Last month at the Gartner Security and Risk Management conference, I had the opportunity to speak with many CISOs, analysts and other security professionals. One of the common threads through many of these conversations was how to use threat intelligence more effectively to understand and act upon the highest priority threats facing their organizations. They have acquired multiple data feeds from multiple sources, but without the ability to sift through the data it has just become noise. In addition, applying unfiltered threat data to their defenses is generating significant false positives. And now many are left scratching their heads – surely this isn’t the end game.
For many organizations, threat intelligence is at an inflection point; it can either add to the complexity security teams struggle with on a daily basis, or it can provide clarity and enable a more secure future. Which way it goes will depend on your ability to turn threat intelligence into a threat operations program. Mike Rothman, analyst and president of Securosis writes that the inability to learn from attacks, prioritize risk and automate remediation, particularly given the security skills gap, isn’t acceptable. “We have to start thinking differently…building an operational process to more effectively handle the campaigns of adversaries,” Rothman recommends.
In light of this advice, here are five steps to guide you in this journey from threat intelligence to a threat operations program.
1. Aggregate – Establishing a solid foundation for a threat operations program begins with changing how we collect and manage the millions of threat-focused datapoints that analysts are bombarded with every day. What’s needed is a way to bring all this global data together – some from commercial sources, some open source, some industry and some from their existing security vendors – in one manageable location and translate it into a uniform format to achieve a single source of truth. With all your external threat data aggregated for analysis and exporting, you’ve taken a big first step in operationalizing threat intelligence.
2. Contextualize – You then need to augment and add context to the data. One critical, yet not fully utilized resource to ensure relevance to your environment is internal threat and event data. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. Now you’re in a position to begin to analyze and determine which intelligence to focus on first and which can be kept as peripheral.
3. Prioritize – All this data is great but due to the volumes, it generates a great bit of noise. Some threat data feeds and security vendors try to help reduce by publishing risk scores. However, those scores are universal. What you really need is to prioritize based on relevance to your environment. And who is best to determine that for you – a vendor or yourself? What’s noise and a low priority for one business, may be exactly the opposite for another. Changing risk scores so that you can prioritize threat intelligence based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, allows you to filter out what’s noise for you. Now you can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.
4. Utilize – Next comes using that prioritized threat intelligence to detect, respond, anticipate and prevent threats to your organization. When a threat does get through your layers of defense, you now have a single source of truth for better decisions and action. Applying this subset of threat data, specific to your environment, to your existing case management or SIEM solution allows these technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – automatically sending intelligence to your sensor grid (firewalls, IPS, IDS, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk.
5. Learn – The value of a threat operations program doesn’t stop there. Going back to step one, you can keep all this data and context in your repository, add more data and context over time and continuously tune your threat library. Regular updates with pre-processed, contextual and prioritized data, along with the ability for security teams to add comments about their observations into the repository, allow you to capture what you’ve learned about adversaries and their tactics, techniques and procedures (TTPs). Continuous threat assessment – recalculating and reevaluating priorities based on a continuous flow of new data and learnings – helps ensure you’re staying focused on what matters in a highly dynamic environment and getting the most value from your threat intelligence.
As organizations hone in on threat intelligence as a cornerstone to their security posture, they are creating their own Security Operations Centers, incident response capabilities and threat intelligence teams. By turning threat intelligence into a threat operations program not only are you in a better position to reduce risk – now and in the future – but you can also increase protection through an integrated defense and scale, not just threat operations but your entire security operations.