SecurityWeek


The Best Treatment Plan for Your Security Pain Starts with a Data-Driven Diagnosis

The Value of Threat Intelligence Comes Down to Relevance and Accessibility

I’m amazed by the advancements in medicine for better diagnostics and treatment that are becoming almost commonplace, from DNA swab tests that show which drugs will be most effective for an individual patient to targeted gene therapies and immunotherapies that tailor treatment accordingly. Medical centers now have programs dedicated to individualized medicine, and there’s an entire field called “pharmacogenic testing” to determine the right drug at the right dose at the right time.

I hope this approach of data-driven, customized treatments will make its way more broadly into the field of security. Many CISOs I speak with are growing weary of searching for the next “silver bullet” security technology or another threat feed to improve their security posture. Clearly, this approach hasn’t worked: the velocity of attacks keeps increasing and the cost of a data breach continues to rise, from $3.86 million last year to $3.92 million in 2019, according to the 2019 Ponemon Cost of a Data Breach Study.

One newer area of investment aimed at accelerating response and mitigating risk is Security Orchestration, Automation and Response (SOAR) tools, specifically playbooks. Playbooks are good for automating known processes when you have high confidence in the data being used and the decisions that need to be made. Unfortunately, the confidence level for full automation is not there most of the time. Why? Data, especially with the increasingly large data sets we use, can be extremely noisy. If you start automating noise, the result will be amplified noise. 

Security operations – teams, tools and processes – become more efficient and effective when decisions and actions are based on the right data. So how can you ensure you have the right data? Not all threat intelligence is equal: intelligence that is valuable to your organization may not be valuable to another. Value comes down to relevance and accessibility, which requires curating a customized enrichment source that aggregates data filtered by a range of factors, including:

Industry/Geography – Threat feeds focused on attacks and vulnerabilities specific to your industry and geography are far more relevant than generic data that also cover threats targeting sectors and regions you are not in.

Internal threat and event data – An often-overlooked source of threat intelligence is data housed within various systems and tools across your organization, including the security information and event management (SIEM) system, log management repository, case management systems and security infrastructure.

Environment – Depending on your environment, some indicators are more relevant than others. For example, if your workforce is highly distributed and endpoint protection is key, hashes are important because they enable you to detect malicious files on those devices. On the network, domain names and IPs are more relevant indicators allowing you to track suspicious traffic.


Ecosystem – Threat feeds covering the third parties your organization works with may alert you to adversaries and campaigns actively targeting those partners, which can in turn become a path into your organization.

Risk profile – The level of risk each organization is willing to assume also varies. Assigning risk scores to threat feeds based on parameters you set helps to filter out the noise so you can act quickly upon the most relevant threats facing your organization.
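To make the five filters above concrete, here is an added illustration (not the column's or ThreatQuotient's code) that re-scores feed indicators against one organization's profile and drops what falls below its risk threshold. The sample feed, the org profile, the placeholder hashes and the weights are all constructed assumptions a team would tune to its own environment.

```python
# Added illustration of relevance-based curation; feed, profile and weights are constructed.
from dataclasses import dataclass
@dataclass
class Indicator:
    value: str
    kind: str            # "hash", "domain" or "ip"
    sectors: set         # industries the feed says this targets (empty = unknown)
    regions: set         # geographies targeted (empty = unknown)
    feed_score: int      # 0-100 confidence as published by the feed

@dataclass
class OrgProfile:
    sector: str
    region: str
    partner_sectors: set     # ecosystem: industries of key third parties
    env: str                 # "endpoint" (distributed workforce) or "network"
    min_score: int           # risk appetite: drop anything scored below this
    internal_sightings: set  # values already seen in SIEM / logs / case data

def relevance(ind: Indicator, org: OrgProfile) -> int:
    # Re-score one feed indicator against this organization's profile (0-100).
    s = ind.feed_score
    if org.sector in ind.sectors or org.region in ind.regions:
        s += 20  # industry/geography match
    elif ind.sectors or ind.regions:
        s -= 20  # targets a sector/region we are not in: likely noise for us
    if ind.kind == "hash" and org.env == "endpoint":
        s += 10  # environment: hashes detect malicious files on endpoints
    if ind.kind in ("domain", "ip") and org.env == "network":
        s += 10  # environment: domains/IPs track suspicious traffic
    if ind.sectors & org.partner_sectors:
        s += 10  # ecosystem: a campaign against a partner may reach us
    if ind.value in org.internal_sightings:
        s += 30  # internal data: already observed in our own telemetry
    return max(0, min(100, s))

def curate(feed: list, org: OrgProfile) -> list:
    # Keep indicators at or above the org's threshold, most relevant first.
    scored = [(i.value, relevance(i, org)) for i in feed]
    return sorted([x for x in scored if x[1] >= org.min_score], key=lambda x: -x[1])

ORG = OrgProfile("healthcare", "EU", {"finance"}, "endpoint", 60, {"192.0.2.7"})  # constructed
FEED = [
    Indicator("hash-placeholder-a1", "hash", {"healthcare"}, {"EU"}, 50),  # 80: keep
    Indicator("phish.example", "domain", {"retail"}, {"APAC"}, 70),         # 50: noise
    Indicator("192.0.2.7", "ip", set(), set(), 30),                         # 60: seen internally
    Indicator("hash-placeholder-b2", "hash", {"finance"}, {"US"}, 40),      # 40: drop
    Indicator("c2.example", "domain", set(), set(), 90),                    # 90: keep
]
```

Note that the low-confidence IP survives only because it was already seen in internal telemetry, while the higher-confidence retail/APAC domain is cut as noise for this organization.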

Customized enrichment sources are foundational to the top use cases security professionals are focused on today. Aggregating and correlating all this data provides context, which is critical to understanding the who, what, where, when, why and how of an attack. And by using the same database for multiple use cases, teams have the benefit of sharing learnings automatically and immediately.

With the ability to analyze intelligence, understand relevance and collaborate, you can begin to prioritize which use case to focus on next – spear phishing, threat hunting, fraud detection, vulnerability management, or incident response. Whether the use case points you to technology for case management, ticketing, log management, SIEM, detection and prevention, vulnerability scanning, or SOAR tools, curated intelligence will allow these technologies to perform as promised and help security teams make decisions and take action with greater confidence.

The medical community is seeing tremendous gains through individualized diagnostics and treatment. It’s time we customize our enrichment sources so we can customize defenses and better treat what ails us.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
