ThreatAI delivers refined, actionable threat intelligence content and knowledge to empower and operationalise your current security monitoring capabilities, without having to invest heavily in new technologies.
ThreatAI is delivered as a subscription-based service in which SkyBlue Security’s expert security analysts continually refine and update Threat Advisories, Security Operations Knowledge Bases, ‘How-To’ Articles, Assured Content and Adversary Tools, Techniques and Procedures (TTP) Indicators, enabling your security monitoring and incident response teams to be fully armed and one step ahead in the ever-evolving cyber threat landscape.
Supporting ArcSight, Splunk, QRadar, Hadoop and Elasticsearch, ThreatAI truly enables your SOC, with optional automation of defined processes, procedures and business-relevant incident transcripts.
The 5 Service Elements
The major elements of ThreatAI break down as follows:
- Actionable Threat Intelligence
- Assured Content
- Malware Analysis
- SOC Enablement
- SOC Automation
- Business Reporting
Adversary Intelligence: understanding who the attackers are, and which organisations, systems and data they are targeting.
Malware Intelligence: how malware operates at a technical level once it is in place.
We often find the missing link in organisations’ Threat Intelligence strategy is the lack, or misuse, of Attack Intelligence. This intelligence plays a critical role in completing the picture by helping us understand the Techniques and Procedures likely to be used to embed the malware in your systems.
Forearmed with knowledge of your adversary’s specific Techniques and Procedures across their Attack Lifecycle – such as Establishing Persistence, Lateral Movement and Privilege Escalation – we can significantly increase the chances of detecting and stopping the threat before the malware is in place and active.
This knowledge is of vital importance and underpins the Kill Chain aligned methodology used in developing SkyBlue Security’s Assured Content.
ThreatAI leverages all three types of Threat Intelligence to deliver actionable Hunt Team Indicators and SIEM Content to your SOC. You are alerted when there is a new threat and are able to download relevant SIEM Content enabling you to rapidly deploy the tools you need to ensure early stage detection and eradication of live threats to your organisation.
With the power of SkyBlue Security’s expertise and the ThreatAI platform as a virtual extension of your SOC, we will significantly accelerate your journey to mature, truly effective Security Monitoring Capabilities.
To find out how, let’s have a look at today’s SOC and ask why we aren’t well prepared for the battle, and why so many compromises have occurred within companies which have monitoring solutions in place.
“24% of SOCs are not providing minimum security monitoring capabilities and 85% not achieving recommended Maturity Levels” (HPE State Of Security Operations Report 2016)
Today’s Typical SOC
Based on the NIST Information Security Maturity Model applied directly to Security Monitoring, we see that SOCs are largely limited to the inner circles (typically, SOCs today have an average CMMI-based score of less than 3). A good sign, though, is that many organisations are now introducing more advanced capability, with Hunt Teams, Technical Threat Intelligence and Metrics being more widely implemented.
This is certainly helping improve detection capabilities but SOCs are still weighed down by the same old problems: lack of highly experienced analysts, poorly deployed SIEM tools, poor quality tool content, too much noise in the monitoring console, lack of defined processes and poor interaction with the wider organisation.
It’s therefore not a surprise that we are still seeing a significant number of high profile breaches. Your adversaries are now typically highly organised, extremely well funded and fully equipped, and with mandatory breach disclosure on the horizon across the EU, we’re likely to start seeing a lot more.
ThreatAI delivers rapid, demonstrable improvements to your security monitoring capability and enables you to get one step ahead of your adversaries.
“Most organizations are overwhelmed by alerts, and 93% are unable to triage all relevant threats.” (McAfee Labs Threats Report, Dec 2016)
The ThreatAI Enabled SOC
ThreatAI enables organisations to rapidly increase their SOC capability levels, realising a real, measurable reduction in risk and TCO:
- Significantly increase the effectiveness of existing security monitoring technologies and people investments.
- Deliver immediate results without having to rip and replace technology or invest heavily in new skills.
- Augment current skills or build a 24*7 SOC with limited resources.
“Foundational security processes [sic] (such as IR or alert triage) maturity must be in place for the SOC to function properly.” (Gartner)
ThreatAI provides a highly cost effective solution to the common problems SOCs face today.
Actionable Threat, Attack and Malware Intelligence combine to deliver ‘On Demand’, Threat Relevant Managed SIEM Content, keeping your monitoring capability fully up to date and putting you one step ahead.
Managed SIEM Content also gives you full access to a library of expertly written, business aligned SIEM Content designed to significantly reduce False Positives and only put meaningful events in front of your analysts.
Analysts are also supported by a vast knowledge base of Security Operations best practices, defined triage processes, ‘how-to’ guides and other relevant content.
Support where analysts are unavailable (outside of 9*5 hours, illness cover, etc.) is delivered by SOC triage and workflow automation capability.
The Hunting and Incident Knowledge Bases provide access to regularly updated TTP-based hunting scripts, giving your analysts the ability to automate threat hunting tasks.