See how to Amplify your SIEM by Integrating with the ThreatQ Platform
By Liz Bush
SIEMs have been around for decades, designed to replace manual log correlation to identify suspicious network activity by normalizing alerts across multiple technology vendors. SIEMs correlate massive amounts of data from the sensor grid (your internal security solutions, mission-critical applications and IT infrastructure). As organizations are looking at ways to mine through SIEM data to find threats and breaches, they are bringing in threat intelligence feeds to help.
Connecting a single feed directly to a SIEM can be useful, and the popular feeds typically have connectors written to popular SIEMs so you can perform the integration. However, once the threat feed data starts coming into the SIEM, a few challenges quickly emerge.
- Noise/false positives: SIEMs can only apply limited (if any) context to logs and events. Context comes from correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods. Without context it is impossible to determine the “who, what, where, when, why and how” of an attack, in order to assess the relevance to your environment. As a result, SIEMs generate frequent false positives. Security operators end up wasting valuable resources and time chasing problems that don’t matter.
- Number and variety of external threat intelligence sources: Organizations don’t subscribe to just one feed. The average is anywhere from five to eight, from a variety of sources – commercial, industry, government and open source – and these numbers are rising. The SANS 2021 Cyber Threat Intelligence Survey finds that participation in Information Sharing and Analysis Centers (ISACs) has risen to nearly 50%, and that 61% of respondents use government CTI. Moving up the pyramid of pain from indicators of compromise (IoCs), organizations are also bringing in adversary and campaign information from other sources, for example by integrating news and media reporting and intelligence from frameworks like MITRE ATT&CK into their CTI program. All this data is both structured and unstructured (e.g., PDFs, text files, spreadsheets), and SIEMs were never designed to handle the volume and variety.
- Volume of data from external feeds: New research presented at the 29th USENIX Security Symposium finds almost no overlap between the indicator data of two leading threat intelligence vendors, nor between either vendor and four large open source threat intelligence feeds. Even for 22 specific threat actors – which both vendors claim to track – there was only 2.5% to 4.0% overlap between the indicator feeds. With no way to filter all this disparate content, this adds to analysts’ data overload challenge.
- Integration with other security tools: To operationalize threat intelligence via integration with tools like a sandbox, vulnerability assessment tool, firewall, SOAR solution, EDR etc., most threat feeds charge per API connection. This becomes a cost and multiplicity problem, and the picture quickly gets complicated in terms of where the data is coming from and where it is being consumed.
These challenges and others beg the question: How do you solve the problem of bringing together data from multiple sources, contextualize, prioritize and remove noise, so you can focus on what is relevant to your organization and accelerate detection and response?
In a recent webcast, “Amplify your SIEM: Integrations with a Threat Intelligence Platform,” ThreatQuotient’s Anthony Stitt and Robert Streamer show how the ThreatQ platform can help.
Watch the webcast on-demand and see the 20-minute demo of how ThreatQ:
- Connects to all the different external threat data sources available and normalizes, deduplicates and aggregates that data, taking on the data management burden.
- Serves as a long-term repository and leverages a comprehensive data model to store tactical, operational and strategic intelligence.
- Performs scoring, prioritization and lifecycle management, sending only focused subsets of data to the SIEM to eliminate noise and reduce false positives.
- Integrates with any SIEM (in this demo, Splunk) and supports bi-directional integration.
- Enriches logs and internal event data from the SIEM with relevant intelligence.
- Provides a range of operations – through automation, workflows and visualizations – to streamline investigations and decision making and share information with various tools in your security stack.
- Captures feedback from tools along with analysts’ observations and learnings to create organizational memory.
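As an added illustration of the normalize, deduplicate, aggregate and score steps the bullets describe (example code, not ThreatQ's own code or data model), the script below merges records from three constructed feeds, measures how little they overlap, and lets only corroborated, recent indicators through to the SIEM. The feed names, records, type aliases and scoring weights are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records from three hypothetical feeds; the values are
# documentation-range addresses and reserved names, not real indicators.
FEED_RECORDS = [
    {"feed": "vendor_a", "type": "ipv4", "value": "203.0.113.10", "last_seen": "2021-06-01", "confidence": 80},
    {"feed": "vendor_a", "type": "domain", "value": "Example.Test.", "last_seen": "2021-06-10", "confidence": 70},
    {"feed": "vendor_b", "type": "ip", "value": "203.0.113.10", "last_seen": "2021-06-05", "confidence": 60},
    {"feed": "vendor_b", "type": "domain", "value": "other.example", "last_seen": "2021-05-01", "confidence": 50},
    {"feed": "isac", "type": "fqdn", "value": "example.test", "last_seen": "2021-06-12", "confidence": 90},
    {"feed": "isac", "type": "ipv4", "value": "198.51.100.7", "last_seen": "2021-01-01", "confidence": 40},
]
SAMPLE_TODAY = date(2021, 6, 15)  # fixed "now" so recency scoring is reproducible

# Vendors name the same indicator type differently; map them onto one schema (assumed aliases).
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "domain": "fqdn", "fqdn": "fqdn"}

def normalize(rec):
    """Return a canonical (type, value) key so case and trailing-dot differences collapse."""
    return (TYPE_ALIASES[rec["type"].lower()], rec["value"].strip().lower().rstrip("."))

def aggregate(records):
    """Deduplicate across feeds, merging every sighting of an indicator into one entry."""
    merged = defaultdict(lambda: {"feeds": set(), "last_seen": "", "confidence": 0})
    for rec in records:
        entry = merged[normalize(rec)]
        entry["feeds"].add(rec["feed"])
        entry["last_seen"] = max(entry["last_seen"], rec["last_seen"])  # ISO dates sort as strings
        entry["confidence"] = max(entry["confidence"], rec["confidence"])
    return dict(merged)

def feed_overlap(merged, feed_x, feed_y):
    """Fraction of feed_x's indicators that feed_y also reports (the overlap the USENIX study measured)."""
    in_x = [e for e in merged.values() if feed_x in e["feeds"]]
    both = [e for e in in_x if feed_y in e["feeds"]]
    return len(both) / len(in_x) if in_x else 0.0

def score(entry, today):
    """Assumed scoring: 25 per corroborating feed, half the best confidence, plus a recency bonus."""
    age_days = (today - date.fromisoformat(entry["last_seen"])).days
    recency = max(0, 30 - age_days)  # contributes nothing once an indicator is a month stale
    return len(entry["feeds"]) * 25 + entry["confidence"] // 2 + recency

def select_for_siem(records, today, threshold=80):
    """Return only indicators at or above the threshold: the focused subset that reaches the SIEM."""
    merged = aggregate(records)
    return {key: score(e, today) for key, e in merged.items() if score(e, today) >= threshold}
```

Six raw records collapse to four indicators, the two vendors agree on only half of vendor_a's indicators and on none of vendor_b's with the ISAC, and only the two corroborated, recent indicators clear the threshold.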
It’s time to start amplifying the value from your SIEM with effective and efficient threat intelligence management. Watch the demo now.