[BreachExchange] Managing Intelligence: Get the Right Threat Data, Not All the Threat Data

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jan 18 18:17:04 EST 2018


https://www.scmagazine.com/managing-intelligence-get-the-
right-threat-data-not-all-the-threat-data/article/734272/

Cybersecurity can look like an arms race at times, with new tools and
threat intelligence feeds popping up to counter every new attack or piece
of malware. At a glance, it seems that there is no limit on the benefits of
threat information sharing. A seemingly infinite supply of indicators is
great in concept (the more we know the better prepared we are, right?), but
the reality is that we only have so much capacity to ingest information.
Raw indicators aren't helping us understand context, so we end up ingesting
all these indicators with no real idea of what a hit on one tells us.
Result: information overload, analyst fatigue, and, at the end of the day,
the really meaningful alerts are lost in the noise.

When your threat feeds become more of a distraction than an enabler, the
tools intended to protect your business can't do their job. Following up on
false positives can send security professionals on a wild goose chase,
wasting your team's time and encumbering triage efforts that could better
root out what data are indicative of potential incidents that might need
addressing. At other times, your team will allocate resources to mitigating
threats that wouldn't have had an impact on the company. Over time, too
much unsorted intel can derail your security regime, as analysts and
tooling are overburdened by unimportant security data.

Instead of reading every report in your threat feed and interpreting all
intel as a threat to your business, it's best to develop an organized
process for curating the data— selecting sources, reviewing intel, and
tagging, organizing, deploying, and monitoring the efficacy of data—so that
it aligns with your organizations visibility and helps guide your (security
operations center) SOC analysts.

8      Tips for Identifying the Threats in Your Intel Feed

1.     Connect your threat model to your business mission. Are the cyber
threats you are focused on the ones that present the greatest risk to the
company's business mission? This might sound obvious until you realize how
much SOC effort is devoted to chasing trivial alerts that don't have much
effect on the company.

2.     Curate your content to eliminate outdated information. False
positives alerting on old threats are an utter distraction and a waste of
space in your threat feed. Attack infrastructure changes over time. Today's
valid threat indicators may be benign come tomorrow. Organize and regularly
review your intel in a way that only relevant and current indicators are
ingested into your network security platform.

3.     Evaluate returns on intel investment. If a particular intel feed
leads to the implementation of specific security controls that block
malware or otherwise prevent incidents, then you have data to back up your
investment. By then eliminating feeds that don't offer measurable value,
you can whittle down a colossal pile of data into a manageable number of
relevant alerts and potentially cut costs and demonstrate investment
returns to your leadership.

4.     Prioritize by protection. When it comes to alerts, some represent
threats and others do not. Identify up front your mission critical
processes and assets, so you know immediately when your organization is
exposed to critical risk, when your analysts have moderate problems to
resolve, and when an alert is just noise. Threats should always be
categorized based on the risk they pose to your environment and prioritized
accordingly.

5.     Fill in the bigger picture. If your indicators are divorced from
context and your team finds itself chasing indicator hits, they may be
missing the forest for the trees. Your team will act more productively if
your content is connected to context. By understanding threats in context,
you'll know when something is actionable and what kind of action it
requires.

6.     Empower the CISO with greater visibility. The CISO needs access to
(visibility into) IT infrastructure, logs, reports, and other information
in order to properly comprehend the state and nature of their attack
surface based on data. They then need to apply that data to know where
their security gaps exist and what to look for. They can also use this data
to realistically gauge their ability to respond to and detect attacks and
to request the resources required to resolve weaknesses and defend
important assets.

7.     Organize your intel based on use-cases. Anything accepted into your
intel feed should be aligned with a use-case methodology that tags and
monitors threats based on attack type. That kind of use-case-driven SOC
organizes your monitoring and detection activities around the most relevant
threat signatures, attack patterns, and methods. How would ransomware hit
your organization? What would specific attacks look like in your security
platform? This kind of analysis can ensure you stay focused on intelligence
that is relevant to the organization.

8.     Play offense as well as defense. Detection tools are great but
security professionals can avoid considerable pain by identifying
weaknesses and proactively reducing that attack surface. This plays into
the suggestions above about reducing the data volume and focusing on
quality intel. Analysts can triage that information, correlate it to
vulnerabilities, and guide the organization to prioritized remediation that
proactively reduces attack surface.

Your threat intelligence capability is only as good as your data
management. By decreasing the total amount of intel and increasing the
density of relevant intel, your team will have an easier time translating
information into insights, and it will have more time to detect and respond
to threats that truly represent the greatest risk to the business.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180118/896062b0/attachment.html>


More information about the BreachExchange mailing list