Using the Sherlock Holmes Method for Cyber Defense


How federal agencies benefit from data-driven cybersecurity strategies.

For any investigation, from centuries of old-fashioned detective work onward, the comprehensive collection and analysis of evidence plays an essential role. “It is a capital mistake to theorize before you have all the evidence,” as the great fictional detective, Sherlock Holmes, famously said. “It biases the judgment.”

For cybersecurity teams today, data serves as the source for all evidence of interest.

The Office of Management and Budget’s August 2021 memo on event logging (M-21-31) and the federal Zero Trust Strategy (M-22-09) underscore this by calling on agencies to improve their logging practices, with an emphasis on centralized access to, and visibility of, this evidence.

In the August memo, OMB directed agencies to reach three event-logging maturity tiers (basic, intermediate and advanced) over the following two years. The capabilities required at the advanced tier include security orchestration, automation and response (SOAR); user behavior monitoring backed by machine learning and artificial intelligence; and advanced centralized access.

In addition, agencies must document that they restrict the viewing, accessing or modifying of log files to individuals with a job-related need to do so. That is least privilege applied to the evidence itself, and a key component of zero trust: an attacker who can modify the logs can erase the trail, so write access in particular should be rare and audited.

These requirements push agencies toward effective, data-centric security strategies. But agencies should go beyond the letter of the OMB directives, because simply collecting data isn’t enough. The data has to be interpretable to be useful, and it has to tie pieces together.

As in the classic Holmes stories, the evidence has to tell a story. The story must reveal the “who” behind every incident (the attackers), along with the “what” (what they went after), the “when” (when it happened) and the “where” (which parts of the enterprise they targeted). There’s also the “why” and “how,” so cybersecurity teams gain full awareness of motives and techniques.

Without this, teams are essentially looking at the cover of a book and perhaps flipping through some pages. But they’re not getting the entire story.

To truly understand what’s happening, teams must make full use of both endpoint detection and response (EDR) and network detection and response (NDR). EDR watches the hosts teams have to defend, which is also where the attacker is operating: an intruder with sufficient privilege on a host can stop or blind the agent, clear event logs, or tamper with what the agent reports, so host telemetry tends to be incomplete in exactly the cases that matter most. Like a thief in the night wearing gloves, a careful attacker leaves few fingerprints on the endpoint.

That’s where NDR steps in. A network sensor observes traffic from a vantage point the compromised host cannot alter, so it captures clues the endpoint never recorded and lets teams distinguish genuine evidence from a misleading absence of it. The host’s logs, for example, may show no sign of a suspicious connection between a user’s workstation and a server. The network record, playing lead detective and lie detector, will show that the connection did happen, when, and how much data moved. One caveat applies: a sensor only sees traffic that crosses a monitored segment, and for encrypted traffic it yields metadata (endpoints, timing, volume) rather than content, so sensor placement and coverage decide what the lie detector can actually see.
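The cross-check described above can be automated. The following Python is an added example and is not code from the article or from Corelight. It assumes two constructed inputs: network flow records in the shape of a Zeek conn.log (JSON lines, one connection per line) and host-side connection events in the shape of Sysmon Event ID 3. Both data sets are invented for illustration. The script matches the two sources on the connection 4-tuple within a small clock-skew tolerance and sorts every connection into three buckets: corroborated by both sources, seen only by the network sensor (the host “said it never happened”), and seen only by the host (traffic the sensor never saw, which points at a coverage gap rather than a lie).

```python
"""Reconcile host connection events against network flow records.

Added example. The record shapes mimic Zeek conn.log (JSON) and Sysmon
Event ID 3, but every record below is constructed, not real telemetry.
"""
import json
from datetime import datetime, timezone

# Constructed Zeek-style conn.log (JSON lines). ts is epoch seconds, as a
# sensor on the server segment would record it. 1700000000 = 2023-11-14 22:13:20 UTC.
ZEEK_CONN_LOG = """\
{"ts": 1700000000.0, "uid": "C1", "id.orig_h": "10.1.5.23", "id.orig_p": 51234, "id.resp_h": "10.1.9.10", "id.resp_p": 445, "proto": "tcp", "conn_state": "SF"}
{"ts": 1700000030.5, "uid": "C2", "id.orig_h": "10.1.5.23", "id.orig_p": 51240, "id.resp_h": "10.1.9.10", "id.resp_p": 3389, "proto": "tcp", "conn_state": "SF"}
{"ts": 1700000042.1, "uid": "C3", "id.orig_h": "10.1.5.23", "id.orig_p": 51255, "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp", "conn_state": "SF"}
"""

# Constructed host-side events from workstation 10.1.5.23 (Sysmon Event ID 3 shape).
# The RDP connection C2 is deliberately absent: the attacker "wore gloves".
# A host-only SSH event to 10.1.9.11 is included to show the other failure mode.
HOST_EVENTS = [
    {"UtcTime": "2023-11-14 22:13:20.100", "SourceIp": "10.1.5.23", "SourcePort": 51234,
     "DestinationIp": "10.1.9.10", "DestinationPort": 445,
     "Image": "C:\\Windows\\System32\\svchost.exe"},
    {"UtcTime": "2023-11-14 22:14:02.300", "SourceIp": "10.1.5.23", "SourcePort": 51255,
     "DestinationIp": "203.0.113.7", "DestinationPort": 443,
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"UtcTime": "2023-11-14 22:14:30.000", "SourceIp": "10.1.5.23", "SourcePort": 51260,
     "DestinationIp": "10.1.9.11", "DestinationPort": 22,
     "Image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe"},
]

TOLERANCE_S = 5.0  # assumed allowable clock skew between sensor and host clocks


def parse_zeek(text):
    """Parse JSON-lines conn.log records into dicts keyed on the 4-tuple."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        flows.append({
            "ts": float(r["ts"]),
            "uid": r["uid"],
            "key": (r["id.orig_h"], int(r["id.orig_p"]), r["id.resp_h"], int(r["id.resp_p"])),
        })
    return flows


def parse_host(events):
    """Convert Sysmon-style events to the same 4-tuple key and epoch timestamp."""
    out = []
    for e in events:
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f") \
            .replace(tzinfo=timezone.utc).timestamp()
        out.append({
            "ts": ts,
            "key": (e["SourceIp"], int(e["SourcePort"]), e["DestinationIp"], int(e["DestinationPort"])),
            "image": e["Image"],
        })
    return out


def reconcile(flows, host_events, tolerance=TOLERANCE_S):
    """Return (corroborated, network_only, host_only).

    A flow is corroborated when a host event with the same 4-tuple occurred
    within `tolerance` seconds; each host event is consumed at most once.
    """
    by_key = {}
    for h in host_events:
        by_key.setdefault(h["key"], []).append(h)
    corroborated, network_only, used = [], [], set()
    for f in flows:
        match = None
        for h in by_key.get(f["key"], []):
            if id(h) not in used and abs(h["ts"] - f["ts"]) <= tolerance:
                match = h
                break
        if match is None:
            network_only.append(f)  # the host never recorded it
        else:
            corroborated.append((f, match))
            used.add(id(match))
    host_only = [h for h in host_events if id(h) not in used]  # sensor never saw it
    return corroborated, network_only, host_only


def reconcile_logs(zeek_text=ZEEK_CONN_LOG, host_events=HOST_EVENTS, tolerance=TOLERANCE_S):
    """Run the reconciliation and return a compact, testable summary."""
    corr, net_only, host_only = reconcile(parse_zeek(zeek_text), parse_host(host_events), tolerance)
    return {
        "corroborated": [f["uid"] for f, _ in corr],
        "network_only": [f["uid"] for f in net_only],
        "host_only": [h["key"] for h in host_only],
    }


if __name__ == "__main__":
    summary = reconcile_logs()
    print("corroborated by host and network:", summary["corroborated"])
    print("network saw it, host did not (tampering or agent gap?):", summary["network_only"])
    print("host saw it, network did not (sensor coverage gap?):", summary["host_only"])
```

Each bucket is read differently in an investigation. A network-only connection is the lie-detector case: the wire proves the session happened, so the missing host record is itself a finding (cleared logs, a stopped agent, or a host the agent never covered). A host-only connection is the opposite and equally useful: it marks a segment the sensor does not see, which is a deployment fix rather than an intrusion indicator. The skew tolerance matters because Zeek stamps the first packet while the host stamps when its own instrumentation noticed the socket; setting it to zero makes nearly everything look unmatched.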

As part of their investigative efforts, teams should also retain as much historical data as possible. Many organizations purge old data, and that is a mistake: intrusions are often discovered long after the initial compromise, so the evidence that matters most is frequently the oldest. M-21-31 itself sets a floor of 12 months in active storage followed by 18 months in cold storage. Instead of dismissing old data as useless, think of it as the prequel to the story. It reveals where and how adversaries attacked in the past, which helps anticipate what they will do next.

With the evidence centralized, team members have what they need to piece together the whole story. They can compile a comprehensive picture of their cybersecurity posture and steadily sharpen their investigative and threat-hunting skills.

To update the wise words of Holmes, it is a capital mistake to theorize before you have all the data. Fortunately, EDR and NDR tools that together can tell a complete and accurate story are readily available. Used that way, agencies won’t simply satisfy the OMB’s directives; they’ll surpass them.

Richard Chitamitre is the federal sales engineer at Corelight.