Fighting SOC Alert Overload With Effective Threat Intelligence

May 8, 2018 • Chris Pace

Key Takeaways

  • Threat intelligence isn’t just a silo in security and has advantages to bring to many different roles in your organization.
  • Teams triaging alerts in security operations centers (SOCs) are overwhelmed with event data that has no context.
  • Threat intelligence packaged correctly for the SOC analyst can make them 10 times more productive.

The concept of threat intelligence and its potential usefulness to any business that’s serious about cybersecurity is not difficult to grasp. The more you know about potential attacks, how you might be attacked, and what those attacks will target, the better equipped you are to defend and align your resources effectively.

The difficulty seems to arise in deciding how to actually implement threat intelligence. Many cybersecurity professionals appear to be laboring under the misapprehension that intelligence can only be produced or used by an elite team of analysts dedicated to producing packaged intelligence for those at the very top of the security organization. This really couldn’t be further from the truth. Threat intelligence is not simply a siloed team or technology, but can be used by many teams, job functions, or roles in security as long as it’s delivered in the right way.

Chris Crowley is a principal instructor for the SANS Institute and specializes in training security professionals to manage security operations effectively. He highlights how threat intelligence needs to join up across all of security:

When we’re doing threat intelligence, we have specific artifacts or outputs that we would produce: indicators of compromise, TTPs, campaign reporting, strategic threat modeling, and finally, one of the artifacts in threat intelligence should be actions that our organization is taking in order to defend its assets. This isn’t just lofting a report over the partition wall — this is making sure that we do things.

Applying Threat Intelligence to Monitoring and Triaging Alerts

One key role right at the start of the security operations center process is monitoring security alerts from SIEM, IDS, EDR, and other technologies to identify and respond to security events and incidents.

Cisco’s 2018 Security Capabilities Benchmark Study found that organizations can investigate only 56 percent of the security alerts they receive on a given day, and that of the investigated alerts, 34 percent are deemed legitimate. It is reasonable to assume that the sheer volume of alerts flowing into security operations teams is a major reason so many of them go uninvestigated.

Cisco 2018 Security Capabilities Benchmark Study Graphic

The faster analysts can triage and make their initial investigations into alerts, the more alerts the SOC will be able to process. Applying the right kinds of intelligence aims to remove the obstacles to fast triage, helping organizations defend proactively against cyberattacks. A few of the challenges that can be overcome include:

1. Alert fatigue.

Alert fatigue is caused by a large number of frequent alarms that leads to analysts taking them less seriously — the boy who cried wolf, essentially. Threat intelligence applied correctly should enable a level of automation that speeds up research and gives analysts a more detailed understanding of the various alerts. Ideally, the result is an environment with fewer but better alerts, which improves the effectiveness with which the security team can provide threat analysis.

2. High volumes of alerts and only internal information.

Often, SOCs encounter the problem of too much information with relatively little to no context. Usually, this information comes from simply looking at the telemetry of network devices and log files, setting up rules to examine anomalous behavior, and other rule sets that deliver a high quantity of raw data. Threat intelligence should be situation-specific advice to more effectively provide context to the data and subsequently implement a strategic response. To enable even faster triage, this intelligence should make its own reasonable assumption about what kind of risk a particular indicator presents. Recorded Future does this by providing a real-time risk score.

3. There’s a lot of external data but it’s hard to find intelligence.

It can be incredibly time consuming for an analyst using manual methods (googling, security news sites, favorited blogs, etc.) to find useful external information. Threat intelligence solutions should help analysts not just by giving fast access to intelligence from this range of sources, but also by consolidating that intelligence into a single readable view. The more consumable this intelligence is, the more useful it becomes to teams under significant time constraints.

Recorded Future has previously tested the power of threat intelligence in speeding up SOC analyst efficiency. Our independent test found that applying real-time threat intelligence powered by machine learning cut the average time an analyst needed to triage a security event from a firewall log from three minutes to 1.2 seconds, which the test reported as a 10 times gain in productivity.
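The three challenges above and the firewall-log test describe one pattern: enrich each alert's indicator with a risk score, drop what the intelligence says is noise, and let the analyst see the rest ranked. As an added example (this is not Recorded Future's code or API), the Python script below runs that pattern over a handful of firewall events. The indicator feed, the log lines, the internal network list and the score thresholds are all constructed for illustration; a real SOC would replace the feed dictionary with a lookup against its intelligence platform or a local cache.

```python
"""Triage enrichment example: firewall events + risk-scored indicators -> ranked queue.

Added example, not Recorded Future code. Feed, logs, thresholds and network
ranges are assumptions made for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> (risk score 0-99, evidence).
TI_FEED = {
    "198.51.100.23": (89, "recent C2 sighting for commodity malware"),
    "203.0.113.77": (35, "historically reported for port scanning"),
}

# Constructed firewall log lines in a key=value syslog style (documentation IPs).
FIREWALL_LOGS = """\
2018-05-08T10:01:12Z fw01 action=deny src=10.0.0.5 dst=198.51.100.23 dport=443 proto=tcp
2018-05-08T10:01:15Z fw01 action=allow src=10.0.0.8 dst=93.184.216.34 dport=443 proto=tcp
2018-05-08T10:02:03Z fw01 action=deny src=10.0.0.5 dst=203.0.113.77 dport=22 proto=tcp
2018-05-08T10:02:40Z fw01 action=allow src=10.0.0.9 dst=192.168.50.10 dport=445 proto=tcp
2018-05-08T10:03:11Z fw01 action=allow src=10.0.0.5 dst=198.51.100.23 dport=8443 proto=tcp
"""

# Thresholds and internal ranges are assumptions for the example, not a vendor scale.
ESCALATE_AT, REVIEW_AT = 65, 25
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VERDICT_ORDER = {"escalate": 0, "review": 1, "noise": 2, "internal": 3}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.*)$")


@dataclass
class Finding:
    """One triage item: every event for a (src, dst) pair, enriched with intelligence."""
    src: str
    dst: str
    first_seen: str
    last_seen: str
    count: int = 0
    dports: list = field(default_factory=list)
    risk: int = 0
    evidence: str = ""
    verdict: str = "noise"


def parse_line(line):
    """Parse one key=value firewall line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    try:
        return {"ts": m["ts"], "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"])}
    except (KeyError, ValueError):
        return None


def is_internal(ip):
    """External intelligence says nothing about RFC 1918 space, so skip enrichment there."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score(dst, feed):
    """Look the destination up in the feed and map its risk score to a verdict."""
    if is_internal(dst):
        return 0, "", "internal"
    risk, evidence = feed.get(dst, (0, ""))
    if risk >= ESCALATE_AT:
        return risk, evidence, "escalate"
    if risk >= REVIEW_AT:
        return risk, evidence, "review"
    return risk, evidence, "noise"


def triage(log_text, feed=TI_FEED):
    """Collapse repeated events per (src, dst), enrich each group, rank by verdict then risk."""
    groups = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        f = groups.get(key)
        if f is None:
            risk, evidence, verdict = score(ev["dst"], feed)
            f = groups[key] = Finding(ev["src"], ev["dst"], ev["ts"], ev["ts"],
                                      risk=risk, evidence=evidence, verdict=verdict)
        f.count += 1
        f.last_seen = ev["ts"]
        if ev["dport"] not in f.dports:
            f.dports.append(ev["dport"])
    return sorted(groups.values(), key=lambda f: (VERDICT_ORDER[f.verdict], -f.risk, -f.count))


def summarize(findings):
    """Count findings per verdict: how much of the queue the analyst actually has to touch."""
    return {v: sum(1 for f in findings if f.verdict == v) for v in VERDICT_ORDER}


if __name__ == "__main__":
    for f in triage(FIREWALL_LOGS):
        print(f"{f.verdict:<8} risk={f.risk:<3} {f.src} -> {f.dst} ports={f.dports} x{f.count} {f.evidence}")
    print(summarize(triage(FIREWALL_LOGS)))
```

Two details matter for alert fatigue rather than just speed: the two hits on the same command-and-control indicator become one finding with a count and a port list instead of two separate alerts, and destinations inside the organization's own ranges are set aside rather than scored as zero-risk noise, since an external feed has no opinion on them. Python's `ipaddress.is_private` is deliberately not used for that check, because it also matches the documentation ranges used in the sample feed.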

And it’s not just SOC analysts that have something to gain. Take a look at our new white paper, “Busting Threat Intelligence Myths: A Guide for Security Professionals” to get an understanding of the difference threat intelligence can make in every role of security.