July 9, 2019 • Zane Pokorny
Security information and event management (SIEM) platforms have been a great way to pull security event data from across an internal network and put it all in one place for analysts and researchers to dive into. But as networks grow in complexity, it’s getting harder to keep up with the growing number of alerts generated by SIEMs.
To keep up, SIEM users need a better way to prioritize alerts so that they investigate the high-priority ones first. Here, we’ll look at three common problems SIEM users face and explain how threat intelligence helps with each of them.
The number of interconnected systems and processes in the networks of most organizations today means that SIEMs often generate somewhere on the order of thousands of alerts daily. Even if it takes as little as a few minutes to resolve an alert — and it often takes longer — that’s far too many alerts for SOC analysts to get through.
So it’s no surprise that many alerts go completely uninvestigated. One Cisco study found that nearly half of alerts go completely ignored and uninvestigated, and further, that of the legitimate alerts that do get looked at, less than half are actually remediated. It’s just unfeasible to resolve every alert when analysts rely on manual processes for research and resolution.
Automated threat intelligence helps analysts quickly triage alerts by cutting down on the time it takes to manually collect the information they need to take action. Using machine learning and natural language processing, a threat intelligence solution like Recorded Future not only gathers data from a wide range of sources, but also aggregates and correlates it into real-time threat intelligence, reducing false positives and redundancies and helping analysts focus on what’s important.
SIEMs bring together internal network data to generate alerts. It’s essential to have systems in place that can detect suspicious internal activity, but that’s only one half of the picture. Without external context, organizations are unaware of threats that might be just a little ways over the horizon.
Attempting to solve this problem can easily lead to another kind of information overload, though. Organizations that have recognized the need to get external context alongside their internal alerting might take the first step of ingesting threat feeds into their systems. That can be a good starting point, but threat feeds also often lack context, which can add to the analyst’s burden (rather than reducing it) by forcing them to spend more time doing manual research.
Threat feeds are usually undifferentiated lists of raw data on a certain topic, such as suspicious IP addresses, and their sourcing can be dubious. So when correlated with SIEM data, they might introduce a lot of false positive alerts and noise to an already noisy environment. And security analysts and researchers who try to manually monitor external sources of information, like online forums, security blogs and other news sources, and social media, will never get comprehensive coverage.
The right threat intelligence solution gathers data from a huge range of places, including not only open web sources like security blogs, news, and social media, but also technical and dark web sources. This high-fidelity data can be correlated with internal network data from your SIEM to quickly and easily identify unknown threats.
True threat intelligence provides context, not just more information. High-fidelity data from Recorded Future is sorted using risk rules with transparent sourcing to provide much more context than threat feeds, like easy-to-read risk scores and the reasons behind them.
Okay, so you’ve identified that you need to reduce the number of alerts you get. You decide the best way to do this is to get external context to correlate with your internal data and find some threat feeds that you trust to provide higher-fidelity data. Is that enough?
Correlation is critical for identifying threats, but this data has a short shelf life — a matter of hours or even minutes, in some cases. That makes it essential to correlate threat feed data with internal logs in real time, or as close to real time as possible. But this brings us back to the first problem of information overload. It’s just not feasible to do this kind of correlation manually, and analysts who try will often find themselves making tough decisions about what to focus on and what to ignore without enough context.
For example, if you rely only on threat feeds for external context and correlate data from a few weeks ago with your current internal data, you may not find a match. You would instead need to correlate that threat feed data with your data from weeks before to see if your systems were affected.
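The two points above (indicators carrying a risk score with reasons, and correlating an indicator against the log window in which it was actually valid rather than only against today’s data) can be shown in a small correlation routine. This is an added example written for this post, not Recorded Future code; the indicator record shape, the log format and all values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed indicators, shaped like an enriched threat-intel record: a validity
# window plus a risk score and the reasons behind it (hypothetical values).
INDICATORS = {
    "203.0.113.7": {"first_seen": datetime(2019, 6, 10), "last_seen": datetime(2019, 6, 14),
                    "risk": 89, "reasons": ["reported C2 server", "recent malware sample"]},
    "198.51.100.23": {"first_seen": datetime(2019, 7, 8), "last_seen": datetime(2019, 7, 9),
                      "risk": 35, "reasons": ["historical scanner"]},
}

# Constructed SIEM-style connection logs: timestamp, source host, destination IP.
LOGS = [
    "2019-06-12T09:14:02Z host-a 203.0.113.7",
    "2019-07-09T10:01:45Z host-b 198.51.100.23",
    "2019-07-09T10:05:11Z host-c 192.0.2.44",
]


def parse_log(line):
    ts, host, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst


def correlate(logs, indicators, now, lookback_days=1):
    """Match log destinations against indicators, but only where the event falls
    inside the indicator's own validity window. lookback_days=1 is the naive
    'current data only' view; a longer lookback re-checks older logs."""
    matches = []
    for line in logs:
        ts, host, dst = parse_log(line)
        if now - ts > timedelta(days=lookback_days):
            continue  # outside the window of logs being examined
        ind = indicators.get(dst)
        if ind is None:
            continue
        # Count a hit only if the event happened while the indicator was active.
        if ind["first_seen"] <= ts <= ind["last_seen"] + timedelta(days=1):
            matches.append({"host": host, "ioc": dst, "ts": ts,
                            "risk": ind["risk"], "reasons": ind["reasons"]})
    # Highest risk first, so the analyst triages the most important match first.
    return sorted(matches, key=lambda m: m["risk"], reverse=True)


if __name__ == "__main__":
    now = datetime(2019, 7, 9, 12)
    for m in correlate(LOGS, INDICATORS, now, lookback_days=30):
        print(f'{m["host"]} -> {m["ioc"]} risk={m["risk"]} because {", ".join(m["reasons"])}')
```

Run with the default one-day lookback, the high-risk June indicator never matches; with a 30-day lookback the older hit on host-a surfaces and sorts to the top of the triage list.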
An automated threat intelligence solution significantly cuts down research time and provides a much more accurate and comprehensive view of the threat landscape than any researcher could manually map out. When even minutes can make a difference when dealing with a security event, threat intelligence that automatically updates in real time provides an essential edge.
This is just a broad overview of how threat intelligence can help solve many of the problems that SIEM users face. To dive deeper, check out our new solutions brief, “Supercharging SIEM Solutions With Threat Intelligence.”