Noise and Value: What Your Threat Intelligence Program Should Have in Common with Quality Advertising

Like the physical world, the virtual world you and I live in every day can be exceptionally noisy, with hundreds of advertisements vying for our attention in a single day. Hundreds? More like thousands: the average American consumer sees approximately 5,000 advertisements every day, whether online or through other channels such as radio, television and print media.

Of course, what to one person is publicity noise is to another the answer to a question they were desperately hoping to answer. Dave Winer, software developer and blogging pioneer, weighed in on this more than fifteen years ago when he wrote, “Perfectly targeted advertising is just information. It reduces or distills noise down to information that is welcomed by the recipient.”

What does this have to do with your threat intelligence program? Everything.

There is no organization today that is happy with the amount of noise coming from their collection of visibility technologies, especially those in the security information and event management (SIEM) space. The “noise” in this context, which most often shows up as false positives, is exacerbated by correlation rules that were either poorly constructed or don’t exist at all, other rules running in your production environment that made sense years ago but are irrelevant in tracking and fighting today’s adversaries, a monitoring infrastructure that was only tuned once at launch but never updated, and a poor internal understanding of the relative criticality of the monitored systems.

The more noise in your environment, the harder it is for your Security Operations Center (SOC), and the talented human beings on that team, to find the needle in the haystack. In a noisy environment the entire dataset can look like nothing but haystack, or, more dangerously, like a pile of needles, where every data point collected looks like a threat that needs to be investigated and worked. That is not a recipe for success.

Threat intelligence feeds, especially external feeds, tend to compound this noise problem. Organizations invest in these data streams in hopes that they (or the partner managing their threat detection and response capabilities) can combine this external data with the internal data they already collect.

What are some of the markers of threat intelligence success in organizations that have figured out how to lift their threat intelligence out of the noise and convert that raw data into the information, knowledge and wisdom the SOC needs to make the right decisions in the shortest amount of time?

  • It must be accessible. Consider the analyst’s experience in how they interact with data. Will your threat detection and response team be working with the raw threat intelligence or (much more likely) will they be a step or two away from the original data? Marrying raw data with other information in your environment is what creates the context that helps your team cut through the noise. When determining how best to integrate this data into your existing workflows, remember what the experience will look like (or should look like) at the end of that funnel, when it is time for a human to do something with this information.
  • It must be adapted to your unique operating environment. No environment is identical to another. Discovering this additional context, enriching the data you have already collected about your own environment, is the shortest path to demonstrating the operational value of your threat intelligence. Adapting a threat intelligence feed built from internal source data is generally considered easier than adapting an external feed, but sometimes it is just the opposite. Adaptation is not a one-time tuning exercise: as your operating environment changes, your attack surface expands and adversaries deploy new exploits, you must constantly adapt to those changes.
  • It must be actionable. If an alert does not require you to act immediately, does that alert need to exist? Ask yourself the same question about your threat intelligence. Are you measuring the positive impact of threat intelligence on your threat detection and response capabilities? Think about metrics such as the percentage of detections attributable to threat intelligence, the number of tactics, techniques and procedures (TTPs) surfaced by threat intelligence that have been added to your existing SOC workflow, or the number of incidents where threat information directly influenced the severity assigned to the incident.
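The three markers above, and the sources of noise described earlier (untuned rules, no sense of asset criticality, feeds that are never adapted), can be made concrete in a small enrichment pipeline. The following is an added example, not code from the original article or from any vendor: SIEM-style alerts are matched against an external feed, the match only counts once it clears a locally tuned confidence threshold, the resulting severity is driven by the affected host's criticality, and the three value metrics the article suggests are computed from the result. All indicators, hosts, alerts and TTP identifiers below are constructed sample data (the IP addresses come from the RFC 5737 documentation ranges and the domain uses the reserved `.invalid` TLD); the functions `enrich`, `triage_queue`, `ti_metrics` and `run_pipeline` are hypothetical names chosen for this example.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Constructed external TI feed: indicator -> TTP id and feed confidence (0-100).
# Documentation-range addresses and a .invalid domain: none of these are real IoCs.
TI_FEED: Dict[str, Dict[str, Any]] = {
    "198.51.100.23": {"ttp": "T1071.001", "confidence": 85},
    "203.0.113.77": {"ttp": "T1105", "confidence": 40},
    "bad-example.invalid": {"ttp": "T1566.002", "confidence": 90},
}

# Constructed internal context: host -> criticality, 1 (kiosk) .. 5 (crown jewel).
ASSET_CRITICALITY: Dict[str, int] = {"db-prod-01": 5, "wks-0142": 2, "kiosk-03": 1}

# TTPs the SOC already has a playbook for (constructed).
EXISTING_SOC_TTPS = {"T1566.002"}


@dataclass
class Alert:
    alert_id: str
    host: str
    indicator: str            # IP or domain the SIEM rule matched on
    base_severity: int        # 1..5, as emitted by the SIEM rule
    ti_hit: Optional[Dict[str, Any]] = None
    severity: int = 0         # filled in by enrich()
    severity_changed: bool = False


def enrich(alert: Alert, feed: Dict[str, Dict[str, Any]] = TI_FEED,
           criticality: Dict[str, int] = ASSET_CRITICALITY,
           min_confidence: int = 50) -> Alert:
    """Adapt the external feed to the local environment: a feed match only counts
    once its confidence clears the tuned threshold, and the final severity is
    driven by how critical the affected host actually is."""
    hit = feed.get(alert.indicator)
    alert.ti_hit = hit if hit and hit["confidence"] >= min_confidence else None
    crit = criticality.get(alert.host, 3)          # unknown host: assume medium
    severity = alert.base_severity
    if alert.ti_hit:
        # A confirmed indicator on a critical asset outranks the rule's default.
        severity = min(5, max(alert.base_severity, crit) + 1)
    alert.severity = severity
    alert.severity_changed = severity != alert.base_severity
    return alert


def triage_queue(alerts: List[Alert], threshold: int = 4) -> List[Alert]:
    """The end of the funnel: only alerts worth acting on now, highest first."""
    return sorted((a for a in alerts if a.severity >= threshold),
                  key=lambda a: a.severity, reverse=True)


def ti_metrics(alerts: List[Alert], queue: List[Alert],
               existing_ttps=EXISTING_SOC_TTPS) -> Dict[str, Any]:
    """The three value metrics: share of actionable detections owed to TI, new TTPs
    the SOC has no playbook for yet, and incidents whose severity TI changed."""
    from_ti = sum(1 for a in queue if a.ti_hit)
    pct = round(100.0 * from_ti / len(queue), 1) if queue else 0.0
    new_ttps = sorted({a.ti_hit["ttp"] for a in alerts if a.ti_hit} - set(existing_ttps))
    influenced = sum(1 for a in alerts if a.severity_changed)
    return {"pct_detections_from_ti": pct,
            "new_ttps_for_soc": new_ttps,
            "incidents_severity_influenced": influenced}


def sample_alerts() -> List[Alert]:
    """Constructed SIEM output for one shift; fresh objects on every call."""
    return [
        Alert("A-1", "db-prod-01", "198.51.100.23", base_severity=2),   # TI hit, crown jewel
        Alert("A-2", "wks-0142", "203.0.113.77", base_severity=3),      # feed match below threshold
        Alert("A-3", "kiosk-03", "bad-example.invalid", base_severity=2),  # TI hit, low-value asset
        Alert("A-4", "wks-0142", "192.0.2.44", base_severity=4),        # rule-only detection
        Alert("A-5", "db-prod-01", "192.0.2.10", base_severity=1),      # routine noise
    ]


def run_pipeline(alerts: Optional[List[Alert]] = None):
    alerts = [enrich(a) for a in (alerts if alerts is not None else sample_alerts())]
    queue = triage_queue(alerts)
    return alerts, queue, ti_metrics(alerts, queue)


if __name__ == "__main__":
    enriched, queue, metrics = run_pipeline()
    print(f"{len(enriched)} alerts in, {len(queue)} worth an analyst's time")
    for a in queue:
        print(f"  {a.alert_id} {a.host} severity={a.severity} ti={'yes' if a.ti_hit else 'no'}")
    print(metrics)
```

With the sample data, five alerts shrink to a two-item queue: the high-confidence hit on the production database is escalated to 5, while the equally confident hit on a kiosk stays below the triage threshold because the asset context says it can wait. The low-confidence feed entry never influences anything, which is the "adapted to your environment" marker in practice; the metrics dictionary is what you would report upward to show the feed earned its keep.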

Effectively combining threat intelligence with your visibility infrastructure is the path to realizing the full value of your investment in threat intelligence. Start with the one technology that underpins any successful extended detection and response (XDR) capability: network detection and response (NDR). NDR consistently outperforms other ingestion methods: it improves threat detection and incident response, it supports threat hunting, and it can extend your traffic visibility model from inside-to-outside (“north-south”) traffic to also include traffic within the data center (“east-west”).

Once you have your NDR base in place, move on to the other key components of your XDR infrastructure: log-focused security information and event management (SIEM) and endpoint detection and response (EDR) tend to be the next layers to integrate into a threat intelligence capability. Amplify your visibility into potentially harmful behavior with user and entity behavior analytics (UEBA). And perhaps most importantly, when considering how to integrate threat intelligence into your workflows, know that successful security orchestration, automation and response (SOAR) implementations rely on a threat intelligence platform (TIP) capability.

Your existing visibility technology toolkit can and should leverage threat intelligence as a force multiplier for your security operations team: it makes the information you have already gathered about your environment smarter and more valuable.


Let’s bring Dave Winer back once again for a final thought: “If it’s perfectly targeted, it’s not advertising, it’s information. Information is welcome, advertising is offensive. Who wants to pay to create information that is thrown away?” That last sentence is from the advertiser’s point of view, but it should also resonate if you are a consumer of threat intelligence: who wants to pay for a stream of threat intelligence if most of it is ignored?

About Deborah Wilson
