Blanket Deployment of Intelligence is Counterproductive
POSTED BY RYAN TROST
One of the core workflows within SOC/CIRT teams these days is automatically consuming intelligence in the form of indicators and deploying them to detection technologies. It seems easy and simple, but it also encompasses one of my biggest operational pet peeves: blanket pushing information to tools without really thinking it through. So many teams never stop to consider the dataflows of that information and just PUSH, PUSH, PUSH!!
I have managed a couple of large SOC teams, and in most cases in my initial assessment I noticed the team was ingesting about 20K indicators per day, including commodity junk, DGA, doppelganger FQDNs, and sexier targeted attacks, and then "blanket pushing" everything to everywhere! The result? Some tools drop packets, firewalls and proxies slow to a crawl, and packet capture consistently tips over. Obviously there are a lot of parameters that weigh into the degradation of systems, so I cannot conclusively link these issues to the volume of indicators, but it absolutely amplified the problem.
The ThreatQ threat intelligence platform offers a two-step resolution through our new scoring feature. It starts by properly scoring intelligence for your environment, which I've discussed in detail in multiple blogs and in a new whitepaper. It then fine-tunes exports so that they are technology specific (…novel idea, right?!). The new scoring feature in ThreatQ drastically improves how customers deploy the right intelligence to the right security technologies.
With the new scoring feature, customers can redefine, recalculate and reevaluate threat scores for their specific environment. This capability allows them to quickly become more strategic about WHERE they deploy intelligence! Customers can now export intelligence to specific security technologies with greater confidence and reliability. For example, intelligence with higher threat scores can be deployed to blocking technologies (e.g. firewalls, IPS, DNS, web proxy, endpoint), whereas intelligence that poses less of a threat, or comes from a less reliable source, can be distributed to detection-only technologies (e.g. IDS, netflow). This minimizes false positives where they hurt most, in the tools that block traffic, while still stopping real threats faster. It is a critical capability for companies whose infrastructure tools are already pushed to their limits and whose teams are overburdened.
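The two steps above, rescoring indicators for the environment and then exporting only to the technologies that should receive them, as an added example. This is illustrative code written for this page, not ThreatQ's scoring implementation or export format: the tag weights, the two thresholds, the minimum source reliability for blocking, and the mapping of indicator types to technologies are all assumptions chosen for the example, and the sample feed is constructed from documentation/reserved ranges rather than real indicators.

```python
"""Score-gated, technology-specific indicator routing.

Added example, not ThreatQ code: the tag weights, thresholds and the
technology -> indicator-type mapping are assumptions chosen to illustrate
the two-step idea (rescore for the environment, then export per technology).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    itype: str            # "ip", "fqdn", "url" or "sha256"
    base_score: int       # 0-100 as delivered by the feed
    reliability: float    # 0.0-1.0 confidence in the source
    tags: frozenset = frozenset()


# Environment-specific adjustments (hypothetical): what this SOC cares about.
TAG_WEIGHTS = {
    "targeted": +30,      # seen in attacks against this sector
    "doppelganger": +10,  # look-alike of one of our own domains
    "dga": -25,           # noisy, short-lived: detect, don't block
    "commodity": -20,     # commodity junk from mass feeds
}

# What each technology can actually act on (hypothetical mapping).
BLOCKING = {
    "firewall": {"ip"},
    "dns_rpz": {"fqdn"},
    "web_proxy": {"url", "fqdn"},
    "edr": {"sha256"},
}
DETECTION = {
    "ids": {"ip", "fqdn", "url", "sha256"},
    "netflow": {"ip"},
}

BLOCK_THRESHOLD = 80         # score needed before anything is blocked
DETECT_THRESHOLD = 40        # below this the indicator is not exported at all
MIN_BLOCK_RELIABILITY = 0.7  # never block on a low-confidence source


def environment_score(ind):
    """Recalculate the feed's score for this environment, clamped to 0-100."""
    adjusted = ind.base_score + sum(TAG_WEIGHTS.get(t, 0) for t in ind.tags)
    return max(0, min(100, round(adjusted * ind.reliability)))


def route(indicators):
    """Return {technology: {indicator values}} ready for export.

    High score + reliable source -> blocking tools that handle that type.
    Medium score (or high score from an unreliable source) -> detection only.
    Low score -> dropped, so it never consumes a rule slot anywhere.
    """
    exports = defaultdict(set)
    for ind in indicators:
        score = environment_score(ind)
        if score >= BLOCK_THRESHOLD and ind.reliability >= MIN_BLOCK_RELIABILITY:
            targets = BLOCKING
        elif score >= DETECT_THRESHOLD:
            targets = DETECTION
        else:
            continue
        for tech, handled_types in targets.items():
            if ind.itype in handled_types:
                exports[tech].add(ind.value)
    return dict(exports)


# Constructed sample feed (reserved/documentation values, not real IOCs).
SAMPLE = [
    Indicator("203.0.113.7", "ip", 90, 0.9, frozenset({"targeted"})),
    Indicator("examp1e-login.example", "fqdn", 70, 0.8, frozenset({"doppelganger"})),
    Indicator("xk2jd9sl.example", "fqdn", 85, 0.75, frozenset({"dga"})),
    Indicator("198.51.100.23", "ip", 100, 0.66, frozenset({"targeted"})),
    Indicator("a" * 64, "sha256", 92, 0.9),
    Indicator("192.0.2.50", "ip", 40, 0.5, frozenset({"commodity"})),
    Indicator("http://malicious.example/payload", "url", 95, 0.95, frozenset({"targeted"})),
]

if __name__ == "__main__":
    for tech, values in sorted(route(SAMPLE).items()):
        print(f"{tech:10s} {len(values):2d} -> {sorted(values)}")
```

Running it on the constructed feed sends the targeted IP to the firewall, the hash to the endpoint tool and the URL to the proxy, keeps the DGA and doppelganger domains on IDS only, routes the high-scoring but low-reliability IP to IDS and netflow rather than the firewall, and drops the commodity entry entirely. The reliability gate is the part worth copying: a high base score from a source you do not trust should never be able to block traffic on its own.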