What’s the difference between IT and security analysis and a game of Chutes and Ladders? You might stand a better chance of winning at Chutes and Ladders. Why? Because you can see the whole board and think in advance about which spaces you want to land on to win the game. That doesn’t mean that all root cause analysis investigations are doomed to fail. However, in IT operations root cause analysis and security investigations, you don’t have the benefit of seeing all the squares on the board. This makes the outcome of the analysis much less certain.

For most IT operations or security analysis, the process can be broken down into four steps:

  1. Decide — The analyst must first decide which data object to start with. When triaging an alert, the analyst looks at the data objects in the alert or log and selects one to start a data search. The selected object can be an IP address, MD5 hash, CVE, or any other piece of information contained in the alert. For the threat hunter, the data object could originate in threat intelligence or in a review of access to sensitive corporate data.
  2. Search — The analyst next runs a search for the data object across data types. This is an effort to start putting together the story of what happened by reviewing and keeping in mind the relationships between the data types.
  3. Pivot — To continue the investigation, the analyst selects a new data type whose logs contain the original data object. The analyst may also select a different data object (pivot) to use in continuing the investigation.
  4. Review — Once a new or existing analysis path is selected (using either the original data object or a new one), the analyst reviews the existing data.

These four steps, or a process closely resembling them, are repeated as analysis progresses along a single-threaded track to root cause, or as security incident cause and intent are determined. Unfortunately, this process can contain human bias and is heavily dependent on human memory. Without a systematic approach, notes taken during the process can leave out key details and context.

AI Assisted Analysis

AI assisted analysis (machine reasoning specifically) has the potential to make analysis more efficient and more accurate. Using a learned relationship ontology, the AI engine reads IT operations, security, identity, and application data and inserts the relevant relationships between data objects such as IP addresses, identities, MD5 hashes, and error messages. These relationships are stored in a graph database and displayed on an analysis canvas that the analyst can use to manipulate the data object(s).

At each decision cycle in an alert triage scenario, when the analyst selects a data object, AI inserts the appropriate contextual relationships in the analysis path and offers related data objects as possible next steps.

This approach allows the analyst to focus on all obvious investigation paths simultaneously. The Pivot step is removed and the Search step is made optional in the analysis process. At any point, the analyst may stop the investigation once a coherent narrative can be built around the connected data objects.
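To make the contrast concrete, here is an added illustration (not Gemini Data's code) of both the four-step loop and the graph-based "board": a co-occurrence graph is built from a few records, the Search step is answered by a lookup, and a breadth-first expansion from one data object exposes every connected object with the data types that link them. All records, field names, IPs, hashes and user names below are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed sample records from four data types (hypothetical values, not real data).
RECORDS = [
    ("alert",    {"ip": "10.0.0.5", "md5": "9e107d9d372bb6826bd81d3542a419d6"}),
    ("proxy",    {"ip": "10.0.0.5", "user": "jdoe", "host": "cdn.example.net"}),
    ("auth",     {"user": "jdoe", "ip": "10.0.0.7"}),
    ("endpoint", {"md5": "9e107d9d372bb6826bd81d3542a419d6", "ip": "10.0.0.9",
                  "error": "AV quarantine failed"}),
]

def build_graph(records):
    """Link every pair of data objects that co-occur in one record.

    Nodes are 'field=value' strings; each edge remembers the data types that
    produced it, which is the contextual relationship the analyst needs.
    """
    graph = defaultdict(dict)
    for dtype, rec in records:
        objs = [f"{k}={v}" for k, v in rec.items()]
        for a in objs:
            for b in objs:
                if a != b:
                    graph[a].setdefault(b, set()).add(dtype)
    return graph

def search(records, obj):
    """The manual Search step: which data types contain this object?"""
    field, value = obj.split("=", 1)
    return sorted({dtype for dtype, rec in records if rec.get(field) == value})

def analysis_board(graph, start, max_hops=3):
    """Breadth-first expansion from one data object.

    Returns {object: (hops, path)} where path lists the data types crossed,
    so every reachable object is visible at once instead of one pivot at a time.
    """
    board = {start: (0, [])}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        hops, path = board[cur]
        if hops >= max_hops:
            continue
        for nxt, dtypes in graph.get(cur, {}).items():
            if nxt not in board:
                board[nxt] = (hops + 1, path + [sorted(dtypes)[0]])
                queue.append(nxt)
    return board
```

Starting from `ip=10.0.0.5`, the board reaches the user, the hash, the second host the hash was seen on and its error message in two hops, which the manual loop would surface only after several Search/Pivot cycles.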

Using AI-assisted analysis means the analyst can see their entire Chutes and Ladders “analysis board.” This makes the obvious investigation choices clear and plotting a path to root cause much easier.

Get an overview of Gemini Enterprise [https://www.geminidata.com/products/gemini-enterprise/] software.