June 25, 2019 • The Recorded Future Team
This is the third blog in a three-part series examining the impact of threat intelligence on security operations teams. In our first blog, we discussed how the overwhelming number of threat alerts that security operations teams receive can cause alert fatigue to set in, and how threat intelligence provides the antidote to mitigate the situation. Our second blog presented the security incident triage challenges faced by security operations teams and how context streamlines the scoping of security incidents.
In this blog, we explain how external intelligence provides the threat context needed to help increase efficiency when diagnosing, prioritizing, and mitigating security threats.
External threat intelligence is the elixir for IT security threat diagnosis and mitigation. Security operations teams first feel the impact during the triage stage, provided the intelligence is collected from the right external sources and then integrated with data produced by internal security systems.
This combination improves security incident triage because threat intelligence provides additional information and context. Security operations teams can then triage alerts promptly and with much less effort.
Security operations teams can also rapidly rule out false positives and avoid wasting hours on pursuing alerts related to innocuous actions and irrelevant attacks. It’s also easier to identify any attacks for which sufficient defenses and controls are already deployed to protect at-risk digital assets.
Recorded Future’s Allan Liska and Levi Gundert explain more here:
With a solid triage process, backed by the right external threat intelligence integrated with internal security alerts, it becomes much simpler for security operations to analyze incident attributes. The team can also accelerate containment of any digital assets that have been breached and prioritize which unaffected systems and applications need to be closely monitored.
Just how impactful is threat intelligence? An IDC survey found that an effective threat intelligence platform can enable security operations teams to reduce time spent on threat investigation, resolution, and report compilation by as much as 32%.
For enterprise teams, that can add up to huge resource cost savings — about $640,000 annually on average. IDC also discovered that a threat intelligence platform can enable security operations teams to detect 22% more threats before they impact their organizations and resolve incidents 63% faster.
Here’s an example of a real-world scenario in which a Recorded Future client correlated external threat intelligence to enrich alerts generated by their internal security systems. The security operations team for this client received an alert when an unknown external IP address attempted to connect over TCP Port 445. At the same time, external threat intelligence indicated that a recent Server Message Block (SMB) exploit was being used by ransomware to propagate itself.
By correlating the two sources of information through Recorded Future Fusion, the client’s security operations team identified the IP address as likely being compromised. The team could also see that the new exploit and ransomware were associated with that particular IP address based on the owner, the location, and open source data.
With the contextualized threat intelligence, security operations then identified other devices on the network using SMB on Port 445 to transfer files and data between servers. The team took the necessary measures to make sure those devices were protected from this weaponized threat.
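The correlation in this scenario, sketched as an added example that is not Recorded Future Fusion's API or the client's code: internal alerts are enriched from an external intelligence lookup, then internal flow records are searched for servers accepting SMB on port 445. All addresses, tags, scores, and thresholds are constructed assumptions.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed internal range

# Constructed external intelligence: indicator -> context (documentation IPs).
INTEL = {
    "203.0.113.45": {"risk": 90, "tags": {"smb-exploit", "ransomware"}},
    "198.51.100.9": {"risk": 20, "tags": {"scanner"}},
}
# Constructed alerts from internal security systems.
ALERTS = [
    {"id": 1, "src": "203.0.113.45", "dst": "10.20.1.10", "port": 445},
    {"id": 2, "src": "198.51.100.9", "dst": "10.20.1.11", "port": 443},
    {"id": 3, "src": "192.0.2.77", "dst": "10.20.1.12", "port": 445},
]
# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.20.1.10", "10.20.2.5", 445),
    ("10.20.3.8", "10.20.2.6", 445),
    ("10.20.1.10", "10.20.2.7", 22),
    ("203.0.113.45", "10.20.1.10", 445),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def enrich(alert, intel=INTEL):
    """Attach external context to one alert and derive a triage priority."""
    ctx = intel.get(alert["src"], {"risk": 0, "tags": set()})
    score = ctx["risk"]
    # Boost when the intel context matches the service the alert touched.
    if alert["port"] == 445 and "smb-exploit" in ctx["tags"]:
        score += 10
    priority = "high" if score >= 80 else "medium" if score >= 40 else "low"
    return {**alert, "tags": sorted(ctx["tags"]), "score": score,
            "priority": priority}

def triage(alerts, intel=INTEL):
    """Return enriched alerts, most significant first."""
    return sorted((enrich(a, intel) for a in alerts),
                  key=lambda a: a["score"], reverse=True)

def smb_servers(flows):
    """Internal hosts accepting SMB (445) from other internal hosts."""
    return sorted({dst for src, dst, port in flows
                   if port == 445 and is_internal(src) and is_internal(dst)})

if __name__ == "__main__":
    for a in triage(ALERTS):
        print(a["id"], a["priority"], a["score"], a["tags"])
    print("SMB servers to review:", smb_servers(FLOWS))
```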
Trying to assess internal alerts without access to the context enabled by external threat intelligence is like a doctor trying to treat a patient based only on the symptoms that the patient presents that day. The doctor also needs to take into consideration the history of the patient and what has been happening to other patients with similar symptoms. Family history can also play an important role.
In the same way, security operations teams need more intelligence to truly understand the context of alerts and to know how to react to each alert in relation to other alerts. When the threat intelligence is delivered through a platform like Recorded Future Fusion, security operations teams can completely transform their triage process. They can automatically enrich threat data with intelligence and correlate it to alerts. The enrichment process enables security operations to quickly identify the most significant threats and take immediate, informed actions to resolve them.
For more information on how to leverage external threat intelligence to help your security operations team conduct security alert triage and mitigate threats more efficiently, request a personalized demo of Recorded Future today.