Using natural language searches for fast incident response

Posted by Grant Wernick on January 17, 2018

During any large malware infection or outbreak, seconds matter. Security operations teams need fast, frictionless access to all security-relevant data in order to assess, analyze, and act quickly as part of incident response. Unless a threat is eradicated quickly, it will move laterally, infect more machines, and accomplish its mission, whether that is installing ransomware or locating and exfiltrating confidential data.

Most security operations teams lack the tools or skills needed to move beyond dashboards and quickly dive deep into threat detection, and data collection alone can take hours or days to complete. Using big data platforms such as Splunk can help centralize intelligence, but most analysts still struggle to write optimal, ad-hoc search queries across their data sets to detect threats, because these queries rely on knowledge of complex, proprietary query languages.

The Insight Engines Cyber Security Investigator (CSI) for Splunk is a Splunk App that enables analysts at any level to use natural language, or plain English, searches in Splunk. This makes them significantly faster and more productive, lets them think strategically, and helps them find elusive relationships as they investigate complex machine-generated textual data to solve cyber security-specific problems, including threat response.

With CSI, it is easy to take the Indicators of Compromise (IOCs) for a specific type of malware or advanced threat and then use natural language searches in Splunk to quickly search through your logs to see whether these IOCs are present. These IOCs could be file hashes, executable names, IP addresses, domain names, and more. Anyone in the organization, even someone who is not technical, can run these natural language searches in CSI to detect whether the IOC or threat exists in their environment. For example, a natural language search to look for WannaCry ransomware could be:

Show me systems with filesystem changes involving filename "*.WNCRY*"

Easy!
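The search above boils down to an IOC sweep over file-change events: a wildcard filename pattern, plus hash, IP and domain indicators, matched against log fields and grouped by host. The following is an added illustration of that logic in Python, not code from Insight Engines, CSI or Splunk; the log format, field names and every IOC value except the "*.WNCRY*" pattern from the post are constructed sample data.

```python
"""Sweep constructed file-change log events for indicators of compromise.

Added illustration only: the key=value event format, field names and all
indicator values other than the "*.WNCRY*" filename pattern are constructed.
"""
import fnmatch
import re

# Constructed sample events (not real telemetry), one file-change event per line.
SAMPLE_EVENTS = [
    r'host=ws-012 action=created path="C:\Users\a\Docs\report.docx.WNCRY" sha256=aaaa1111 dest_ip=10.0.0.5',
    r'host=ws-044 action=modified path="C:\Temp\update.exe" sha256=bbbb2222 dest_ip=203.0.113.9',
    r'host=srv-01 action=created path="/var/log/syslog" sha256=cccc3333 dest_ip=10.0.0.8 dest_domain=updates.example.test',
    r'host=ws-077 action=created path="D:\share\Q4 budget.xlsx.WNCRY" sha256=eeee5555',
]

# Constructed IOC set: one filename glob (from the post) plus placeholder hash, IP and domain values.
IOCS = {
    "path_glob": ["*.WNCRY*"],
    "sha256": {"bbbb2222"},
    "dest_ip": {"203.0.113.9"},
    "dest_domain": {"bad.example.test"},  # deliberately absent from the sample events
}

# key=value pairs; quoted values may contain spaces and backslashes.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def find_matches(lines, iocs):
    """Return (host, field, indicator) for every IOC hit across the log lines."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        # Filename globs are matched case-insensitively, like the "*.WNCRY*" search.
        for pattern in iocs.get("path_glob", []):
            if "path" in ev and fnmatch.fnmatchcase(ev["path"].lower(), pattern.lower()):
                hits.append((ev["host"], "path", pattern))
        # Exact-value indicators are matched against the corresponding field.
        for field in ("sha256", "dest_ip", "dest_domain"):
            if ev.get(field) in iocs.get(field, set()):
                hits.append((ev["host"], field, ev[field]))
    return hits


def affected_hosts(lines, iocs):
    """Distinct hosts with at least one IOC hit, which is what the analyst acts on."""
    return sorted({host for host, _, _ in find_matches(lines, iocs)})


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS, IOCS):
        print(hit)
    print("affected hosts:", affected_hosts(SAMPLE_EVENTS, IOCS))
```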

In two detailed white papers, we illustrate via case studies how CSI can be used to quickly and easily detect WannaCry and Petya ransomware infections via their IOCs. Click here for the WannaCry white paper and click here for the Petya white paper. While these two threats are not new, the basic logic and approach in these papers still apply to rapidly detecting the latest forms of malware or threats for which IOCs exist.

If you are interested in learning more about natural language, or plain English, search or the Insight Engines Cyber Security Investigator for Splunk (CSI), please see a short demo, read about the ROI of CSI, or contact us to speak with a representative. Thanks!