The Anomali Blog
The ability to quickly detect and remediate threats has become the primary challenge across the global technology ecosystem. To protect sensitive data and critical systems, organizations must adopt a curated cybersecurity ecosystem that leverages the power of artificial intelligence (AI).
This blog explores the essential role of AI in a cybersecurity ecosystem that includes Threat Intelligence Platforms (TIPs), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR) technologies. We'll discuss the technical aspects while drawing connections to practical business-level security use cases.
Part 1: The Foundation – Threat Intelligence Platforms (TIPs)
A curated cybersecurity ecosystem begins with threat intelligence, a collection of data and information about cybersecurity threats and vulnerabilities. Threat Intelligence Platforms (TIPs) are the cornerstone of this foundation.
Technical Perspective
- TIPs aggregate threat data from various sources, including open-source intelligence (OSINT), commercial feeds (including premium feeds), and internal telemetry. The challenge lies in analyzing and correlating these vast datasets to identify relevant threats, ideally within seconds.
- AI-driven analytics engines can process massive datasets quickly and accurately identify patterns and anomalies. Machine learning models can categorize threat data and assess its relevance to the organization. Using natural language models, SOC analysts can sidestep the need to learn complex query languages and, instead, focus on the matter at hand - protecting the organization against threats.
- Natural Language Processing (NLP) can extract threat indicators and insights from unstructured data sources such as blogs, forums, and news articles. This text analysis allows organizations to stay updated and respond quickly to emerging threats.
Business-Level Use Case
Imagine a large financial institution facing an emerging threat of credential stuffing attacks. By integrating AI-driven TIPs, the organization can automatically identify compromised credential patterns in real time. This proactive threat intelligence enables them to strengthen authentication mechanisms and safeguard customer accounts.
Part 2: The Nervous System – SIEM and AI Synergy
With threat intelligence as the foundation, the nervous system of our curated ecosystem is the Security Information and Event Management (SIEM) system, enhanced by AI.
Technical Perspective
- SIEMs collect and analyze log data from various sources within the organization. The challenge here is dealing with the sheer volume (often measured in petabytes) and variety of logs, which are impossible to analyze manually.
- AI can assist in log analysis by correlating events, detecting anomalies, and identifying potential security incidents. It can often do it quickly enough to stop the threat before it gains traction. It can create baselines of normal behavior and provide immediate and actionable alerts when deviations occur.
- Predictive analytics can help organizations predict potential threats by using historical data and emerging patterns to address vulnerabilities in their security posture preemptively.
Business-Level Use Case
Consider a healthcare provider that must protect electronic health records from insider threats. Integrating AI-enhanced SIEM enables the organization to detect anomalous access patterns to patient records and respond in real time to prevent data breaches. This not only ensures compliance with regulations such as HIPAA but also safeguards patient privacy.
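One way to implement the baseline-and-deviation detection described in the Technical Perspective above, applied to the healthcare access-pattern case, as an added example that is not part of the original post or of any Anomali product: each user's daily count of distinct patient records viewed is baselined against that user's own history, a day that deviates sharply raises an alert, and users with no usable history are surfaced separately rather than silently scored. The log format, user names and counts are constructed.

```python
"""Baseline-and-deviation detection for patient-record access logs.

Added example, not Anomali's code or API: builds a per-user baseline of
distinct records viewed per day and alerts when a day deviates sharply from
it. The log format, users and counts are constructed.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict

# Constructed log format: "<ISO timestamp> user=<id> action=view record=<patient record id>"
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=view record=(?P<record>\S+)$")


def build_sample_logs() -> list[str]:
    """Construct eight days of access logs: seven baseline days plus one evaluation day."""
    daily_counts = {
        "nurse01": [9, 11, 10, 12, 8, 10, 11, 45],    # day 8: sudden bulk access
        "clerk07": [30, 28, 33, 31, 29, 32, 30, 31],  # high but stable volume
        "temp99":  [0, 0, 0, 0, 0, 0, 0, 5],          # no activity before day 8
    }
    lines = []
    for user, counts in daily_counts.items():
        for day, count in enumerate(counts, start=1):
            for i in range(count):
                lines.append(
                    f"2024-01-{day:02d}T09:{i % 60:02d}:00Z user={user} "
                    f"action=view record=P{day:02d}{i:03d}"
                )
    return lines


def distinct_records_per_day(lines: list[str]) -> dict[str, dict[str, int]]:
    """Map user -> day -> number of distinct records viewed. Unparseable lines are skipped."""
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            seen[match["user"]][match["ts"][:10]].add(match["record"])
    return {user: {day: len(recs) for day, recs in days.items()} for user, days in seen.items()}


def detect_anomalies(lines, eval_day, z_threshold=3.0, min_baseline_days=5, min_std=1.0):
    """Alert on users whose distinct-record count on eval_day is far above their own baseline.

    Days with no activity leave no log lines and so are absent from the baseline.
    A user with fewer than min_baseline_days of history gets an 'insufficient_baseline'
    alert instead of a z-score, since a new or rarely active account cannot be
    judged against itself. min_std stops a perfectly regular user from producing
    a division by zero (or an absurd z-score) on a tiny change.
    """
    alerts = []
    for user, days in distinct_records_per_day(lines).items():
        observed = days.get(eval_day)
        if observed is None:
            continue
        history = [n for day, n in days.items() if day < eval_day]
        if len(history) < min_baseline_days:
            alerts.append({"user": user, "observed": observed,
                           "reason": "insufficient_baseline", "z": None})
            continue
        mean = statistics.fmean(history)
        std = max(statistics.pstdev(history), min_std)
        z = (observed - mean) / std
        if z > z_threshold:
            alerts.append({"user": user, "observed": observed, "reason": "deviation",
                           "baseline_mean": round(mean, 1), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_logs(), "2024-01-08"):
        print(alert)
```

In the constructed data, nurse01's jump from about ten records a day to 45 is flagged, clerk07's consistently high volume is not, and temp99 is reported as lacking a baseline rather than being scored.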
Part 3: The Executor – SOAR Technologies with AI Superpowers
Completing the cybersecurity ecosystem is the Security Orchestration, Automation, and Response (SOAR) system, armed with the depth and capabilities of AI.
Technical Perspective
- SOAR systems streamline incident response by automating repetitive tasks and orchestrating workflows. AI comes into play by making these processes far more intelligent and efficient.
- Machine learning algorithms can categorize incidents based on severity and potential impact, enabling automated triage. Natural Language Processing can extract relevant information from incident reports and threat intelligence feeds, addressing executive and practitioner reporting requirements and facilitating compliance with timeframe mandates such as SEC Form 8-K.
- AI-driven automated playbooks can recommend response actions and predict the most effective containment and mitigation strategies for specific threats.
Business-Level Use Case
Imagine a retail giant facing a distributed denial-of-service (DDoS) attack during a major sales event. AI-powered SOAR can detect the attack, assess its severity, and automatically trigger a playbook that redirects traffic, isolates affected servers and communicates with the internet service provider to block malicious traffic. This ensures minimal disruption to the business and maintains customer trust.
Part 4: The Unifying Force – AI in a Curated Ecosystem
In this interconnected cybersecurity ecosystem, AI serves as the unifying force. Its capabilities span threat intelligence, log analysis, and automated incident response, making the entire system more robust and resilient.
Technical Perspective
- AI enables the sharing of threat intelligence data across the organization's security ecosystem. It can automatically categorize threats, prioritize them, and distribute relevant information to SIEM and SOAR systems.
- Machine learning models can evolve and adapt to new threats, learning from past incidents and continuously improving their detection capabilities.
- AI can facilitate communication between different ecosystem components, ensuring a coordinated response to emerging threats and vulnerabilities.
Business-Level Use Case
Consider a global e-commerce company that operates in multiple regions. By implementing AI as the unifying force in their cybersecurity ecosystem, they can ensure that threat intelligence from one region benefits the security posture of all other regions. AI-driven communication enables a swift response to threats that may simultaneously target different parts of the business.
A Future-Proof Cybersecurity Ecosystem
A curated cybersecurity ecosystem, empowered by artificial intelligence, is not only a good answer today; it also evolves to address a changing set of requirements. Organizations must build future-proof defenses that strengthen threat intelligence, log analysis, and incident response, and ensure that these components work seamlessly together to provide protection.
As we move forward, the critical role of AI in cybersecurity will only become more pronounced. Its ability to learn, adapt, and predict threats is a game-changer for businesses seeking to stay one step ahead of cyber adversaries. Embracing AI in your curated cybersecurity ecosystem is not just a technical necessity but a strategic imperative for safeguarding your organization's digital assets and maintaining the trust of your stakeholders.
Cyber threat intelligence is a core component of Zero Trust Architecture (ZTA). ZTA is a security concept and framework that assumes all network traffic is untrusted and requires strong authentication and authorization. Zero-trust policies and controls can be developed and implemented with the support of cyber threat intelligence.
Threat intelligence helps an organization identify and better assess potential threats and risks to its systems and networks, and helps identify known threat actors and the tactics, techniques, and procedures (TTPs) they use. It can also surface emerging threats that were not previously identifiable; that information can be used to enhance security controls and to better monitor for related suspicious activity within the network.
Using Cyber Threat Intelligence in the NIST SP 800-207 Zero Trust Framework
The NIST SP 800-207 guideline, focusing on the Zero Trust Architecture Framework, highlights the vital significance of threat intelligence within this architecture. According to NIST SP 800-207, threat intelligence is an integral element of the Zero Trust framework.
A straightforward illustration: an organization uses threat intelligence to pinpoint a threat actor and the malware tools they employ, and its existing security measures incorporate that intelligence so the malware can be identified and blocked before it infiltrates the network.
Additionally, threat intelligence serves as an educational resource for training employees to identify and respond to potential threats. Within a Zero Trust network environment, all network traffic is viewed as untrusted, so employees must remain vigilant for any signs of suspicious activity. Zero Trust helps organizations recognize and preempt threats at an earlier stage, which in turn shapes the development and deployment of more robust security controls.
According to NIST SP 800-207, titled "Zero Trust Architecture," threat intelligence is crucial in helping organizations gain insights into potential threats and implementing adequate security controls. The guideline underscores that "threat intelligence can be employed to identify known malicious actors and their Tactics, Techniques, and Procedures (TTPs), as well as previously undisclosed emerging threats."
In Figure 2 of NIST SP 800-207, you can observe that threat intelligence is prominently featured as a fundamental logical component within the Zero Trust framework.
Enhancing Zero Trust Security with Anomali's Integrated Threat Intelligence
Anomali's threat intelligence plays a pivotal role in bolstering the implementation of a zero-trust architecture within organizations. It achieves this by furnishing real-time insights into potential threats lurking in their systems and networks. This is made possible through threat feeds, which constantly provide updated information on known malicious actors and their tactics, techniques, and procedures (TTPs). Armed with this threat feed data, organizations can craft and put in place security controls that effectively identify and thwart potential threats before they infiltrate the network.
Anomali ThreatStream brings together external threat intelligence feeds and internal threat intelligence, data, or research to enable analysis and investigations of threats in a single interface and to integrate the threat intelligence with the organization’s security systems (SIEMs, EDR, FWs, etc.) to enable the efficient mitigation of threats.
Importantly, this enables security operations to work with stakeholders to prioritize and remediate threats according to their impact on the business services. Similarly, it allows threat intelligence and incident response functions to prioritize their research/investigative efforts according to the same information in a more coordinated and informed approach across all security teams and stakeholders focused on threats to the organization.
In this manner, ThreatStream provides a technical realization of one of the key objectives of establishing a CTI function: Understanding and mitigating business risk from cyber threats using an automated and integrated Threat Intelligence Platform.
Leveraging MITRE ATT&CK and Anomali Lens for Enhanced Cyber Threat Analysis
The MITRE ATT&CK framework and other threat intelligence models are built into an advanced Investigations Workbench for users to leverage, research, and produce finished intelligence reports for further action.
Anomali Lens is the first natural language processing (NLP) based web content parser that highlights all cyber threat information for further investigation, thereby supercharging Threat Research and Reporting.
Attackers inevitably set the agenda for cybersecurity analysts. Yet CISOs want answers and actions from those same analysts—and they want them now. Analysts are constantly racing against the clock to understand attacks and how to prevent threats from harming their networks.
Anomali Lens enables analysts to work and stay in any single web-content location for faster research and better communicate cyber risk to the executive leadership, which is especially critical in high-pressure environments such as widespread cyber-attacks and high-profile data breaches.
Anomali Lens scans and converts unstructured data, such as news stories, social media, research papers, blogs, paste sites, coding repositories, and internal content sources like SIEM user interfaces, into actionable intelligence. Anomali Lens leverages natural language processing (NLP) that takes unstructured data and identifies threat actors, malware families, and attack techniques as they relate to threat intelligence.
Fortifying Cybersecurity with Zero Trust and Strategic Cyber Threat Intelligence
The NIST SP 800-207 guidelines emphasize the importance of cyber threat intelligence as a vital component of Zero Trust Architecture (ZTA). This strategic incorporation of threat intelligence is essential for organizations to identify and mitigate cyber threats effectively. With tools like Anomali ThreatStream, organizations are equipped with real-time, accurate threat data for crafting proactive and responsive security strategies.
Additionally, the use of frameworks like MITRE ATT&CK and technologies such as Anomali Lens significantly empowers cybersecurity teams. These tools facilitate in-depth threat analysis and expedite the reporting process, enabling swift and effective countermeasures against cyber threats. Combining comprehensive threat intelligence with the disciplined zero-trust approach is crucial in addressing current security challenges and reinforcing defenses against future threats. This approach is key to maintaining a secure, resilient, and well-protected digital infrastructure in the face of increasingly sophisticated and targeted cyber threats.
For more information on the Anomali Threat Intelligence Platform and Lens+, visit their respective pages at Anomali ThreatStream and Anomali Lens.
Security teams have long relied on traditional SIEM solutions as a core element of their cyber defense posture. But limited storage, slow query times, and expensive and complex licensing increasingly constrain legacy SIEMs as an effective defense in today's threat landscape. Rapid data growth leads to exclusions that open blind spots in your attack surface. Furthermore, most SIEMs lack contextual awareness or intelligent correlation to reveal the full scope of attacks.
These limitations become acute during investigations when analysts need to query across months or years of history. Traditional SIEMs often can't scan such wide time horizons when a response is needed in minutes. This leads to missed links between events, incomplete understanding of compromises, and security gaps.
Meanwhile, legacy SIEMs carry exorbitant price tags, often scaling into the millions annually for licenses, storage, and support. Much of this pays for unneeded complexity rather than security outcomes, leading to a growing disconnect between costs and value delivered.
Fortunately, Anomali is introducing a next-gen alternative that modernizes SIEM capabilities. This approach delivers:
- Instant access to all historical data for threat hunting. Lightning-fast searches across petabytes of logs in seconds.
- Attack surface modeling for enterprise-wide visibility. Asset discovery, vulnerability scans, and config data are integrated into a single contextual view.
- Automated correlation of threats across environments. Links global IOCs with internal security events to uncover stealthy attacks.
- Real-time updates on threats at operational and executive levels. Customizable dashboards spanning security operations to the boardroom.
- Affordable pricing starting at a fraction of the cost of legacy systems. Lower TCO by an order of magnitude compared to traditional SIEMs.
This modern architecture provides the speed, scale, and integration needed for data-driven security. It supercharges detection and response while streamlining workflows. Analyst productivity is unleashed to focus on high-value tasks instead of spending days separating signal from noise.
With enterprise-tailored pricing, it finally brings SIEM capabilities within reach of mid-size players. The value delivered far outweighs the costs, freeing up budgets for other security initiatives.
In today's threat landscape, aging SIEMs are a risky liability. Slow hunt times and blind spots introduced by data exclusion leave the door open to breaches. Resource-constrained security teams need every advantage in detection speed, visibility, and productivity.
By adopting next-gen platforms purpose-built for security in the 2020s, organizations can realize order-of-magnitude improvements. This will accelerate threat disruption, reduce dwell times, and minimize business impact of compromises. The choice is clear for CISOs looking to modernize their security foundations.
To learn more about retiring legacy SIEMs for faster threat detection and response, contact us today. We're ready to demo our solution tailored to your use cases and infrastructure.
<p id="">Security teams have long relied on traditional SIEM solutions as a core element of their cyber defense posture. But limited storage, slow query times, and expensive and complex licensing increasingly constrain legacy SIEMs as an effective defense in today's threat landscape. Rapid data growth leads to exclusions that open blind spots in your attack surface. Furthermore, most SIEMS lack contextual awareness or intelligent correlation to reveal the full scope of attacks.<br/></p><p id="">These limitations become acute during investigations when analysts need to query across months or years of history. Traditional SIEMs often can't scan such wide time horizons when a response is needed in minutes. This leads to missed links between events, incomplete understanding of compromises, and security gaps.<br/></p><p id="">Meanwhile, legacy SIEMs carry exorbitant price tags, often scaling into the millions annually for licenses, storage, and support. Much of this pays for unneeded complexity rather than security outcomes, leading to a growing disconnect between costs and value delivered.<br/></p><p id="">Fortunately, Anomali is introducing a next-gen alternative that modernizes SIEM capabilities. This approach delivers:<br/></p><ul id=""><li id="">Instant access to all historical data for threat hunting. Lightning-fast searches across petabytes of logs in seconds.</li><li id="">Attack surface modeling for enterprise-wide visibility. Asset discovery, vulnerability scans, and config data are integrated into a single contextual view.</li><li id="">Automated correlation of threats across environments. Links global IOCs with internal security events to uncover stealthy attacks.</li><li id="">Real-time updates on threats at operational and executive levels. Customizable dashboards spanning security operations to the boardroom.</li><li id="">Affordable pricing starting at a fraction of the cost of legacy systems. 
Lower TCO by an order of magnitude compared to traditional SIEMs.<br/></li></ul><p id="">This modern architecture provides the speed, scale, and integration needed for data-driven security. It supercharges detection and response while streamlining workflows. Analyst productivity is unleashed to focus on high-value tasks instead of spending days separating signal from noise.<br/></p><p id="">With enterprise-tailored pricing, it finally brings SIEM capabilities within reach of mid-size players. The value delivered far outweighs the costs, freeing up budgets for other security initiatives.<br/></p><p id="">In today's threat landscape, aging SIEMs are a risky liability. Slow hunt times and blind spots introduced by data exclusion leave the door open to breaches. Resource-constrained security teams need every advantage in detection speed, visibility, and productivity.<br/></p><p id="">By adopting next-gen platforms purpose-built for security in the 2020s, organizations can realize order-of-magnitude improvements. This will accelerate threat disruption, reduce dwell times, and minimize business impact of compromises. The choice is clear for CISOs looking to modernize their security foundations.</p><p id="">To learn more about retiring legacy SIEMs for faster threat detection and response, contact us today. We're ready to demo our solution tailored to your use cases and infrastructure.</p><p id=""><br/></p>
On July 26, 2023, the Securities and Exchange Commission approved and adopted a new rule within the framework of Form 8-K reporting, which requires public companies to report material events that affect shareholders or investors, and which has now been expanded to include cybersecurity breaches.
The new rule requires companies to disclose information within four business days after determining that a cybersecurity incident is material. The ruling also requires annual disclosure of the following: cybersecurity risk management, strategy, and governance.
This ruling is meant to protect investors and provide more transparency as many breaches go unreported. This is fine, but it also puts a very short timeframe for most companies to 1) determine the extent of the breach, and 2) report out on it. And all of this is separate from actually responding to the breach itself.
So how can Anomali help?
Let’s start with preventing the breach by leveraging the Anomali platform to identify risk, hunt and mitigate threats, and leverage Intelligence and big data at scale and speed.
Anomali Attack Surface Management
A single security gap can leave your organization’s data open to attack. To fortify your attack surface, you must discover all your exposed assets, prioritize them based on the risk they pose to your business, and remediate them quickly.
Modern hybrid environments, distributed workforces, multi-vendor security, and shadow IT make it hard to gain complete visibility and understanding across the enterprise attack surface. To work faster and smarter, security teams need both comprehensive visibility and data-driven insight into each vulnerability and the risk it presents.
Anomali Attack Surface Management continuously inventories and monitors your entire digital footprint, including hardware, applications, SaaS deployments, cloud resources, websites, subdomains, IP addresses, social media accounts, and vendors' infrastructures, as well as the shadow IT assets that leave many organizations exposed.
Ongoing visibility, scanning, and discovery on both sides of the firewall help you track:
- Internet-facing hosts
- Unreachable assets
- SSH services
- Open ports
- CVEs
- CVE exploits
- End-of-life software
- Expired certificates
Anomali Match - Advanced Security Analytics
When a new threat emerges, security teams need answers fast: Have we been impacted? Are we protected? How are we responding? What are we doing to prevent this kind of breach in the future? Match helps improve organizational efficiency and productivity by automating detection activities to immediately profile a threat and its impact on the organization, enabling an effective response. Match collects security telemetry from across your organization – SIEM, EDR, messaging, and network – and integrates layered threat detection to pinpoint relevant threats. Analysts get the actionable intelligence they need to investigate the root cause, or a precise confirmation of an attack, so they can respond immediately.
Pinpoint Relevant Threats: Learn in seconds whether a threat indicator is present in your historical event logs going back years, including asset data, vulnerability scan data, and threat intelligence.
Elevate Strategic Intelligence: View alerts enriched with comprehensive threat intelligence context, MITRE ATT&CK framework IDs, asset criticality, and risk scores.
Accelerate Threat Hunting: Proactively identify threats in your environment based on MITRE ATT&CK TTPs, actors, campaigns, threat bulletins, and vulnerabilities.
Predict the Next Attack: Gain relevant visibility through continuous intelligence monitoring to uncover threats and prioritize response.
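An added example, not Anomali Match's code or API, of the retrospective lookup and enrichment described above: historical events are indexed once by the indicator they contain, each feed indicator is then looked up in that index, and every hit is enriched with asset criticality and the feed's ATT&CK technique to yield a risk score for prioritization. The feed entries, asset inventory and events are constructed samples using reserved documentation address ranges.

```python
"""Retrospective indicator matching with asset-aware risk scoring.

Added example, not Anomali Match's code or API: historical events are indexed
by the indicator they contain, each feed indicator is looked up in that index,
and hits are enriched with asset criticality and the feed's ATT&CK technique
to give a risk score. Feed, assets and events are constructed samples.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    itype: str        # "domain", "ipv4" or "sha256"
    confidence: int   # 0-100, the TIP's confidence in the source
    technique: str    # ATT&CK technique ID the feed associates with the indicator


# Constructed feed. The domain and address come from reserved documentation
# ranges; the hash is that of an empty input, used only because it is well known.
FEED = [
    Indicator("c2.example.net", "domain", 90, "T1071.001"),
    Indicator("198.51.100.7", "ipv4", 70, "T1071"),
    Indicator("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "sha256", 95, "T1204.002"),
]

# Constructed asset inventory: criticality from 1 (low) to 5 (crown jewel).
ASSETS = {"ws-042": 1, "db-prod-01": 5, "jump-01": 4}

# Constructed historical events: (timestamp, asset, observed value, telemetry source).
EVENTS = [
    ("2022-03-14T08:01:12Z", "ws-042", "C2.example.net", "dns"),
    ("2023-11-02T22:47:03Z", "db-prod-01", "198.51.100.7", "netflow"),
    ("2024-01-09T10:30:00Z", "ws-042", "198.51.100.7", "proxy"),
    ("2024-02-01T12:00:00Z", "jump-01", "www.example.org", "proxy"),
]


def build_index(events):
    """Inverted index: normalised observed value -> list of (timestamp, asset, source).

    Built once over the retained history, so each lookup is a dictionary probe
    rather than a scan of the whole event store.
    """
    index = defaultdict(list)
    for ts, asset, value, source in events:
        index[value.lower()].append((ts, asset, source))
    return index


def risk_score(indicator, criticality):
    """Feed confidence weighted by asset criticality, on a 0-100 scale."""
    return round(indicator.confidence * criticality / 5)


def retro_match(feed, index, assets, unknown_asset_criticality=3):
    """Return every historical sighting of a feed indicator, highest risk first."""
    hits = []
    for ind in feed:
        for ts, asset, source in index.get(ind.value.lower(), []):
            # An asset missing from inventory is still a hit: give it a medium
            # criticality rather than dropping it, so the inventory gap gets reviewed.
            crit = assets.get(asset, unknown_asset_criticality)
            hits.append({
                "indicator": ind.value, "type": ind.itype, "technique": ind.technique,
                "asset": asset, "criticality": crit, "timestamp": ts, "source": source,
                "risk": risk_score(ind, crit),
            })
    return sorted(hits, key=lambda h: (-h["risk"], h["timestamp"]))


def sighting_summary(hits):
    """Per indicator: first/last seen and the assets involved (the 'have we seen it?' answer)."""
    summary = {}
    for h in hits:
        s = summary.setdefault(h["indicator"], {"first_seen": h["timestamp"],
                                                 "last_seen": h["timestamp"], "assets": set()})
        s["first_seen"] = min(s["first_seen"], h["timestamp"])
        s["last_seen"] = max(s["last_seen"], h["timestamp"])
        s["assets"].add(h["asset"])
    return summary


if __name__ == "__main__":
    matches = retro_match(FEED, build_index(EVENTS), ASSETS)
    for hit in matches:
        print(f"{hit['risk']:3d} {hit['timestamp']} {hit['asset']:<11} "
              f"{hit['indicator']} ({hit['technique']}) via {hit['source']}")
    for value, s in sighting_summary(matches).items():
        print(f"{value}: first {s['first_seen']}, last {s['last_seen']}, assets {sorted(s['assets'])}")
```

With the constructed data the medium-confidence address seen on the production database outranks the high-confidence domain seen on a low-value workstation, which is the point of weighting by asset criticality rather than by feed confidence alone.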
ThreatStream
Anomali ThreatStream transforms raw data into actionable threat intelligence and insights so you can make informed decisions, respond quickly, and block threats in real-time.
Threat intelligence from hundreds of diverse sources is curated, centralized, and enriched to provide context for SOC alerts and investigations. Relevant intelligence is distributed automatically across your existing security controls to stop breaches and strengthen your attack surface. An integrated investigations workbench deepens insight and accelerates threat research.
Connecting the Anomali Security Operations Platform to the global community of cybersecurity researchers, ThreatStream puts the world’s largest repository of actioned intelligence at your fingertips. High-quality data helps teams investigate security events and assess threats in real time. Filtered for relevance and pushed into Anomali Match, ThreatStream intelligence can be correlated automatically with vulnerabilities in your own environment to enable analytics-powered security operations.
Anomali Lens
Unstructured threat intelligence is a vital resource for analysts and executives, but searching through page after page of documents for relevant information can be arduous and time-consuming—especially when reports of a new cyberattack, data breach, and the associated regulatory response increase the urgency.
Anomali Lens is a powerful Natural Language Processing engine that helps operationalize threat intelligence by automatically scanning digital content (PDF, HTML, Office 365 (Word, Excel, Outlook)) to identify relevant threats and streamline the lifecycle of researching and reporting on them. Available as a browser extension or Office 365 plug-in, Lens automatically highlights information that matters in news articles, threat bulletins, social media, research papers, blogs, coding repositories, and internal content sources, then helps you quickly communicate to inform executives and operationalize this intelligence across your organization to reduce risk.
For security analysts: Quickly capture the full significance and context of a threat, then provide an executive summary with a clear analysis and risk assessment for the organization.
For executives: Gain immediate context for online cyberattack reports with one‐click visibility into the presence or absence of the threat in the organization’s own historic security event logs.
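The first pass that the NLP-based extraction described earlier (the TIP section of Part 1) and the Anomali Lens passages above perform on unstructured content, as an added example that is not Anomali's or Lens's code: a regex-based extractor that refangs defanged indicators, classifies them by type, and discards look-alikes such as file names and malformed addresses. The report text is constructed; its CVE ID is a placeholder and its addresses come from documentation ranges.

```python
"""Extract and normalise threat indicators from unstructured text.

Added example, not Anomali's code: a regex first pass of the kind an NLP
extraction pipeline runs before entity matching. Input text is constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Defanging conventions used in public reporting, mapped back to their real form.
_REFANG = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]

# Indicator patterns; keys are the indicator types reported in the result.
_PATTERNS = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>)\]]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.I),
    "attack_technique": re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
}

# File extensions the domain pattern would otherwise mistake for top-level domains.
_NOT_TLDS = {"bin", "dll", "doc", "docx", "exe", "html", "js", "pdf", "php",
             "ps1", "py", "txt", "xls", "xlsx", "zip"}


def refang(text: str) -> str:
    """Undo common defanging so that the indicator patterns match."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_indicators(text: str) -> dict[str, list[str]]:
    """Return {indicator_type: sorted unique values} found in the text.

    Hashes and domains are lower-cased. IPv4 candidates are validated with the
    ipaddress module so strings like 10.0.256.7 (build or version numbers) are dropped.
    """
    text = refang(text)
    found: dict[str, set[str]] = {kind: set() for kind in _PATTERNS}
    for kind, pattern in _PATTERNS.items():
        for value in pattern.findall(text):
            value = value.rstrip(".,;:")
            if kind == "ipv4":
                try:
                    ipaddress.IPv4Address(value)
                except ValueError:
                    continue
            elif kind == "domain":
                if value.rsplit(".", 1)[-1].lower() in _NOT_TLDS:
                    continue
                value = value.lower()
            elif kind in ("sha256", "sha1", "md5"):
                value = value.lower()
            found[kind].add(value)
    return {kind: sorted(values) for kind, values in found.items() if values}


# Constructed sample report (not a real bulletin). The CVE ID is a placeholder,
# the addresses come from documentation ranges, and the hashes are those of an
# empty input, chosen only because they are well known.
SAMPLE_REPORT = """\
The loader was fetched from hxxps://update-cdn[.]example[.]net/pkg.bin and
beaconed to 203[.]0[.]113[.]45:8443. Initial access abused CVE-0000-00000,
followed by T1059.001 (PowerShell) for execution.
Dropper SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Config MD5: D41D8CD98F00B204E9800998ECF8427E. Build 10.0.256.7 is unaffected.
"""

if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_REPORT).items():
        print(f"{kind}: {', '.join(values)}")
```

A production extractor would add entity matching against known actor and malware names on top of this, which is the part a regex cannot do.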
With only a 4-day window to react, Anomali solutions can not only help prevent a breach but also report quickly when one occurs, providing timely information to CISOs, SOC teams, hunt teams, and regulators.
To see a brief demo video of this capability in action, see http://www.anomali.com/resources/videos/anomali-security-operations-platform-reacting-quickly-to-security-compliance-mandates.
<p id="">The Securities and Exchange Commission on July 26, 2023, approved and adopted a new rule within the Framework of Form 8K reporting - which requires public companies to report on material events that affect shareholders or investors - which has now been expanded to include cybersecurity breaches. </p><p id="">The new rule requires companies to disclose information within <em id="">four</em> business days after determining whether the cybersecurity incident is considered material. Also included in the ruling is the disclosure on an annual basis of the following measures; cybersecurity risk management, strategy, and governance.</p><p id="">This ruling is meant to protect investors and provide more transparency as many breaches go unreported. This is fine, but it also puts a very short timeframe for most companies to 1) determine the extent of the breach, and 2) report out on it. And all of this is separate from actually responding to the breach itself. </p><p id="">So how can Anomali help? </p><p id="">Let’s start with preventing the breach by leveraging the Anomali platform to identify risk, hunt and mitigate threats, and leverage Intelligence and big data at scale and speed.<br/></p><p id=""><strong id="">Anomali Attack Surface Management</strong></p><p id=""></p><p id="">A single security gap can leave your organization’s data open to attack. To fortify your attack surface, you must discover all your exposed assets, prioritize them based on the risk they pose to your business, and remediate them quickly. </p><p id="">Modern hybrid environments, distributed workforces, multi-vendor security, and shadow IT make it hard to gain complete visibility and understanding across the enterprise attack surface. To work faster and smarter, security teams need both comprehensive visibility and data-driven insight into each vulnerability and the risk it presents. 
<br/></p><p id="">Anomali Attack Surface Management continuously inventories and monitors your entire digital footprint, including hardware, applications, SaaS deployments, cloud resources, websites, subdomains, IP addresses, social media accounts, and vendors’ infrastructures— as well as the shadow IT assets that leave many organizations exposed. <br/></p><p id="">Ongoing visibility, scanning, and discovery on both sides of the firewall help you track: <br/></p><ul id=""><li id="">Internet-facing hosts </li><li id="">Unreachable assets</li><li id="">SSH services</li><li id="">Open ports </li><li id="">CVEs</li><li id="">CVE exploits</li><li id="">End-of-life software </li><li id="">Expired certificates </li></ul><p id=""></p><p id=""><strong id="">Anomali Match - Advanced Security Analytics</strong></p><p id=""></p><p id="">When a new threat emerges, security teams need answers fast: Have we been impacted? Are we protected? How are we responding? What are we doing to prevent this kind of breach in the future? Match helps improve organizational efficiencies and productivity by automating detection activities to immediately profile a threat and its impact on the organization to enable an effective response. 
Match collects security telemetry from across your organization – SIEM, EDR, Messaging, and network – and integrates layered threat detection to pinpoint relevant threats and provide analysts with the actionable intelligence required to investigate the root cause or a precise confirmation of an attack to respond immediately.<br/></p><p id=""><strong id="">Pinpoint Relevant Threats </strong>Learn in seconds if a threat indicator is present in your historical event logs going back years, including asset data, vulnerability scan data, and threat intelligence.</p><p id=""></p><p id=""><strong id="">Elevate Strategic Intelligence </strong>View alerts enriched with comprehensive threat intelligence context, MITRE ATT&CK framework IDs, asset criticality, and risk scores.</p><p id=""></p><p id=""><strong id="">Accelerate Threat Hunting</strong> Proactively identify threats in your environment based on MITRE ATT&CK TTPs, actors, campaigns, threat bulletins, and vulnerabilities.</p><p id=""></p><p id=""><strong id="">Predict the Next Attack </strong>Gain relevant visibility through continuous intelligence monitoring to uncover threats and prioritize response.</p><p id=""></p><p id=""><strong id="">ThreatStream </strong></p><p id=""></p><p id="">Anomali ThreatStream transforms raw data into actionable threat intelligence and insights so you can make informed decisions, respond quickly, and block threats in real-time. </p><p id="">Threat intelligence from hundreds of diverse sources is curated, centralized, and enriched to provide context for SOC alerts and investigations. Relevant intelligence is distributed automatically across your existing security controls to stop breaches and strengthen your attack surface. An integrated investigations workbench deepens insight and accelerates threat research. 
</p><p id="">Connecting the Anomali Security Operations Platform to the global community of cybersecurity researchers, ThreatStream puts the world’s largest repository of actioned intelligence at your fingertips. High-quality data helps teams investigate security events and assess threats in real time. Filtered for relevance and pushed into Anomali Match, ThreatStream intelligence can be correlated automatically with vulnerabilities in your own environment to enable analytics-powered security operations. </p><p id=""></p><p id=""><strong id="">Anomali Lens</strong></p><p id=""></p><p id="">Unstructured threat intelligence is a vital resource for analysts and executives, but searching through page after page of documents for relevant information can be arduous and time-consuming—especially when reports of a new cyberattack, data breach, and the associated regulatory response increase the urgency. </p><p id="">Anomali Lens is a powerful Natural Language Processing engine that helps operationalize threat intelligence by automatically scanning digital content (PDF, HTML, Office 365 (Word, Excel, Outlook)) to identify relevant threats and streamline the lifecycle of researching and reporting on them. Available as a browser extension or Office 365 plug-in, Lens automatically highlights information that matters in news articles, threat bulletins, social media, research papers, blogs, coding repositories, and internal content sources, then helps you quickly communicate to inform executives and operationalize this intelligence across your organization to reduce risk. For security analysts: Quickly capture the full significance and context of a threat, then provide an executive summary with a clear analysis and risk assessment for the organization. 
</p><p id="">For executives: Gain immediate context for online cyberattack reports with one‐click visibility into the presence or absence of the threat in the organization’s own historic security event logs.</p><p id="">With only a 4-day window to react Anomali Solutions can not only help prevent a breach but also report quickly when one occurs providing timely information to CIOS's, SOC Teams, Hunt teams, and regulators. </p><p id="">To see a brief demo video of this capability in action, <a href="http://www.anomali.com/resources/videos/anomali-security-operations-platform-reacting-quickly-to-security-compliance-mandates">click here</a>.</p><p id=""></p>
How GPT and Security Analytics accelerate Cybercrime Investigations
Cybercrime has unfortunately become deeply embedded in the current technology landscape. Every single day another enterprise or government entity executes a very public faceplant, and in spite of an endless series of cautionary tales, the dynamic just keeps on executing. This is driven by a broad-based acceleration of attacks, paired with an alarming increase in the sophistication shown by threat actors.
This dynamic hits the CISO most directly, as they are ultimately the ones responsible for cyber security. When their corporate boards start asking sharp questions, they’re the ones responsible for an answer; when the regulators show up and run security audits, they’re held accountable; and when budget considerations surface, it’s always a good news/bad news scenario. On top of all this, there is the issue of an overwhelmed support staff, who are required to do more with less at constantly faster speeds. This sector of the market not only suffers from burnout but also from a massive staffing shortage (3.5 million unfilled positions globally, over 700k just in the US).
What is going on?
While there are a lot of reasons this market is “dynamic”, there are a few core variables that seem to be herding the environment.
First off, a “level” playing field. Adversaries have access to the same technology as the good guys; bad intentions with no skills are suddenly enabled by GPT, while bad intentions with programming skills just became significantly more dangerous. Couple this new capability with (in many instances) deep pockets and no constraints around rules of engagement, and the field isn’t actually level; it's tilted in the wrong direction.
Second, enterprises and government agencies rely on cybersecurity solutions to protect themselves, but these solutions are often the result of organic infrastructure growth (very similar to the overall IT market). Purchases are often made on tactical needs, and there is very little consideration given to a longer-term view of requirements. This happens regularly within departments, and if you start talking cross-divisional requirements, it gets far less coordinated. The net result is siloed solutions that don’t exchange information well (if at all), leading to a complete lack of actionable visibility across the enterprise. When the fan gets hit, no one is in a position to know with precision and speed what’s going on, and therefore no one is in a position to do anything meaningful about it.
Third, this organic model has a heavy reliance on manual (that is, humans in a SOC) analysis of data. This leads to several issues: the amount of data coming in is well past the ability of even an experienced analyst to keep up, the signal-to-noise ratio is off the charts, burnout and associated mental health issues are a real and growing concern, and the threats they are tasked with identifying are harder to spot and coming in at a higher rate. When a potential threat is identified, there is no context to understand the potential severity of the event; has this happened before, in what context, how recently, and what was done about it? Lack of contextual awareness of threats is a huge gap in the market, creating an enormous risk exposure at the worst possible time.
And why is there a lack of context? Short answer - lack of timely access to historical information that is immediately correlated to external threat data. Anything that happens anywhere on a network generates a log file, which means log files can be generated at a rate of millions per second. These then need to be made available for quick access, but that particular bucket gets filled in a hurry, so after (on average) ninety days it gets archived, which means going back further than 90 days requires accessing long-term storage, which is far slower and more expensive. That critical bit of information can tell an analyst the context of an attack, but taking days or weeks to get a response leaves a lot of time to do damage or hide little snippets of code that can lie unnoticed until needed. Knowing what you don’t know about telemetry data, how that correlates to your external threat landscape, as well as how your security stack is optimized to deal with it, is a critical workflow most organizations are lacking. This is now front and center when the CISO is speaking to their board, and having complete actioned visibility driven by integral GPT-enabled security analytics is the difference between getting hit in the head by a pitch, or knocking it out of the park.
How do you get out of this?
The way forward is not particularly difficult, but it is definitely complicated. There are a couple of key moves that can help, starting with correlation. There are functional areas of your security stack that need to be fully aware of each other: your internal telemetry (all the information from your internal systems captured as logs), which should be accessible going back years (not weeks) and accessible immediately through AI-enabled (specifically GPT-enabled) Security Analytics, coupled with current data from your external environment, tracked through a massive and properly (GPT) curated threat repository. Bringing those two pieces together results in continuity of vision; you can see what is going on where and why, how it affects you, and ideally identify threats quickly enough to stop attackers in their tracks.
The other helpful capability is being able to translate dense technical information to executive-level information - which lets your SOC drive operational data into the strategic level of the organization, that is, the folks who decide your budget. Being able to take a massive amount of information and quickly reduce and frame it in a human-meaningful way is a value-add GPT construct. The concern with GPT is that everyone has access to some form of this technology, including cyber adversaries, who have quickly learned to poison data sets that are used to feed open-source GPT solutions. The trick, therefore, is to have a curated, vetted threat repository that protects your GPT-enabled threat intelligence from being corrupted by malicious data.
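The correlation step above (years of internal telemetry matched against an external threat repository) and the executive-level summary step, as an added illustration that is not Anomali product code: a small retro-hunt that matches a constructed indicator feed against constructed event logs and reports, per indicator, first/last sighting, affected hosts, and how many sightings fall inside the 90-day hot-storage window versus older archived telemetry, then renders a one-line non-technical brief. The feed values, log lines, field names, 90-day window and "as of" date are all assumptions.

```python
# Added illustration for this page, not Anomali product code.  The feed values,
# log lines, field names and the 90-day hot window are constructed assumptions.
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

HOT_WINDOW_DAYS = 90          # assumed hot-storage retention before logs are archived
AS_OF = date(2024, 6, 10)     # constructed "today" for the hunt
# Constructed external threat feed; values are documentation placeholders.
THREAT_FEED = [
    {"value": "203.0.113.7", "type": "ip", "campaign": "EXAMPLE-CAMPAIGN-A"},
    {"value": "bad.example.net", "type": "domain", "campaign": "EXAMPLE-CAMPAIGN-A"},
    {"value": "aa" * 32, "type": "sha256", "campaign": "EXAMPLE-CAMPAIGN-B"},
    {"value": "198.51.100.23", "type": "ip", "campaign": "EXAMPLE-CAMPAIGN-C"},
]
# Constructed internal telemetry: "<ISO timestamp> key=value ..." per event.
LOG_LINES = """\
2023-09-14T03:12:44Z host=vpn01 src_ip=203.0.113.7 action=auth_failed
2023-11-20T08:02:11Z host=dns01 query=bad.example.net rcode=NOERROR
2024-03-03T17:45:09Z host=ws17 file_sha256={h} action=exec
2024-05-29T10:15:00Z host=web01 src_ip=203.0.113.7 action=connect
2024-06-01T22:40:31Z host=web02 src_ip=203.0.113.7 action=connect
""".format(h="aa" * 32)
# Assumed mapping from indicator type to the log fields that can carry it.
FIELDS_BY_TYPE = {
    "ip": ("src_ip", "dst_ip"),
    "domain": ("query", "host_header"),
    "sha256": ("file_sha256",),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line: str) -> tuple[datetime, dict[str, str]] | None:
    """Parse one event line; return None for anything that is not an event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    return ts, fields


@dataclass
class IndicatorContext:
    value: str
    ioc_type: str
    campaign: str
    first_seen: datetime | None = None
    last_seen: datetime | None = None
    hot_hits: int = 0        # sightings inside the hot window
    archived_hits: int = 0   # sightings only reachable from long-term storage
    hosts: set[str] = field(default_factory=set)

    @property
    def hits(self) -> int:
        return self.hot_hits + self.archived_hits

    @property
    def needs_archive(self) -> bool:
        # "Has this happened before?" cannot be answered from hot storage alone.
        return self.archived_hits > 0


def retro_hunt(feed, log_lines: str, as_of: date) -> dict[str, IndicatorContext]:
    """Match every feed indicator against every parsable event; keyed by value."""
    hot_cutoff = datetime.combine(as_of, datetime.min.time()) - timedelta(days=HOT_WINDOW_DAYS)
    lookup: dict[tuple[str, str], IndicatorContext] = {}
    contexts: dict[str, IndicatorContext] = {}
    for entry in feed:
        ctx = IndicatorContext(entry["value"], entry["type"], entry["campaign"])
        contexts[entry["value"]] = ctx
        for fld in FIELDS_BY_TYPE[entry["type"]]:
            lookup[(fld, entry["value"].lower())] = ctx
    for line in log_lines.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, fields = parsed
        for fld, val in fields.items():
            ctx = lookup.get((fld, val.lower()))
            if ctx is None:
                continue
            if ts < hot_cutoff:
                ctx.archived_hits += 1
            else:
                ctx.hot_hits += 1
            ctx.first_seen = ts if ctx.first_seen is None else min(ctx.first_seen, ts)
            ctx.last_seen = ts if ctx.last_seen is None else max(ctx.last_seen, ts)
            ctx.hosts.add(fields.get("host", "unknown"))
    return contexts


def brief(ctx: IndicatorContext, as_of: date) -> str:
    """One-line summary in the register a non-technical executive would read."""
    if ctx.hits == 0:
        return f"{ctx.campaign}: no sign of {ctx.value} in our logs."
    age_days = (as_of - ctx.first_seen.date()).days
    source = "archived logs" if ctx.needs_archive else "recent logs"
    return (f"{ctx.campaign}: {ctx.value} seen {ctx.hits}x on {len(ctx.hosts)} host(s), "
            f"first {age_days} days ago ({source}).")
```

Running `retro_hunt(THREAT_FEED, LOG_LINES, AS_OF)` and printing `brief()` for each result shows which "have we been hit?" answers depend on archived data and which indicators are absent.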
A thoroughly curated intelligence repository (like ThreatStream), driven at GPT speeds by robust Security Analytics (like Match), can provide context, do it when it's needed (which is immediately), and do it in a fully automated, exec-friendly fashion (like Lens+GPT). This is, in fact, how you knock it out of the park and into the next county. If you’d like more information on how Anomali is keeping some of the world’s largest companies and government entities one step ahead of their adversaries, please contact us here.
<h2 id=""><strong id="">How GPT and Security Analytics accelerates Cybercrime Investigations</strong></h2><p id="">Cybercrime has unfortunately become deeply embedded in the current technology landscape. Every single day another enterprise or government entity executes a very public faceplant, and in spite of an endless series of cautionary tales, the dynamic just keeps on executing. This is driven by a broad-based acceleration of attacks, paired with an alarming increase in the sophistication shown by threat actors. </p><p id="">This dynamic hits the CISO most directly, as they are ultimately the ones responsible for cyber security. When their corporate boards start asking sharp questions they’re the ones responsible for an answer, when the regulators show up and run security audits, they’re held accountable, and when budget considerations surface it’s always a good news/bad news scenario. And on top of all this, there is the issue of an overwhelmed support staff, who are required to do more with less at constantly faster speeds. This sector of the market not only suffers from burnout but there is also massive underemployment (3.5 million unfilled positions globally, over 700k just in the US).</p><h2 id=""><strong id="">What is going on?</strong></h2><p id="">While there are a lot of reasons this market is “dynamic”, there are a few core variables that seem to be herding the environment. </p><p id="">First off, a “level” playing field. Adversaries have access to the same technology as the good guys; bad intentions with no skills are suddenly enabled by GPT, while bad intentions with programming skills just became significantly more dangerous. Couple this new capability with (in many instances) deep pockets and no constraints around rules of engagement and the field isn’t actually level, it's titled in the wrong direction. 
</p><p id="">Second, enterprises and government agencies rely on cybersecurity solutions to protect themselves, but these solutions are often the result of organic infrastructure growth (very similar to the overall IT market). Purchases are often made on tactical needs, and there is very little consideration given to a longer-term view of requirements. This happens regularly within departments, and if you start talking cross-divisional requirements, it gets far less coordinated. The net result is siloed solutions that don’t exchange information well (if at all), leading to a complete lack of actionable visibility across the enterprise. When the fan gets hit, no one is in a position to know with precision and speed what’s going on, and therefore no one is in a position to do anything meaningful about it.</p><p id="">Third, this organic model has a heavy reliance on manual (that is, humans in a SOC) analysis of data. This leads to several issues: the amount of data coming in is well past the ability of even an experienced analyst to keep up, the signal-to-noise ratio is off the charts, burnout and associated mental health issues are a real and growing concern, and the threats they are tasked with identifying are harder to spot and coming in at a higher rate. When a potential threat is identified, there is no context to understand the potential severity of the event; has this happened before, in what context, how recently, and what was done about it? Lack of contextual awareness of threats is a huge gap in the market, creating an enormous risk exposure at the worst possible time.</p><p id="">And why is there a lack of context? Short answer - lack of timely access to historical information that is immediately correlated to external threat data. Anything that happens anywhere on a network generates a log file, which means log files can be generated at a rate of millions per second. 
These then need to be made available for quick access, but that particular bucket gets filled in a hurry, so after (on average) ninety days it gets archived, which means going back further than 90 days requires accessing long-term storage, which is far slower and more expensive. That critical bit of information can tell an analyst the context of an attack, but taking days or weeks to get a response leaves a lot of time to do damage or hide little snippets of code that can lie unnoticed until needed. Knowing what you don’t know about telemetry data, how that correlates to your external threat landscape, as well as how your security stack is optimized to deal with it, is a critical workflow most organizations are lacking. This is now front and center when the CISO is speaking to their board, and having complete actioned visibility driven by integral GPT-enabled security analytics is the difference between getting hit in the head by a pitch, or knocking it out of the park.</p><h2 id=""><strong id="">How do you get out of this?</strong></h2><p id="">The way forward is not particularly difficult, but it is definitely complicated. There are a couple of key moves that can help, starting with correlation. There are functional areas of your security stack that need to be fully aware of each other; your internal telemetry (all the information from your internal systems captured as logs), which should be accessible going back years (not weeks) and accessible immediately through AI (specifically GPT) enabled Security Analytics, coupled with current data from your external environment, tracked through a massive and properly (GPT) curated threat repository. 
Bringing those two pieces together results in continuity of vision; you can see what is going on where and why, how it affects you, and ideally identify threats quickly enough to stop attackers in their tracks.</p><p id="">The other helpful capability is being able to translate dense technical information to executive-level information - which lets your SOC drive operational data into the strategic level of the organization, that is, the folks who decide your budget. Being able to take a massive amount of information and <em id="">quickly</em> reduce and frame it in a human-meaningful way is a value-add GPT construct. The concern with GPT is that everyone has access to some form of this technology, including cyber adversaries, who have quickly learned to poison data sets that are used to feed open-source GPT solutions. The trick, therefore, is to have a curated, vetted threat repository that protects your GPT-enabled threat intelligence from being corrupted by malicious data.</p><p id="">A thoroughly curated intelligence repository (like ThreatStream), driven at GPT speeds by robust Security Analytics (like Match) can provide context, do it when it's needed, (which is immediately), and do it in a fully automated exec-friendly fashion (like Lens+GPT). This is, in fact, how you knock it out of the park and into the next county. If you’d like more information on how Anomali is keeping some of the world’s largest companies and government entities one step ahead of their adversaries, please contact us here.</p>
Security Operations Centers (SOCs) are the nerve center of cybersecurity defense. The results of both tactical and strategic initiatives are manifested, tracked, and managed at the operational level, and the visualization of that level is the SOC. Despite the critical role they play, SOCs and the people who work there are under tremendous pressure: potential security events are growing exponentially, separating signal from noise is an increasing challenge, and analysts are asked to do more with less while taking on adversaries who are not constrained by rules of engagement.
SOCs are at an inflection point; while pressure to do more with less is increasing, supporting technology is also evolving rapidly to support automation, integration, correlation, and streamlining. Automating and providing better visibility into a Security Operations Center is mission-critical for effective cyber security, with the following considerations:
Security Analytics – Start by running data queries against a significantly larger (historical) data set to build more sophisticated and actionable threat models. You should be able to leverage log data going back years (not months) and immediately correlate historical information to new threats, increasing the efficiency and value of your existing SIEM (Security Information and Event Management) investments. By upleveling log management you can improve your SOC performance in multiple ways, including enhanced threat detection, more proactive threat hunting, contextualization and prioritization of alerts, and more comprehensive integration of threat intelligence.
Real-Time Monitoring – Monitor activity across all security telemetry and potential risk exposure, including cloud environments and your supply chain for immediate visibility and response. Real-time monitoring can improve the performance of the SOC by enabling timely detection, response, and mitigation of security incidents. More rapid threat detection also means reduced dwell time, as well as enhanced incident response and investigation, which can drive timely remediation and containment.
Threat Intelligence Correlation – Enrich and prioritize threat intelligence and attacker insights with data from SIEMs, augmented with curated and peer intel. By integrating data on potential internal attack surfaces with external security threats (including advanced threats that could bypass traditional security models), analysts can contextualize and prioritize security incidents. This can decrease MTTD/R and relieve pressure on security analysts. Properly executed threat intelligence correlation is designed to deliver actionable insights.
Network Security Event Telemetry (NSET) – NSET (e.g. Anomali Match) allows the collection of IoCs across a broad range of indicator types, integrated with threat intelligence and correlated to your potential attack surface. Gain detailed, real-time visibility into network security events to drive SOC performance through early threat detection and rapid, proactive mitigation. This can be used to drive security incident response, compliance monitoring, and accelerate remediation efforts.
Threat Hunting – Anomali can automatically prioritize intelligence and historical telemetry to optimize the threat-hunting process and uplevel the performance and scalability of your SOC team. By having an integrated and comprehensive view of your security landscape (IoCs, security gaps, etc.), your analysts can act on prioritized threats and deliver more efficient triage.
Workflow Automation – Automate precision threat detection and intelligence workflows with attacker context to quickly ingest, prioritize, enrich, score, and distribute intel, automating routine analyst tasks and reducing human errors. Workflow automation can streamline processes, enhance analyst efficiency, reduce costs, and drive a faster response to security incidents.
Collaboration and Knowledge Sharing – Fully integrate threat intelligence data into the analysis of operational and supply chain systems. This will improve incident response effectiveness and drive continuous improvements through the application of best practices not only across your organization but across your entire supply chain ecosystem.
There is a wide range of challenges facing every security operations center, both internally and externally, but the right tools backed by the right policies and procedures can comfortably take your operation to the next level. To gain a real-world perspective on how Anomali’s Security Analytics can help you gain immediate, actionable insights into your security challenges, please contact us here.
<p id="">Security Operations Centers (SOC) are the nerve center of cybersecurity defense. The results of both tactical and strategic initiatives are manifested, tracked, and managed at the operational level, and the visualization of that level is the SOC. Despite the critical role they play, SOCs and the people who work there are under tremendous pressure; potential security events are growing exponentially, separating signal from noise is an increasing challenge, analysts are asked to do more with less and are tasked with taking on adversaries who are not constrained by rules of engagement.</p><p id="">SOCs are at an inflection point; while pressure to do more with less is increasing, supporting technology is also evolving rapidly to support automation, integration, correlation, and streamlining. Automating and providing better visibility into a Security Operations Center is mission-critical for effective cyber security, with the following considerations:</p><p id=""><strong id="">Security Analytics</strong> – Start by running data queries against a significantly larger (historical) data set to build more sophisticated and actionable threat models. You should be able to leverage log data going back years (not months) and immediately correlate historical information to new threats, increasing the efficiency and value of your existing SIEM (Security and Information Event Management) investments. By upleveling log management you can improve your SOC performance in multiple ways, including enhanced threat detection, more proactive threat hunting, contextualization and prioritization of alerts, and more comprehensive integration of threat intelligence.</p><p id=""><strong id="">Real-Time Monitoring</strong> – Monitor activity across all security telemetry and potential risk exposure, including cloud environments and your supply chain for immediate visibility and response. 
Real-time monitoring can improve the performance of the SOC by enabling timely detection, response, and mitigation of security incidents. More rapid threat detection also means reduced dwell time, as well as enhanced incident response and investigation, which can drive timely remediation and containment.</p><p id=""><strong id="">Threat Intelligence Correlation</strong> – Enrich and prioritize threat intelligence and attacker insights with data from SIEMs, augmented with curated and peer intel. By integrating data on potential internal attack surfaces with external security threats (including advanced threats that could bypass traditional security models), analysts can contextualize and prioritize security incidents. This can decrease MTTD/R and relieve pressure on security analysts. Properly executed threat intelligence correlation is designed to deliver actionable insights.</p><p id=""><strong id="">Network Security Event Telemetry (NSET) </strong>– NSET (e.g. Anomali Match) allows the collection of IoCs across a broad range of indicator types, integrated with threat intelligence and correlated to your potential attack surface. Gain detailed, real-time visibility into network security events to drive SOC performance through early threat detection and rapid, proactive mitigation. This can be used to drive security incident response, compliance monitoring, and accelerate remediation efforts.</p><p id=""><strong id="">Threat Hunting</strong> – Anomali can automatically prioritize intelligence and historical telemetry to optimize the threat-hunting process and uplevel the performance and scalability of your SOC team. 
By having an integrated and comprehensive view of your security landscape (IoCs, security gaps, etc.), your analysts can act on prioritized threats and deliver more efficient triage.</p><p id=""><strong id="">Workflow Automation</strong> – Automate precision threat detection and intelligence workflows with attacker context to quickly ingest, prioritize, enrich, score, and distribute intel, automating routine analyst tasks and reducing human errors. Workflow automation can streamline processes, enhance analyst efficiency, reduce costs, and drive a faster response to security incidents.</p><p id=""><strong id="">Collaboration and Knowledge Sharing </strong>– Fully integrate threat intelligence data into the analysis of operational and supply chain systems. This will improve incident response effectiveness and drive continuous improvements through the application of best practices not only across your organization but across your entire supply chain ecosystem.</p><p id="">There is a wide range of challenges facing every security operations center, both internally and externally, but the right tools backed by the right policies and procedures can comfortably take your operation to the next level. To gain a real-world perspective on how Anomali’s Security Analytics can help you gain immediate, actionable insights into your security challenges, please <a href="/resources">contact us here</a>.</p>
<p>Having the right tool for the right job is obviously important, but knowing the subtleties of how to properly use the tool is what separates the reactives from those who always seem to be one step ahead. While being one step ahead is clearly the desired state, it is particularly challenging when dealing with something as complex and dynamic as a Security Operations Center (SOC).</p> <p>SOCs are pretty much front and center in the endless dynamic with threat actors, and there is a highly competitive market of vendors who offer a myriad of SOC solutions to enterprises that are at risk of cyber attacks. The core premise (and this is not limited to cyber security) is that any technology implementation should be driven by business requirements first, rather than technical requirements. This is particularly relevant for SOCs, as any attack that gets by the SOC can have a significant impact across the entire business (as we see, sadly, every day).</p> <p>SOCs by their nature are enormously complex and are often the result of a range of technology solutions cobbled together by technical teams who are deep in the weeds of security and IT infrastructure requirements. The reality is the SOC is there to serve the business and should be optimized around business requirements. In this model, there is no one-size-fits-all approach; security requirements need to be an integral part of business workflows. This is the "we all sink or we all swim" approach to securing the business: when one function is breached, everyone suffers. Different functions (operations vs. marketing) will have very different security needs (since they use different workflows), and the SOC team needs to factor that into the implementation of their security mandates.</p> <p>The workflow variable is particularly important since many SOC issues are not subject to technology fixes. 
Vulnerabilities can often be a function of improper governance, lax security protocols at the employee level, or a lack of alignment between business functions. For SOCs to reach an optimal level of effectiveness, business stakeholders need to be part of the security framework. SOC analysts need to engage with business stakeholders at the executive, operational, and tactical levels (similar to how intelligence requirements are scoped). When security analysts understand the business needs and associated workflows, they are in a much stronger position to deliver intelligence and threat assessments that will make sense to business stakeholders.</p> <p>Identifying the right stakeholders and understanding their process requirements and potential attack surface early in the process is critical. Equally important is ensuring clear communication; non-technical stakeholders (who will have valid concerns) need to be educated by SOC staff to understand what is at stake and why security now needs to be integral to how their functions operate. This means part of the SOC team's purview will be end-user education at multiple levels. Creating a narrative that describes the risk associated with security exposures in terms of a business function's day-to-day operation is a great way to add context and increase alignment between technical and business staff.</p> <p>Creating an effective threat intelligence program means the right resources are allocated properly (security resources focused on maximizing business value), agreed-upon metrics are in place and updated continuously, and there is a security roadmap that everyone understands and has bought into. 
This also means operating at three levels:</p> <ul> <li>Strategically: what are longer-term security requirements that need to be addressed at the executive level?</li> <li>Operationally: looks at SOC-specific drivers such as threat actor TTPs (tactics, techniques, and procedures) and the correlation of attack surfaces to external threat data</li> <li>Tactically: dealing with specific incidents of concern (IoCs), along with threat detection</li> </ul> <p>This also means security governance requirements and their associated protocols need to be managed on multiple levels, updated continuously, and kept contextually relevant to all stakeholders. To get a more detailed walkthrough of how to align your security and business needs, please check out this <a href="https://www.anomali.com/resources/whitepapers/tips-for-selecting-the-right-tools-for-your-security-operations-center?publisher_status=draft&publisher_key=O3iCzsSu">Gartner report</a>.</p>
<p>The state of Maryland is 42nd in size. Pretty small, particularly if you're looking at it from California. However, this small state punches far above its weight when it comes to cybersecurity. There is a very high concentration of both federal agencies and military installations, including the NSA and U.S. CyberCommand, as well as a very high density of defense and intelligence contractors. The cybersecurity talent pool in this state is both broad and deep and is backed by strong education and business ecosystems.</p> <p>Anomali recently conducted an interview with <a href="https://www.linkedin.com/in/thechipstewart/">Chip Stewart</a>, who was the former CISO (Chief Information Security Officer) for the state of Maryland from 2019 to 2023, effectively the person responsible for cybersecurity for the state that has the highest cybersecurity presence in the U.S.</p> <p>Surprisingly, the cybersecurity program for the State of Maryland is relatively new. The program was put in place in 2019 and was officially signed into law in May 2022. This initiative was triggered by events that served as a strong cautionary tale for cybersecurity for government entities, specifically the <a href="https://en.wikipedia.org/wiki/Atlanta_government_ransomware_attack">SamSam ransomware attack</a> in Atlanta in 2018, and the <a href="https://en.wikipedia.org/wiki/2019_Baltimore_ransomware_attack#:~:text=On%20May%207%2C%202019%2C%20most,for%20keys%20to%20restore%20access.">Robbinhood ransomware attack</a> in Baltimore in 2019. 
Although the ransomware used in both cases was different, they both exploited the same loophole – lax or underfunded security initiatives, and both had essentially the same effect; critical government services were taken down for weeks, resulting in significant business and economic disruptions.</p> <p>Not only are attacks of this type increasing in magnitude and frequency, but the effects of these attacks are also becoming more extensive due to interdependencies in the state's technology infrastructure (which was part of the impetus to codify cybersecurity at the state government level). Very few systems that deliver services to constituents exist in isolation, so when one gets hit, everything downstream is at risk.</p> <p>Another risk variable is how the state's cybersecurity model is implemented. Per Stewart, there are generally three operating models:</p> <ul> <li>Centralized – where management and execution are controlled at the executive branch level.</li> <li>Federated – where cybersecurity services are shared across state entities.</li> <li>Decentralized –where every agency or entity does what it thinks is best.</li> </ul> <p>The same operational models also apply to county and local governments, municipalities, etc. Overall, Mayland (and many other states as well) operate in a very decentralized model. While all three models co-exist, coordinating authority and control of execution in the event of a threat can be complex due to the lack of direct authority. The type of framework mandates strong partnerships but often includes the risk that everyone is doing their own thing. This is very different from the private sector, where cybersecurity is much more tightly controlled.</p> <p>The impact of a cyberattack on a private sector entity is also different; most often a cyber failure has a financial impact (disruption of finances or livelihood). 
In addition to financial impacts, disruption at the government level can have a direct impact on people's lives because of the critical nature of government services. This is exacerbated by what is often a far more complex organizational structure and the more pervasive impact of failure. Because of this, it is critical that cyber-resilience is baked into the public sector's security infrastructure.</p> <p>In both public and private sector instances, the buck generally stops with the CISO, who often does not have direct authority over the range of cybersecurity issues that state and local governments face. This is already a high-visibility position, and when things go off the rails it can be easy for people who lack context or understanding to point fingers. This is part of the reason that the CISO's role has recently become more evangelical; these are business issues at their core (whether private or public), so there is a strong need to contextualize the business benefits of investing in threat prevention and event remediation.</p> <p>The same holds for the CISO role in the private sector, particularly in large, complex enterprises. Everyone understands the need for security at a basic level, but there is always a tendency to hit the pause button when the costs of new or expanded technologies enter the conversation. This is perhaps somewhat more straightforward in the private sector: most businesses are about making money, and anything that disrupts that (like breaches) is likely to be addressed more quickly. Nevertheless, in most companies, the people who can write big checks are not going to be interested in low-level product details. 
Focus on the value delivered to the business through better security management, and you're more likely to get buy-in at the executive level.</p> <p>In the case of the State of Maryland, the rationale for building out a cyber threat intelligence (CTI) program began with the notion that CTI is the core component of operational security; it is a driver of actioned intelligence and can reduce asymmetric engagement with threat actors. Because of the recent high-profile incidents, they were able to build out their team quickly, hiring from the local intelligence community, with strong support at the executive level. Their initial focus was on how to curate disparate signals into actionable threat intelligence, and like most early program investments, they needed to show ROI quickly.</p> <p>This, of course, raises one of the classic quandaries of cybersecurity: if something bad happens, the SOC gets blamed and budgets tend to get reduced; if nothing bad happens (because they were doing their job well), there is no apparent need to keep funding. This dynamic is the basis for moving the conversation away from features, and even benefits, to one of value. It also helps to broaden the conversation to include the community (e.g. ISACs) and technology partners who have a vested interest in their customers' long-term success.</p> <p><em>This blog is the first of a two-part series, and the full video interview is also available <a href="https://www.anomali.com/resources/webcasts/a-ciso-perspective-from-threat-landscape-insights-to-transformation-programs">here</a>.</em></p>
<p>Security Information and Event Management (SIEM) systems originated as an integration of two separate but parallel product categories: Security Information Management (SIM) and Security Event Management (SEM). SIMs focused primarily on collecting, storing, and analyzing log data from security devices and systems, while SEMs focused on real-time monitoring and analysis of security events. The two disciplines merged when Gartner analysts Mark Nicolett and Amrit Williams coined the term SIEM in a research report published in 2005. At the time, the merger made sense; the need for a comprehensive solution was becoming pervasive, and security and IT vendors leaned in quickly.</p> <p>SIEMs were effective at collecting data from sources generating logs, indexing it, and storing it in a log repository (which turned out to be useful for compliance purposes). They were (and still are) effective at using rules, signatures, and analytics to identify known threats when predetermined criteria are met, then feeding those detections into workflows, case management, and collaboration tools. As useful as SIEMs have been, they are now running into hard limitations, including:</p> <h2>Visibility</h2> <ul> <li><strong>Lack of context</strong>: Because SIEM systems typically rely on rules and signatures to identify security events, they provide little external context about the alerts they generate. A lack of actioned visibility leads to an incomplete or inaccurate understanding of the severity of an incident, making it hard for security analysts to stay ahead of a complex, dynamic threat environment.</li> <li><strong>Log data source limitations</strong>: SIEM solutions rely on log data from many sources, but they may not collect all relevant logs. They may also fail to capture critical information because of cost or storage limits, limitations in the log sources themselves, or network configuration and compatibility requirements. 
These limitations leave blind spots in the security monitoring process.</li> <li><strong>Limited threat intelligence integration</strong>: While SIEM solutions often incorporate threat intelligence feeds, the integration with (for example) intrusion detection systems, firewalls, or vulnerability scanners, and the process for updating it, may not be seamless or may be missing entirely, leaving the SIEM working from outdated threat intelligence. A real-time solution that provides actionable visibility by integrating external threat intelligence with internal attack surface information is mission-critical for any enterprise subject to cyber threats.</li> </ul> <h2>Automation</h2> <ul> <li><strong>Alert fatigue</strong>: SIEM technologies generate a large number of alerts, many of which are false positives (benign events flagged as malicious) or low-priority events, while the same rule sets also produce false negatives (genuine incidents that never raise an alert at all). The noise can overwhelm security teams, making it difficult to pick out the signal of genuine threats.</li> <li><strong>Limited automation and response capabilities</strong>: SIEM systems often lack robust automation and response features, particularly where complex correlation is required, and many offer only limited monitoring and threat detection in cloud-based environments. The result is that security teams must manually investigate and respond to alerts.</li> <li><strong>Inability to handle large-scale data</strong>: SIEM technologies often struggle with the volume and velocity of data generated by modern networks and systems. Ingestion backlogs and slow queries delay processing and analysis, so time-sensitive security events can be missed.</li> </ul> <h2>Optimization</h2> <ul> <li><strong>Complex configuration and maintenance</strong>: Setting up and maintaining a SIEM system is expensive, complicated, and time-consuming, requiring expertise in configuring log sources, creating correlation rules, and keeping the system up to date. 
An overly complex user experience can also hinder adoption, which limits its use by non-technical staff who may need to interact with SIEM data.</li> <li><strong>Difficulty in identifying advanced threats</strong>: Traditional SIEM technologies focus on known patterns and signatures, making it difficult to quickly identify sophisticated and evolving threats that do not match predefined rules. A lack of advanced search capabilities and intuitive user interfaces increases the time needed for investigation, particularly when the activity falls outside the scope of known threats.</li> <li><strong>Poor scalability</strong>: Scaling a SIEM system to handle increased data volumes, additional log sources, or distributed networks can be challenging, requiring significant investment in infrastructure or licensing, costs that are amplified for enterprises undergoing digital transformation. A lack of scalability also limits retention, giving an incomplete picture of past events: many SIEM deployments cannot economically keep or query months or years of history, so reaching archived data is slow and expensive.</li> </ul> <p>SIEMs still have a critical role to play in the security framework of any organization. However, a more forward-leaning approach is needed to stay ahead in the modern threat landscape while maximizing the value of a non-trivial SIEM investment. This requires thinking along three vectors:</p> <p><strong>Actioned Visibility</strong> – Being able to take immediate action across all security telemetry and supply chains to address potential threats before they move into execution mode. This requires visibility beyond the scope of traditional SIEMs, including threat and attacker insights augmented with curated and peer intel, delivering context that goes far beyond current SIEM storage limits. This can reduce investigation cycle times from weeks to minutes. 
</p> <p><strong>Automated SecOps</strong> – Events are arriving at higher speed and volume, and security analyst burnout is becoming pervasive. Automated workflows supported by AI engines can deliver high-fidelity, signal-based threat correlation and analytics to automate routine analyst tasks such as intelligence analysis, triggering investigations, identifying security gaps, and updating security posture. Analysts will be in a much better position to separate signal from noise, handling threat detection with speed (e.g. a 90% reduction in the time required for investigations), precision and context, while reducing the stress associated with unsustainable workloads.</p> <p><strong>Optimized Cyber Stack</strong> – Being able to extract more value from your existing security infrastructure to understand risk exposure, prioritize security investments, and capture and share intelligence with security controls to identify attacker TTPs and prevent breaches. Enterprises run a significant number of specialized security solutions that are not fully integrated with external defense resources such as ISACs or MITRE ATT&CK. Integrating operational security data with business context enables CISOs to make informed decisions, and correlating dynamic data sources into an actionable framework lets analysts deliver a more significant impact; it is a genuine force multiplier.</p> <p>An approach using these three vectors already exists and is in use in some of the most demanding security environments across a broad range of industries. To learn more about Anomali, please visit <a href="https://www.anomali.com/platform">https://www.anomali.com/platform</a>.</p>
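<p>As an added example (not code from the original post or from Anomali), the following Python script shows the kind of predetermined-criteria correlation a SIEM rule performs, and what a threat-intelligence lookup adds to the resulting alert. The authentication log lines, the single indicator entry, its tags and confidence, and the rule thresholds are all constructed for illustration. The bare rule match carries only the fields the log itself holds, which is the "lack of context" limitation described above; the enrichment step is where a TIP supplies the external context.</p>

```python
"""Rule-based correlation of the kind a SIEM performs, plus the external
context a threat-intelligence lookup adds. Added example, not code from the
original post or from Anomali; log lines, indicator entry and thresholds are
constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: timestamp, outcome, user, source IP.
SAMPLE_LOG = """\
2023-06-05T10:00:01Z FAIL    user=alice src=203.0.113.7
2023-06-05T10:00:09Z FAIL    user=alice src=203.0.113.7
2023-06-05T10:00:15Z FAIL    user=alice src=203.0.113.7
2023-06-05T10:00:22Z FAIL    user=alice src=203.0.113.7
2023-06-05T10:00:30Z FAIL    user=alice src=203.0.113.7
2023-06-05T10:00:41Z SUCCESS user=alice src=203.0.113.7
2023-06-05T10:05:00Z FAIL    user=bob   src=198.51.100.4
2023-06-05T10:20:00Z SUCCESS user=bob   src=198.51.100.4
2023-06-05T11:00:00Z FAIL    user=carol src=192.0.2.9
2023-06-05T11:00:05Z FAIL    user=carol src=192.0.2.9
2023-06-05T11:30:00Z SUCCESS user=carol src=192.0.2.9
"""

# Constructed threat-intelligence context keyed by indicator value. A TIP
# would supply this from curated feeds; the tags and confidence are made up.
TI_CONTEXT = {
    "203.0.113.7": {"tags": ["credential-stuffing", "tor-exit"], "confidence": 85},
}


def parse_events(text):
    """Parse the constructed log format into dicts carrying a datetime."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, outcome, user, src = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": outcome,
            "user": user.split("=", 1)[1],
            "src": src.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window_seconds=120):
    """Predetermined criteria: at least `threshold` failures from one source
    IP inside the window, followed by a success from that IP. Returns bare
    alerts holding only the fields the log itself carries (no context)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e["outcome"] == "FAIL":
            q.append(e["ts"])
        elif e["outcome"] == "SUCCESS" and len(q) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": e["src"],
                "user": e["user"],
                "failures": len(q),
                "ts": e["ts"].isoformat(),
            })
            q.clear()
    return alerts


def enrich(alerts, ti=TI_CONTEXT):
    """Attach external context and a derived severity to each alert."""
    out = []
    for a in alerts:
        ctx = ti.get(a["src"])
        a = dict(a)  # do not mutate the caller's alert
        a["ti_tags"] = ctx["tags"] if ctx else []
        a["severity"] = "high" if ctx and ctx["confidence"] >= 70 else "medium"
        out.append(a)
    return out


if __name__ == "__main__":
    for alert in enrich(correlate(parse_events(SAMPLE_LOG))):
        print(alert)
```

<p>The rule alone fires once (five failures then a success from one address) and reports nothing about who that address belongs to; the enriched alert carries the feed's tags and a severity derived from the feed's confidence, which is the context an analyst needs to triage it. Widening the window or lowering the threshold changes what the rule catches, which is exactly the tuning burden the "complex configuration and maintenance" point above describes.</p>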
<h1>Background</h1> <p>Multiple vulnerabilities have recently been identified in MOVEit Transfer, the managed file transfer (MFT) software originally developed by Ipswitch, Inc. and now produced by Progress Software. These include CVE-2023-34362 <sup>[1]</sup>, CVE-2023-35036 <sup>[2]</sup> and CVE-2023-35708 <sup>[3]</sup>, all SQL injection flaws in the MOVEit Transfer web application. They allow an unauthenticated adversary to gain unauthorized access to the MOVEit Transfer database and, from there, escalate privileges in the environment.</p> <p>MOVEit is a popular tool used by thousands of organizations around the world, across the public, private, and government sectors. The software can be deployed on-premises, in MOVEit Cloud, or on Microsoft Azure. Because it handles potentially sensitive information, MOVEit is a lucrative target from a threat actor's perspective: a successful exploit grants the ability to add and remove database content, execute arbitrary code, and steal sensitive information.</p> <h1>What do we know about the exploits?</h1> <p>This story is still actively playing out and the final victim count will only be known in the coming weeks, but here is what we know so far.</p> <p>The CL0p ransomware gang has been actively exploiting this vulnerability and has claimed dozens of victim organizations across different industries and regions, including oil and gas, news and media, healthcare, financial services, state and federal governments, and more. Anomali's own assessment has found thousands of externally exposed MOVEit instances that could potentially be exploited.</p> <p>Additional public research suggests that CL0p may have been testing this vulnerability as far back as 2021 <sup>[4]</sup>. 
More recently, proof of concept (PoC) exploit code for this vulnerability has been published <sup>[5]</sup>, making it likely that other attackers will exploit unpatched systems.<br/> <br/> <img alt="" src="https://cdn.filestackcontent.com/YeWMhzJtR5ucMa4vJ0O3" style="width: 800px; height: 401px;"/><br/> <strong>Anomali MOVEit Vulnerability Dashboard</strong></p> <p>The Anomali Threat Research team has also documented additional details on this vulnerability in a Threat Bulletin, identified over 430 relevant indicators and signatures, and published several sector-specific articles. The dashboard above highlights some of the insights available to Anomali customers via ThreatStream.</p> <h1>What can you do about it?</h1> <p>Several steps reduce the impact of this vulnerability, some of which are also documented in Progress' knowledge base article <sup>[6]</sup>.</p> <p><strong>1. Discover your attack surface.</strong> Several tools offer this capability, including Anomali Attack Surface Management <sup>[7]</sup>. You cannot patch or monitor an instance you do not know you have.<br/> <strong>2. Patch the vulnerable systems as soon as possible. </strong>The Progress knowledge base article <sup>[6]</sup> captures this in the following steps:<br/> a. Disable HTTP/S traffic to your MOVEit Transfer environment<br/> b. Patch the vulnerable systems<br/> c. Re-enable HTTP/S access to the MOVEit Transfer environment<br/> Note that SFTP and FTP/S transfers keep working while HTTP/S is blocked, and that the same Progress article also recommends checking for unauthorized files and user accounts and resetting service account credentials before access is restored.<br/> <strong>3. Monitor your environment for known indicators to identify malicious activity.</strong> The Anomali Threat Bulletin captures over 2200 observables that can be used to monitor for malicious activity via a SIEM, firewall, or other technologies. Proactively distribute these indicators to your security controls (firewalls, proxies, etc.) 
to monitor for any malicious activity.</p> <p><img alt="" src="https://cdn.filestackcontent.com/IO9fea1lQRGDhkLZNOC6" style="width: 800px; height: 418px;"/><br/> <strong>Anomali MOVEit Vulnerability Threat Bulletin</strong></p> <p><strong>4. Hunt for any attacker footprints.</strong> While monitoring looks forward, hunting lets you look back for attacker activity that predates the indicators you now have. Several tools can help you hunt, including Anomali Match <sup>[8]</sup>; Match can search years of data in seconds to determine whether any attacker activity occurred in the past.<br/> <strong>5. Look beyond yourself. </strong>Monitor your industry for malicious activity. Your threat intelligence platform, including Anomali ThreatStream <sup>[9]</sup>, should be able to help you monitor industry trends. Participate in ISACs to share intelligence with industry peers and develop a collective defense posture.<br/> <strong>6. Have a response plan.</strong> Test your response plan, have your communications plans in place, and build and test your automated workflows for a timely response.</p> <h1>Learn More</h1> <p>Anomali will continue to refine our blogs, bulletins and dashboards as we learn more about MOVEit. </p> <p>To learn more about this vulnerability, join our threat intelligence experts for a live webinar on June 21, 2023. <a href="{page_6417}">Register here</a> to attend live or to be notified when the on-demand webinar is available. 
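<p>As an added example, not code from Anomali or Progress, the Python script below implements the monitoring and hunting steps (3 and 4 above) against log data: it loads observables in the shape a threat bulletin export might take, sweeps historical log lines for any of them, records hit counts and first and last sightings per indicator, and produces the list of network-blockable indicators you would push to firewalls and proxies. Every indicator and log line is a constructed placeholder (RFC 5737 addresses, an example.net host name, a dummy hash), not the real MOVEit observables, and the CSV layout and log formats are assumptions. The same sweep over older logs is what step 4 calls hunting: the earliest sighting tells you how far back the intrusion may reach.</p>

```python
"""Sweep historical logs for bulletin observables and build a blocklist for
security controls. Added example, not Anomali or Progress code; every
indicator and log line is a constructed placeholder."""
import csv
import io
import re
from datetime import datetime

# Constructed dummy hash (not a real file hash).
DUMMY_SHA256 = "0" * 63 + "1"

# Constructed bulletin export. Assumed layout: type,value,description.
BULLETIN_CSV = f"""\
type,value,description
ipv4,203.0.113.50,constructed scanning source
ipv4,198.51.100.23,constructed command-and-control address
domain,files.bad.example.net,constructed staging host
sha256,{DUMMY_SHA256},constructed dropped-file hash
"""

# Constructed historical log lines: timestamp, source system, free text.
HISTORY = f"""\
2023-05-28T03:12:44Z iis 203.0.113.50 GET / 200
2023-05-28T03:13:02Z iis 203.0.113.50 POST /api/v1/token 200
2023-05-29T14:05:10Z proxy 10.0.0.15 CONNECT files.bad.example.net:443
2023-06-01T09:30:00Z iis 192.0.2.88 GET / 200
2023-06-02T22:41:07Z edr host=mft01 sha256={DUMMY_SHA256} action=created
2023-06-03T01:00:09Z proxy 10.0.0.15 CONNECT files.bad.example.net:443
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def load_indicators(csv_text):
    """Map each normalised indicator value to (type, description)."""
    indicators = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["value"].strip().lower()
        indicators[key] = (row["type"].strip().lower(), row["description"])
    return indicators


def extract_candidates(text):
    """Pull every IP, SHA-256 and host-name-shaped token out of a log line."""
    found = set()
    for rx in (IP_RE, SHA256_RE, DOMAIN_RE):
        found.update(m.group(0).lower() for m in rx.finditer(text))
    return found


def hunt(log_text, indicators):
    """Retrospective sweep: for each indicator seen, record hit count, first
    and last sighting, and which log sources saw it."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # skip malformed lines rather than abort the sweep
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        source, body = parts[1], parts[2]
        for token in extract_candidates(body):
            if token not in indicators:
                continue
            h = hits.setdefault(token, {
                "type": indicators[token][0], "count": 0,
                "first_seen": ts, "last_seen": ts, "sources": set(),
            })
            h["count"] += 1
            h["first_seen"] = min(h["first_seen"], ts)
            h["last_seen"] = max(h["last_seen"], ts)
            h["sources"].add(source)
    return hits


def earliest_sighting(hits):
    """The oldest hit bounds how far back the intrusion may reach."""
    if not hits:
        return None
    value = min(hits, key=lambda v: hits[v]["first_seen"])
    return value, hits[value]["first_seen"]


def export_blocklist(indicators, types=("ipv4", "domain")):
    """Network-blockable indicators, ready to push to firewalls and proxies."""
    return sorted(v for v, (t, _) in indicators.items() if t in types)


if __name__ == "__main__":
    inds = load_indicators(BULLETIN_CSV)
    results = hunt(HISTORY, inds)
    for value, h in results.items():
        print(f"{h['type']:7} {value}  hits={h['count']}  "
              f"first={h['first_seen']:%Y-%m-%d}  last={h['last_seen']:%Y-%m-%d}  "
              f"sources={sorted(h['sources'])}")
    print("earliest sighting:", earliest_sighting(results))
    print("blocklist:", export_blocklist(inds))
```

<p>Three of the four constructed indicators appear in the sample history; the command-and-control address does not, which is the normal case and why a sweep should report absence as well as presence. The hash indicator only matches in the endpoint (EDR) source, a reminder that monitoring through a single log source leaves the blind spots discussed in the SIEM post above.</p>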
</p> <p>References</p> <p>[1] <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-34362">https://nvd.nist.gov/vuln/detail/CVE-2023-34362 </a><br/> [2] <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35036">https://nvd.nist.gov/vuln/detail/CVE-2023-35036 </a><br/> [3] <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-35708">https://nvd.nist.gov/vuln/detail/CVE-2023-35708</a><br/> [4] <a href="https://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/">https://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/</a><br/> [5] <a href="https://www.helpnetsecurity.com/2023/06/13/cve-2023-34362-exploit/">https://www.helpnetsecurity.com/2023/06/13/cve-2023-34362-exploit/</a><br/> [6] <a href="https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023">https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023</a><br/> [7] <a href="{page_6257}">https://www.anomali.com/products/attack-surface-management</a><br/> [8] <a href="{page_1883}">https://www.anomali.com/products/match</a><br/> [9] <a href="{page_1882}">https://www.anomali.com/products/threatstream</a><br/> </p>
<h2>Introduction</h2> <p>In today's digital age, the threat of cyber-attacks is greater than ever. Traditional security operations, which have focused on reactive measures such as patching vulnerabilities and responding to breaches, are no longer sufficient to meet the challenges of the modern threat landscape. As a result, security organizations are shifting their focus to proactive measures to stay ahead of emerging threats.</p> <p>This shift towards proactive security operations is the focus of a new five-article series written by analysts at TAG Cyber. The series examines the latest trends and challenges for cybersecurity teams and explores the cutting-edge solutions that are helping security organizations become more proactive in their defense against cyber-attacks.</p> <p>Anomali's solutions are important in helping security operations (secops) teams move from a reactive to a proactive security program. Anomali, a leading provider of threat intelligence and incident management software, offers a viable solution. Anomali's platform enables security teams to quickly and easily identify and respond to emerging threats by providing real-time visibility into the latest cyber threats and vulnerabilities, allowing organizations to take proactive measures to protect themselves from potential attacks instead of simply reacting to breaches after they have occurred.</p> <p>The series also delves into the strategies and technologies that can help CISOs and secops teams improve their operations. Anomali's platform is a key element in integrating threat intelligence with other technologies, such as Extended Detection and Response (XDR) and Attack Surface Management (ASM), to enhance the overall security posture of an organization. 
Additionally, Anomali's solutions assist with digital risk protection (DRP), identifying and mitigating the risks associated with third-party vendors and partners.</p> <p>In summary, the series provides an in-depth look at the latest strategies and technologies to help CISOs and security teams become more proactive in their defense against cyber attacks. Anomali's solutions play a crucial role in this shift and assist organizations in identifying and mitigating emerging threats and integrating with other technologies, while addressing the skills gap.</p> <h1>Article 1: Transforming Threat Data into Actionable Intelligence</h1> <p>Christopher R. Wilder, TAG Cyber </p> <p>This article is the first in a series of guest blogs written by TAG Cyber analysts in conjunction with our colleagues at Anomali. Our five-part series of blogs focuses on how threat-intelligence management integrates with extended detection and response (XDR) to increase operational efficiencies in an enterprise security operations environment and drive actionable prevention, detection, and response. The commercial Anomali platform demonstrates how integration between threat intelligence and XDR can work in the field.</p> <p>Threat intelligence is divided into three main categories: strategic, operational, and tactical.</p> <ul> <li>Strategic threat intelligence focuses on understanding the overall threat landscape and identifying long-term trends. It informs strategic decisions and helps organizations understand the potential risks they face.</li> <li>Operational threat intelligence identifies and responds to specific threats in real time. It informs an organization's day-to-day operations and helps protect against immediate threats.</li> <li>Tactical threat intelligence provides detailed information about specific threats, such as the tools, techniques, and procedures used by attackers. 
It also informs tactical decisions and helps organizations respond to incidents.</li> </ul> <p>Threat intelligence is essential to any security program, giving organizations the information they need to identify and respond to potential threats proactively. Operational and tactical intelligence help organizations respond to specific dangers in real time and supply detailed information on threats, such as the tools, techniques, and procedures (TTP) used by attackers, while strategic intelligence helps them understand the overall threat landscape and identify long-term trends. Tier 1 threat intelligence platforms like Anomali's ThreatStream solution provide all three types. By coalescing all three on a single platform, security operations centers (SOC) can make the right intelligence available to analysts at the appropriate time, allowing them to make informed decisions about potential threats. Automation and machine learning help operationalize threat intelligence by automating routine processes and providing more accurate and efficient analysis. A proactive security strategy should begin with a thorough understanding of the threat landscape.</p> <h2>Leveraging Threat Intelligence for Proactive Cybersecurity</h2> <p>We believe cybersecurity leaders need to be more proactive, and threat intelligence is a key component. So, how can security operations teams incorporate contextual, actionable, and, most importantly, trustworthy intelligence into their organization?</p> <p>Threat data allows businesses to be more proactive when dealing with cybersecurity threats by enabling SOCs to take preemptive action to detect, avoid and mitigate cyberattacks before they happen. 
An effective threat intelligence program incorporates information on the threat landscape, including who targets organizations, how, and why, which further enables security teams to focus on inbound or developing threats, contextualize the consequences, and provide actionable recommendations to mitigate and respond to these attacks. Every business must contend with numerous threat vectors and actors; therefore, SOC teams must identify and address the attack surface and enable continuous monitoring, threat detection, and response processes across it to succeed against adversaries.</p> <h2>Not All Threat Intelligence Sources Are Equal</h2> <p>Hundreds of data sources deliver threat intelligence; some are better than others. Quality threat-intelligence feeds give security teams visibility and relevant information about adversaries, including their strategies, approaches, and TTP. They assist in mitigating the attack vectors that occur in different contexts, including malware variants, malicious botnets, vulnerability-based threats, and phishing, to name a few. The goal is to offer vital context and information to the organization, allowing it to proactively identify breaches or indicators of compromise (IOCs) in its infrastructure from the core to the edge and endpoints.</p> <p>Traditionally, threat intelligence data is unstructured. To be effective, forward-thinking organizations combine internal sources, such as SIEM, XDR, SOC teams, and customer and supply chain telemetry, with external sources, including professional communities, news, blogs, and the dark web. 
Parsed data is analyzed and bundled to provide an actionable or contextual feed.</p> <h2>Understanding the Benefits and Challenges of Threat Intelligence in the Enterprise</h2> <p>Threat intelligence is vital to an organization's cybersecurity strategy because it allows businesses to identify and mitigate potential threats proactively. Effective threat intelligence programs enable security teams to focus on inbound or developing threats, contextualize the consequences, and provide actionable recommendations for mitigation and response. Such a program includes information on the threat landscape, including the actors behind the threats, their methods, and their motivations, and it enables teams to identify and address the attack surface and run continuous monitoring, detection, and response processes.</p> <p>Threat intelligence has many benefits, including identifying direct threats to the enterprise, alerting security teams to competitive dangers, brand reputation risks, and intellectual property theft, and allowing them to be proactive when dealing with physical, cyber, and political security challenges. However, implementing threat intelligence also brings challenges, such as too much information, choosing the right information sources, and a lack of processes and skills. To be effective, SOC teams must find ways to triage, process, and prioritize the information they receive quickly. Furthermore, security teams must ensure that the data feeds they incorporate are relevant, contextual, pertinent, and actionable. Interpreting this data requires trained personnel with the tradecraft to turn data into actionable insights.</p> <h2>Conclusion</h2> <p>Cyber threat intelligence is actionable or contextual information related to threat actors and vulnerabilities, presented to enhance security operations, support better decisions, and improve security posture. 
Actionable threat intelligence improves an organization's situational awareness and its ability to integrate countermeasures. When assessing vulnerabilities that are dangerous to an organization, threat intelligence goes beyond IOCs and Common Vulnerabilities and Exposures (CVE) scores. It is important for security operations teams to choose their intelligence provider carefully: the provider must deliver context, integration, and actionable information so that security teams can make well-informed decisions.</p> <p>Anomali's ThreatStream is a viable threat intelligence platform that provides organizations with real-time visibility into cyber threats and enables them to quickly identify, investigate, and respond to potential dangers. The platform integrates various security tools and data sources, allowing organizations to correlate, enrich, and prioritize threat data.</p> <p>Overall, Anomali's threat intelligence platform is designed to help organizations better understand and respond to the constantly evolving cyber threat landscape.</p>
<p>User research groups contribute significantly to product development through a data-led approach incorporating actual customers’ opinions and ideas. This information ultimately influences a product’s design, capabilities & features.</p> <p>User research groups can also be a source of valuable customer feedback during beta testing and after the product is launched, helping to discover potential problems or areas for improvement. A sense of community and engagement around a product can be fostered via user groups, and this can improve client loyalty and advocacy.</p> <p>Enterprise user research groups are especially crucial to cybersecurity because they allow members to share their knowledge, experiences, and insights while working together to solve common security problems. </p> <h2>Introducing the Program</h2> <p>At Anomali, we’re always finding ways to improve and build innovative solutions that fit your needs. That’s why we set up the Anomali User Research Group.</p> <p>Whether you’re an Anomali Customer or not, as long as you’re a cybersecurity professional, we want to hear from you. </p> <p>We’re seeking Cyber Security Professionals of all types & roles with hands-on experience working with Enterprise Security Products to share their experiences and help shape the future of Anomali products. But we’re especially interested in people who work in Cyber Threat Intelligence (CTI), Security Operations (SecOps), and Incident Response (IR), to name a few. </p> <h2>About the UX Team</h2> <p>Anomali’s UX (User Experience) Team is made up of a combination of UX Designers & Researchers who follow the principles of User-Centered Design (UCD). UCD is an iterative design approach that focuses on understanding users and their needs by involving them at various stages of the design process through a range of research methods & techniques (e.g. surveys, interviews, usability studies, card sorts, etc.) 
to create highly-usable, accessible and intuitive products that meet their needs.</p> <p>Naturally, user research is at the heart of everything we do in the UX department. We’re constantly conducting various types of research across multiple topics to enhance our understanding of users & the problems they face. We actively use this data to help guide design & development decisions, from initial ideas & concepts to published products. </p> <h2>Research Methods & Topics To Be Covered </h2> <p>The specific research studies we’ll be running throughout 2023 are still being planned, but projects could range from simple survey studies to discovery research using interviews to usability testing new products, features & workflows.</p> <p>All studies are conducted remotely via Zoom with a researcher and a designer, typically lasting between 30 mins to an hour. We’ll handle all the setup and scheduling at a time convenient for you, then after the study is complete, you’ll receive a thank-you gift for your contribution.</p> <h2>How to Get Involved</h2> <p>Click <a href="https://www.anomali.com/learn/anomali-user-research-group-signup">here</a> to fill out the Sign-Up Form, tell us a bit about yourself and we'll get in touch when we have a study we think you’d be a good fit for.</p>