; case escalated to content management team in order to investigate the possibility of tuning the alert.

See the difference?  The SOC analyst had access to all the same data, of course…but was either unwilling or not knowledgeable enough to form a conclusion based on the available data.

Why is this important?  Aside from the obvious fact that a person employed as an analyst should be performing analysis…this impacts others!  When these cases are escalated without analysis, they are generally send to an Incident Responder.  Now…let this sink in:  Incident Responders are not SOC analysts, and are not an escalation point for the SOC.  They are supposed to be responding to actual security incidents, and every badly escalated case takes their time and attention away from the job they are actually paid for.

Article Link: https://biebermalware.wordpress.com/2018/01/18/analysis-is-not-data-entry/