How Relativity Powers Up Their SIEM With Threat Intelligence

Interviewer:

How can security operations, incident response, or vulnerability management teams use threat intelligence to work more effectively, more quickly? What are some challenges they face that are solved by threat intelligence?

Darian Lewis:

All of those teams need access to threat intelligence. Without it, they just don’t understand what they’re looking at. The volumes of data have grown from a couple hundred megabytes a day in logs to terabytes of logs. There’s absolutely no way that individuals can go through that volume of data.

The tools that we use bring it all together in one place, but to understand it, you need the intelligence component. It used to be that we would wonder whether companies were mature enough to actually digest threat intelligence, but these days that’s not even a concern. You simply have to. And it has to be integrated with the data that you have in order to get understanding out of it.

From the ground level, analysts looking at a new IP that’s coming in, or a new domain that people are trying to go out to, need to understand what the actual risk is to the company. And the only way to do that is by having threat intelligence integrated directly into the products that they’re using, because they don’t have the time to go hunt it down.

No analyst can go through thousands of incidents a day. We’ve got to get that down to literally dozens at most, so that they can spend the time to work on the things that are important.

Interviewer:

You brought up this idea of maturity — do organizations, or security practitioners in particular, need a certain level of experience or maturity to effectively tackle these problems?

Darian Lewis:

A lot of the maturity in the industry has grown, like I said, from people needing to understand every technical aspect. It’s been baked into our tool sets. At this point in the game, we’re mostly “toaster” users — people are simply expected to click the button.

However, that’s not what real analysts do. Our goal is to answer questions — specific questions. Sometimes companies ask us very complicated things, like, “Who’s coming after us? What do they want? Where are our weak spots?” Those are not easy questions to answer. They take a lot of research, a lot of time spent to find out what the answers to those kinds of questions are. Threat intelligence is what’s giving us those answers.

As far as maturity goes, the maturity of individual analysts has grown tremendously over the years, as I’ve watched people go from understanding what a firewall does to understanding this next generation set of tools that we have to work with and how everything fits together. So we’re able to paint pictures of who’s coming after us, what do they want, and how are they going about it. Where are our soft spots? How can we harden those? Where can we deflect attacks? Sometimes it’s not about keeping people out, just making it so difficult that they don’t want it anymore, or at least that we know that it’s there because once you know an attack is in place, you can do something more about it.

Interviewer:

You mentioned that you’ve seen a maturity with individual analysts grow over time, but I also understand it’s a pretty persistent problem that there’s just not enough people entering the industry. What are some answers to that? How does threat intelligence help?

Darian Lewis:

We are short of analysts and people who understand what’s going on, and the number is supposed to grow to ridiculous numbers in just the next few years, from a few hundred thousand shortage to a million shortage. We can’t put people through school fast enough. Schools are teaching things that are 10 years old. It’s a difficult and complex problem to solve. There’s no real easy solution to it. So, we have to get better at automation and we have to get better at the things we know that need to be taken care of.

I think there’s enough understanding of what the basics are, but threat intelligence brings to the table something that we’ve never had before, which is visibility into the minds of the bad guys. It lets us understand what they’re after, what we have that they want, why they want it, and what we can do to keep them from it. The maturity of the industry growing is important because we need to be forward thinking. People need to stop being behind the eight ball trying to keep the border safe. We need to move beyond that border and be more proactive, and the only way we can do that is through threat intelligence. That’s really where maturity leads us. It leads us further and further from our perimeter, so that we understand what’s coming down the pike because the right time to fix the vulnerability is before it’s exploited, and not afterwards.

When breaches and other bad things happen, that’s when you realize just exactly where the gold was inside your vault. Right now, a lot of companies don’t realize where their gold is. I think threat intelligence brings that to bear for them. For CISOs that need to be able to relate this back to the board and to others, they need to get a full risk profile, and it’s not just physical risk and their cyber risk, but also who’s out there, where the goods are, because a lot of companies still don’t know. Our asset management is a complex problem in our industry and until they fully understand where that risk surface is, they don’t know where their soft spots are.

Interviewer:

What security problems does Relativity use SIEM platforms to manage? How does threat intelligence from Recorded Future help?

Darian Lewis:

The SIEM that we’ve chosen is Splunk, and we feed all of our internal data into it. So we have our network feeding its information into Splunk — data from our firewall, our cloud solution, our on-premises solution. All of our endpoints also feed their information into it — our endpoint response solution, antivirus, anti-malware, Microsoft Advanced Threat Protection, they all feed into one location. Our analysts use it as a single pane of glass to get their work done.

And then for external context, we have a single repository source of truth in our threat intelligence platform, and intelligence from Recorded Future feeds into there. That means that all of the intelligence Recorded Future provides on a minute-to-minute basis goes from our threat intelligence platform into our SIEM solution so that we can compare anything suspicious that we see there against external context.

We’re also using your hunting packages. Those things are awesome. We use them to hunt threats retroactively within our network by looking at older SIEM data and comparing, and also to look outside of our network. They just pull together a lot of threat intelligence into one useful package.

Interviewer:

And what unique problems does Relativity face in the legal industry? Who targets the organizations you work with?

Darian Lewis:

Well, we’re a softer target. Security just isn’t top of mind for a lot of attorneys and law firms. In fact, they get more phishing attacks than anyone, because organizations in the industry hold on to a lot of valuable and sensitive data, like case data on some of the most prolific cases tried in the U.S. today. So we look carefully at phishing attempts, and at how people are probing networks. We like to go through those and make sure they’re less than harmful.

And that’s where threat intelligence really shines for us. Whenever we get hits for any IPs or domains, hashes, anything else, Recorded Future has great intelligence in the background that helps us make “go/no-go” decisions on that traffic.

Regarding who’s actually targeting legal organizations, if you look at the payloads they attempt to drop, it’s things like Monero cryptocurrency miners, banking trojans like Emotet, backdoor activity, people looking to grow their botnets. These are low threat-vector, usually non-targeted threats, but they’re ongoing and nonstop. And once they get a foothold and they realize you’re a high-value threat, these threat actors will sell you and your data as a much higher-value asset to other cybercriminals. It’s that low and slow bleed of data that harms. In fact, it’s rarely the company itself that knows first whether it’s been affected — it’s usually a third party that alerts them because they notice a breach in their own security.