• We’re Hiring
  • Request Demo
  • Support
  • Log In
  • Product keyboard_arrow_down
  • Solutions keyboard_arrow_down
  • Customers
  • Partners
  • Blog
  • Resources keyboard_arrow_down
  • Get started arrow_forward
  • Product
  • apps
    Overview
    Learn more about threat intelligence powered by machine learning
  • blur_on
    Technology
    See how collection from an unrivaled breadth of sources powers risk insights
  • developer_board
    Integrations
    Combine threat intelligence with your existing security technology
  • announcement
    Services
    Let our team of world-class analysts help you apply threat intelligence
  • device_hub
    API
    Connect to our real-time threat data through a flexible rest API
  • create
    Training
    Become an expert in threat intelligence through our educational programs
  • Solutions
    people By Role
  • Incident Response
  • Security Leadership
  • Security Operations
  • Threat Analysis
  • Vulnerability Management
  • extension By Need
  • Brand Monitoring
  • Dark Web Monitoring
  • Indicator Enrichment
  • Third-Party Risk
  • Threat Hunting
  • Threat Intelligence Platform
  • Threat Intelligence Feeds
  • business By Industry
  • Energy
  • Financial Services
  • Government
  • Healthcare
  • Retail
  • Resources
  • email
    Cyber Daily™
    Join over 35,000 subscribers who get daily threat insights by email
  • mic
    Podcasts
    Listen to our podcast to supercharge your threat intelligence knowledge
  • book
    The Book
    Download our new book to learn everything about threat intelligence
  • ondemand_video
    Webinars
    Watch live and on-demand webinars to hear from industry experts
  • how_to_reg
    Grader
    Take this short survey to assess your threat intelligence maturity
  • chrome_reader_mode
    White Papers
    Read our white papers to keep up with the latest threat intelligence advice
  • video_library
    Videos
    Watch our videos to see firsthand the power of threat intelligence
  • menu
    close
    • Product
      • Overview
      • Technology
      • Services
      • Integrations
      • API
      • Training
    • Solutions
      • Threat Analysis
      • Security Operations
      • Incident Response
      • Vulnerability Management
      • Security Leadership
      • Indicator Enrichment
      • Brand Monitoring
      • Threat Hunting
      • Cyber Risk Trends
      • Threat Intelligence Feeds
      • Financial Services
      • Healthcare
      • Retail
      • Energy
      • Government
    • Customers
    • Partners
    • Resources
      • Cyber Daily
      • Webinars
      • Podcasts
      • White Papers
    • Login
    How to Reinforce Your Security Operations Center With Threat Intelligence
    Recorded Future Blog

    How to Reinforce Your Security Operations Center With Threat Intelligence

    By Nick McNulty on December 7, 2018

    In today’s cybersecurity landscape, security information and event management (SIEM) systems have become table stakes for modern security teams in companies of all sizes. Bombarded with an unprecedented amount of internal logging and telemetry data, it is simply impossible for security teams to manage all of that information without the automation that a SIEM can provide.

    By creating a central repository for log data and creating customizable queries for intuitive arrangement of those logs, SIEMs now enable security teams to gain visibility across their organization’s systems in a timely enough manner to turn that telemetry into actionable data points.

    SIEM Integrations

    Popular SIEM integrations with Recorded Future.

    The SIEM has become the first line of human defense from cyberattacks, where events from malicious traffic infiltrating firewall defenses can first be detected. Telemetry from firewalls, intrusion detection systems (IDS), endpoint protection platforms (EPP), and outputs from vulnerability scanners and netflow collection devices can all be ingested by the SIEM and presented to security operations center (SOC) analysts in virtually real time. It is no exaggeration to say that SIEMs are a more powerful tool today than ever before, collecting more formats of log data and at a greater scale than ever before. This is great news for the SOC — or it was, until the sheer volume of logged data and alerts began to overwhelm analysts.

    LogRhythm Integration

    Recorded Future integration with LogRhythm.

    SOC analysts’ primary problem has now become determining which alerts are truly a priority. Analysts must now ask themselves, “How many of these alerts are accurately reflecting a credible threat to the organization, and am I confident enough in my answer to bet my job on it?”

