Automating Threat Intelligence Prioritization Allows You to Proactively Deploy Appropriate Intelligence to the Right Tools
As a security analyst, you’re probably stuck in the security operations doldrums. You spend 80 percent of your time doing repetitive, administrative tasks and only 20 percent (if you’re lucky!) on investigative, challenging and rewarding work that stops the bad guys and keeps your organization more secure. Security leaders suffer the effects of the security operations doldrums as well. Here’s an all too familiar scenario.
Every day security teams are bombarded with a massive amount of log and event data from each point product within your layers of defense and/or your SIEM. Not to mention the millions of threat-focused data points from commercial sources, open source, industry and existing security vendors that can be used to contextualize and prioritize these alerts. The noise level is deafening. You can’t – nor should you – investigate everything. So, you go with your gut, and pursue what seems high priority. You start the tedious and time-consuming process of manually correlating logs and events to see what is relevant and merits further investigation. Inevitably you uncover conflicting information, and confusion mounts as data and activity is referred to differently by different systems and teams across your security operations. This happens all day, every day.
Security leaders must deal with the fallout. From a security perspective, your teams are bogged down in mundane tasks and reacting to alerts. They don’t have the time to combat real threats and conduct investigations quickly to mitigate risk, or to proactively strengthen defenses. From a human resources perspective, you also feel the pain. The existing cybersecurity talent shortage makes it difficult to hire more people to share the burden and equally difficult to retain the talent you have. As employees become less engaged they are less productive and more likely to leave. Turnover is expensive – costing companies up to 200 percent of an employee’s annual salary. So how do you overcome the security operations doldrums? Flip the equation so security teams spend 80 percent of their time on investigative, challenging and rewarding work and only 20 percent on repetitive, administrative tasks. To do this you need automation.
There’s a lot of talk in the security industry about automation. It helps you get more from the people you have – handling time-intensive manual tasks so they can focus on high-value, analytical activities. But if you automate too late in the security lifecycle your efforts could backfire. You need to introduce automation early, beginning with contextualizing alerts and events for prioritization. And how do you add context? Through threat intelligence, which has become the foundation to the activities your security operations center handles.
By starting with prioritization of threat intelligence to ensure relevance to your company and your environment, you can then understand which alerts are higher in priority than others. Because you need to use multiple sources of threat intelligence, you need a single platform to manage and automate the process. Applying automation to score and prioritize the massive amounts of threat data teams are bombarded with continuously not only eliminates a lot of the manual tasks to determine relevance, it also helps cut down on the noise. Intelligence feed vendors may provide “global” scores but, in fact, these can contribute to the noise since the score is not within the context of your company’s specific environment. Worse yet, when uploaded to your SIEM or sensor grid they can generate more noise in the form of false positives and security operators end up chasing ghosts. By applying automation early, security analysts have the context they need to understand real threats faster and can investigate only the high priority alerts.
Automating threat intelligence prioritization also allows you to proactively deploy the right intelligence to the right tools with greater speed and confidence. You can immediately and automatically update your sensor grid (i.e., firewalls, IPS/IDS, routers, web and email security, endpoint, etc.) and alleviate much of the manual and fragmented effort typically required. Security personnel can stay focused on their priorities instead of having to stop what they are doing to log into each tool to upload, test and deploy the latest intelligence. Depending on the amount of data and your security infrastructure, automation can optimize processes that would otherwise require a small army of full-time security analysts to do manually.
When security teams and automation come together early in the security lifecycle, you’re positioned for success. You spend less time in alert triage and more time using threat intelligence to accelerate security operations. That 20 percent becomes 50, 60 or even 80 percent, allowing you to do more with the talent you have – and do it better and faster. With security effectiveness measured by mean time to detection (MTTD) and mean time to response (MTTR), shedding the security operations doldrums mitigates risk to your organization and your team.