How to Empower Security Operations With Threat Intelligence

October 31, 2018 • Zane Pokorny

Editor’s Note: Over the next several months, we’ll be sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the second chapter, “Threat Intelligence for Security Operations.” To read the full chapter, download your free copy of the handbook.

With the goal of monitoring and analyzing network activity to detect and defeat cybersecurity threats and other anomalies always in mind, the security operations center represents the first line of defense for any organization big enough to have one. And even if your organization is too small to justify the costs of having a dedicated SOC (which can be prodigious), the function of looking out for threats and stopping them is one that nobody can live without.

But the numerous vital functions that SOC analysts perform — tasks like log monitoring, incident response, compliance, penetration and vulnerability testing, key and access management, and so on — can take years of experience to develop competency in. These diverse functions also often run on numerous disconnected systems, leaving analysts to deal with countless streams of data and alert feeds that can overwhelm even the most weathered security practitioner. Analysts yearn for a “single pane of glass” solution — one place where all the tasks they have to deal with show up with the context and timeliness they need to prioritize their work.

Threat intelligence is essential for making this picture a reality. Good threat intelligence provides exactly the context needed to enrich data feeds, reduce alert fatigue, and help SOC analysts work more efficiently and make informed decisions.

The following excerpt on this topic from “The Threat Intelligence Handbook” has been edited and condensed for clarity.

Threat Intelligence for Security Operations

Most security operations center (SOC) teams find themselves hostages to the huge volumes of alerts generated by the networks they monitor. Triaging these alerts takes too long, and many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should.

Threat intelligence provides an antidote to many of these problems. Among other uses, it can be employed to filter out false alarms, speed up triage, and simplify incident analysis.

Responsibilities of the SOC Team

On paper, the responsibilities of the SOC team seem simple:

  • Monitor for potential threats
  • Detect suspicious network activity
  • Contain active threats
  • Remediate using available technology

When a suspicious event is detected, the SOC team investigates, then works with other security teams to reduce the impact and severity of the attack. You can think of the roles and responsibilities within a SOC as being similar to those of emergency services teams responding to 911 calls.

The Overwhelming Volume of Alerts

Over the past several years, most enterprises have added new types of threat detection technologies to their networks. Every tool sounds the alarm when it sees anomalous or suspicious behavior. In combination, these tools can create a cacophony of security alerts. Security analysts are simply unable to review, prioritize, and investigate all these alerts on their own. Because of alert fatigue, all too often they ignore alerts, chase false positives, and make mistakes.

Research confirms the magnitude of these problems. Industry analyst firm ESG asked cybersecurity professionals about their biggest security operations challenge, and 35 percent said it was “keeping up with the volume of security alerts.” In its 2018 State of the SOC report, SIEM provider Exabeam revealed that SOCs are understaffed according to 45 percent of professionals who work in them, and of those, 63 percent think they could use anywhere from two to 10 additional employees. Cisco’s 2018 Security Capabilities Benchmark study found that organizations can investigate only 56 percent of the security alerts they receive on a given day, and of those investigated alerts, only 34 percent are deemed legitimate.

Context Is King

At its heart, threat intelligence for the SOC is about enriching internal alerts with the external information and context necessary to make risk-based decisions. Context is critical for rapid triage, and also very important for scoping and containing incidents.

Triage Requires Lots of Context

A huge part of an average SOC analyst’s day is spent responding to alerts generated by internal security systems, such as SIEM or EDR technologies. Sources of internal data are vital in identifying potentially malicious network activity or a data breach.

Unfortunately, this data is often difficult to interpret in isolation. Determining if an alert is relevant and urgent requires gathering related information (context) from a wide variety of internal system logs, network devices, and security tools, and from external threat databases. Searching all of these threat data sources for context around each alert is hugely time consuming.

Security Monitoring

Key aspects of security monitoring and internal sources of context. (Source: UK NCSC)

Improving the “Time to No”

As important as it is for SOC analysts to gather information about real threats more quickly and accurately, there is an argument to be made that the ability to rapidly rule out false alarms is even more important.

Threat intelligence provides SOC staff with additional information and context needed to triage alerts promptly and with far less effort. It can prevent analysts from wasting hours pursuing alerts based on:

  • Actions that are more likely to be innocuous rather than malicious
  • Attacks that are not relevant to that enterprise
  • Attacks for which defenses and controls are already in place

Some threat intelligence solutions automatically perform much of this filtering by customizing risk feeds to ignore or downgrade alerts that do not match organization- and industry-specific criteria.

Beyond Triage

As well as accelerating triage, threat intelligence can help SOC teams simplify incident analysis and containment.

For example, by revealing that a certain piece of malware is often used by cybercriminals as the first step in an attack on financial applications, the SOC team can start monitoring those applications more closely and home in on other evidence of that attack type.

Get The Threat Intelligence Handbook

The full chapter of the book also features an extensive use case looking at the value of enriching your data (as well as more helpful images and diagrams). Raw threat feeds don’t offer the context needed to evaluate whether an alert is critical to respond to or irrelevant (or a false positive). For analysts who have to respond to countless alerts daily, trying to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline.

To read the full chapter, including this use case, download your free copy of “The Threat Intelligence Handbook” today.