When it comes to triaging the alerts produced by a threat detection run, accuracy is key. Imagine that a detection routine has given you about 100 alerts. Which of them are true positives and which are false positives? And are there false negatives that the routine missed entirely? The security of the whole organization depends on whether analysts can identify the real threat somewhere among piles of data that generally look quite similar.
That’s why baselining comes in handy. When you create baselines, you set a proper standard for the specific behavior that can be considered either good or bad inside your organization. Frankly, experts argue that there is no one-size-fits-all detection rule and that SOC teams should tailor each rule to their unique context. Creating baselines is step one in that process.
Another question is which software solution you should choose for baselining in threat detection. It would be no surprise if the functions of the security products you use overlap, so you should choose the best place for creating baselines. For example, your SIEM might offer baselining, as might more specific solutions, including MITRE ATT&CK coverage at SOC Prime’s Detection as Code platform, which continuously supplies Sigma-based threat detection content, or Uncoder.IO, a free online translator for queries, rules, and API requests. So let’s dive deeper and explore some basic things about creating baselines (forgive us the pun).
What is good and what is bad in your network?
Baselines are worth implementing everywhere, whether you want to hunt for threats on endpoints, in networks, or on hosts. The main purpose of creating baselines is to let you clearly distinguish between what is okay and what is not okay in your systems. As you might discover in the process, it is not all as obvious as it seems.
Case in point. Let’s say that most of your employees work from the office, during business hours, all in the same geographical location. It is highly unusual for any of them to log on from a workstation at 3:00 AM. Such behavior can potentially mean a breach, so it should generate a security alert and be sent for further investigation and remediation if the threat turns out to be real.
However, there is a bunch of folks in your call center and system administration departments who might work night shifts, each according to their personal schedule. So what do we get here? Anomalous behavior that occurs irregularly. This type of event can cause tons of false positives, so as you can see, configuring baselines is crucial if you don’t want to drown in false alerts and miss the potentially dangerous ones.
It’s also useful to perform extensive analytics first and then set up baselines according to certain parameters. Get to know both the inner and the outer environment. The latter can be assessed by examining threat intelligence and deep analysis of the latest threats. By doing this, you’ll understand the current threat landscape: what attackers are typically targeting, which vulnerabilities they exploit, and so forth. Then you can scan your systems to check whether you are exposed to the most “popular” vulnerabilities. After that, proper baselines can be set according to the newly found goals and specific behavior.
Historical Data and Baselines
Most security experts admit that in the excessive amounts of data generated daily by logging systems, context is king. It is barely possible to understand the nature of a particular event if you don’t know where it’s coming from. For instance, this could be a client’s request to a server. At the network protocol level, it looks like a legitimate request, but in actuality it could be a malicious request from a spoofed IP address. Then it’s necessary to understand whether it is a new event or whether it has been happening regularly for a long time. What initial access technique is being used? For effective detection and mitigation of a threat and, especially, of a full-fledged cyber-attack, you absolutely need to know how it behaves on different levels. The only way to know that is through logical analysis, because on a technical level automated correlation might not bring the desired results in specific use cases.
To figure out the frequency and nature of a certain event, analysts would typically look back over a 30-day timeframe. They would ask questions like: when was the first time this event happened? How regularly did it happen, and is there any pattern? What else happened during that time, as well as before and after the reviewed event? If no single pattern emerges, it may make sense to review events over a fiscal quarter. Search for cycles; it could also be a weekly or a daily pattern. Another approach is to assess the historical data of each department separately, because the billing department can have its own context, while the development team might have a completely different one.
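The off-hours logon scenario above and the 30-day look-back questions (first occurrence, frequency, per-department context) can be put together in a small baseline. The following is an added example, not code from the original post or from SOC Prime; the 30-day logon sample, the department names and users, and the 5% share threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 30-day logon sample, not real telemetry: (timestamp, user, department).
START = datetime(2024, 3, 4)  # a Monday
EVENTS = []
for day in range(30):
    d = START + timedelta(days=day)
    if d.weekday() < 5:  # billing staff log on on weekday mornings
        EVENTS += [(d.replace(hour=8, minute=30), u, "billing") for u in ("alice", "bob")]
    if day % 3 == 0:  # call-center operator works irregular night shifts
        EVENTS.append((d.replace(hour=3, minute=5), "carol", "callcenter"))


def build_baseline(events, end, window_days=30):
    """Per-department hour-of-day logon counts over the look-back window ending at
    `end`, plus the first time each (department, hour) pair was observed."""
    cutoff = end - timedelta(days=window_days)
    counts = defaultdict(lambda: defaultdict(int))
    first_seen = {}
    for ts, _user, dept in sorted(events):
        if cutoff <= ts < end:
            counts[dept][ts.hour] += 1
            first_seen.setdefault((dept, ts.hour), ts)
    return counts, first_seen


def score_event(event, counts, first_seen, min_share=0.05):
    """Flag a logon whose hour accounts for less than `min_share` of its department's
    historical logons (share 0.0 means the hour was never seen in that department)."""
    ts, user, dept = event
    hist = counts.get(dept, {})
    total = sum(hist.values())
    share = hist.get(ts.hour, 0) / total if total else 0.0
    return {"user": user, "dept": dept, "hour": ts.hour, "share": round(share, 3),
            "first_seen": first_seen.get((dept, ts.hour)), "alert": share < min_share}


def run_demo():
    """Score two 3 AM logons on day 31 against the 30-day baseline."""
    end = START + timedelta(days=30)
    counts, first_seen = build_baseline(EVENTS, end)
    new_events = [(end.replace(hour=3, minute=10), "alice", "billing"),     # unusual
                  (end.replace(hour=3, minute=10), "carol", "callcenter")]  # routine
    return [score_event(ev, counts, first_seen) for ev in new_events]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Because the baseline is keyed by department, the same 3 AM logon is flagged for the billing user but treated as routine for the call-center operator, and `first_seen` answers the "when did this first happen" question directly from the window.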
Conclusion
It’s extremely important to set up baselines for threat detection to avoid alert fatigue and heightened rates of false positives. At the same time, this practice requires a lot of effort and expertise from high-profile security experts. Some of them prefer using automation to achieve their baselining goals, while others prefer to do everything by hand. One thing is for sure: baselines should be configured not only for users’ behavior but also for endpoints, networks, assets, and systems as a whole.