Get startedGet started for free

Aggregations and correlations

1. Aggregations and correlations

To stay ahead of potential threats and quickly respond to security incidents, organizations need a way to collect vast amounts of data from their infrastructure. In this video, you’ll learn about the power of aggregation and correlation. These concepts can help organizations monitor activities, identify patterns, and detect potential threats. Let’s dive in. An organization can have many data points in their cloud environments, leading to lots of log data generated by user activities, authentication attempts, firewalls, and intrusion detection and prevention systems. All of this data is important to analyze when detecting and managing incidents. So the data needs to be properly gathered and consolidated. That’s where aggregation comes in. Aggregation is the process of collecting and consolidating diverse forms of data. Aggregation is kind of like farming vegetables. Farmers go through several stages to produce their crops, including plowing land, planting seeds, and watering crops. Farmers plant many different types of vegetables, like tomatoes, corn, or lettuce on different sections of their land. Once the vegetables are full grown, it's time to harvest them. During a harvest, all of the different vegetables are gathered or aggregated to a central location. Then, they’re sent to a processing facility to be sorted. During processing, any damaged or rotten vegetables are removed. After they've been sorted, the vegetables are thoroughly washed to remove soil or bugs. The harvested vegetables are then distributed to grocery stores and purchased by consumers. Just like farmers harvest and process different types of vegetables, in cybersecurity, organizations aggregate data from multiple sources in an environment. By aggregating data like logs and alerts, cloud security professionals can access relevant security data, identify patterns, and gain a comprehensive view of an environment. You might remember that a security event and information management, or SIEM tool, collects and analyzes log data to monitor critical activities in an organization. Google Cloud's Chronicle is an example of a SIEM tool that aggregates data from a variety of sources, like logs from firewalls and data loss prevention tools. Aggregation collects massive volumes of data. So, how do organizations make sense of it all? This can be done through correlation. Correlation is the relationship between two or more security events. It involves comparing security events, adding context, and making connections between the events. Normalization involves the processing of raw data for consistent formatting. Normalized events improve the performance of correlation. Remember the farming example? Imagine the farmer has plowed the land, planted the fields, and watered the crops. But, when it comes time to harvest, the land is very dry and the farmer finds that the harvest has produced significantly less vegetables compared to previous years. The farmer makes the connection that an extreme drought must have affected the crops, resulting in fewer vegetables. Just like the farmer correlated low harvest yields with drought, in cybersecurity, correlation is used to draw connections between security events. Correlation can be used to address suspicious login attempts. For example, imagine a user logs into an account using a new device, triggering a security alert. The alert then flags the login as suspicious because the user has never logged into their account on this device before. Correlation can be used to cross reference other relevant data points related to the alert, like the user's commonly used IP address, the date and time of the login, and the user's past login behavior. If the IP address used to log into the device matches the user's IP address, the login was made during regular business hours, and is consistent with the user's login behavior, then the login can be categorized as legitimate instead of a possible breach. Now that you know how to use aggregation and correlation to access data and identify patterns in security events, you can detect and respond to threats more effectively.

2. Let's practice!

Create Your Free Account

or

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.