Intelligence Pivoting Allows You to Build a Broader Picture and is Pivotal to Detection and Response
Pivot. It’s a word we’re hearing more frequently since the pandemic, and I find it interesting for its dual meaning. On the one hand it means “turn.” Schools are pivoting to online learning. Businesses are pivoting to a remote workforce. Retailers are pivoting to contactless commerce. But it also means “crucial.” Measures like these are pivotal to keeping Covid-19 infection rates down. While it may be a trendy term, in cybersecurity, intelligence pivoting is pivotal to detection and response.
The first step is detection: having the right data from the right tools at the right time. But what is the right data? Each product within your security infrastructure creates its own logs and events, generating a massive amount of data – IP addresses, URLs, hash values, etc. These indicators are the lowest common denominator of all these disparate logs, and each of them could reveal malicious behavior. For instance, you may see an IP address you don’t recognize in your intrusion prevention system (IPS). So you decide to query other systems to see whether any of your other security tools have detected communication back to that IP address, which is valuable information. But an indicator is just one piece of data. Without context, you can’t have a full picture of what is happening.
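The cross-tool pivot described above, as an added example that is not code from the original article: starting from one unrecognised IP address, it searches constructed IPS, proxy and EDR events for that indicator, harvests the other indicators those events contain (internal host, domain, file hash), and follows them one more hop. The tool names, log formats and addresses are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample events from three hypothetical tools (an IPS, a web
# proxy and an EDR agent); addresses come from documentation ranges.
SOURCES = {
    "ips": [
        "2021-03-01T10:02:11Z alert sig=SCAN-1 src=10.0.0.5 dst=203.0.113.9",
        "2021-03-01T10:02:50Z alert sig=POLICY-2 src=10.0.0.7 dst=198.51.100.4",
    ],
    "proxy": [
        "2021-03-01T10:03:02Z allow client=10.0.0.5 url=http://example-bad.test/a.exe server=203.0.113.9",
        "2021-03-01T10:05:44Z allow client=10.0.0.8 url=http://intranet.local/ server=192.0.2.1",
    ],
    "edr": [
        "2021-03-01T10:03:10Z file_write host=10.0.0.5 sha256=" + "a" * 64 + " name=a.exe",
    ],
}

# The "lowest common denominator" indicator types shared by all the logs.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b"),
    "domain": re.compile(r"https?://([A-Za-z0-9.-]+)"),
}

def extract(line):
    """Return the set of indicator values present in one log line."""
    return {m for pat in PATTERNS.values() for m in pat.findall(line)}

def pivot(indicator, sources, depth=2):
    """Breadth-first pivot: find every event in every tool that contains the
    indicator, harvest the other indicators in those events, and repeat up to
    `depth` hops. Returns (events per indicator, all indicators reached)."""
    seen, frontier = {indicator}, {indicator}
    hits = defaultdict(list)          # indicator -> [(tool, raw event)]
    for _ in range(depth):
        new = set()
        for ind in frontier:
            for tool, lines in sources.items():
                for line in lines:
                    values = extract(line)
                    if ind in values:     # exact token match, not substring
                        hits[ind].append((tool, line))
                        new |= values - seen
        seen |= new
        frontier = new
    return hits, seen
```

Calling `pivot("203.0.113.9", SOURCES)` links the IPS alert to the proxy download and the EDR file write on the same internal host, while the unrelated intranet traffic is never pulled in.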