How to Empower Your SOC With Security Intelligence

Posted: 21st January 2020

Editor’s Note: Over the next several weeks, we’ll be sharing excerpts from the newly released second edition of our popular book, “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program.” Here, we’re looking at the third chapter, “Threat Intelligence for Security Operations.” To read the entire chapter, download your free copy of the handbook.

Recent industry statistics underscore the acute need for a shift toward a security intelligence approach to help security teams amplify and streamline efforts while accelerating risk reduction. This is particularly true for the security operations center (SOC), which is often an organization’s first line of defense against cyber threats.

SOC analysts perform a host of vital functions — log monitoring, incident response, compliance, penetration and vulnerability testing, key and access management, and more — many of which run on disconnected systems. Even the most experienced security practitioner cannot effectively research and triage the thousands of alerts that come from these disparate feeds each day.

In fact, most SOC teams can only investigate 56% of the alerts they receive, and only 34% of investigated alerts are deemed legitimate. As much as 25% of a security analyst’s time is spent investigating false positives, meaning for every hour an analyst works, they waste 15 minutes chasing false positives instead of addressing real threats that put their organization at risk. In 2019, this has led five times as many SOC analysts to believe their primary job responsibility is to “reduce the time it takes to investigate alerts.” That approach is taking a serious toll on an already overworked and understaffed workforce. Eight out of 10 security teams report that their SOC has experienced at least 10% and up to more than 50% analyst churn in the past year.

To help turn the tide, analysts need a “single pane of glass” solution — one place where all the tasks they have to deal with show up with the context and timeliness they need to prioritize their work. Intelligence is key to making this a reality, by providing the right context at the right time to help SOC analysts work faster and smarter — not harder. Armed with real-time threat intelligence, organizations can empower a more productive and engaged workforce, attract and retain top talent, and close the gap between end-user expectations and experiences — without adding a burden on IT security.

The following excerpt from “The Threat Intelligence Handbook: Moving Toward a Security Intelligence Program” has been edited and condensed for clarity.

Threat Intelligence for Security Operations

Most security operations center (SOC) teams find themselves hostages to the huge volumes of alerts generated by the networks they monitor. Triaging these alerts takes too long, and many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should.

Threat intelligence provides an antidote to many of these problems. Among other uses, it can be employed to filter out false alarms, speed up triage, and simplify incident analysis.

Responsibilities of the SOC Team

On paper, the responsibilities of the SOC team seem simple:

  • Monitor for potential threats
  • Detect suspicious network activity
  • Contain active threats
  • Remediate using available technology

When a suspicious event is detected, the SOC team investigates, then works with other security teams to reduce the impact and severity of the attack. You can think of the roles and responsibilities within a SOC as being similar to those of emergency services teams responding to 911 calls.

The Overwhelming Volume of Alerts

Over the past several years, most enterprises have added new types of threat detection technologies to their networks. Every tool sounds the alarm when it sees anomalous or suspicious behavior. In combination, these tools can create a cacophony of security alerts. Security analysts are simply unable to review, prioritize, and investigate all these alerts on their own. Because of alert fatigue, all too often they ignore alerts, chase false positives, and make mistakes.

Research confirms the magnitude of these problems. Industry analyst firm ESG asked cybersecurity professionals about their biggest security operations challenge, and 35 percent said it was “keeping up with the volume of security alerts.” In its 2018 State of the SOC report, SIEM provider Exabeam revealed that SOCs are understaffed according to 45 percent of professionals who work in them, and of those, 63 percent think they could use anywhere from two to 10 additional employees. Cisco’s 2018 Security Capabilities Benchmark study found that organizations can investigate only 56 percent of the security alerts they receive on a given day, and of those investigated alerts, only 34 percent are deemed legitimate.

Context Is King

At its heart, threat intelligence for the SOC is about enriching internal alerts with the external information and context necessary to make risk-based decisions. Context is critical for rapid triage, and also very important for scoping and containing incidents.

Triage Requires Lots of Context

A huge part of an average SOC analyst’s day is spent responding to alerts generated by internal security systems, such as SIEM or EDR technologies. Sources of internal data are vital in identifying potentially malicious network activity or a data breach.

Unfortunately, this data is often difficult to interpret in isolation. Determining if an alert is relevant and urgent requires gathering related information (context) from a wide variety of internal system logs, network devices, and security tools, and from external threat databases. Searching all of these threat data sources for context around each alert is hugely time consuming.

Security Monitoring

Key aspects of security monitoring and internal sources of context. (Source: UK NCSC)

Improving the 'Time to No'

As important as it is for SOC analysts to gather information about real threats more quickly and accurately, there is an argument to be made that the ability to rapidly rule out false alarms is even more important.

Threat intelligence provides SOC staff with additional information and context needed to triage alerts promptly and with far less effort. It can prevent analysts from wasting hours pursuing alerts based on:

  • Actions that are more likely to be innocuous rather than malicious
  • Attacks that are not relevant to that enterprise
  • Attacks for which defenses and controls are already in place

Some threat intelligence solutions automatically perform much of this filtering by customizing risk feeds to ignore or downgrade alerts that do not match organization- and industry-specific criteria.

Beyond Triage

As well as accelerating triage, threat intelligence can help SOC teams simplify incident analysis and containment.

For example, by revealing that a certain piece of malware is often used by cybercriminals as the first step in an attack on financial applications, the SOC team can start monitoring those applications more closely and home in on other evidence of that attack type.

Get 'The Threat Intelligence Handbook'

The full chapter of the book also features an extensive use case looking at the value of enriching your data (as well as more helpful images and diagrams). Raw threat feeds don’t offer the context needed to evaluate whether an alert is critical to respond to or irrelevant (or a false positive). For analysts who have to respond to countless alerts daily, trying to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline.

To read the full chapter, including this use case, download your free copy of “The Threat Intelligence Handbook” today.