April 6, 2023
Find out how the quality of threat intelligence feeds contributes to the success of security operations.
Threat intelligence plays an important role in the detection and response workflow. To accurately launch and conclude investigations, analysts must know what sort of behaviors indicate malicious activity.
At first glance, this seems obvious. Anyone who doesn’t know what they’re looking for will have a hard time finding it. This is especially true for analysts responding to alerts telling them certain users, assets, or applications are behaving unusually.
But quantifying the difference in value between threat intelligence feeds isn’t so simple. Why should security leaders pay for threat intelligence data feeds when public, open-source data feeds are widely available?
The truth is that curated threat intelligence transforms the investigative process and unlocks value in ways generic feeds cannot. Analysts equipped with curated, high-quality threat intelligence can launch and complete investigations into suspicious activities faster and more accurately than analysts who rely on generic threat exchange data.
The Generic Threat Intelligence Workflow Doesn’t Always Work
It’s true that anyone can subscribe to a public open-source threat exchange and instantly gain access to tens of millions of emerging threat indicators daily. This is a valuable service that cybersecurity developers rely on to understand emerging threats and create innovative technologies in response.
But for corporate security teams and individual analysts, it’s an overwhelming flood of data. Security operations center personnel are already overwhelmed with managing an enormous volume of alerts. Very few have the capacity to layer time-consuming, resource-intensive threat intelligence processes on top – so they don’t.
That’s because the typical method of extracting insight from a generic threat intelligence data feed involves manually writing queries and reviewing responses. There is no way to tell how long it will take before analysts successfully find the right needle in the right haystack.
Of the tens of millions of new threat indicators uploaded daily to public threat intelligence exchanges, only a select few actually apply to your organization’s security profile. The vast majority concern IT infrastructure and architecture that isn’t your own – which means they concern threats you are not vulnerable to.
It only takes a few unsuccessful query attempts for analysts to figure that out. When they do, they wisely decide to avoid spending valuable time on dead-end searches through millions of irrelevant threat indicators, and the generic threat intelligence workflow breaks down entirely.
Curated Threat Intelligence Makes a Real Difference
Threat intelligence still offers extraordinary value to analysts. The problem is that value needs to be unlocked first.
Curated threat intelligence feeds like Anomali ThreatStream eliminate the inefficiencies that drag down analyst performance and reduce the value of emerging threat insights. When paired with a properly configured security information and event management (SIEM) platform, curated threat intelligence enables analysts to detect, investigate, and respond to emerging threats with unparalleled speed and accuracy.
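As an added illustration (not Castra’s or Anomali’s code) of what curation does before indicators reach the SIEM, the Python below filters a constructed feed against a hypothetical organisation profile (platforms in use, minimum confidence, maximum indicator age) and then matches the result against constructed log events. Every feed value, profile setting and event is made up for the example.

```python
from datetime import date

# Constructed sample feed of the kind a public exchange publishes; values are
# documentation-range placeholders, not real indicators.
RAW_FEED = [
    {"value": "203.0.113.10", "type": "ip", "confidence": 90, "platforms": {"windows"}, "first_seen": date(2023, 4, 1)},
    {"value": "198.51.100.7", "type": "ip", "confidence": 40, "platforms": {"windows"}, "first_seen": date(2023, 4, 3)},
    {"value": "bad.example", "type": "domain", "confidence": 85, "platforms": {"linux"}, "first_seen": date(2023, 3, 30)},
    {"value": "old.example", "type": "domain", "confidence": 95, "platforms": {"windows"}, "first_seen": date(2022, 1, 1)},
]

# Hypothetical organisation profile: what the SOC actually runs and tolerates.
ORG_PROFILE = {"platforms": {"windows", "office365"}, "min_confidence": 70, "max_age_days": 30}
TODAY = date(2023, 4, 6)  # constructed "now" so the run is reproducible

def curate(feed, profile, today=TODAY):
    """Keep relevant, trustworthy, recent indicators, highest confidence first."""
    kept = []
    for ioc in feed:
        if not ioc["platforms"] & profile["platforms"]:
            continue  # targets infrastructure we do not run
        if ioc["confidence"] < profile["min_confidence"]:
            continue  # too noisy to page an analyst for
        if (today - ioc["first_seen"]).days > profile["max_age_days"]:
            continue  # stale; likely sinkholed or already remediated
        kept.append(ioc)
    return sorted(kept, key=lambda i: i["confidence"], reverse=True)

# Constructed SIEM events (normalised firewall / DNS records).
EVENTS = [
    {"host": "ws-042", "dst_ip": "203.0.113.10", "domain": None},
    {"host": "ws-042", "dst_ip": "192.0.2.5", "domain": "bad.example"},
    {"host": "srv-01", "dst_ip": "198.51.100.7", "domain": None},
    {"host": "srv-02", "dst_ip": "192.0.2.9", "domain": "old.example"},
]

def match_events(events, indicators):
    """Return (host, indicator, confidence) hits: the SIEM lookup that raises an alert."""
    by_value = {i["value"]: i for i in indicators}
    hits = []
    for ev in events:
        for field in ("dst_ip", "domain"):
            ioc = by_value.get(ev[field])
            if ioc:
                hits.append((ev["host"], ioc["value"], ioc["confidence"]))
    return hits

if __name__ == "__main__":
    print("raw feed hits:", len(match_events(EVENTS, RAW_FEED)))
    print("curated hits:", match_events(EVENTS, curate(RAW_FEED, ORG_PROFILE)))
```

Against the raw feed every event matches something, which is the flood of low-value alerts the article describes; after curation only the one high-confidence, in-scope, recent indicator remains to investigate.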
Here are some of the specific benefits that curated threat intelligence offers organizations:
- In the case of the regional Bank of Hope, Anomali ThreatStream brought the time it takes to analyze threats down from 30 minutes to just a few minutes, on average.
- For Blackhawk Network Holdings, curated threat intelligence gave analysts a central view into threat context, helping to reduce false positives by an astonishing 95%.
This is especially important for organizations with growing non-patchable attack surfaces. These represent vulnerabilities that can’t be handled by automated remediation tools. Only human analysts equipped with accurate, up-to-date threat intelligence data can coordinate a successful response to these kinds of threats.
Gartner predicts that non-patchable attack surfaces will grow from less than 10% of the average enterprise’s exposure to more than 50% by the end of 2026. Forward-thinking cybersecurity leaders need to look beyond automation and empower human analysts to make critical decisions when faced with novel threats.
Make Curated Threat Intelligence Part of Your SIEM Deployment
Castra leverages years of expertise working with SIEM platforms like Exabeam and USM Anywhere to provide its customers with optimized, efficient deployments that generate predictable returns while protecting sensitive assets from cyberattacks.
Our team can help you integrate Anomali’s curated threat intelligence data into your SIEM workflow so that analysts have immediate access to prioritized threat indicators that match your industry’s unique security profile. Schedule a demo to find out how Castra expertise can help you detect and respond to emerging threats successfully.