SOC Fundamentals for Your Threat Intelligence Program

November 29, 2016 • Greg Barrette

In a recent webinar, Chris Crowley, Principal SANS Instructor, highlighted several fundamental components of a security operations center (SOC), the challenges SOC teams face, and how to get the most out of threat intelligence.

Security Operations Center Roles and Responsibilities

There are several functional components to a security operations center architecture, which in the words of Chris Crowley come together to create the “notion of a command center where direction of action occurs, as well as [the] maintenance of situational awareness.”

These components include:

  • The network security monitoring team is tasked with observing an environment and reviewing the available data.
  • The threat intelligence team gathers available information from within the organization and through open source selection. This data is then organized to create actionable reports.
  • The incident response team focuses on performing remediation, containment, and mitigation steps that are based on the information gathered and analyzed. As part of this team there’s a self-assessment capability, which monitors the status of internal organizational assets to determine a desired reaction to perceived threats.
  • The steering committee ties together all of the functional capabilities of the SOC so that they maximize available resources and are effectively aligned with the business’s security needs.

For these teams to be effective, detailed and actionable data is critical. When used properly, threat intelligence helps the security command center defend against current and future attacks. In this vein, threat intelligence is vital to the identification of the highest-risk threats, as well as the subsequent preparedness measures that must be adopted to protect business assets.

Let’s look at some key terms associated with threat intelligence.

Threat Intelligence Key Terms

Threat intelligence is a strategic component that must be properly implemented if businesses want to protect their assets. Understanding key terms within the threat intelligence industry will help you to understand how certain methodologies can be implemented to proactively guard your business against adversaries:

  • Correlation refers to how items, or in this case threats, relate to each other; it’s the identification of these relationships, not the analysis of their independent and related capabilities, that matter.
  • Analysis is defined as the interpretation of the identified correlation. The basic who, what, where, when, why, and how questions must be answered during analysis.
  • Attribution is the task of assigning cause to a specific entity. In terms of threat intelligence, the intrusion set will be named so that the type of attack as well as the attacker can be properly attributed.

As seen in the above definitions, correlation, analysis, and attribution are three entities that work together to create the framework needed to defend an organization from an attack.

After all, that’s one of the critical components of threat intelligence — gaining valuable insights into the mindset and attack methods of adversaries to interrupt activities, disrupt communication chains, resolve weaknesses, and strengthen business assets against future attacks.

According to Chris Crowley, “When we’re doing threat intelligence, we have specific artifacts or outputs that we would produce. Indicators of compromise, TTPs, campaign reporting, strategic threat modeling and, finally, one of the artifacts in threat intelligence should be actions that our organization is taking in order to defend its assets. This isn’t just lofting a report over the partition wall, this is making sure that we do things.”

Security Operations Center Challenges

There are several challenges that SOC teams face. Recorded Future aims to eliminate these challenges with real-time intelligence that helps organizations proactively defend against cyber attacks. A few of the challenges that can be overcome include:

Infiltrating the dark web and hacker forums.

Recorded Future offers a secure environment and does the “heavy lifting” for clients. This means that Recorded Future is responsible for gathering information from remote and potentially dangerous portions of the web. This information is then made accessible to clients, so that they can use it as a resource to further analyze, strategize, and put together a proactive security stance.

High volumes of alerts and information without context.

All too often a SOC encounters the problem of too much information with relatively little to no context. Generally speaking, this information comes from simply looking at the telemetry of network devices and log files, setting up rules to examine anomalous behavior, and other rule sets that deliver a high quantity of raw data. Recorded Future provides situation-specific advice to more effectively provide context to the data and subsequently implement a strategic response.

Alert fatigue.

Alert fatigue caused by a large number of frequent alarms can lead to lapses in security best practices. Fortunately, Recorded Future has created automated solutions to empower faster research and an intimate understanding of the various alerts. Ideally, an environment with fewer but better alerts is created to improve the effectiveness with which the security team can provide threat analysis.

Succinct, Actionable Insights

Recorded Future is designed to not only gather threat intelligence, but to sort the gathered data and information into structured content. To put this task into perspective, keep in mind that gathered data tends to be displayed in a wide variety of sources. Assembling the technological information will provide some sense of its geolocation, however assembling everything and assigning context to the gathered data can be both time consuming and challenging.

This is where comprehensive real-time threat intelligence comes into play.

The mission is simple: gather the information, organize it, and deliver it to the security analysts and researchers in a format that is relevant. The keyword being “relevant.” Natural language processing and machine learning are two of the tactics that Recorded Future uses to organize the information into a format that can be used to complete proactive assessments.

Closing Thoughts

Properly implemented threat intelligence and security operations center best practices produce a multitude of benefits, and is probably best summed up in the following anecdote from Glenn Wong, Director of Technology Partnerships at Recorded Future:

We recently asked an independent security lab to come by and do a test where they set up a lab, infected a machine, ran legitimate traffic, and then had an analyst look at some of the log files generated from that lab environment. [The files were] then compared [with] what they could do with Recorded Future’s real-time threat intelligence layered on top of it. With our information, this analyst was able to see a 10 times increase in productivity, which itself is hugely valuable, because as we know, there’s a lot that goes on in the security operations center and getting time is one of the things that everyone wants to do.

Learn More

To learn more about the benefits of real-time threat intelligence from Recorded Future, be sure to watch the full webinar.

To discover how Recorded Future can save you time and resources, while more accurately assessing cyber threats, request a product demo.