October is National Cybersecurity Awareness Month (NCSAM) and an opportune time to remind every organization of the importance of “awareness” to their cybersecurity programs.
I fully realize you’re already well-aware of the relentless stream of global cyberattacks against organizations and individuals every day. And we all know that security teams are drowning in a sea of alerts, in large part because a defense-in-depth strategy stacks layers of protection that aren’t integrated with each other and that each generate a massive volume of logs and events. Not to mention the numerous threat feeds most organizations subscribe to, from commercial sources, open source, government, industry and existing security vendors. What more do we need to be aware of?
What I’m talking about is contextual awareness so that you don’t spend a good portion of your day responding to calls from management about the latest threat in the headlines. Or drown in a sea of alerts. Or ignore half of those threat feeds because the volume of data is simply too overwhelming to consume. Contextual awareness drives value for security teams of all sizes and capabilities so that we can do more with the resources we have to take the right actions faster to better protect and mitigate risk to our organizations.
Context comes from aggregating internal threat and event data along with external threat feeds in a platform that serves as a central repository and normalizes that data so that it is in a usable format. By enriching events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain context to understand the who, what, where, when, why and how of an attack.
Now you can prioritize based on relevance to your environment. But what is relevant to one company may not be for another. Many intelligence feed vendors provide “global” risk scores, but these can actually add to the noise because the score is computed without any knowledge of your company’s specific environment. It is important to be able to assess and change risk scores based on parameters you set, such as which industries, adversaries, indicator ages or sources matter to you. Filtering out what’s noise for you allows you to understand what to work on first. You can focus on what really matters to your organization rather than wasting time and resources chasing ghosts.
This is the kind of awareness companies need to accelerate security tasks that bog down Tier 1 analysts. For example, by finding the signal through the noise you can simplify and accelerate alert triage. And vulnerability management resources can focus on where the risk is greatest by prioritizing vulnerabilities with knowledge about how vulnerabilities are being exploited.
Contextual awareness also benefits Tier 2/Tier 3 investigation, response and threat hunting activities. Whether digging deeper into an escalated trouble ticket or investigating suspicious behavior observed in the environment, analysts can pivot to adversary and external sources to learn more about associated indicators. They can then search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal threat and event data that suggest possible connections. When proactively hunting for threats, analysts can use data such as the MITRE ATT&CK framework, a knowledge base of adversary tactics and techniques and of the groups and software known to use them. For example, if they are interested in malware currently being used to target their industry, they can use the ATT&CK techniques mapped to that malware to hunt for the corresponding behaviors, related system events and potential indicators of compromise within their environment. Finally, as threat hunting is a continuous process, when new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized to remain relevant.
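To make the aggregation, organization-specific re-scoring and indicator matching described above concrete, here is an added Python example. It is not code from the original post or from any particular threat intelligence platform. The feed records, scoring parameters, event field names and internal events are all constructed for illustration; the weights, thresholds and tag names are assumptions.

```python
"""Added example (not from the original post): normalize external feed
indicators, re-score them with organization-specific parameters instead of
the vendor's "global" score, then match the result against internal events.
Every record, event and weight below is constructed for illustration."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 10, 15, tzinfo=timezone.utc)  # fixed clock for reproducibility

# Constructed external feed records from two sources, each with its own "global" score.
# Note the inconsistent forms: defanged domain, trailing dot, upper-case hash, a bad IP.
FEED = [
    {"source": "vendor_a", "type": "domain", "value": "Update-Check[.]example.",
     "global_score": 90, "tags": ["phishing", "finance"], "first_seen": NOW - timedelta(days=3)},
    {"source": "vendor_a", "type": "ip", "value": "203.0.113.7",
     "global_score": 95, "tags": ["scanner"], "first_seen": NOW - timedelta(days=200)},
    {"source": "osint_b", "type": "sha256", "value": "C0FFEE" + "00" * 29,
     "global_score": 60, "tags": ["finance", "trojan"], "first_seen": NOW - timedelta(days=1)},
    {"source": "osint_b", "type": "ip", "value": "not-an-ip",
     "global_score": 80, "tags": [], "first_seen": NOW},
]

# Organization-specific parameters: the "parameters you set" (assumed values).
PARAMS = {
    "industry_tags": {"finance"},   # tags that describe this organization's sector
    "industry_boost": 25,
    "source_weight": {"vendor_a": 1.0, "osint_b": 0.7},  # trust per feed source
    "stale_after_days": 90,         # indicators older than this are discounted
    "stale_penalty": 0.5,
    "noise_tags": {"scanner"},      # mass-scanning IPs are noise for this organization
    "noise_cap": 20,
}

# Constructed internal events, as a SIEM or log repository might return them.
EVENTS = [
    {"id": 1, "host": "fin-ws-12", "dns_query": "update-check.example"},
    {"id": 2, "host": "web-01", "src_ip": "203.0.113.7"},
    {"id": 3, "host": "fin-ws-04", "file_sha256": "c0ffee" + "00" * 29},
]

DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")]
EVENT_FIELDS = {"ip": ("src_ip", "dst_ip"), "domain": ("dns_query",), "sha256": ("file_sha256",)}


def normalize_indicator(kind, value):
    """Return the canonical form of an indicator, or None if it is malformed."""
    v = value.strip()
    for bad, good in DEFANG:
        v = v.replace(bad, good)
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(v))
        except ValueError:
            return None
    if kind == "domain":
        v = v.lower().rstrip(".")
        return v if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v) else None
    if kind == "sha256":
        v = v.lower()
        return v if re.fullmatch(r"[0-9a-f]{64}", v) else None
    return None


def local_score(record, params, now=NOW):
    """Re-score a feed record with the organization's own parameters (0-100)."""
    score = record["global_score"] * params["source_weight"].get(record["source"], 0.5)
    tags = set(record["tags"])
    if tags & params["industry_tags"]:
        score += params["industry_boost"]
    if (now - record["first_seen"]).days > params["stale_after_days"]:
        score *= params["stale_penalty"]
    if tags & params["noise_tags"]:
        score = min(score, params["noise_cap"])
    return round(min(score, 100))


def build_indicators(feed, params):
    """Normalize and re-score the feed, keyed by (type, value); malformed records are dropped."""
    out = {}
    for rec in feed:
        norm = normalize_indicator(rec["type"], rec["value"])
        if norm is None:
            continue
        out[(rec["type"], norm)] = {**rec, "value": norm, "local_score": local_score(rec, params)}
    return out


def match_events(indicators, events):
    """Match event fields against normalized indicators; highest local score first."""
    matches = []
    for ev in events:
        for kind, fields in EVENT_FIELDS.items():
            for f in fields:
                if f not in ev:
                    continue
                norm = normalize_indicator(kind, ev[f])
                hit = indicators.get((kind, norm)) if norm else None
                if hit:
                    matches.append({"event_id": ev["id"], "host": ev["host"], "indicator": hit["value"],
                                    "local_score": hit["local_score"], "global_score": hit["global_score"]})
    return sorted(matches, key=lambda m: m["local_score"], reverse=True)


def triage_queue(feed=FEED, events=EVENTS, params=PARAMS, threshold=50):
    """Matches at or above the organization's threshold, in the order an analyst should work them."""
    return [m for m in match_events(build_indicators(feed, params), events) if m["local_score"] >= threshold]


if __name__ == "__main__":
    for m in triage_queue():
        print(f"event {m['event_id']} on {m['host']}: {m['indicator']} "
              f"local={m['local_score']} global={m['global_score']}")
```

With these constructed inputs the scanner IP, which carries the highest vendor score (95), is re-scored to 20 because it is stale and tagged as scanning noise, and it drops out of the triage queue; the finance-tagged phishing domain and trojan hash rise to the top even though one of them came from a lower-trust source with a modest global score. The malformed "not-an-ip" record is rejected at normalization rather than silently matching nothing.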
Even companies that don’t have their own security operations centers can benefit from contextual awareness through managed security services providers (MSSPs) or managed detection and response (MDR) services. Providers of these services can use the platform to deliver threat intelligence and security monitoring that’s relevant to your organization. They can also offer additional, high value and customized services such as risk assessments, threat hunting and incident response that focus on the threats that matter most to you and improve your overall security operations.
Now in its 16th year, NCSAM is a great vehicle to raise awareness for cybersecurity and to remind every organization that the ability to improve security operations begins with contextual awareness. How aware are you?