With cyber security breaches making headline news on a regular basis, the need for sustained and actionable threat intelligence becomes more and more critical.
Organizations are struggling with the amount of threat information available from hundreds of sources, with many different types and formats to collect and decipher. The lack of consistency in an effective threat intelligence program places great pressure on the analyst at the coalface trying to collect and use intelligence from hundreds of sources. It also affects the overall activity of security operations and the effort diverted from identification and triage using tools that need attention. The CISO needs to show the effectiveness of the entire security effort, but how much value is there in reporting blocked intrusions when the ones that have been missed may be the ones that cause the most damage?
There is a lot of pressure on the security analyst to provide threat intelligence that is actionable and automated: on one hand a vast amount of data from ‘intelligence’ sources, and on the other hand a lot of data hitting the monitoring console.
Dumping lots more data onto an already overwhelmed analyst isn’t going to help.
There are different views on what needs to be included in a threat intelligence capability. Identifying the rogue email that carried the payload is one way. The greater value is in finding where the payload originated from, implementing a means to identify indicators that relate to that information, and implementing an actionable response that performs detection, triage and prevention. But how do we do all this and get to the information that counts whilst still dealing with the day-to-day of our monitoring and hunting tasks?
Let’s look at the analyst and the challenges the analyst faces in supporting an effective threat intelligence capability.
Identification and collection
There are so many places to look. Threat feeds from organizations, vendor notifications, vulnerability advisories, paid subscriptions, bulletin boards, Twitter, security blogs and news agencies all provide information on the latest threats and hacks. In many cases the dark web is overlooked, and the analyst is left to rely on the advice of these sources for information on pending and relevant activities by hacking groups. There is more information to sort through each and every day. Identifying the right information becomes a hard task when there is so much to collect and review.
Determining what is important to the organization will help direct the effort. I have seen many instances of organizations using ISAC threat feeds for their industry being distracted by other feeds because they contained more information. A financial organization may have threat feeds full of credit card breaches. Are these applicable to a health care organization? Or does that organization require different intelligence applicable to health? Does it matter where the threats originate? A focus on deciphering what is important to the organization will narrow the search to applicable threat intelligence.
Already the analyst is challenged by the amount and type of data before any tangible response can be effected. Selecting the right intelligence to action is hard enough. Creating a way to identify, triage and block any activity based on the selected intelligence is a bigger task. The appropriate action relies on creating effective use cases against the intelligence selected, and then creating processes to effect a response using available tools and capabilities. For the SOC, this becomes a question of how quickly the desired response can be devised, and whether the technologies and manpower exist to create the response, automate the response and alerting mechanisms, and implement them.
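To make the two steps above concrete (select the intelligence that applies to this organization, then turn it into a use case that detects and triages matches), here is a small added example. It is illustrative code written for this article, not Cycept's product or methodology. The feed entries, the sector tags, the confidence scores and the proxy log lines are all constructed for the example, and the simple "timestamp source destination action" log layout is an assumption.

```python
"""Added example (not Cycept's code): select feed entries relevant to one
organization, then match the chosen indicators against sample proxy logs.
All feed entries, sector tags, confidence scores and log lines are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Indicator:
    value: str        # IP address, domain or file hash
    kind: str         # "ip", "domain" or "sha256"
    source: str       # feed that supplied the indicator
    sectors: set      # industries the feed says are targeted; "any" means everyone
    confidence: int   # 0-100 as reported by the feed
    description: str  # why the feed published it


# Constructed feed entries standing in for several consolidated sources.
FEED = [
    Indicator("203.0.113.7", "ip", "isac-health", {"healthcare"}, 90, "C2 node seen in phishing wave"),
    Indicator("bad-invoice.example", "domain", "vendor-blog", {"any"}, 70, "credential phishing page"),
    Indicator("198.51.100.21", "ip", "card-fraud-feed", {"finance", "retail"}, 95, "carding infrastructure"),
    Indicator("a" * 64, "sha256", "isac-health", {"healthcare"}, 60, "loader hash from reported sample"),
]

# Constructed proxy log lines in an assumed "timestamp source destination action" layout.
LOGS = [
    "2024-01-10T09:01:02 10.0.0.5 203.0.113.7 ALLOW",
    "2024-01-10T09:01:09 10.0.0.8 bad-invoice.example ALLOW",
    "2024-01-10T09:02:15 10.0.0.9 198.51.100.21 ALLOW",
    "2024-01-10T09:03:44 10.0.0.5 intranet.example ALLOW",
    "this line is malformed and must not break the scan",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<action>\S+)$")


def select_relevant(feed, sector, min_confidence=50):
    """Keep indicators aimed at this sector (or at everyone) that meet the confidence floor.

    This is the 'what matters to the organization' filter: a finance-only
    carding indicator is dropped for a healthcare organization."""
    return [i for i in feed
            if ("any" in i.sectors or sector in i.sectors) and i.confidence >= min_confidence]


def build_index(indicators):
    """Map indicator value -> Indicator so each log line costs one dictionary lookup."""
    return {i.value: i for i in indicators}


def match_logs(index, logs):
    """Return one alert per log line whose destination is a selected indicator.

    Priority is derived from feed confidence so the analyst sees the most
    trustworthy hits first instead of a flat list."""
    alerts = []
    for line in logs:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        hit = index.get(m.group("dst"))
        if hit:
            alerts.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "indicator": hit.value,
                "source": hit.source,
                "priority": "high" if hit.confidence >= 80 else "medium",
                "why": hit.description,
            })
    return alerts


def run(sector):
    """Whole use case for one organization: relevance filter -> index -> match."""
    return match_logs(build_index(select_relevant(FEED, sector)), LOGS)


if __name__ == "__main__":
    for alert in run("healthcare"):
        print(alert)
```

Running it for a healthcare organization raises two alerts (the healthcare ISAC C2 address and the sector-agnostic phishing domain) and stays silent on the carding infrastructure that only a finance or retail organization would care about; swapping the sector to "finance" flips that selection. The malformed fifth log line is skipped instead of stopping the scan, which is the behaviour you want from anything that runs unattended in a lean SOC.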
At this point, the threat intelligence program comes to depend on the availability of skilled personnel to identify, collect and apply effective responses to threats. For a SOC that is running lean, or does not have 24×7 monitoring, this becomes the point where responses become fragmented and the organization remains exposed to the identified threat.
It is one thing to spend so much time identifying threats, but what is the actionable and applicable response required for the organization? And can that response be developed quickly and with enough quality to ensure effective protection against the threat?
The cyber security industry is still playing catch-up. There are thousands of sources from which to obtain threat feeds, but it takes more than collecting and consolidating them. The industry needs a way to consolidate these feeds and establish their relevance in order to produce intelligence that is both relevant and actionable for the organization. The intelligence needs to relate to the requirements and specifications of the organization, and then needs to be implemented quickly, before the threat is realized within the organization’s environment.
Cycept can help
Cycept provides methodologies, technologies and support from highly skilled and respected people from the security operations theater, who recognize the difficulty in developing relevant content and solutions to address the needs of every industry. Cycept can develop automated capabilities for the organization to harness threat information, develop relevant and actionable intelligence, and provide the content needed to raise alerts against that intelligence for every SOC.