An organisation can have all the security tools in the world. SIEM, UEBA, SOAR, you name it. Ultimately those tools will end up as shelfware if there isn’t a human being looking at the output. Sure, “AI” (or Machine Learning for non-Marketeers) can do a lot of the heavy lifting if properly configured. BUT at some point, a SOC Analyst will need to look at events and make a triage decision. In most models, the Level 1 SOC analyst will be tasked with the initial triaging of events. Sifting through thousands of alerts trying to find indicators of compromise. It’s a thankless task…but what is the SOC Analyst looking for…and how will applying Locard’s Exchange principle help?
CSI Cyber?
Essentially, the SOC Analyst is looking for the Crime Scene. Every single server, every appliance, every router is a potential scene of a crime. Unfortunately, unlike a physical crime scene, it is often more challenging to confirm a computer crime has actually occurred, let alone find out where exactly it occurred. If logging and packet capture are not in place, life just got infinitely harder! A perpetrator can take a copy of a dataset but the original data doesn’t suddenly disappear. A hacker could make changes to records in a database but the records will still look legitimate to the average end-user. A system or service could inexplicably turn itself off or reset but there is no-one standing next to a big red button to arrest. If the SOC Analyst can’t identify a crime scene, Incident Responders and Digital Forensics Specialists won’t be able to do their jobs effectively…and the perpetrator gets away scot-free!
So What is Locard’s Exchange Principle?
Dr Edmund Locard was a French forensic scientist who was kicking around in the late 19th, early 20th century. He came up with a key forensics principle still in use today:
“Every contact leaves a trace”
Basically, when a criminal commits a crime he will either introduce something into the crime scene or take something away. Let’s use the analogy of a physical crime scene, such as a murder. The murderer may leave their DNA (introducing something) or flee the scene covered in the victim’s blood (taking something away).
It’s the same when a hacker compromises (or attempts to compromise) a network. When a hacker steals a dataset they leave behind a trace in the form of increased database read volumes. When a hacker is trying to cover their tracks they may leave anomalous gaps in logging. They may even leave your patch queue cleaner than it was as they take steps to prevent others from further compromising “their” pwned machine.
Know your enemy and know yourself
Simply understanding Locard’s exchange principle clearly isn’t enough. In order to apply the principle in practice, there needs to be evidence to investigate and the SOC Analyst must know how to use this evidence to identify:
“Absence of the normal
Presence of the abnormal”
The SOC analyst must understand the infrastructure they are monitoring. How else can they say with certainty that an alert relates to benign behaviour or something more sinister? How do they know whether that out-of-hours high read volume is a data breach or just a nightly backup? They can only know if they are trained and given access to knowledge about how the infrastructure operates. Not just at a point in time, but continuously, with every change request.
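As an added illustration (not code from the original post), here is a small Python triage check that encodes the ideas above: a per-hour baseline in which the known nightly backup is part of “normal”, a read spike outside that baseline flagged as presence of the abnormal, and a missing hourly log record flagged as absence of the normal. The counters, timestamps and function names are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed baseline: three quiet days of hourly database-read counters,
# 400 reads/hour except the known 02:00 nightly backup at 9000 reads.
def constructed_baseline_days():
    rows = []
    for day in (1, 2, 3):
        for hour in range(24):
            rows.append((datetime(2024, 3, day, hour), 9000 if hour == 2 else 400))
    return rows

# Constructed day under triage: same backup at 02:00, an unexplained 7500-read
# spike at 14:00, and no record at all for 16:00 (a gap in logging).
CONSTRUCTED_TODAY = [
    (datetime(2024, 3, 4, h), 9000 if h == 2 else 7500 if h == 14 else 400)
    for h in range(24) if h != 16
]

def hourly_baseline(rows):
    """Mean reads per hour-of-day. Because the backup recurs at 02:00 every
    night, it becomes part of 'normal' instead of a nightly false positive."""
    buckets = defaultdict(list)
    for ts, reads in rows:
        buckets[ts.hour].append(reads)
    return {hour: mean(values) for hour, values in buckets.items()}

def triage(day_rows, baseline, factor=3.0):
    """Findings for one day's rows: hours with no record (absence of the normal)
    and hours whose reads exceed factor x baseline (presence of the abnormal)."""
    seen = {ts.hour: reads for ts, reads in day_rows}
    findings = []
    for hour in range(24):
        if hour not in seen:
            findings.append((hour, "absence of the normal: no log record for this hour"))
        elif seen[hour] > factor * baseline.get(hour, 0):
            findings.append((hour, f"presence of the abnormal: {seen[hour]} reads "
                                   f"vs hourly baseline {baseline.get(hour, 0):.0f}"))
    return findings

if __name__ == "__main__":
    for hour, message in triage(CONSTRUCTED_TODAY, hourly_baseline(constructed_baseline_days())):
        print(f"{hour:02d}:00  {message}")
```

The 02:00 backup is not raised because the baseline already expects it; the 14:00 spike and the missing 16:00 record are, which is the difference between an analyst who knows the infrastructure and one who does not.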
Élémentaire mon cher…
They say Locard was akin to a French Sherlock Holmes and, just like Messrs Holmes & Locard, SOC analysts are detectives in their own right. The more they understand the ebbs and flows of the infrastructure they monitor, and the more they apply Locard’s exchange principle, the less time will be wasted in the SOC…
…which means more time for the value-add activities!
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.

