Lab Test Reveals 10x Productivity Gain From Real-Time Threat Intelligence for SIEMs

Posted: 13th September 2016

Industry's first lab test measuring productivity gains from threat intelligence.

Key Takeaways

  • Independent test shows applying real-time threat intelligence powered by machine learning cuts analyst time to triage a security event from a firewall log from three minutes to 1.2 seconds on average (in a controlled environment), resulting in a 10 times gain in productivity.
  • A typical organization with only 100 devices could generate over 2,500 outbound logs per hour. These numbers quickly add up as the organization size increases. SOCs are unable to effectively examine some logs, such as firewall logs, as it is too much data with insufficient context to identify relevant threats hidden within them.
  • Real-time threat intelligence can be automatically applied to potential indicators of compromise in these logs by enriching them with external context and quantifying risk. These decisions can be made by a machine-learning engine that generates relevant intelligence in real time from the entire web, across all languages.

Operational defenders want threat intelligence to add tangible and quantifiable value to their organization’s security. As a provider of real-time threat intelligence, we strive to provide measurable benefits to our customers, who have reported back some impressive results.

For example, one customer went on record to say that Recorded Future helped reduce the amount of malicious traffic entering their network by 63 percent.

Inspired by the anecdotal feedback from our customers, we commissioned Codis Technologies, an information security consulting firm specializing in incident detection, incident recognition, and process automation, to conduct a lab test to measure the quantifiable value — in terms of productivity and security — that a SOC (security operations center) analyst gains from integrating Recorded Future with a SIEM (security information and event management) solution.

The results showed that one SOC analyst, in a controlled environment, experienced a 10 times gain in productivity after Recorded Future real-time threat intelligence was integrated with a SIEM.

For the lab test use case, Codis Technologies chose to apply threat intelligence to firewall logs in a SIEM. Effective monitoring of firewall logs enables organizations to detect relevant threats that could otherwise be missed.

However, creating actionable security events from these high-volume/low-context log sources is a time-consuming challenge, especially when firewalls usually account for 50 percent or more of daily log volume. The lab test compared the effort required to triage the same report both with and without Recorded Future and found an increase in analyst productivity and additional security benefit when Recorded Future was used.

To make the test more realistic, Codis Technologies also enriched the same report with free OSINT (open source intelligence) feeds, which did not significantly change our findings with Recorded Future. What makes this possible is Recorded Future’s threat intelligence powered by machine learning, which provides automation, rich context, and risk prioritization that is unmatched by predominantly manual means and existing technologies.

To review the full independent lab test, download the report.

We would love to hear your questions, comments, and suggestions on the report so feel free to email us at info [at] recordedfuture [dot] com. You can also request a personalized live demo.