The Role of Threat Intelligence in SOAR Performance (Part 3)

April 19, 2019 • The Recorded Future Team

Earlier in this series, we examined how security orchestration, automation, and response (SOAR) technology is emerging as an evolution to SIEM solutions in helping IT security teams automate incident response processes. We also presented several security response use cases in which a SOAR platform can streamline and accelerate how quickly threats are discovered, contained, and mitigated.

In this blog, we’ll discuss how a key factor to building an effective SOAR solution is to connect the platform with the right threat intelligence sources that automate the delivery of information. This combination ensures IT security teams work together more efficiently so that they can identify threats earlier and resolve security incidents faster.

Automated Threat Intelligence Plays a Vital Role in Protecting Digital Assets

All the security alerts generated from logs and data feeds can be overwhelming. There may be potentially valuable insights into active and emerging cyber threats present in those logs and feeds, but if the key indicators of compromise are hidden among the barrage of data, the vital information is easily missed.

As noted in the first blog in this series, a SOAR platform can help by receiving vulnerability and threat data from multiple sources, and then enriching the data with threat intelligence. This generates unique insights and context that help rapidly assess risks from new indicators of compromise.

But there’s also a key variable: The SOAR platform may not be receiving the right data. It may also not be processing the data in the right way relative to the IT environment. That means the data is not truly meaningful, and therefore not useful — it’s just more data.

It’s thus critical to pair a SOAR solution with technology that automatically aggregates, normalizes, and correlates the data with multiple threat intelligence sources deliberately selected to produce a single, validated, relevant, and timely feed. Only then can the security team respond effectively to the many cyber threats that put digital assets at risk.

How Threat Intelligence Elevates SOAR Performance

In the previous blog in this series, we presented a series of use cases that illustrate the importance of connecting SOAR platforms to the right threat intelligence feeds. These include phishing, endpoint diagnostics, vulnerability management, compromised indicator hunting, and malware analysis. Here are some additional details about how automated threat intelligence impacts each of these SOAR use cases:

Phishing Attacks

Tactical threat intelligence provides information about the specific phishing strategies, techniques, and procedures employed by threat actors to breach user accounts, typically through email. By leveraging threat intelligence that automatically analyzes the attack vectors, tools, infrastructure, and forensic avoidance strategies that are used against targets in a particular industry or location, a SOAR solution helps manage defenses and allocate resources more effectively. The process to identify which systems have been breached and how to mitigate the breach is greatly accelerated.

Endpoint Diagnostics

Real-time, contextualized threat intelligence delivered automatically to a SOAR solution enables security teams to more efficiently manage the overwhelming number of alerts from logs and various data feeds. This makes it possible to rapidly assess the risk of new indicators and respond to endpoint threats proactively so that devices and applications are patched before a widespread outbreak occurs.

Vulnerability Management

Vulnerability databases often lag behind vendor announcements, exploit chatter, and proof-of-concept malware that are all available for purchase on the dark web. By tapping into these hard-to-reach sources using automated threat intelligence, a SOAR platform can rapidly identify emerging threats before they actually hit all of their intended targets. This makes it possible to deploy additional network defenses so that some threats are rendered ineffective before they attempt to breach digital assets.

Compromised Indicator Hunting

Threat intelligence analysis of emerging threats identifies the relationships among threat actors, their methods, and their targets. With this information automatically integrating with a SOAR platform, it’s much easier to see how IT vulnerabilities are exploited and weaponized, as well as the real risk they pose to digital assets. The SOAR platform can then dynamically prioritize the assets to which they will first apply additional protective measures.

Malware Analysis

Relevant, up-to-date threat intelligence that’s aggregated and normalized from a range of data feeds creates threat context in real time. A SOAR solution can then automatically receive this information to uncover malware focused on damaging the company’s brand, industry, and technologies. This creates the ability to focus security measures on the vulnerable systems that are the most valuable to the company and its reputation.

The Benefits of Integrating SOAR With Automated Threat Intelligence

The common thread that runs through all of these use cases is that SOAR solutions derive several key benefits when connected to automated threat intelligence.

  • Detect Threats Earlier: Real-time alerts on active and emerging threats drive proactive defense efforts by identifying threats earlier and providing insight into risk sources, relevance, context, and severity. One study by IDC found that organizations who use Recorded Future identify threats up to 10 times faster — when integrating that threat intelligence into your SOAR solutions, you can be even more proactive in identifying and mitigating threats.
  • Increase Security Team Efficiency: Direct access to source material gives IT security teams the context needed to act fast when making remediation decisions — and the confidence that they are taking the right path. This confidence extends to determining how best to proceed with containment, mitigation, and ongoing protection efforts. That same IDC study found that IT security teams increased their efficiency by 32 percent on average with threat intelligence from Recorded Future. Integration with a SOAR solution would similarly increase efficiency.
  • Resolve Incidents Faster: Access to contextualized intelligence replaces manual research that can drain IT resources. SOAR solutions, combined with the right threat intelligence, can resolve incidents faster by reducing research time and improving security team efficiencies. Many IT security teams have improved threat resolution times by 63 percent after integrating Recorded Future into their workflows — and incident response times would only drop further when incorporating threat intelligence into a SOAR solution.

The Power to Make Effective Security Decisions

The power to make effective security decisions based on potential indicators of compromise depends heavily on the usefulness of the available intelligence. Real-time, contextualized threat intelligence, delivered automatically when and where it’s needed, provides a SOAR solution with the power it needs to automate and orchestrate on behalf of the security team.

Armed with the right threat intelligence platform and feeds, SOAR solutions can collect and analyze vast amounts of data from technical, open web, and dark web sources. Combining this data with expert research sources generates relevant cyber threat insights in real time.

The aggregated intelligence can also be integrated with other threat data sources to facilitate collaboration between the security team and other parts of the organization, thereby accelerating threat detection, analysis, recovery, and remediation. This all adds up to much stronger abilities when it comes to protecting vital digital assets.

For more information on how to integrate your SOAR solution with effective threat intelligence, request a personalized demo today.