Threat Intelligence and SIEM (Part 3) — Combining for Better Security
By Guillaume Dupont on February 18, 2016
Previously, in part one and part two of this series, I explained how threat intelligence (TI) provides defenders better insight into the type of malware, delivery mechanisms, exploits, and overall situational awareness of threats and attack strategies faced by other companies.
Using such intelligence with security products enhances the threat landscape visibility, and as a result security teams are able to respond more quickly and accurately.
How Companies Are Leveraging Threat Intelligence
In a SANS Institute survey,1 Dave Shackleford asked companies around the world how they were using TI. A total of 326 companies of all sizes and from various industries, such as government, banking/finance, and IT, participated, resulting in the following findings:
Figure 1: Tools for aggregating and using threat intelligence. (Source: SANS Institute)
Up to 55% of the survey’s respondents are using SIEM to aggregate and analyze TI data from diverse sources. Given how SIEM solutions work, as we saw in the first part of this series, TI and SIEM are indeed meant to be combined.
Let us consider the following flowchart to understand how TI can be combined with a SIEM:
Figure 2: Security monitoring workflow. (Source: Securosis.com)
We already explained the upper right side of the above diagram in the first part of this series when we discussed reactive security with SIEM. Let’s now focus on the remaining boxes.
The upper left side depicts the collection of TI. Before collecting threat intelligence, we first must define and profile the adversaries who represent business risks. Then we can select the right TI, the intelligence that will truly improve our security posture. We can then start collecting and analyzing intelligence, which means reviewing it to make sure it is actionable. Finally we can proceed to integrating TI with the SIEM.
In the above figure, in the Security Analytics portion, we can start analyzing our environment as in the standard SIEM approach, but this time correlating our detection mechanisms (signature and anomaly based) with the TI relevant to our business.
Upon detection, we prioritize alerts “based on the number, frequency, and types of indicators which triggered them.2” According to their priority, we may want to collect deeper, that is, gather more information from the devices involved by querying their databases; this makes subsequent forensic investigations easier.
Finally, as shown in the Action box, once alerts are reviewed by the security operations team, they are validated as true positives or discarded as false positives. In the latter case, the intelligence can be evaluated and the policies tuned to avoid further false alerts. After validation, the alerts can be escalated to the IR team via a ticketing mechanism as described in the first blog post.
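As an added illustration of the Security Analytics and Action steps above (example code, not from the original post or from Securosis), the following Python sketch correlates constructed log lines with a constructed TI indicator set, prioritises the resulting alerts by the number, frequency and type of matching indicators, and drops an indicator once an analyst discards its alert as a false positive. The indicator values (documentation-range addresses), the type weights and the log format are assumptions.

```python
from collections import defaultdict

# Constructed TI feed (hypothetical indicators, documentation-range addresses):
# indicator -> (indicator type, campaign it is attributed to)
TI_INDICATORS = {
    "198.51.100.23": ("ip", "campaign-A"),
    "bad-updates.example": ("domain", "campaign-A"),
    "203.0.113.9": ("ip", "campaign-B"),
}
# Assumed weighting: a C&C domain lookup is a stronger signal than a bare IP hit.
TYPE_WEIGHT = {"domain": 2, "ip": 1}

# Constructed log lines in the form "<host> <event> <destination>"
LOG_LINES = [
    "host01 dns bad-updates.example",
    "host01 conn 198.51.100.23",
    "host02 conn 203.0.113.9",
    "host01 conn 198.51.100.23",
    "host03 conn 192.0.2.5",
]


def correlate(lines, indicators):
    """Match each log line's destination against the TI set.
    Returns {host: [(indicator, type, campaign), ...]} for hosts with hits."""
    hits = defaultdict(list)
    for line in lines:
        host, _event, dest = line.split()
        if dest in indicators:
            itype, campaign = indicators[dest]
            hits[host].append((dest, itype, campaign))
    return dict(hits)


def prioritise(hits, weights=TYPE_WEIGHT):
    """Score hosts by indicator count, hit frequency and indicator type, highest first.
    Returns [(host, score, [campaigns]), ...]."""
    scored = []
    for host, matches in hits.items():
        frequency_score = sum(weights[itype] for _, itype, _ in matches)
        distinct_indicators = len({ind for ind, _, _ in matches})
        campaigns = sorted({camp for _, _, camp in matches})
        scored.append((host, frequency_score + distinct_indicators, campaigns))
    return sorted(scored, key=lambda s: s[1], reverse=True)


def tune_false_positive(indicators, indicator):
    """Action step: an analyst discarded an alert as a false positive, so drop the
    indicator from the active set (the feed itself is then re-evaluated)."""
    return {k: v for k, v in indicators.items() if k != indicator}
```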
4 Qualities of Actionable Threat Intelligence
The advantages of using TI with SIEM are indisputable: nowadays a good SIEM solution ships with support for threat intelligence integration. All vendors are well aware that, to be taken seriously, they have to answer the growing demand for easier and better TI integration. Gartner’s security analyst Lawrence Pingree says, “by 2017, at least 50% of technology providers will use intelligence-sharing capabilities between disparate technologies and across different vendors to support orchestrated security policy responses across protected environments.3”
As shown in the flowchart above, the collected TI will have to be assessed in terms of quality and effectiveness. Sergio Caltagirone, Chief Scientist of the Center for Cyber Intelligence Analysis and Threat Research, identified four qualities that intelligence has to meet to be actionable:4
- Relevance: TI teams must ensure the intelligence is pertinent to the business; measurable by positive hits or real alerts once deployed in the environment.
- Completeness: Threat intelligence must be detailed enough, and provide sufficient context, to guarantee effective detection.
- Timeliness: To have a valuable impact, intelligence must be retrieved and processed as fast as possible.
- Accuracy: To ensure effective detection, the TI must have few false positives and be highly accurate.
All these aspects can be assessed at different levels by the parties involved in a complete security lifecycle, as detailed in the Active Cyber Defense Cycle. These qualities can be used as criteria to assess the efficiency and usefulness of the retrieved TI.
Finally, by combining internal and external threat intelligence, defenders have a way to empower real-time threat identification; for instance, it now becomes easier to detect malware that is communicating with C&C servers belonging to a certain campaign, to match past/historical internal log data with current threat intelligence, or even to validate correlation rules and improve alert baselining, therefore reducing false positives and the waste of time and money.
In the next part of this blog series, we’ll focus on the various threat intelligence standards, and how to share threat intelligence.
1 Dave Shackleford, “Who’s Using Cyberthreat Intelligence and How?” (Technical Report, February 2015).
2 Securosis LLC., “Leveraging Threat Intelligence in Security Monitoring” (2014).
3 Lawrence Pingree, “Context-Aware Security and Intelligence-Sharing Concepts Merge to Create Intelligence-Aware Security Controls” (Technical Report, 2014).
4 Sergio Caltagirone, “The 4 Qualities of Good Threat Intelligence” (July 2015; www.activeresponse.org).