Using Natural Language Searches for Fast Incident Response

Posted by Darien Kindlund on January 17, 2018

During any large malware infection or outbreak, seconds matter. Security operations teams need fast, frictionless access to all security-relevant data in order to assess, analyze, and act quickly as part of incident response. Unless a threat is eradicated quickly, it will move laterally, infect more machines, and accomplish its mission, whether that is installing ransomware or locating and exfiltrating confidential data.

Most security operations teams lack the tools or skills needed to move beyond dashboards and dive deep into threat detection quickly, since data collection alone can take hours or days. Big data platforms such as Splunk help centralize intelligence, but most analysts still struggle to write optimal, ad-hoc search queries across their data sets to detect threats, because those queries depend on knowledge of complex, proprietary query languages.

Not only are the queries cumbersome and meticulous, the number of people trained to write them doesn’t meet the demand. The National Initiative for Cybersecurity Education released a study showing that 285,000 cyber security roles went unfilled in 2017 in the U.S. alone. To address the ever-growing gap, firms are turning to training programs that focus on developing inexperienced analysts to perform an already difficult task.

But what if cybersecurity were simpler and more intuitive? Instead of spending countless hours writing and refining queries, what if it could be as simple as asking questions of your data?

Natural language search enables analysts at any level to search Splunk in plain English, making them significantly quicker and more productive. A natural language interface lets security analysts think strategically and find elusive relationships to possible threats as they investigate complex, machine-generated textual data. Security teams can apply human intelligence by asking very specific questions of the data without spending time writing long, labor-intensive queries. Instead, analysts can find real threats faster, and have more time and resources to explore their systems and environments in completely new ways.

Natural language search makes it easier than ever to take the Indicators of Compromise (IOCs) for a specific type of malware or advanced threat and quickly search through your logs in Splunk to see whether those IOCs are present. These IOCs could be file hashes, executable names, IP addresses, domain names, and more.

Furthermore, natural language search enables anyone in the organization, even if they’re not technical, to run searches that detect whether an IOC or threat exists in their environment. For example, a natural language search could be: “Show me systems with filesystem changes involving filename "*.WNCRY*"” or “Show me vulnerable systems with failed updates.”
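To make the idea concrete, here is an added example (not code from the original post, and not Splunk's own natural language feature) that translates the one question shape used above into an equivalent SPL search and applies the same IOC filter to a few constructed file-change events. The toy grammar, the `filechange` sourcetype and the sample events are all assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events (assumed field names): one file-change record
# per line, as a file-integrity or endpoint collector might send to Splunk.
SAMPLE_EVENTS = [
    {"host": "ws-101", "sourcetype": "filechange", "action": "created",
     "filename": r"C:\Users\alice\Desktop\@Please_Read_Me@.txt"},
    {"host": "ws-102", "sourcetype": "filechange", "action": "renamed",
     "filename": r"C:\Users\bob\report.docx.WNCRY"},
    {"host": "ws-103", "sourcetype": "filechange", "action": "created",
     "filename": r"C:\Windows\Temp\update.log"},
    {"host": "ws-104", "sourcetype": "filechange", "action": "created",
     "filename": r"D:\share\budget.xlsx.WNCRY"},
]

# Toy grammar (assumption): only the question shape from the post is
# understood. "systems" is mapped to the host field of the events.
QUESTION_RE = re.compile(
    r'show me systems with filesystem changes involving filename '
    r'[“"](?P<pattern>[^”"]+)[”"]',
    re.IGNORECASE,
)

def question_to_spl(question):
    """Translate the plain-English question into an SPL search string.

    SPL treats '*' in a quoted field value as a wildcard, so the filename
    pattern can be passed through unchanged.
    """
    m = QUESTION_RE.search(question)
    if not m:
        raise ValueError("question shape not understood: " + question)
    return ('sourcetype=filechange filename="%s" | stats count by host'
            % m.group("pattern"))

def sweep(question, events=SAMPLE_EVENTS):
    """Run the same filter over in-memory events (what the SPL search does
    server-side) and return {host: number of matching file changes}."""
    m = QUESTION_RE.search(question)
    if not m:
        raise ValueError("question shape not understood: " + question)
    pattern = m.group("pattern")
    counts = {}
    for ev in events:
        if ev.get("sourcetype") != "filechange":
            continue
        # Case-sensitive glob match, mirroring the wildcard in the SPL query
        if fnmatchcase(ev["filename"], pattern):
            counts[ev["host"]] = counts.get(ev["host"], 0) + 1
    return dict(sorted(counts.items()))
```

A host that never ships file-change events to Splunk can never appear in the result, so the sweep is only as complete as the log coverage behind it.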

When organizations are able to discover threats in a fraction of the time and with a fraction of the training, their security analysts are empowered to flex their creative muscles, test ideas, and experiment far more often, resulting in more effective cybersecurity operations. Natural language search can completely change the way cybersecurity is managed. Gone are the days of long, complex queries that consume hours that could otherwise be spent hunting threats.