Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats Are Among the Benefits Threat Intelligence Platforms (TIPs) Provide
When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was just two years ago.
While there's no doubt that the variety and volume of threats keep growing by the year, the question is whether the complexity of the security problems has risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter: it's not so much that the complexity has grown tremendously over this time as that awareness of already latent complexity has become more apparent.
As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available.
Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” and this was due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?”
It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. For security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures.
But there are many significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the greatest hurdles.
Big Data Conundrum with Threat Intelligence Platforms
The first challenge is that the sheer volume of threat intelligence made available to security teams has become a big data problem, one that can't be solved by simply filtering out feeds, which would defeat the purpose of acquiring varied and relevant feeds in the first place. Organizations don't want to ingest millions or billions of evolving threat indicators into their security information and event management (SIEM) system, which would be cost-prohibitive and would also create unmanageable levels of false positives. This is where Anomali comes in: with a TIP doing the work on the front end, only interesting, pre-curated threat “matches” are integrated into your SIEM. These matches, indicators actually observed inside users’ networks, can then be handed off to downstream tools such as the SIEM and security orchestration, automation, and response (SOAR) tools, where SOC and threat analysts can take the necessary actions to address them.
The Security Analyst Context Gap
Whether it’s experienced analysts who bring a broad base of knowledge and language about threats to the table or very smart but green analysts who bring drive and curiosity to their work, every security analyst craves more context from their threat intelligence. Context about threats is what helps ops teams make connections between new threat intel reports and environmental conditions, and between different threat feeds and how they refer to the same threat actors and activities.
A TIP can help speed up the process for analysts seeking to contextualize their intelligence. One of our proven features, Anomali Lens, makes it possible to overlay contextualized information from numerous threat intel sources on whatever threat bulletin or online research an analyst is currently reading, giving them a single view into what multiple sources are saying about a given threat. This includes synonyms for threat actors, their attack methods mapped to MITRE ATT&CK tactics, techniques, and procedures (TTPs), their motivations, and so on. It's a powerful tool that makes it possible for analysts at any level of experience to tap into information that would otherwise take them hours of manual research to surface.
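The front-end curation described under the big data challenge and the cross-feed context described here can be sketched together in one small pipeline: merge several feeds into one indicator table, drop low-confidence entries, normalize actor synonyms, and hand the SIEM only the log lines that match, each carrying its sources, canonical actors and ATT&CK technique IDs. This is an added example, not Anomali's or Anomali Lens's code; the feed names, actor names and aliases, actor-to-technique mapping, confidence threshold and log lines are all constructed sample data.

```python
from collections import defaultdict

# Constructed feeds: (indicator, actor name as this feed spells it, confidence 0-100).
FEEDS = {
    "feed_a": [("203.0.113.7", "Group Alpha", 85), ("evil.example", "Group Alpha", 90)],
    "feed_b": [("203.0.113.7", "ALPHA-SPIDER", 70), ("198.51.100.9", "Beta Bear", 40)],
}
# Constructed synonym table and actor-to-ATT&CK-technique mapping (hypothetical actors).
ACTOR_ALIASES = {"Group Alpha": {"Group Alpha", "ALPHA-SPIDER"}, "Beta Bear": {"Beta Bear"}}
ACTOR_TTPS = {"Group Alpha": ["T1566", "T1071"], "Beta Bear": ["T1190"]}
# Constructed egress log lines in the form "<timestamp> <src> -> <dst>".
LOGS = [
    "2021-03-01T10:00:00Z 10.0.0.5 -> 203.0.113.7",
    "2021-03-01T10:00:01Z 10.0.0.6 -> 192.0.2.44",
    "2021-03-01T10:00:02Z 10.0.0.7 -> evil.example",
]

def canonical_actor(name):
    """Map a feed-specific actor name to its canonical name (unknown names pass through)."""
    for canon, aliases in ACTOR_ALIASES.items():
        if name in aliases:
            return canon
    return name

def build_indicator_table(feeds, min_confidence=60):
    """Merge feeds into one table keyed by indicator; record reporting feeds and canonical actors."""
    table = defaultdict(lambda: {"feeds": set(), "actors": set(), "confidence": 0})
    for feed, entries in feeds.items():
        for ioc, actor, conf in entries:
            if conf < min_confidence:
                continue  # curate up front rather than flooding the SIEM with weak indicators
            rec = table[ioc]
            rec["feeds"].add(feed)
            rec["actors"].add(canonical_actor(actor))
            rec["confidence"] = max(rec["confidence"], conf)
    return dict(table)

def match_logs(logs, table):
    """Return only log lines whose destination hits an indicator, with cross-feed context attached."""
    matches = []
    for line in logs:
        dst = line.split(" -> ", 1)[1]
        rec = table.get(dst)
        if rec is None:
            continue  # non-matches never reach the SIEM
        matches.append({
            "log": line, "indicator": dst, "confidence": rec["confidence"],
            "sources": sorted(rec["feeds"]), "actors": sorted(rec["actors"]),
            "attack_techniques": sorted({t for a in rec["actors"] for t in ACTOR_TTPS.get(a, [])}),
        })
    return matches
```

With the sample data, two of the three log lines are forwarded, and the shared indicator is attributed to one canonical actor even though the two feeds name it differently.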
Security Tool Disconnect
Threat intelligence integration is consistently one of the top requirements tracked by analysts when organizations develop their security operations architectures. To truly operationalize threat intelligence, security teams are increasingly realizing that they need to simplify and strengthen the integrations between their intelligence feeds and a wide range of security tools.
Security automation depends on these integrations, which have to be easy enough for security teams that don’t have advanced developer skills. Anomali understands this principle, which is why we've built deep integrations with all the major SIEMs, next-gen firewalls, and a whole breadth of SOAR-related products. This is in addition to the complementary layer of automation built into our own tools.
Whether it’s COVID-19, SolarWinds, or Russian influence ops, there is always going to be a new, major threat that emerges out of nowhere, which every security operations team will have to face. Analysts tasked with communicating security status across an organization know that nowadays they are expected to respond as quickly as the headlines crop up. With access to a platform that enables users to manage the information available to them, team members can be more accurate about how threats impact their organizations.
A TIP is one piece of the security stack necessary to overcome security operations' biggest challenges. The sooner organizations tap into the power of a threat intel platform, the easier it is to recognize its advantages and capabilities, which allows them to become more efficient and proactive in tackling their key security hurdles.
To learn more about how the Anomali TIP addresses problems, watch ESG SOAPA Interview With Hugh Njemanze of Anomali, Part 1 and Part 2.
To help defend your organization against COVID-related threats, download our free, actionable threat intelligence.
Want to know if your organization was impacted by the SolarWinds hack? Read: Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds
For information about the ROI Anomali delivers, read: ESG ROI Study: Economic Validation Report of the Anomali Threat Intelligence Platform