Threat Intelligence: The Foundation of Your Security Operations Center Strategy

February 3, 2017 • RFSID

Key Takeaways

  • 93 percent of SOCs are unable to triage all potential threats because the volume of incoming alerts is overwhelming. As a result, high-volume/low-context sources such as firewall logs are typically only used in forensic investigations.
  • Under laboratory conditions, Recorded Future cut analyst time taken to triage a security incident from three minutes to just 1.2 seconds, and dramatically enhanced threat detection.
  • After integrating Recorded Future with Splunk SIEM, St. Jude Medical realized a 50 percent saving in analyst time for malicious IOC investigation, as well as a 63 percent drop in exploit kit traffic within their networks.
  • Intel Security, a global security vendor, uses Recorded Future to speed up production of threat reports by 25 percent. Rob Gresham, Senior Consultant with Intel Security, estimates that large organizations can save between $300,000 and $500,000 a year in OPEX funding by relying on Recorded Future and Foundstone.

For many organizations, threat intelligence has become an essential part of their cyber strategy. With the number of incoming attacks increasing every year, most organizations’ security operations center (SOC) strategy is increasingly reliant on threat intelligence to improve the speed and reliability of threat detection and prevention.

In fact, in a 2016 study conducted by the Ponemon Institute, 66 percent of respondents had either implemented or were planning to implement a threat intelligence solution within the next year.

Unfortunately, there’s a problem. Many organizations rely purely on open source intelligence (OSINT) combined with network activity and telemetry monitoring, and their operational staff are being overwhelmed by the volume of incoming alerts.

According to Intel Security’s McAfee Labs Threats Report, released in December 2016, a combination of increased attacks and enhanced monitoring had led to 67 percent of respondents seeing an increase in security incidents. The report, which surveyed almost 400 security professionals across multiple countries, industries, and organization sizes, also found that 93 percent of security operations centers are unable to triage all of their potential threats because the volume of incoming alerts is unmanageable.

Naturally, this poses a real concern for security-conscious organizations. Despite implementing advanced security controls and maintaining a fully functioning operations center, they’re still at risk of missing vital threats.

But it doesn’t stop there. In an ideal world, security operations teams could proactively focus their strategy on identifying and remediating their organization’s most significant threats. Due to the overwhelming number of incoming alerts, however, most are forced onto the defensive, spending the vast majority of their time reacting instead.

Augmenting Security Information and Event Management

Last year, we commissioned an independent test to measure the impact of real-time threat intelligence powered by machine learning.

The test, conducted by Codis Technologies, focused on high-volume/low-context sources such as firewall logs. Security information and event management (SIEM) systems typically rate these log sources as low priority, primarily because there are too many events for most SOCs to triage.

A seasoned analyst will take up to three minutes to process an event, and a small organization with just 100 devices could generate over 2,500 outbound connections each hour. Even after pre-processing and filtering, the number of events would be well beyond what even a small team of analysts could cope with. It’s unsurprising, then, that most organizations rank these types of data sources as low priority, and only consider them during forensic investigations.

Doing so, however, is far from ideal.

While high in volume, these types of log sources can provide a vital early-warning system for incoming threats, and ignoring them places organizations at significant risk. And while purely OSINT solutions can provide valuable threat insights, they do very little to alleviate this problem.

Integrating Recorded Future with a SIEM enables organizations of all sizes to easily monitor high-volume/low-context log sources in real time. By enriching events with up-to-the-minute risk indicators, malware attribution, related intelligence, and risk scores, Recorded Future goes well beyond the scope of any typical threat intelligence provider. By automatically providing context to all security incidents, Recorded Future prioritizes the most meaningful security events, enabling analysts to reach critical decisions much more quickly and analyze a far greater number of events.

For its testing, Codis Technologies created a controlled environment of four PCs (one infected with malware), a firewall, and a SIEM.

Two reports were generated by the SIEM showing all outbound connections during a one-hour period, one of which was enriched by Recorded Future. Each report contained 210 unique IPs, which were to be triaged by a single analyst within a 60-minute time limit.

The results speak for themselves.

Without the help of Recorded Future, the cyber threat analyst was able to check 20 IPs before running out of time. In order to review all 210 IPs manually, he or she would have required over 10 hours. By contrast, with the support of Recorded Future, the same analyst was able to triage all 210 IPs in just four minutes.

To put that in context, the average time required to triage a security event fell from three minutes to just 1.2 seconds.

Unsurprisingly, while working manually the analyst did not identify any malware. Even when running the report against 40 OSINT feeds, there were no improvements; two IPs were flagged, but they provided no significant time savings and failed to identify the infection. With Recorded Future, however, the IP with the highest risk score was investigated first, and consequently the Dridex infection was discovered within 12 seconds.

To analyze all 210 events manually within the 60-minute time limit would take around 10 analysts working in parallel (210 IPs at 20 per analyst-hour). With the added context and prioritization from Recorded Future, a single analyst could easily monitor the events in real time, not to mention having a spare 56 minutes to focus on other tasks. Even leaving aside the extra time savings, this equates to a 10 times gain in analyst productivity.

Of course, the reality is that most organizations simply don’t try to triage high-volume/low-context logs. After all, no matter how large an organization may be, it’s never going to be feasible to employ 10 seasoned analysts purely to analyze logs in real time.

Recorded Future provides the context and risk scoring organizations need to efficiently and reliably monitor data sources that were previously unmanageable. By presenting analysts with the highest-risk events first, Recorded Future dramatically improves the chances of detecting genuine threats in their early stages.
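The workflow described above (collapse raw outbound connections to unique destinations, enrich each with a risk score and supporting evidence, and hand the analyst the highest-risk destination first) can be sketched in a few dozen lines. The block below is an added example written for this article, not code from Recorded Future or from the Codis Technologies test. The firewall log lines, the `RISK_TABLE` lookup (which stands in for whatever an intelligence source returns), the hostnames and the RFC 5737 documentation addresses are all constructed for illustration.

```python
"""Enrich firewall outbound-connection logs with risk scores, then triage highest-risk first.

Added example, not Recorded Future or Codis Technologies code. The log lines,
the risk-score table and the addresses below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed firewall log lines: one outbound connection per line, syslog style.
FIREWALL_LOGS = """\
2017-02-03T09:00:01Z fw1 allow src=10.0.0.11 dst=192.0.2.10 dport=443 proto=tcp
2017-02-03T09:00:02Z fw1 allow src=10.0.0.12 dst=198.51.100.7 dport=80 proto=tcp
2017-02-03T09:00:05Z fw1 allow src=10.0.0.11 dst=192.0.2.10 dport=443 proto=tcp
2017-02-03T09:00:09Z fw1 allow src=10.0.0.13 dst=203.0.113.45 dport=8080 proto=tcp
2017-02-03T09:00:11Z fw1 allow src=10.0.0.14 dst=192.0.2.99 dport=443 proto=tcp
2017-02-03T09:00:15Z fw1 allow src=10.0.0.13 dst=203.0.113.45 dport=8080 proto=tcp
2017-02-03T09:00:20Z fw1 allow src=10.0.0.12 dst=198.51.100.8 dport=53 proto=udp
"""

# Hypothetical enrichment table keyed by destination IP (constructed; a real
# deployment would query its intelligence provider here instead).
RISK_TABLE = {
    "203.0.113.45": {"risk": 96, "evidence": "recently reported C2 server"},
    "192.0.2.99": {"risk": 65, "evidence": "historical malware distribution"},
    "198.51.100.7": {"risk": 25, "evidence": "unusual hosting reputation"},
}

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_connections(log_text):
    """Group raw connection events by destination IP.

    Returns {dst_ip: {"count": n, "sources": {src_ip, ...}, "ports": {port, ...}}}.
    """
    by_dst = defaultdict(lambda: {"count": 0, "sources": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        entry = by_dst[m["dst"]]
        entry["count"] += 1
        entry["sources"].add(m["src"])
        entry["ports"].add(int(m["dport"]))
    return dict(by_dst)


def enrich(by_dst, risk_table):
    """Attach a risk score and evidence to each unique destination.

    Destinations with no intelligence get risk 0 so they still appear in the
    full list but never outrank a scored one.
    """
    enriched = []
    for dst, info in by_dst.items():
        intel = risk_table.get(dst, {"risk": 0, "evidence": "no intelligence"})
        enriched.append({"dst": dst, "risk": intel["risk"],
                         "evidence": intel["evidence"], **info})
    return enriched


def prioritize(enriched, min_risk=1):
    """Order work highest risk first; break ties by connection volume.

    min_risk=1 drops unscored destinations entirely, which is the "look at the
    top of the list first" behaviour the article describes; pass min_risk=0 to
    keep everything for a full review.
    """
    worklist = [e for e in enriched if e["risk"] >= min_risk]
    return sorted(worklist, key=lambda e: (-e["risk"], -e["count"], e["dst"]))


def triage(log_text, risk_table=RISK_TABLE, min_risk=1):
    """Parse, enrich and prioritize in one call; returns the ordered worklist."""
    return prioritize(enrich(parse_connections(log_text), risk_table), min_risk)


if __name__ == "__main__":
    for item in triage(FIREWALL_LOGS):
        print(f"risk={item['risk']:3d} {item['dst']:15s} hits={item['count']} "
              f"hosts={sorted(item['sources'])} {item['evidence']}")
```

Run as-is, the first row is the constructed C2 address together with the single internal host that talked to it, which is exactly the "investigate the highest-score IP first" step that found the infection in the Codis test. The seven raw events collapse to five unique destinations, and with the default `min_risk=1` only the three that carry intelligence reach the analyst at all.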

If you’d like to read the full Codis Technologies report, you can download your free copy.

Powering Security Operations Centers in the Real World

It’s one thing to see huge improvements in a controlled testing environment, but producing results in the real world is what really counts.

St. Jude Medical is a global medical device company focused on transforming the treatment of epidemic diseases by developing breakthrough technologies. Due to the complexity and scale of its operations, the company’s security operations framework relies on threat intelligence to help identify and remediate threats. Specifically, the company has implemented Recorded Future in conjunction with the Splunk SIEM.

Following the implementation, dramatic improvements have been seen. For a start, daily detections of exploit kit traffic within its networks have fallen from 27 to fewer than 10. That amounts to a 63 percent reduction, which in turn has substantially reduced the number of machine rebuilds required.

Along the same lines, St. Jude’s detection of botnet traffic has improved by 28 times.

Perhaps most importantly of all, the company has seen huge savings in analyst time, including 50 percent for malicious IOC (indicator of compromise) investigation.

Analysts are now able to use this time to focus on proactive security measures, rather than constantly reacting to incoming threats.

St. Jude’s SOC uses Recorded Future to gain vital context, identifying correlations within SIEM datasets and gaining a complete picture of emerging threats and IOCs.

Russ Staiger, Lead Analyst with the company’s Cyber Threat Action Center (CTAC), described Recorded Future as:

An extremely well curated collection of some of the hardest to reach, as well as publicly available, sources all brought together to tell one story. It’s a magical moment in technology. They are leaders in terms of having this much to draw from and having this much power.
Russ Staiger, Lead Analyst, St. Jude Medical

To read more about how St. Jude Medical uses Recorded Future, check out the case study.

Like St. Jude Medical, Intel Security has a substantial need for cyber threat intelligence. The company delivers a number of intelligence services via McAfee Professional Services and Foundstone, and uses Recorded Future to facilitate these services.

Rob Gresham, Senior Consultant with Intel Security, explained in a recent webinar that implementing Recorded Future has reduced the time taken to produce threat reports for customers by 25 percent, and has enabled the company to expand its services globally.

Post implementation, Gresham is able to identify trending threats within minutes, compared to hours previously.

Perhaps most significant of all, Rob explained that by taking advantage of Recorded Future in collaboration with Intel Security’s Foundstone team, organizations could save well over $100,000 in annual OPEX funding:

A threat intelligence researcher needs to understand malware, so he has to have malware experience as well as threat intelligence experience. That’s not an inexpensive resource. He also has to have an analytical background, and to know programming. That’s a very specific individual that we’re looking at. On top of that, you’ll have to pay for a tool, and a platform … just to have a reasonable threat intelligence function that isn’t just a threat feed.
Rob Gresham, Senior Consultant, Intel Security

By Rob’s reckoning, an organization could save between $300,000 and $500,000 per year in OPEX.

Making the Transition

Threat intelligence is quickly becoming best practice for any security operations center.

If your SOC is one of the 93 percent unable to keep up with overwhelming numbers of security alerts, Recorded Future could profoundly enhance your organization’s security posture.

Whether it’s enhancing the speed and reliability of triaging security events by 10 times, or slashing exploit kit traffic by 63 percent, strategic use of Recorded Future’s threat intelligence powered by machine learning will dramatically increase the value of your SIEM and the ultimate effectiveness of your security operations center.

From laboratory conditions to a global medical device producer to one of the leading international security vendors, Recorded Future is already powering some of the most forward-thinking organizations in the world.

To find out how Recorded Future can benefit you, or to arrange a demo, get in touch today.