By Bart Lenaerts-Bergmans, Senior Product Marketing Manager, Threat Intelligence, CrowdStrike
Businesses spanning all sizes and verticals are familiar with the challenges of responding to security incidents. These difficulties are growing, largely driven by three factors: an overload of security data stemming from an abundance of tools and a larger attack surface; the pressure of time caused by fast-moving adversaries; and a global shortage of skilled security employees.
Threat intelligence can help security operations center (SOC) teams face these challenges. Intelligence data is different from security data because it offers new context on the who, why and how behind a security alert. It gives meaning to each alert that an analyst works on, helping them to prioritize which alerts to handle first and understand detailed insights on the attacker, motivation and methods.
The questions many SOC teams have are: How can they apply timely relevant threat intelligence, and how can they put this information in front of every team member in their daily workflow? What is the best way to efficiently operationalize threat intelligence? How much effort will it take to integrate threat intelligence into the existing workflow?
It takes investment and dedication to mature an organization’s threat intelligence capabilities. While time, resources and data quality can be common issues along the way, there are other obstacles that can impede progress in operationalizing threat intelligence:
- Fragmented intelligence data hinders SOC effectiveness. Demand for threat intelligence is quickly growing across multiple SOC functions and business asset owners: The Forrester Wave™: External Threat Intelligence Services, Q1 2021 and Forrester Analytics’ Business Technographics® survey found security decision-makers subscribe to an average of 7.5 commercial external threat intelligence services — up from an average of 4.2 in 2018. There is a growing number of use cases for threat data, which come from different stakeholders across the business and drive up the number of feeds implemented. Because these use cases aim to solve different problems, they may lead to disconnected SOC initiatives and lower overall SOC effectiveness as threat management objectives are broad and lack focus.
- Poor data quality can heighten risk. While it is easy to find threat feeds to implement, the timeliness and specific purpose of the indicators provided may not be relevant to your organization. This can create a false sense of risk and even heighten risk as businesses look at past threats generated by adversaries not actively targeting their industry, geographic region or organization.
- Lack of expertise impedes observability. Indicators alone don’t tell the full story. Getting the full picture of an attack, including the adversary’s motivation or global attack behaviors, requires a strong, complementary data collection that eliminates blind spots, plus analytic processes leveraging this data to support attribution. Observability, which measures how well attackers’ capabilities can be inferred from their external behavior, must come into play. Few organizations have the knowledge and expertise needed to generate internally collected data that provides full observability. As a result, they won’t have a complete end-to-end view of the threat actor.
- Homegrown automation can be expensive and slow to deliver value. The process of analyzing, extracting and integrating intelligence feeds takes time and effort. For teams overloaded with security tools, the additional complexity and management required to implement and maintain these integrations may not be feasible. Homegrown automation takes time that organizations may not have the resources or patience for. Because the workload is greater than their capacity, all they can do is triage and react.
A Different Approach to Automating Threat Intelligence
SOC teams using threat intelligence must understand the context of a potential threat. Intelligence collection should not be measured by volume, but by its ability to provide views that illustrate the actor, attack type, common tactics, post-breach activity, attack infrastructure and applicable threat surfaces.
To do this, threat intelligence must rely on a broad and deep collection of sources: events from enterprise telemetry, in-depth file analysis, incident forensics, threat hunt results, dark web collection, open-source intelligence, and human intelligence derived from adversarial pursuits. Combined, this data can help security teams achieve 360-degree observability of the threat.
While there is certainly no shortage of security information or tools, the constant switching between disparate tools and dashboards is distracting to analysts and prolongs threat evaluation and investigation. Threat intelligence must be integrated into the SOC’s daily workflow and, more importantly, be available as soon as new evidence is discovered. Having the latest information immediately at hand and integrated reduces the time and complexity of investigation and remediation efforts.
To address the issues holding security teams back from operationalizing threat intelligence, seek an automated threat intelligence solution that enables your security team to pivot from endpoint detection to the most recent data on today’s attackers and their motivations and tradecraft.
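The enrichment-and-prioritization step described above (attaching actor, motivation and TTP context to an endpoint alert, and discounting stale or irrelevant indicators as the data-quality bullet earlier warns) can be shown concretely. The following is an added example, not code from CrowdStrike or from the post; the intel records, alert records, organization profile, scoring weights and decay window are all constructed for illustration and do not describe any real product or actor.

```python
"""Added example (not part of the original post): enrich endpoint alerts with
threat-intelligence context and rank them for triage.

All data here is constructed: the intel store, the alerts, the organization
profile and the scoring weights are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)

# Constructed intel store: indicator -> context. In practice this would be
# served by an intel platform; the addresses are documentation ranges and the
# actor names are placeholders.
INTEL = {
    "203.0.113.10": {
        "actor": "EXAMPLE-ACTOR-A",
        "motivation": "criminal",
        "ttps": ["T1566", "T1059"],
        "industries": ["finance", "retail"],
        "regions": ["EU", "NA"],
        "last_seen": NOW - timedelta(days=3),
    },
    "198.51.100.7": {
        "actor": "EXAMPLE-ACTOR-B",
        "motivation": "espionage",
        "ttps": ["T1078"],
        "industries": ["defense"],
        "regions": ["APAC"],
        "last_seen": NOW - timedelta(days=400),
    },
}

# Hypothetical organization profile used to judge relevance.
ORG = {"industry": "finance", "region": "EU"}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str
    severity: int  # 1 (low) .. 5 (critical), as emitted by the endpoint sensor
    context: dict = field(default_factory=dict)
    score: float = 0.0


def relevance(intel: dict, org: dict, now: datetime) -> float:
    """Score how relevant an intel record is to this organization (0..1).

    Stale indicators decay to zero, and indicators tied to adversaries that do
    not target this industry or region contribute nothing to priority.
    """
    age_days = (now - intel["last_seen"]).days
    freshness = max(0.0, 1.0 - age_days / 180)  # linear decay, zero after ~6 months
    industry_hit = 1.0 if org["industry"] in intel["industries"] else 0.0
    region_hit = 1.0 if org["region"] in intel["regions"] else 0.0
    targeting = (industry_hit + region_hit) / 2
    return round(0.5 * freshness + 0.5 * targeting, 3)


def enrich(alert: Alert, intel_store: dict, org: dict, now: datetime = NOW) -> Alert:
    """Attach actor/motivation/TTP context to an alert and compute a triage score."""
    rec = intel_store.get(alert.indicator)
    if rec is None:
        alert.context = {"matched": False}
        alert.score = float(alert.severity)  # no intel: fall back to sensor severity
        return alert
    rel = relevance(rec, org, now)
    alert.context = {
        "matched": True,
        "actor": rec["actor"],
        "motivation": rec["motivation"],
        "ttps": list(rec["ttps"]),
        "relevance": rel,
    }
    # Severity scaled by relevance; an irrelevant or stale match adds nothing.
    alert.score = round(alert.severity * (1 + rel), 3)
    return alert


def triage(alerts, intel_store=INTEL, org=ORG, now=NOW):
    """Enrich every alert and return them highest-score first."""
    enriched = [enrich(a, intel_store, org, now) for a in alerts]
    return sorted(enriched, key=lambda a: a.score, reverse=True)


# Constructed alerts, shaped like what an endpoint sensor might emit.
SAMPLE_ALERTS = [
    Alert("A-1", "ws-042", "198.51.100.7", severity=4),
    Alert("A-2", "ws-017", "203.0.113.10", severity=3),
    Alert("A-3", "srv-003", "192.0.2.99", severity=2),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.alert_id, a.score, a.context)
```

Note how the ordering differs from raw sensor severity: the severity-4 alert whose indicator belongs to a stale record for an actor targeting a different industry and region drops below the severity-3 alert with fresh, organization-relevant context, while an alert with no intel match keeps only its sensor severity. The weights and the 180-day decay are arbitrary choices for the example; a real deployment would tune them against its own intel sources.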
Today’s attackers are studying businesses, creating victim profiles long before they try to attack networks. They are aware of enterprise security technologies and weaknesses, who is on the IT staff, and what technical questions employees are asking on IT forums. By using threat intelligence to gain knowledge about the adversary, you can adjust cyber defenses and turn the tables on them before they attack.