Manual Labor Mistakes Can Ruin Your Threat Intelligence Program (Part 2)
May 31, 2019 • The Recorded Future Team
A real problem exists in the IT security world today: too much data.
Data is being added to the internet at a frightening rate, with one fairly recent study showing that around 2.5 exabytes are being added daily. That’s 2.5 quintillion bytes. The Library of Congress currently holds a comparatively meager three petabytes of data in its entire digital collection, of which only 10 terabytes is books.
Some (very rough, back-of-the-napkin) calculations show that if you wanted to read all those books in the Library of Congress — just the books — it would take you somewhere around 52,500 years. From that alone, we don’t really need to crunch any more numbers to see that no realistic number of people could ever keep up with all the content being added to the internet.
Certainly, a huge proportion of that data is made up of images, videos, or content that isn’t human-readable, but it’s still the case that a massive amount of new text is being added to the internet just about every moment.
For cybersecurity, the inference is that if you want to stay on top of the ever-changing threat landscape, manually reading some security blogs and checking a few threat feeds will never come close to being comprehensive. What’s needed is real-time, automated threat intelligence.
In the first blog of this three-part series, we covered some mistakes that can be made when defining threat intelligence. Here, we’ll examine three mistakes organizations often make when beginning to use threat intelligence but still mostly relying on the muscle of their human analysts: thinking that alert fatigue can be overcome by hiring more people, not relying on automation for repetitive tasks, and not using automation for correlation to get important context.
Mistake 1: Thinking More Manpower Is the Answer to Alert Fatigue
The answer to alert fatigue is never to hire more analysts.
Why? First, as the numbers above show, dealing with alerts and information by assigning more humans is not scalable.
And beyond that, if you have poor processes and technologies in place, no quantity of analysts will ever be enough to save your threat intelligence program. Not only will you still likely never get the high-quality, actionable outputs you need, but you’ll also find you’re constantly having to replace threat analysts as they become frustrated and find positions elsewhere.
Don’t assume more analysts (even very good ones) can make up for processes and technologies that aren’t fit for purpose. Look to automated threat intelligence solutions that make up for the shortcomings of human analysts and augment their strengths.
Mistake 2: Having Too Many Manual Processes
Even when threat alerts have been augmented and rationalized using technology, manual processes can kill the efficiency of your threat intelligence program.
If a process takes “just a few minutes,” but has to be completed dozens of times each day, it’s a huge time waster for your threat analysts.
Defining (and refining) a strong set of processes is a given. The real key to cutting out manual processes, though, is integration. Powerful threat intelligence solutions integrate with your existing security technologies, and take away the manual burden of completing repetitive tasks such as adding new rules to a firewall or EDM, or highlighting suspicious connection requests.
Mistake 3: Lack of Context
Lack of context is public enemy number one for threat intelligence programs. Without context, it is difficult or impossible to triage alerts, determine which are false positives or redundancies and which need immediate remediation, or evaluate how reliable a risk score or report is. This leads to wasted analyst time, analyst overwhelm, and ultimately, alert fatigue.
To be useful, threat data and information usually needs to be considered in combination with a variety of related insights. Generally, it’s the act of combining a series of data points and information that creates an actionable intelligence output.
Unfortunately, a lot of this work often falls to human analysts. Threat intelligence products made by analysts, like reports, generally have a high level of context but also take a great deal of time to produce. On the other hand, threat feeds produce alerts at a phenomenal rate, but these alerts lack the insight and context to be actionable in isolation.
Powerful threat intelligence programs are produced by a combination of human analysts and modern technologies. Technology takes care of the procedural heavy lifting associated with collecting, categorizing, and correlating threat data, and human analysts do what they do best — draw conclusions from intelligence outputs and take action.
Having high-quality analysts is essential to the success of any threat intelligence program, but there is no avoiding the need for equally high-quality processes and technologies.
In order to truly excel, threat intelligence programs require a threat intelligence solution that is capable of combining outputs from multiple sources to produce pre-contextualized alerts. A variety of technologies make this possible — AI, machine learning, and natural language processing to name a few — and the result is a massive reduction in the time analysts must spend on manual, repetitive tasks.
And when analysts are freed from the shackles of error-prone manual processes, they have a far greater opportunity to add value to their threat intelligence program.
See What a Threat Intelligence Solution Can Do
Recorded Future is a threat intelligence solution that solves these problems. Using machine learning and natural language processing, it gathers data from across the open and dark web, as well as technical sources, and compiles those billions of data points into threat intelligence that’s contextual and easy to interpret, and that updates in real time.
For more information on the Recorded Future® Platform, request a personalized demo today.