The Industry Needs a Common Understanding of How to Best Put Threat Intelligence Into Practice
“Knowledge is of no value unless you put it into practice.” When Russian author Anton Chekhov said this more than a century ago, he very well could have been speaking of threat intelligence.
More than 80 percent of cybersecurity professionals polled by SANS (PDF) say that threat intelligence is providing them value. Most organizations are seeing value simply by aggregating massive volumes of global threat data into a central repository for sharing. But that’s just scratching the surface of what threat intelligence can do for you. Threat intelligence can accelerate security operations, and that’s when the value really emerges. Here are five common security operations challenges you can address when you put threat intelligence into practice.
1. Alert overload – Multiple studies point to the fact that security professionals are being overwhelmed by alerts. Most recently, the Cisco 2018 Security Capabilities Benchmark Study found that on average, 44 percent of alerts are not investigated and of those investigated and deemed legitimate, nearly half (49 percent) go un-remediated. Typically, it is the security operators within the Security Operations Center (SOC) that find themselves drowning in data as they undertake the onerous task of manually correlating logs and events for investigations and other activities. By augmenting and enriching external data automatically with events and associated indicators from inside your environment, you gain context to understand the who, what, where, when, why and how of an attack. You can use threat scores to whittle down the data set further. However, relying on generic, “global” scores from intelligence feed vendors can actually create noise as well as false positives since the scores are not within the context of your specific environment. Using customized threat scores based on parameters you set (for example around indicator source, type, attributes and context, as well as adversary attributes) allows you to prioritize threat intelligence for great focus and decision making.
2. False positives – Wasting resources chasing ghosts in the form of false positives, is costly. In fact, research by Ponemon ranks false positives as the number one “hidden” cost of endpoint protection. Customized threat scores allow you to focus on what’s relevant to your organization and prioritize threat intelligence to start to reduce false positives, but you can go even further. Automatically sharing relevant and prioritized threat intelligence with your existing case management tool or SIEM allows these systems to perform more efficiently and effectively and deliver fewer false positives.
3. Gaps in defenses – In spite of the multiple point products that organizations deploy as part of a defense-in-depth strategy, the volume and velocity of compromises and breaches continue to increase. These layers of protection are largely unintegrated, operate in silos and are difficult to manage, creating gaps in defenses. Threat intelligence can serve as the glue to integrate these disparate technologies, sharing the right intelligence with the right tools at the right time. Exporting curated threat intelligence directly to your sensor grid, (firewalls, anti-virus, IPS/IDS, web and email security, endpoint detection and response, NetFlow, etc.) allows these tools to generate and apply updated policies to mitigate risk. You can take a proactive and anticipatory approach to defense to more effectively prevent attacks in the future.
4. Knowledge transfer – In addition to security tools, security teams also typically operate in silos which prevents them from being able to share knowledge and work together. However, when team members can work in a single environment, sharing the same pool of threat data and evidence, they can conduct investigations collaboratively. Seeing the work of others and sharing insights, they can detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. They can also store a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs) which can serve as a centralized memory to facilitate future investigations.
5. Chaotic environments – When the time comes to take action, most security operations or investigations occur amidst chaos as teams act independently and inefficiently. A single, shared environment where managers of all the security teams can see the analysis unfolding, allows them to coordinate tasks between teams and monitor timelines and results. Threat intelligence analysts, security operations centers (SOCs) and incident responders can work together to take the right actions faster, reducing the time to response and remediation.
The industry widely shares the belief that threat intelligence provides value. Now what we really need to share is a common understanding of how to put threat intelligence into practice to address some of our thorniest security operations challenges. The answer lies in the ability to use threat intelligence to provide greater focus, better decision making and collaboration throughout the threat analysis and incident response processes.