Threat Intelligence Analysts, SOCs and Incident Responders Can Work Together to Take the Right Actions Faster
Remember the old police shows where the officer pulls someone over and then gets on the car radio to report back to the station, call for backup, maybe request an ambulance if needed? This was the reality for many years and acceptable as recently as 15 or 20 years ago. Traditional Land Mobile Radio (LMR) systems worked well if you were dealing with straightforward situations. But when a larger, complex event would happen that required full-scale, immediate response and investigation, communication and collaboration was difficult at best. As technology evolved, police, firefighters, paramedics and the National Guard all starting using different types of radios that didn’t interoperate. They weren’t aware of the orders various teams were receiving, the actions being taken and new information each team was discovering.
Fortunately, technology has caught up to the needs of first responders and defenders. LMR systems now integrate with newer LTE systems and even out to the Internet, satellite or commercial cellular networks for reliable, integrated and interoperable communications for voice, video and data. Today, state, local and federal agencies are much better equipped to collaborate and coordinate response with real-time situational awareness and actionable situational intelligence.
We’re experiencing a similar evolution in the world of cybersecurity. For years, we’ve relied on a defense-in-depth approach to security where each team uses different point products from different vendors to protect valuable digital assets and systems. The problem is that these disparate technologies don’t interoperate, and each has its own intelligence, making it extremely difficult for tools and teams to share intelligence, collaborate and coordinate response. When security teams are dispersed all over the world, the challenge is even greater.
This is where a threat intelligence platform comes into play. It can serve as the glue to integrate these disparate technologies. Automatically exporting and distributing key intelligence across the many different layers of your defense-in-depth architecture, it offers your different security teams access, as part of their workflow, to the threat intelligence they need to improve security posture and reduce the window of exposure and breach. For example, the incident response team uses forensics and case management tools. The malware team uses sandboxes. The security operations center (SOC) uses the SIEM. The network team uses network monitoring tools and firewalls. The endpoint team uses endpoint detection and response tools.
So now that the tools are tied together, what about the teams? Typically, security teams operate in silos. For example, when a threat intelligence analyst researches an event or alert and doesn’t find information that is relevant to them, they tend to put that information aside and move on to the next task. But what if someone else in the SOC, conducting a separate investigation, could have benefitted from that work? Without the ability to collaborate as part of the workflow, key commonalities are missed, and investigations can stall.
To address this aspect of integration, a threat intelligence platform can act as a virtual cybersecurity situation room where team members, sharing the same pool of threat data and evidence, can conduct investigations collaboratively. Seeing the work of others and sharing insights, they can detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. They can also store a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs) which can serve as a centralized memory to facilitate future investigations.
However, as first responders know all too well, once you’ve quickly and accurately assessed the situation, rapid response becomes your mission. Security operations is in the same boat. Reducing mean time to detection (MTTD) through shared understanding and collaboration is great, but now you need to use that advantage to reduce mean time to response (MTTR). The challenge is that most security operations environments are chaotic, with teams acting independently and inefficiently.
A virtual cybersecurity situation room can help here too. Managers of all the security teams can see the analysis unfolding, allowing them to coordinate tasks between teams and monitor timelines and results. Threat intelligence analysts, SOCs and incident responders can work together to take the right actions faster, reducing the time to response and remediation.
When you think about first responders, the need for collaboration is a no brainer. Thankfully, technology has caught up, making this standard practice. Now it’s time for us to apply the same thinking to cybersecurity. Enabling collaboration and coordination across all security teams to accelerate security operations should also be the norm.