    The problem is, the traditional SIEM deals with looking at internal logs — telemetry from systems owned by the organization. What is often missing is the external threat intelligence data that, when paired with that internal telemetry, can paint a more complete picture of a credible threat hiding in all that log data. By applying accurate threat intelligence to the logs coming into the SIEM and setting alerting thresholds to appropriate levels, the SOC can ensure that their analysts are only reacting to credible threats, and that the low-priority or inaccurate alerts never surface.

    There was a time (not more than a few years ago) when the collection, scrubbing, processing, and consumption of external cyber threat intelligence data was so costly and time-consuming as to be prohibitive for most security organizations worldwide, much as internal telemetry was before the advent of the SIEM — but no longer. Threat intelligence feeds, providers, and aggregators have collectively brought the cost of using threat intelligence down while consistently expanding the applications of its use. This democratization of threat intelligence is no more powerfully reflected than by the widespread adoption of threat intelligence-armed SIEMs.

    IP Address

    An IP address enriched within Splunk through the Recorded Future API.

    By arming SOC analysts with an accurate snapshot of the true level of malicious activity known to be attributed to a particular indicator of compromise (IOC) logged by the SIEM, the analysts can approve decisive action at the SOC level, shielding the organization without wasting precious exposure time or needlessly engaging higher-tier engineers. Equipped in real time with the knowledge that an IP address is, for example, of Russian origin and is part of a suspicious subnet that has no legitimate business communicating with the network, a SOC analyst can confidently take actions that would otherwise be cloudy judgment calls fraught with political risk to their jobs.

    Geolocation Information

    Geolocation information about suspicious IPs within Recorded Future.

    Finally, tapping into cyber threat intelligence enables SOC analysts to feed tangible, empirical evidence of malicious activity associated with an IOC into after-actions and incident response workflows. This eliminates massive amounts of manual collection labor and time as this data moves through the rest of the organization’s security ecosystem. When the blocked activity is reported to the next tier, an enormous amount of forensic data gathering has already been executed at the SOC level, and in a timely enough fashion to be actionable during incident response.

    Dark Web Chatter

    Dark web chatter and more context surrounding suspicious IPs detected by the SIEM, enriched by Recorded Future.

    Enabling SOC analysts to take timely and decisive action at key junctures of a cyber event is a force multiplier for all organizations. Equipped with threat intelligence on their SIEM, SOC analysts can greatly reduce the window of time that their organization is exposed to malicious cyber activity, empowering them to confidently take blocking actions and initiate the next phase of forensic investigation. With modern massive data breaches triggered and executed in mere minutes, every second counts, especially on the front line of the modern security operations center.

    To see how Recorded Future can help bring the power of threat intelligence into your SOC with our many technology partners in the SIEM space, request a personalized demo today.

    Nick McNulty

    Nick McNulty is a senior solutions engineer at Recorded Future.

    Up next:
    Who’s Stealing Your Data? Preventing Fraud With Threat Intelligence

    This excerpt from our book explains how threat intelligence can help prevent fraud and give insight into cybercriminal tactics, techniques, and procedures.

    2 months AGO
    Zane Pokorny
    Cyber Daily Banner
    listRecent Posts
    • How to Build Comprehensive Security Processes With Threat Intelligence

      By Andrew Scott

      on February 15, 2019

    • Third-Party Risk: Keeping Your Friends Close and Your Enemies Not as Close

      By Zane Pokorny

      on February 14, 2019

    • 4 Ransomware Trends to Watch in 2019

      By Allan Liska

      on February 13, 2019

    • How Dragos Protects Industrial Control Systems With Threat Hunting

      By The Recorded Future Team

      on February 12, 2019

    • The Value Proposition of Finished Intelligence

      By Zane Pokorny

      on February 11, 2019

    Copyright © 2019 Recorded Future, INC.
    Product
  • Overview
  • Technology
  • Integrations
  • Services
  • API
  • Resources
  • Blog
  • Cyber Daily
  • Podcasts
  • Webinars
  • White Papers
  • Company
  • About
  • Events
  • Press
  • Contact
  • Jobs
  • Information
  • Support
  • FAQ
  • Terms
  • Privacy
  • Cookies
  • Copyright © 2019 Recorded Future, INC.
    closeclose