From Threat Intelligence to Data-Driven Use Cases, the Evolution of Security Automation
Julia Weifenbach
Dave Krasik, Director of Product Management at ThreatQuotient, recently had a chance to speak with Ed Amoroso, CEO and founder of TAG Cyber, a leading cybersecurity advisory group, about the state of cybersecurity automation. They covered a lot of ground, and you can listen to the full interview here. Following are a few of the highlights:
Security automation, the early years
As Dave describes, ThreatQuotient’s DNA stems from the threat intelligence area, where our journey to creating the ThreatQ Platform and becoming a leading provider of data-driven security automation began. The founders were at the forefront of working with threat data and wanted a better way than spreadsheets to understand and make use of that data. At the time there were no standard formats, protocols or practices for sharing threat intelligence, so gathering it and using it efficiently and effectively was a challenge. They decided to build a solution to address this need and enhance security operations.
Enabling data-driven security operations
The initial challenges included ingesting, aggregating and normalizing data from different sources, formats and languages into a single object. Each of these steps was a prime candidate for automation, eliminating much of the manual and repetitive work that bogs down analysts, is prone to human error, and delays analysis and action. As security teams began to work with and combine larger and more diverse data sets, the need for automation grew.
The maturation of security automation
The next step in the evolution of data-driven security automation was to determine how to apply automation to be proactive and make data actionable. That means gathering information from disparate tools and teams that might be important and, based on analysis, translating data and pushing information back out for enforcement and to start to block things that might be critical. Tighter integration and automation are required to drive efficiency, standardization, and scale.
The objective is to identify commonalities or relationships across that data and then build it into the data model to reduce time to detect and respond. For example, when analysts conduct investigations, they are able to quickly pivot across different objects to see the complete picture of what is happening.
Integration with tools like MITRE ATT&CK, which is both a solid threat intel data source and a framework for categorizing different events and activities based on tactics, techniques, and procedures (TTPs), enables analysts to make correlations and connections. They can start to understand behaviorally what might be happening, see patterns and learn to proactively prevent attacks in the future.
Data prioritization and the OODA loop
When discussing top skills for security analysts, the topic of the OODA loop (which stands for Observe, Orient, Decide and Act) often comes up. Dave points out that data is foundational to the OODA Loop – the more organizations can invest in the Observe and Orient phases, the more effective they can be in the Decide and Act phases. Focusing on rich contextual data to inform decisions and action is essential. This requires the ability to separate the signal from the noise, which is increasingly difficult as the market has matured and is flooded with threat intelligence sources that generate more data to consume and analyze. Organizations also have vast amounts of past data stored that is helpful for historical analysis. ThreatQ automatically sifts through and prioritizes billions of objects, based on parameters analysts set, so analysts can focus on what is important to their organization.
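The three ideas above (normalizing feeds of different formats into a single object, linking those objects to ATT&CK techniques so an analyst can pivot across them, and prioritizing them by analyst-set parameters) can be shown end to end in a small script. The following is an added illustration written for this article; it is not ThreatQ code and does not reflect how the ThreatQ Platform implements any of these steps. The two feeds, the type vocabulary map, the source names and the scoring parameters are all constructed for the example.

```python
import csv
import io
import json
from dataclasses import dataclass, field
from itertools import chain

# Constructed sample feeds (illustrative values only, not real intelligence).
# The two feeds describe overlapping indicators with different formats,
# field names, type vocabularies and confidence scales.
FEED_CSV = """indicator,kind,confidence,technique
203.0.113.7,ip,80,T1071
evil-update.example,domain,60,T1566
203.0.113.7,ip,50,T1071
"""

FEED_JSON = json.dumps([
    {"value": "203.0.113.7", "type": "ipv4-addr", "score": 0.9, "ttp": "T1071.001"},
    {"value": "EVIL-UPDATE.EXAMPLE", "type": "domain-name", "score": 0.7, "ttp": "T1566"},
    {"value": "198.51.100.23", "type": "ipv4-addr", "score": 0.3, "ttp": None},
])

# Each feed's vocabulary mapped onto one canonical type name (normalization).
TYPE_MAP = {"ip": "ipv4", "ipv4-addr": "ipv4", "domain": "fqdn", "domain-name": "fqdn"}

# Analyst-set prioritization parameters (hypothetical values).
PARAMS = {
    "corroboration_bonus": 10,                     # added per additional independent source
    "technique_bonus": {"T1071": 15, "T1566": 5},  # relevance of ATT&CK techniques to this org
}


@dataclass
class Indicator:
    """One normalized object aggregating every sighting of the same indicator."""
    type: str
    value: str
    sources: set = field(default_factory=set)
    confidences: list = field(default_factory=list)  # all on a 0-100 scale
    techniques: set = field(default_factory=set)     # related ATT&CK technique ids


def parse_csv_feed(text, source):
    """Yield (type, value, source, confidence, technique) tuples from the CSV feed."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (TYPE_MAP[row["kind"]], row["indicator"].strip().lower(),
               source, int(row["confidence"]), row["technique"] or None)


def parse_json_feed(text, source):
    """Same tuple shape from the JSON feed; its 0-1 score is rescaled to 0-100."""
    for rec in json.loads(text):
        yield (TYPE_MAP[rec["type"]], rec["value"].strip().lower(),
               source, round(rec["score"] * 100), rec["ttp"])


def aggregate(records):
    """Merge normalized records into single objects keyed by (type, value)."""
    objects = {}
    for itype, value, source, conf, technique in records:
        obj = objects.setdefault((itype, value), Indicator(itype, value))
        obj.sources.add(source)
        obj.confidences.append(conf)
        if technique:
            obj.techniques.add(technique.split(".")[0])  # roll a sub-technique up to its parent
    return objects


def score(obj, params=PARAMS):
    """Priority = mean confidence + corroboration bonus + technique relevance, capped at 100."""
    mean_conf = sum(obj.confidences) / len(obj.confidences)
    corroboration = params["corroboration_bonus"] * (len(obj.sources) - 1)
    relevance = sum(params["technique_bonus"].get(t, 0) for t in obj.techniques)
    return min(100, round(mean_conf + corroboration + relevance))


def prioritize(objects, params=PARAMS):
    """Return (score, type, value) triples, highest priority first."""
    ranked = [(score(obj, params), obj.type, obj.value) for obj in objects.values()]
    return sorted(ranked, reverse=True)


def pivot_by_technique(objects, technique_id):
    """Pivot from an ATT&CK technique to every indicator related to it."""
    return sorted(obj.value for obj in objects.values() if technique_id in obj.techniques)


def build_objects():
    """Ingest both constructed feeds and aggregate them into normalized objects."""
    records = chain(parse_csv_feed(FEED_CSV, "feed-a"), parse_json_feed(FEED_JSON, "feed-b"))
    return aggregate(records)


if __name__ == "__main__":
    objs = build_objects()
    for s, t, v in prioritize(objs):
        print(f"{s:3d}  {t:5s} {v}")
    print("T1071 ->", pivot_by_technique(objs, "T1071"))
```

The point of the design is that every feed-specific quirk (field names, type vocabulary, a 0-1 versus 0-100 confidence scale, letter case) is absorbed at parse time, so the aggregation, scoring and pivot logic only ever see one object shape. Changing what "important" means for an organization is then a matter of editing the parameters, not the code, which is the behaviour the article attributes to analyst-set prioritization.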
What the future holds: adopting security automation for multiple use cases
AI and machine learning (ML) are capturing a lot of attention, which makes it difficult to separate hype from reality and can cause the market to get ahead of itself. According to Dave, “This isn’t a world where you can let an algorithm run and do all the work for you. I’m not sure we’ll ever get to that point, or even should. Instead, it’s about identifying targeted areas to augment users with ML capabilities. For instance, pulling contextualized and prioritized data points out of stacks of text and giving users suggestions about next actions to take, but not removing them from the process. There’s a lot of value there because the data challenges are so vast.”
Once data is actionable, the next opportunity organizations have is to expand the use of data in an automated fashion and do more detailed analytics around it for more use cases. These include alert triage, threat hunting, spear phishing analysis, incident response and vulnerability prioritization. It comes down to supporting multiple teams with situational awareness in the areas they are responsible for, and providing a common language so they can share data to enable strategic and tactical decision-making and response. By making threat intelligence actionable for a variety of use cases, we have an immediate opportunity to optimize security operations through automation.
You can listen to the full discussion here.