Security Intelligence Handbook Chapter 4: How Security Intelligence Provides Critical Context for Triage
December 9, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter four, “SecOps Intelligence, Part 1: Triage.” To read the entire section, download your free copy of the handbook.
SecOps and incident response teams operate under enormous pressure. With too many alerts, and too little time or context, they’re stuck in an infinite reaction loop, unable to triage and contain incidents at the speed of business.
It’s a lot like working non-stop on an emergency response team, first triaging emergency alerts to prioritize which ones need immediate attention; then serving as the first responder to determine the scope of the incident, identify affected systems, and make recommendations on next steps; and finally, investigating the event to determine root causes and shore up defenses to prevent similar attacks.
Precision security intelligence empowers security teams to break this never-ending cycle and make faster, more confident decisions — at scale across vast amounts of data — without manual research.
With security intelligence, teams are empowered to discover unidentified threats and triage internal alerts directly within existing SIEM and SOAR technology with relevant, real-time context from across the open and dark web.
See how alert fatigue risks undoing the hard work of SecOps and incident response teams in the following excerpt from “The Security Intelligence Handbook.” In this section, which has been edited and condensed for clarity, you’ll learn how security intelligence reduces wasted time and improves triage decisions:
Triage is a critical but exhausting job for security operations teams. They find themselves held hostage to the huge volumes of alerts generated by the networks they monitor. According to the Ponemon “Cost of Malware Containment” report, security teams can expect to log nearly 17,000 malware alerts in a typical week. That’s more than 100 alerts per hour for a team that operates 24/7. And those are only the alerts from malware incidents. To put these figures in perspective, all these alerts can force security teams to spend more than 21,000 man-hours each year chasing down false positives. That’s 2,625 standard eight-hour shifts needed just to distinguish bad alerts from good ones.
Let’s examine how security intelligence mitigates this overload by filtering out false alarms, speeding up analysis of alerts, and providing context to make better triage decisions.
Responsibilities of the SecOps Team
On paper, the responsibilities of the SecOps team seem simple:
- Monitor for potential threats
- Detect suspicious network activity
- Contain active threats
- Remediate threats using available technology
When a suspicious event is detected, the SecOps team investigates it, then works with other security teams to reduce the impact and severity of the attack. Think of the roles and responsibilities of SecOps as similar to those of emergency services teams responding to 911 calls.
The Overwhelming Volume of Alerts
Over the past several years, most organizations have added new types of threat detection technologies to their networks. Each of these tools sounds an alarm when it sees anomalous or suspicious behavior. In combination, these tools create a cacophony of security alerts. SecOps analysts are simply unable to review, prioritize, and investigate all of these alerts on their own. All too often they ignore alerts, chase false positives, and make mistakes because of alert fatigue.
Research confirms the magnitude of this challenge. In its “2020 State of the SOC” report, SIEM provider Exabeam revealed that security operations centers (SOCs) are understaffed according to 39 percent of professionals who work in them — and of those, 50 percent think they need at least six additional employees. Additionally, Cisco’s “2020 CISO Benchmark Study” found that organizations can investigate only 48 percent of the security alerts they receive on a given day, and of those investigated alerts, only 26 percent are deemed legitimate (Figure 4-2).
Context Is King
SecOps intelligence is security intelligence that is used specifically to support triage by enriching internal alerts with the external information and context necessary to make risk-based decisions. Context is critical for rapid triage, and also very important for scoping and containing incidents.
Triage requires lots of context
A huge part of an average SecOps analyst’s day is spent responding to alerts generated by internal security systems, such as SIEM or endpoint detection and response (EDR) technologies. Sources of internal data are vital in identifying potentially malicious network activity or a data breach.
Unfortunately, this data is often difficult to interpret in isolation. Determining if an alert is relevant and urgent requires gathering related information (context) from a wide variety of internal system logs, network devices, and security tools (Figure 4-3), and from external threat databases. Searching all of these threat data sources for context around each alert is hugely time consuming.
Use case: Correlating and enriching alerts
An analyst attempting to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline. Even when the analyst has access to external information in the form of threat feeds (Figure 4-4), that information is very hard to assimilate and correlate with other data related to the alert.
SecOps intelligence completely transforms this situation. It has the capability to automatically enrich threat data into intelligence and correlate it with alerts, as illustrated in Figure 4-5. The context provided might include first and most recent references to a piece of malware or a suspicious IP address, the number of sightings, associations with attack types and specific threat actors, and descriptions of the behavior of the malware or the uses of the IP address (say, as part of a botnet).
This enrichment enables SecOps analysts to quickly identify the most significant threats and take immediate, informed actions to resolve them.
Enrichment empowers even relatively junior SecOps analysts to “punch above their weight” by making connections that otherwise would have required more experience than they have. It also provides a form of accelerated on-the-job training by supplying in-depth information about the latest threats.
As an example of this upskilling for relatively junior analysts, suppose an alert is generated when an unknown external IP address attempts to connect over TCP port 445. Experienced analysts might know that a recent exploit for SMB has been used by ransomware to propagate itself and would identify the IP as likely to be compromised based on the owner, location, and open source data. An inexperienced analyst might not be able to make these connections unaided, but contextualized intelligence would show the analyst that other devices on the network use SMB on port 445 to transfer files and data between servers. It would also inform the analyst that the new exploit and ransomware have been associated with that IP address.
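The enrichment step described above, written out as an added example (this is not code from the handbook or from any Recorded Future product). It takes the raw SIEM alert from the scenario, an unknown external address connecting to tcp/445, joins it with an intel record and with the organization's own knowledge of which hosts legitimately serve SMB, and emits the context fields the text lists (first and last seen, sightings, associations, behavior) plus a priority. The intel record, the address space, the SMB server list and the priority rules are all constructed assumptions; a real deployment would query a threat intelligence platform and a CMDB instead.

```python
"""Enrich a raw SIEM alert with external intel and internal context before triage.

Added example for this section, not handbook or product code. Everything below
is constructed so that it runs offline: the intel record, the organization's
address space and the SMB server list are assumptions, as are the field names
("sightings", "associations") and the priority rules.
"""
import ipaddress
from datetime import date

# Constructed external intelligence keyed by indicator. 203.0.113.0/24 is the
# TEST-NET-3 documentation range, so this address never belongs to a real host.
THREAT_INTEL = {
    "203.0.113.45": {
        "first_seen": date(2020, 10, 2),
        "last_seen": date(2020, 11, 30),
        "sightings": 37,
        "associations": ["smb-exploit", "ransomware"],
        "description": "Scanner seen delivering an SMB exploit that ransomware uses to spread",
    },
}

# The organization's own address space (assumed RFC 1918). Do not use
# ipaddress.is_private for this check: it also answers True for the
# documentation ranges and other special-purpose blocks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal context: hosts expected to serve SMB to other internal hosts.
INTERNAL_SMB_SERVERS = {"10.0.5.20", "10.0.5.21"}

SERVICE_NAMES = {22: "SSH", 139: "NetBIOS", 445: "SMB", 3389: "RDP"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def enrich_alert(alert: dict, intel: dict = THREAT_INTEL) -> dict:
    """Return a copy of the alert with a 'context' block, a 'priority' and a one-line summary.

    Priority rules (assumed, not from the handbook):
      high   - an external address with an intel hit touches an internal host
      medium - an unknown external address reaches a service that should stay internal
      low    - internal-to-internal traffic to a host expected to serve that port
    """
    src, dst, port = alert["src_ip"], alert["dst_ip"], alert["dst_port"]
    service = SERVICE_NAMES.get(port, f"tcp/{port}")
    context = {
        "service": service,
        "src_internal": is_internal(src),
        "dst_internal": is_internal(dst),
        "dst_expected_smb": port == 445 and dst in INTERNAL_SMB_SERVERS,
    }

    # Look up whichever side of the flow is not ours.
    external = [ip for ip in (src, dst) if not is_internal(ip)]
    indicator = next((ip for ip in external if ip in intel), None)
    if indicator:
        context["intel"] = {"indicator": indicator, **intel[indicator]}

    if indicator and context["dst_internal"]:
        priority = "high"
    elif external and context["dst_expected_smb"]:
        priority = "medium"
    elif context["src_internal"] and context["dst_expected_smb"]:
        priority = "low"
    else:
        priority = "medium"

    who = f"{src} ({'internal' if context['src_internal'] else 'external'})"
    summary = f"{who} -> {dst}:{port} {service}"
    if indicator:
        rec = intel[indicator]
        summary += (f"; {indicator} seen {rec['sightings']} times between {rec['first_seen']} "
                    f"and {rec['last_seen']}, associated with {', '.join(rec['associations'])}")
    if context["dst_expected_smb"]:
        summary += f"; {dst} normally serves SMB to internal hosts"
    return {**alert, "context": context, "priority": priority, "summary": summary}


if __name__ == "__main__":
    # Constructed alert matching the scenario: unknown external IP hitting tcp/445.
    raw = {"src_ip": "203.0.113.45", "dst_ip": "10.0.5.20", "dst_port": 445}
    enriched = enrich_alert(raw)
    print(enriched["priority"], "-", enriched["summary"])
```

The summary line is what a junior analyst gets instead of a bare "external IP -> port 445" event: the same connection to the same file server is low priority from an internal host, medium from an unknown external one, and high once the indicator carries an exploit and ransomware association.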
Shortening the “Time to No”
As important as it is for SecOps analysts to gather information about real threats more quickly and accurately, there is an argument to be made that the ability to rapidly rule out false alarms is even more important.
Security intelligence provides SecOps staff with the context required to triage alerts promptly and with far less effort. It prevents analysts from wasting hours pursuing alerts based on:
- Actions that are likely to be innocuous rather than malicious
- Attacks that are not relevant to their organization
- Attacks for which defenses and controls are already in place
Some SecOps intelligence solutions automatically perform much of this filtering by customizing risk feeds to ignore or downgrade alerts that do not match organization- and industry-specific criteria.
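One way to express that filtering, as an added example that is not from the handbook or from any vendor's risk feeds: a small rule set that takes an already enriched alert and decides whether it can be closed, lowered in priority, or must go to an analyst. The three rule groups follow the three bullets above (likely innocuous, not relevant to this organization, already defended). The organization profile, asset inventory, edge firewall policy, intel record and alerts are all constructed, and the rule logic is an assumption about how such criteria can be encoded. The example also handles the caveat a practitioner would raise: "blocked at the firewall" only closes an alert when the sensor that fired sits outside that firewall.

```python
"""Rule-based "time to no": decide quickly whether an enriched alert can be closed,
downgraded, or must be escalated to an analyst.

Added example for this section, not handbook or product code. The scanner list,
firewall policy, asset inventory, intel record and alerts are all constructed so
the script runs offline; the rules themselves are an assumption about how the
three categories in the text can be expressed.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_SCANNERS = {"10.0.9.5"}          # our own vulnerability scanner (constructed)
EDGE_BLOCKED_INBOUND = {139, 445, 3389}   # ports the edge firewall drops from the internet

# Constructed asset inventory (a CMDB in practice).
ASSETS = {
    "10.0.5.20": {"os": "windows", "role": "file-server", "smbv1_enabled": False},
    "10.0.5.21": {"os": "windows", "role": "file-server", "smbv1_enabled": True},   # legacy
    "10.0.7.33": {"os": "linux", "role": "web-server", "smbv1_enabled": False},
}

# Constructed intel record as an enrichment step would attach it; 'targets' lists
# the preconditions the associated exploit needs on the victim.
SMB_EXPLOIT_INTEL = {
    "associations": ["smb-exploit", "ransomware"],
    "targets": {"os": "windows", "smbv1_enabled": True},
}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def make_alert(src, dst, port, sensor, intel=None):
    """Build an enriched alert in the shape triage() expects (constructed input)."""
    return {"src_ip": src, "dst_ip": dst, "dst_port": port, "sensor": sensor,
            "context": {"src_internal": is_internal(src), "intel": intel}}


def triage(alert):
    """Return (decision, reason); decision is 'close', 'downgrade' or 'escalate'."""
    src, dst, port, sensor = alert["src_ip"], alert["dst_ip"], alert["dst_port"], alert["sensor"]
    intel = alert["context"].get("intel")
    src_internal = alert["context"]["src_internal"]

    # Likely innocuous: our own authorized scanner.
    if src in APPROVED_SCANNERS:
        return "close", f"{src} is an approved internal scanner"

    # Already defended at the edge. Applies only to a sensor outside the firewall;
    # the same flow seen on an internal sensor means the control did not hold.
    if not src_internal and port in EDGE_BLOCKED_INBOUND and sensor == "edge-outside":
        return "close", f"edge firewall drops inbound tcp/{port}; seen only outside the perimeter"

    asset = ASSETS.get(dst)
    if asset is None:
        return "escalate", f"{dst} is not in the asset inventory, nothing can be ruled out"

    # Likely innocuous: internal hosts are expected to reach file servers over SMB,
    # but lateral movement looks the same, so this is lowered rather than closed.
    if src_internal and port == 445 and asset["role"] == "file-server" and not intel:
        return "downgrade", f"expected internal file-share traffic to {dst}"

    if intel:
        targets = intel.get("targets", {})
        mismatch = {k: asset[k] for k, v in targets.items() if k in asset and asset[k] != v}
        # Not relevant: the exploit needs an OS this host does not run.
        if "os" in mismatch:
            return "close", f"{dst} runs {asset['os']}, the associated exploit targets {targets['os']}"
        # Already defended on the host: a feature the exploit needs is disabled.
        if mismatch:
            feature = next(iter(mismatch))
            return "downgrade", f"{feature}={asset[feature]} on {dst}, but the traffic still reached it"
        return "escalate", f"{dst} meets every precondition of {', '.join(intel['associations'])}"

    return "escalate", "no rule could rule this alert out"


if __name__ == "__main__":
    ext = "203.0.113.45"   # documentation range, constructed attacker address
    for alert in (
        make_alert("10.0.9.5", "10.0.5.20", 445, "internal"),
        make_alert(ext, "10.0.5.20", 445, "edge-outside", SMB_EXPLOIT_INTEL),
        make_alert(ext, "10.0.5.20", 445, "internal", SMB_EXPLOIT_INTEL),
        make_alert(ext, "10.0.5.21", 445, "internal", SMB_EXPLOIT_INTEL),
        make_alert(ext, "10.0.7.33", 445, "internal", SMB_EXPLOIT_INTEL),
    ):
        decision, reason = triage(alert)
        print(f"{decision:9} {alert['src_ip']} -> {alert['dst_ip']}:{alert['dst_port']}  ({reason})")
```

Every decision carries its reason, so a closed alert is still auditable, and only the legacy file server with SMBv1 enabled reaches an analyst as an escalation; the same source hitting a patched or non-Windows host is ruled out in one pass instead of after an hour of manual lookups.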
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, vulnerability management, threat intelligence, third-party risk management, security leadership, and more.