Threat Intelligence, Integration and Automation in a Modern SOC
Liz Bush
As organizations continue to evolve their security operations maturity and the SOC increasingly focuses on detection and response, three capabilities are foundational for success – threat intelligence, integration and automation. In a recent webinar, “Evolution of CTI – Use Case in a Modern SOC,” ThreatQuotient’s Yann Le Borgne, together with Ben van Ditmars of Atos and Martin Ohl from McAfee tackle this topic.
In the webinar, Ben shares how the Atos modern day SOC incorporates and applies threat intelligence, along with its many other security tools, to augment collaboration and automation. Ben takes us through the four phases of cyber defense – Predict, Prevent, Detect and Respond – and the role of best-in-class threat intelligence practices in each.
In the predict phase, threat intelligence enables threat analysis, exposure assessment and the ability to anticipate threats and attacks. From there, threat intelligence is leveraged for vulnerability assessments so you can harden systems and isolate systems to prevent attacks. If you aren’t able to prevent an attack, you need to be able to detect it as soon as possible. Contextualized threat intelligence is extremely important for monitoring feeds and the SIEM, as well as for conducting threat hunting, triage and escalation to the response team if necessary. To deploy an adequate response to contain the attack, threat intelligence is essential to investigating incidents, remediation and retrospective analysis to understand the “what, why and where” of the incident and how to prevent it in the future. Closing the loop, observations and lessons learned are fed back into the platform to continue to augment and enrich the threat intelligence.
Ben explains that the ThreatQ platform serves as the glue between these four phases and helps Atos make threat intelligence actionable by ensuring it is accurate, relevant and timely. This is where integration and automation are foundational. He explains the necessity of deep integrations with internal and external threat sources, and of applying automation to aggregate and normalize threat and event data, then score and prioritize it based on parameters the team sets. With the right data, analysts are able to make decisions and take action, leveraging integration and automation to share it with other teams and tools for better, faster and more efficient response.
The ThreatQ platform is the backbone, driving smarter practices back to teams and tools for use in security planning, monitoring and detection, incident response, threat hunting, threat assessment and sharing of threat information. By way of example, Ben discusses three ThreatQ platform integrations – with MVISION Cloud, McAfee SIEM and Siemplify – and explains the type of information that is sent back and forth between these tools and the platform.
McAfee’s Martin Ohl then brings these use cases to life. Leveraging the environment in the McAfee Executive Briefing Center in Amsterdam, Martin provides a live demo of a threat hunting scenario that leverages these integrations and others, including integration between the ThreatQ platform and the MITRE ATT&CK framework. Through the eyes of an analyst, you’re able to see how you can interact with various tools in your ecosystem, sharing data and updating defenses automatically in a programmatic way, or manually if you prefer – for example with your endpoints and web gateways – and even block IP addresses with MVISION Cloud. Martin walks you through the data, relationships and timeline of activities to identify when exposure to the campaign started, as well as the techniques used by the attacker, and the scope and impact of the attack.
Watch the webinar on-demand to see a modernized SOC in action.