Spreadsheets For Incident Response
Using spreadsheets for incident response (IR) is more common than you might think. Why? Most people have access to Microsoft Excel or Google Sheets already, and it doesn't require any set up or training. While spreadsheets were originally designed for accounting and financial analysis, they've grown to become multi-purpose business tools. Spreadsheets allow responders to merge and normalize varied data/artifacts/logs that come from different systems and may have customized formats.
Jake Nicastro and David Pany over at FireEye Mandiant have written two great how-to articles on using Excel for IR:
There are a number of Excel contortions you'll need to get comfortable with, but after some tedious formula building you can accomplish a lot. First, you'll need to convert logs and artifacts from your systems into a standard set of columns, and ensure the date time stamps align correctly. This allows you to see an accurate time ordered list of events. Once the data is normalized you can begin to analyze the results.
Gigasheet has made those same steps a whole heckuva lot easier - reducing the tedious parsing and concatenation to just a few clicks. Since Gigasheet is built for security investigations, we've streamlined many of these common functions. For example, in Gigasheet you can you merge and summarize columns, standardize the date-time to UTC and get unique counts without the need for writing custom formulas. And because it's a cloud-native SaaS application purpose-built for threat research, it scales incredibly well.
Request Early Access to Gigasheet
Seasoned spreadsheet users will recall that Excel taps out at just a few million rows, and unfortunately Google Sheets starts to slow at just a few hundred thousand rows. When you throw in complex formulas and pivot tables, be prepared for some frustration.
So what do you do if you want to work with million+ row spreadsheets? Your options are surprisingly limited. There are some Excel hacks out there, which aren't great. You could write a custom script and/or use a database to analyze the data, but you need the skills, environment, and time to do so. If these options aren't available to you, you'll likely have to get in line for some help from a data science or engineering team. Or maybe you have these options, but the effort isn't worth the benefit (i.e., voluminous logs but low probability of remarkable findings). In that case you might just skip it and move it on to another task...but you probably won't sleep well at night knowing that there might be additional evidence buried in that data somewhere.
Unlike a typical spreadsheet, Gigasheet allows you to work with massive amounts of data; up to a billion rows in a single sheet. We've optimized the application for forensic security data and logs, so it’s able to accommodate massive data sets and recognize security data types. We achieve this impressive scalability through our patent pending design. The backend data store has been optimized to provide speed enhancements of 10x to 100x over traditional general purpose databases. Meanwhile the horizontally scalable design means processing can be automatically distributed across a pool of servers. The frontend is built for security data transformation and analytics, while the backend has been designed for speed and scale.
We've also made it super-easy to enrich artifacts with threat intelligence from third-party sources. This can help you quickly identify false positives, flag known bad's and add more context to IOCs. Want to try Gigasheet for yourself? Sign up to join our beta!