In my last article I shared five steps you can take to turn threat intelligence into a threat operations program, putting yourself in a better position to reduce risk – now and in the future. When done right, a threat operations program also allows you to integrate your defenses and scale – not only your threat operations, but your entire security operations since threat intelligence is integral to most aspects of security.
You might be thinking: “Slow down a minute. I just launched my threat operations program. Now you want me to scale too? Why the rush and what’s that going to take?”
Security teams are under pressure to justify intelligence feeds, manpower, tools and budgets. Developing a threat operations program probably required some level of investment in people, process and technology. Scaling your operations allows you to get more from these investments and demonstrate even greater value to the organization – and you already have what you need to get going. Let me explain.
People. Your existing people are key to your operations. We all know there’s a shortage of skilled security professionals, so to do more you need to get more from the team you have. That means helping security analysts focus on what’s important so they can make better decisions faster. The first step is to reduce the noise from the overload of threat data and focus only what is important and relevant to your organization. Relying on “global” scores from intelligence feed vendors can create not only noise, but also false positives since the score is not within the context of your company’s specific environment. Security operators using these global scores find themselves chasing ghosts.
What’s more, many security professionals suffer from a phenomenon called ‘alert fatigue’ – getting overwhelmed by the volume of alerts from SIEMs, ticketing systems and other security technologies. A threat operations program that enables customized threat intelligence scores based on parameters you set, coupled with context, allows for prioritization based on what’s relevant to your specific environment. Systems can now look for the most important and relevant threats, minimizing alerts that are just noise or are false positives.
Technology. Security tools can only handle so much data before performance begins to suffer. Latency increases, packets drop and costs rise. Getting more from your existing infrastructure requires getting the right intelligence to the right tools at the right time. This helps your control points within the network, cloud and endpoint operate at peak efficiency as they receive only the important threat data as part of their protections. With a threat operations program you can automatically send your curated threat intelligence directly to your sensor grid (firewalls, IPS, IDS, NetFlow, etc.) to generate and apply updated policies and rules to mitigate risk. In effect, you’re using curated threat intelligence as the glue to integrate layers of defenses and scale.
In addition, rather than applying threat data from outside feeds directly to your SIEM, you can apply a subset of threat data that has been curated into threat intelligence. Your SIEM generates fewer false positives and encounters fewer scalability issues. With a threat operations program your people are focusing on the right things, and your security infrastructure is too – allowing it to perform more efficiently and effectively as you scale without requiring additional investment.
Process. As with the technologies I talked about above, people have limited capacity as well. Automating processes can help them scale, but you need to understand how and where to best apply automation within existing workflows. In a recent blog, Mike Rothman, analyst and president of Securosis said, “With all the focus on orchestration and automation in security circles, it’s easy to conclude that carbon-based entities (yes, people!) are on the way out for executing security programs. That couldn’t be further from reality.”
I couldn’t agree more. A recent experience test-driving a car with a self-park feature was a reminder of the limitations of automation. In my first attempt to try the feature in the dealership parking lot, the car looked for a parking spot, found one and asked if I wanted to park. I said ‘yes’ but there was a problem. A flag pole was blocking the rear portion of the spot. The car used it’s intelligence to find the spot, but it couldn’t see the flag pole that was in the way. I needed to intervene and look for another spot. Once I did find a suitable spot the car parked flawlessly.
You can encounter similar hazards when applying automation to security operations; you can automate a subset of the steps in the process, those that are repetitive or administrative, but you can’t extract humans entirely. Automation can allow one analyst to accomplish what traditionally might have required four or five analysts to do. It can also free up highly trained analysts to focus on more strategic and meaningful aspects of threat defense and be used to assist less trained practitioners. Automation helps the process to scale and the people to scale, but humans have to remain in the loop at the right steps and time.
With no end in sight to the velocity and volume of internal and external events, data and indicators, when it comes to scaling your security operations the question isn’t: “What’s the rush?” The question is: “Why wait?” Your threat operations program has what you need to scale and get more from your people, processes and technology.