May 4, 2023
Translating threat insights into actionable data is an obstacle – but not an insurmountable one.
In late March 2023, Google hosted a virtual event focusing on multiple high-profile security topics. The keynote speakers included top researchers from across its security product tech stack.
Only six months prior, that tech stack expanded to include the cybersecurity company Mandiant, which Google acquired for $5.4 billion. The event covered topics like managing open-source software security, stopping DDoS attacks targeting election infrastructure, and successfully implementing threat intelligence solutions.
The Threat Intelligence panel made headlines claiming that threat intelligence technology isn’t for everyone. Specifically, they noted that smaller organizations may not have the resources necessary to translate threat insights into action and that security spending is often better allocated elsewhere.
As a managed detection and response provider who uses threat intelligence for customers that include a wide range of small businesses, we’d like to offer a more nuanced opinion.
Facing the Challenge: Translating Threat Insight into Action
Threat intelligence reports provide deep insight into the tactics, techniques, and procedures threat actors use to bypass security controls. These include deeply technical attack vectors and emerging threats leveraging little-known exploits as well as common threats.
Jayce Nichols, Director of Adversary Operations, is correct in saying that these insights only generate value when they result in operational changes to incident response workflows. There is a difference between knowing what cybercriminals are doing and actually deploying resources to address those risks.
For organizations with small security teams, incorporating threat intelligence insights into business and security processes is rarely straightforward. No organization is susceptible to every threat. In fact, most organizations are only susceptible to a small subset of threats that apply to their unique industry risk profile, their IT infrastructure, and overall security posture.
When Nichols says that security teams don’t have the time to read a ten-page threat intelligence report and craft new policies in response, he is right. Security professionals have more pressing tactical needs.
However, this doesn’t mean the report lacks value. It means analysts don’t have enough time to put that value into practice.
SIEM-Enabled Automation Amplifies Threat Intelligence Value
Having analysts manually sift through threat intelligence reports is not a good example of operational efficiency. Manually querying threat intelligence feeds for insight into emerging threats takes too long to generate meaningful value in today’s fast-moving cybersecurity environment.
In a highly automated Security Information and Event Management (SIEM) environment, manual threat intelligence lookups may not be necessary. A well-configured SIEM platform can automatically draw insights from curated threat intelligence feeds, providing analysts with on-demand data during investigations.
Crucially, this data is not the result of a lengthy manual discovery process. It is fed directly into the SIEM platform based on the unique characteristics of the security event itself. Analysts no longer need to qualify their findings by reading a ten-page report. They simply leverage the data made available to them through their SIEM.
This approach enables threat intelligence to generate significant value, even for small organizations with tight security budgets. However, it differs from the implementation described in the Google Cloud Report in several ways:
- It filters out noise in the feed. Generic open-source threat intelligence data feeds contain much more data than analysts actually need. A focused, curated solution prioritizes meaningful data first and foremost.
- It relies on intelligent automation. Improperly implemented automation can backfire in unexpected ways, and threat intelligence is no exception, so security leaders must carefully assess their automation strategy.
- It requires extensive product expertise. Integrating automated threat intelligence with your SIEM requires in-depth knowledge of both security technologies. Putting industry experts at the helm ensures successful deployment.
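As an added illustration of the two mechanisms described above (ingest-time enrichment from a curated feed, and filtering noise out of that feed before it reaches analysts), the following is example code written for this post, not Castra's, Anomali's or any SIEM vendor's code. The feed entries, the event records and the confidence/expiry fields are constructed assumptions about what a curated feed carries.

```python
from datetime import date

# Constructed sample feed entries (not from any real provider): each carries an
# indicator, its type, a 0-100 confidence score, an ISO expiry date and the
# context an analyst wants to see on the alert without opening a report.
FEED = [
    {"indicator": "198.51.100.23", "type": "ipv4", "confidence": 90,
     "expires": "2030-01-01", "tags": ["c2"]},
    {"indicator": "203.0.113.7", "type": "ipv4", "confidence": 20,
     "expires": "2030-01-01", "tags": ["scanner"]},          # low confidence: noise
    {"indicator": "stale.example", "type": "domain", "confidence": 95,
     "expires": "2020-01-01", "tags": ["phishing"]},          # expired: noise
    {"indicator": "bad.example", "type": "domain", "confidence": 85,
     "expires": "2030-01-01", "tags": ["phishing"]},
]

# Constructed, already-normalized SIEM events (e.g. firewall and proxy records).
EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "domain": None},
    {"id": 2, "src_ip": "10.0.0.6", "dst_ip": "192.0.2.44", "domain": "bad.example"},
    {"id": 3, "src_ip": "10.0.0.7", "dst_ip": "203.0.113.7", "domain": "stale.example"},
]


def curate(feed, today=None, min_confidence=70):
    """Reduce the raw feed to indicators worth matching: drop entries below the
    confidence floor and entries past their expiry date. ISO date strings
    compare correctly as plain strings, so no parsing is needed."""
    today = today or date.today().isoformat()
    keep = {}
    for entry in feed:
        if entry["confidence"] < min_confidence or entry["expires"] < today:
            continue
        keep[(entry["type"], entry["indicator"].lower())] = entry
    return keep


def enrich(events, curated):
    """Attach matching indicator context to each event at ingest time, so the
    analyst sees the feed's context on the event itself instead of querying
    the feed by hand. Priority is the highest confidence among the hits."""
    out = []
    for ev in events:
        lookups = [("ipv4", ev["src_ip"]), ("ipv4", ev["dst_ip"])]
        if ev["domain"]:
            lookups.append(("domain", ev["domain"].lower()))
        hits = [curated[key] for key in lookups if key in curated]
        priority = max((h["confidence"] for h in hits), default=0)
        out.append({**ev, "ti_hits": hits, "priority": priority})
    return out
```

Event 3 touches two feed entries but gets no hits, because one was filtered as low confidence and the other as expired; that is the noise reduction the bullet above describes.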
These outcomes are not limited to large enterprises with enormous security budgets.
Growing organizations can deploy highly automated threat intelligence workflows by having reputable service providers implement curated intelligence feeds from industry leaders like Anomali.
Threat intelligence is vital to maintaining a resilient security posture in uncertain times, but those insights must be timely, accurate, and accessible to truly prove their value. Castra’s partnership with Anomali ensures that data is available when it’s needed and avoids overwhelming analysts with data they don’t need.
– Grant Leonard, Co-Founder, Castra
Improve Your Security Posture with Curated Threat Intelligence
Threat intelligence is not a luxury security feature designed exclusively for large enterprise security teams. It provides valuable insight that can dramatically impact the way analysts address security incidents and identify emerging threats.
Extensive product knowledge and configuration expertise are crucial to demonstrating the value that threat intelligence offers, especially to growing organizations.
Contact Castra to find out how our team can help you integrate these insights into your security processes.