Cyberattacks are Evolving. How to Accelerate Detection and Response with ThreatQ
Leon Ward
You don’t have to look far for proof that cybercrime is soaring to new heights. Early in the pandemic the U.N. reported that cybercrime had increased 600%, and other experts estimate that damages from global cybercrime will reach $10.5 trillion annually by 2025, up from $3 trillion in 2015. Last year alone, we started 2021 in the fog of the SolarWinds attack and finished with the infamous Log4j vulnerabilities, the full impact of which will take years to understand. During the intervening months, supply chain and ransomware attacks made headline news. Attacks against Microsoft Exchange and Windows Print Spooler, Codecov, Kaseya, Colonial Pipeline and other critical infrastructure impacted thousands of organizations and individuals. And more than 80% of ransomware attacks also involved the threat to leak data if the ransom isn’t paid.
For some time now, the mantra for security operations centers (SOCs) has been: “It’s not a matter of if, but when and how we’ll be attacked.” These attacks affirmed that mantra and sent a clear message: for SOCs that have not yet narrowed the focus of their mission to become detection and response organizations, it’s time to get started.
The center of gravity of the SOC used to be the SIEM. But to become a detection and response organization, this must shift. SIEMs have been around for decades, designed to replace manual log correlation to identify suspicious network activity by normalizing alerts across multiple technology vendors. SIEMs were never designed to handle the full threat intelligence management use case or integrate with and handle the volume of data from modern security tools and technologies, including but not limited to Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR).
Detection and response capabilities are not siloed in single tools but extend across the entire ecosystem, which is why organizations need a platform that can integrate with multiple internal and external threat and event data sources (including the SIEM) and support bi-directional integration with the sensor grid. A platform with this type of capability, in effect an open and extensible architecture that supports Extended Detection and Response (XDR), enables the SOC to update its mission.
How it works
We can look at the SolarWinds Orion security breach, a.k.a. SUNBURST, and the ThreatQ Platform for an example of how this plays out.
When SUNBURST made the headlines, security teams around the globe were flooded with questions from their leadership team: What do we know about the breach? Were we impacted? If so, how can we mitigate risk? If not, what can we do to protect ourselves moving forward? Information and preventative measures flooded the security community, from a variety of sources and in a variety of formats—including news articles, blogs and security industry reports, MITRE ATT&CK techniques, indicators of compromise (IoCs) from threat feeds, GitHub repositories, YARA rules and Snort signatures. It was also important to understand the context of the available information. Given the organization’s environment, technology stack, network architecture and risk profile, what was the most relevant and high-priority information to focus on to mitigate risk?
Let’s start with detection. Security teams needed to gain an understanding of the threat quickly, investigate the impact, make decisions and determine what actions to take. Using the ThreatQ Platform to automatically aggregate, normalize and deduplicate data from any source – structured or unstructured, internal or external – they could create a central repository of what was known. Correlating events and associated indicators from inside their environment (from sources including the SIEM, log management repository, case management system and security infrastructure) with external data on indicators, adversaries and their methods provided the context to understand the who, what, where, when, why and how of an attack. The ThreatQ Platform allowed them to adjust risk scores and prioritize threat intelligence based on parameters they set around indicator source, type, attributes and context, as well as adversary attributes. This let them automatically filter out the noise and focus on what really matters to the organization rather than wasting time and resources chasing ghosts.
Now for response. With a complete picture of the attack with context, security teams could enable the data as part of their infrastructure and operations, with the flexibility to do so manually, automatically or some combination. They could see who else within the organization needed to consume and understand this data – the network security team, threat intelligence analysts, threat hunters, forensics and investigations, management, etc. – and share it. They could export the data to their existing infrastructure allowing those technologies to perform more efficiently and effectively – delivering fewer false positives. And they could send the right data back to the right tools across the sensor grid (firewalls, IPS/IDS, routers, web and email security, NDR, EDR, etc.) to generate and apply updated policies and rules to mitigate risk.
In the following days, weeks and months, security teams knew they could rely on the platform to continuously and automatically reevaluate and reprioritize as new data, learnings and observations came in: from tactical intelligence that could be used to create block lists or deploy signatures, to operational intelligence on the techniques used and the tools to watch for, to strategic intelligence identifying likely threat actors and what they are after. SOC analysts remained confident they were focused on the right priorities, addressing incidents faster and making more informed decisions.
The ThreatQ Platform is designed for integrating, automating and operationalizing intelligence, so that the SOC can efficiently and effectively detect and respond to threats across its environment. With the undeniable rise in the volume and velocity of malicious attacks, it’s what SOCs need right now so that they can shift their mission and answer the inevitable wave of questions from their leadership team.
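The detection, response and re-prioritization steps described above (aggregate, normalize, deduplicate, score against analyst-set weights, export only what clears the bar, then re-score as new observations arrive) can be illustrated with a small stand-alone pipeline. The following is an added example written for this article, not ThreatQ code or an approximation of its API: the feeds, the domain, IP and hash values, the source names and every scoring weight are constructed for illustration.

```python
"""Minimal threat-intel aggregation pipeline (added illustration, not ThreatQ code).

Ingests indicators from a structured JSON feed, an unstructured report and an
internal SIEM sighting; normalizes and deduplicates them; scores them from
analyst-set weights on source, type and attributes; exports a block list of
only the high-priority items. Every feed, value and weight below is constructed.
"""
import json
import re
from dataclasses import dataclass, field

# Analyst-set scoring parameters (constructed values, not product defaults).
SOURCE_WEIGHT = {"vendor_feed": 40, "public_report": 25, "internal_siem": 60, "analyst": 50}
TYPE_WEIGHT = {"sha256": 20, "domain": 15, "ipv4": 10}
ATTRIBUTE_WEIGHT = {"c2": 20, "backdoor": 15, "false_positive": -100}
CORROBORATION_BONUS = 10  # per additional independent source reporting the same indicator
BLOCK_THRESHOLD = 70      # minimum score that gets exported to the sensor grid

# Patterns for pulling IoCs out of free text (reports, blogs, advisories).
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}


def normalize(itype: str, value: str) -> str:
    """Canonical form so the same indicator from two feeds collapses to one record."""
    value = value.strip()
    if itype == "domain":
        return value.lower().rstrip(".")  # case-insensitive; drop trailing root dot
    if itype == "sha256":
        return value.lower()              # hex case is not significant
    return value


@dataclass
class Indicator:
    type: str
    value: str
    sources: set = field(default_factory=set)
    attributes: set = field(default_factory=set)

    @property
    def score(self) -> int:
        """Best source weight + corroboration + type + attributes, clamped to 0..100."""
        if not self.sources:
            return 0
        s = max(SOURCE_WEIGHT.get(src, 0) for src in self.sources)
        s += CORROBORATION_BONUS * (len(self.sources) - 1)
        s += TYPE_WEIGHT.get(self.type, 0)
        s += sum(ATTRIBUTE_WEIGHT.get(a, 0) for a in self.attributes)
        return max(0, min(100, s))


class Repository:
    """Central store keyed on (type, normalized value), so ingestion deduplicates."""

    def __init__(self):
        self._items = {}

    def ingest(self, itype, value, source, attributes=()):
        key = (itype, normalize(itype, value))
        ind = self._items.setdefault(key, Indicator(itype, key[1]))
        ind.sources.add(source)
        ind.attributes.update(attributes)
        return ind

    def ingest_structured(self, raw_json, source):
        for rec in json.loads(raw_json):
            self.ingest(rec["type"], rec["value"], source, rec.get("tags", []))

    def ingest_unstructured(self, text, source):
        for itype, pattern in IOC_PATTERNS.items():
            for match in pattern.findall(text):
                self.ingest(itype, match, source)

    def prioritized(self, threshold=BLOCK_THRESHOLD):
        hits = [i for i in self._items.values() if i.score >= threshold]
        return sorted(hits, key=lambda i: (-i.score, i.value))

    def export_blocklist(self, threshold=BLOCK_THRESHOLD):
        """Lines a firewall/EDR integration would consume; low-score noise is left out."""
        return [f"{i.type}:{i.value}" for i in self.prioritized(threshold)]

    def __len__(self):
        return len(self._items)


# Constructed inputs: a JSON feed, a free-text report, and an internal proxy-log sighting.
FAKE_HASH = "a" * 64  # placeholder hash, not a real sample
STRUCTURED_FEED = json.dumps([
    {"type": "domain", "value": "Update.Example-CDN.invalid.", "tags": ["c2"]},
    {"type": "ipv4", "value": "203.0.113.7", "tags": []},
    {"type": "sha256", "value": FAKE_HASH.upper(), "tags": ["backdoor"]},
])
UNSTRUCTURED_REPORT = (
    "Analysts observed the implant beaconing to update.example-cdn.invalid and "
    f"203.0.113.7 over HTTPS. The dropped binary had SHA-256 {FAKE_HASH} and "
    "was built with a known backdoor toolkit."
)


def build_repository() -> Repository:
    repo = Repository()
    repo.ingest_structured(STRUCTURED_FEED, "vendor_feed")
    repo.ingest_unstructured(UNSTRUCTURED_REPORT, "public_report")
    # Correlation with internal telemetry: the domain was seen in proxy logs.
    repo.ingest("domain", "update.example-cdn.invalid", "internal_siem")
    return repo


def reprioritize(repo: Repository) -> Repository:
    """New observations move scores without re-ingesting everything."""
    repo.ingest("ipv4", "203.0.113.7", "internal_siem")              # sighted internally: rises
    repo.ingest("sha256", FAKE_HASH, "analyst", ["false_positive"])  # cleared by analyst: drops out
    return repo


if __name__ == "__main__":
    repo = build_repository()
    print(len(repo), "unique indicators; blocklist:", repo.export_blocklist())
    print("after new observations:", reprioritize(repo).export_blocklist())
```

Three feeds yield three unique indicators because the mixed-case domain with a trailing dot and the upper-case hash normalize to the same records the report mentions. Only the domain (corroborated by three sources and tagged as C2) and the hash clear the threshold on the first pass; the IP stays out as noise until it is also sighted internally, and the hash leaves the block list once an analyst marks it a false positive.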
Ready to get started? Schedule your live demo of the ThreatQ Platform today.