The Road to a Next Generation Security Operations Capability
Posted by Anthony Stitt
Groups like SANS, MITRE, Gartner, Frost & Sullivan, Forrester and IDC all discuss the central role that threat intelligence plays in a modern SOC. Understanding who is attacking you and how they are going about it is a critical capability. But the focus is often on external sources, supported by the idea that the most valuable threat intelligence comes from outside your organization. These sources compile their information by analysing attacks against other organizations around the world. The fact is, the further those targets are from your organization, your industry, your country or your region, the less likely the intelligence is to be relevant to you. Organizations routinely report that the best intelligence comes from organizations like themselves with whom they have some kind of intelligence sharing relationship.
Surprisingly, many businesses ignore internally gathered intelligence, or at the very least, do not leverage it fully. Yet, from the perspective of relevance and context, internal intelligence is about the best you can get because it represents the adversaries, malware, attacks and vulnerabilities your organization is experiencing day-to-day. It is probably already being collected in the form of artefacts from incident response, threat hunting, spear phishing analysis, alert triage, sandboxing, and the like.
Simply leveraging what you already know makes sense, both technically and operationally. But internal sources are often missing the context required to fully action the information. So the real power comes from correlating internal sources with the additional context that external sources provide. It expands the set of related IoCs to watch for, adds information such as the CVEs an adversary exploits so you can compare them against your own vulnerabilities, and can even lead to adversary attribution. Once you have an attribution, frameworks like MITRE ATT&CK will show you the other techniques that adversary is known to use, so you know what else to look out for.
A threat intelligence platform (TIP) is an easy place to collect this information and automatically share it with the systems that can use it to make better decisions. There are four common alternatives to deploying a commercial platform that most organizations consider:
- MISP, the open source Malware Information Sharing Platform: MISP is a useful tool for information sharing, and ThreatQ has an API connector for MISP because so many organizations use it to exchange intelligence. The most common complaint from organizations using MISP as their threat intelligence platform is the high level of scripting and development overhead required to make it work across a broad range of use cases and functions. Capabilities that a commercial TIP provides out of the box, such as scoring, deduplication and indicator expiry, typically require scripting and customisation in MISP. Organizations often find they reach a crossroads over how much development time they are willing to invest to keep moving forward with the platform.
- SIEMs: Sending a single, well-curated threat feed to a SIEM is probably a workable option. But threat intelligence tends to come from multiple sources of varying quality. Often there are duplicates, false positives, and high volumes of low-relevance indicators that trigger false alerts in the SIEM or choke its performance. A threat intelligence platform acts as a pre-processor for threat indicators, sending only the most relevant and correlated intelligence on to the SIEM. It also stores threat intelligence over much longer time horizons than a SIEM retains logs, adding connections between related intelligence from disparate sources across any time period. Finally, the threat intelligence platform treats the SIEM as an intelligence source in its own right by pulling in matching log records, which provides context for incident response and threat hunting.
- Threat intelligence feeds that also include a platform: Vendors providing threat intelligence as a service need to make their data actionable within their customers' environments. Some have developed platforms to act on that data and perform some of the functions of a standalone TIP. Beyond their own intelligence, though, they tend to support only a few of the more common open sources. That matters because the cyber threat intelligence market is dominated by proprietary APIs and data formats beyond STIX and TAXII, and even those standards are not implemented consistently. Commercial TIPs like ThreatQ support a wider range of commercial feeds, open source feeds, enforcement solutions, enrichment services and related systems. API agility is a major issue even among commercial TIPs, either because they are slow to develop connectors or expensive when they do. ThreatQuotient scores well in customer evaluations for API agility, and we include support for all connectors in our base licensing model.
- SOAR platforms: SOAR vendors often mention threat intelligence when discussing their capabilities. SOAR platforms collect and store threat indicators during playbook execution by calling out to threat intelligence sources for scoring and enrichment. They are complementary to TIPs because they can orchestrate the flow of indicators between a threat intelligence platform, SIEM, vulnerability assessment, sandboxes and other security controls such as EDR, DNS or firewalls. SOARs are very useful: they make a typical security operations center (SOC) faster and more efficient, saving a lot of money in the process. But they are not designed to ingest, store, correlate and curate millions of indicators over long time periods the way a TIP is. They also require an upfront investment to document and program SOC "plays", so it is worth first investigating where your analysts are actually spending their time. Ultimately, if a SOAR platform is the right decision for your organization, rest assured that the two systems work well together, letting threat intelligence drive decisions as widely as possible.
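The pre-processing role described above for a TIP in front of a SIEM (deduplicating indicators from several feeds, scoring them, expiring stale ones, and forwarding only the relevant subset), together with the internal-plus-external correlation argued for earlier, can be sketched in a few functions. The following is an added example written for this page, not ThreatQ, MISP or any product's code; the source weights, per-type time-to-live values, allowlist, threshold and the feed records are all constructed assumptions.

```python
"""Indicator pre-processing: normalise, de-duplicate, score, expire, select for SIEM.

Added example for this article; the weights, TTLs and sample feed records below are
constructed for illustration and are not taken from any real product or feed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed source weights; a real TIP would expose these as tunable configuration.
SOURCE_WEIGHT = {
    "internal-ir": 40,    # artefacts from our own incident response
    "isac-partner": 30,   # peer organisation in a sharing group
    "vendor-feed": 20,    # commercial feed
    "open-feed": 10,      # open source feed
}
# Assumed time-to-live per indicator type (days); older sightings are expired.
TTL_DAYS = {"ip": 30, "domain": 90, "sha256": 365}
# Assumed allowlist of values that show up in feeds but are noise for us.
ALLOWLIST = {("ip", "8.8.8.8")}
SIEM_THRESHOLD = 50  # assumed minimum score for forwarding to the SIEM watchlist


@dataclass
class Indicator:
    itype: str
    value: str
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    first_seen: datetime = None
    last_seen: datetime = None


def normalise(itype, value):
    """Undo common defanging and case differences so duplicates collide on one key."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    if itype in ("domain", "sha256"):
        v = v.lower().rstrip(".")
    return v


def merge(records):
    """Collapse raw feed records into one Indicator per (type, normalised value)."""
    merged = {}
    for r in records:
        key = (r["type"], normalise(r["type"], r["value"]))
        ind = merged.setdefault(key, Indicator(*key))
        ind.sources.add(r["source"])
        ind.tags.update(r.get("tags", ()))
        seen = r["seen"]
        ind.first_seen = seen if ind.first_seen is None else min(ind.first_seen, seen)
        ind.last_seen = seen if ind.last_seen is None else max(ind.last_seen, seen)
    return list(merged.values())


def score(ind):
    """Sum source weights; bonus when an internal sighting is corroborated externally."""
    if (ind.itype, ind.value) in ALLOWLIST:
        return 0
    s = sum(SOURCE_WEIGHT.get(src, 5) for src in ind.sources)
    if "internal-ir" in ind.sources and ind.sources - {"internal-ir"}:
        s += 20  # relevant to us (seen internally) and now contextualised (seen externally)
    return min(s, 100)


def is_expired(ind, now):
    return now - ind.last_seen > timedelta(days=TTL_DAYS.get(ind.itype, 30))


def select_for_siem(records, now, threshold=SIEM_THRESHOLD):
    """Return the curated, scored subset worth pushing to a SIEM, highest score first."""
    out = []
    for ind in merge(records):
        if is_expired(ind, now):
            continue
        s = score(ind)
        if s >= threshold:
            out.append({"type": ind.itype, "value": ind.value, "score": s,
                        "sources": sorted(ind.sources), "tags": sorted(ind.tags)})
    return sorted(out, key=lambda d: -d["score"])


# Constructed sample feed records (reserved example names and addresses only).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_RECORDS = [
    # Our IR team saw this C2 domain; a vendor feed lists it defanged with an ATT&CK tag.
    {"source": "internal-ir", "type": "domain", "value": "Update-Cdn.example.net", "seen": days_ago(2)},
    {"source": "vendor-feed", "type": "domain", "value": "update-cdn[.]example.net",
     "seen": days_ago(10), "tags": {"attack:T1071.001"}},
    # Seen only in one open feed: too little corroboration to bother the SIEM with.
    {"source": "open-feed", "type": "ip", "value": "198.51.100.7", "seen": days_ago(3)},
    # Partner and vendor agree on a file hash (same hash, different letter case).
    {"source": "isac-partner", "type": "sha256", "value": "A" * 64, "seen": days_ago(5)},
    {"source": "vendor-feed", "type": "sha256", "value": "a" * 64, "seen": days_ago(20)},
    # Well-sourced but stale IP: last seen 45 days ago, beyond the 30-day IP TTL.
    {"source": "vendor-feed", "type": "ip", "value": "203.0.113.9", "seen": days_ago(60)},
    {"source": "isac-partner", "type": "ip", "value": "203.0.113.9", "seen": days_ago(45)},
    # A public resolver that three sources flag; allowlisted as noise.
    {"source": "open-feed", "type": "ip", "value": "8.8.8.8", "seen": days_ago(1)},
    {"source": "vendor-feed", "type": "ip", "value": "8.8.8.8", "seen": days_ago(1)},
    {"source": "internal-ir", "type": "ip", "value": "8.8.8.8", "seen": days_ago(1)},
]

if __name__ == "__main__":
    for row in select_for_siem(SAMPLE_RECORDS, NOW):
        print(row)
```

Of the ten raw records, only two indicators reach the SIEM: the internally sighted domain (score 80, with the vendor's ATT&CK tag carried along as context) and the partner-corroborated hash (score 50). The open-feed-only IP, the expired IP and the allowlisted resolver are all filtered out before they can generate alerts, which is the noise reduction the SIEM item above is describing.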
We can all agree that threat intelligence plays a central role in the SOC. As you look for a solution to help you collect and correlate external and internal threat intelligence for analysis and action, there are many factors to consider. Be sure you weigh the pros and cons of each option with an eye towards your teams’ current capabilities and capacity and how you expect your needs to evolve over the next few years. Make a choice that works for you now and in the future, as the volume of threat data, range of use cases and security infrastructure you need to manage continues to grow.