Like our real world, the virtual world you and I live in every day can be exceptionally noisy, with hundreds of ads vying for our attention over the course of just one day. Hundreds? More like thousands: the average American consumer experiences roughly 5,000 ads every day, whether online or delivered through other channels such as radio, television and print.
Of course, what to one person might be advertising noise is to another person the answer to a question they have desperately been hoping to answer. Dave Winer, the software developer and blogging pioneer, weighed in on this point more than fifteen years ago when he wrote, “Perfectly targeted advertising is just information.” It reduces or distills the noise down to information which is welcomed by the recipient.
What does this have to do with your threat intelligence program? Everything.
There is no organization out there today which is happy with the amount of noise originating from its collection of visibility technologies, especially those in the security information and event management (SIEM) space. The “noise” in this context, which most frequently presents as false positives, is exacerbated by several things: correlation rules which were built poorly or don’t exist at all; rules still running in your production environment which made sense years ago but are no longer relevant to tracking and combating today’s adversaries; a monitoring infrastructure which was tuned once at launch and never updated; and a poor internal understanding of the relative criticality of the systems being monitored.
The more noise there is within your environment, the harder it is for your security operations center (SOC) and the talented human beings working on that team to find the needle in the haystack. In a noisy environment, the entire data set can look like nothing but haystack, or, more dangerously, like nothing but needles, where every single collected data point could represent a threat that has to be investigated and worked. This is not a recipe for success.
Threat intelligence feeds, especially externally sourced feeds, tend to multiply this noise problem. Organizations invest in these data feeds in the hopes that they (or the partner who is managing their threat detection and response capabilities) can marry up that external data with the internal data they are already collecting.
What are some markers of threat intelligence success within organizations who have figured out how to bring their threat intelligence out of the noise, and convert that raw data into the information, the knowledge, the wisdom that the SOC needs to make the right decisions in the shortest amount of time?
It must be accessible. Think about the analyst experience in how they interact with the data. Will your threat detection and response team be working with the raw threat intelligence, or (much more likely) will they be a step or two removed from the original data? Marrying up the raw data with other information from your environment is what creates the context to help your team cut through the noise. As you figure out how to best bring that data into your existing workflows, don’t forget what the experience will be like (or should be like) at the end of that funnel, when it’s time for a human to do something with that information.
It must be adapted to your unique operational environment. No one’s environment is identical to any other. Uncovering that additional context, enriching the data you have already collected about your own environment, is the shortest path to demonstrating the operational value of your threat intelligence. Adapting a threat intelligence feed from internally-sourced data is typically considered easier than doing so from an externally-sourced feed, but sometimes it’s the exact opposite. Adaptation isn’t a one-time tuning exercise – as your operating environment changes, as your attack surface expands, as adversaries deploy new exploits, you must tune for these changes constantly.
It must be actionable. If an alert doesn’t require you to act right now, does that alert need to exist? Ask yourself the same question about your threat intelligence. Are you measuring how threat intelligence positively impacts your threat detection and response capabilities? Think about metrics like the percentage of finds attributable to threat intelligence, or the number of threat intelligence-originated tactics, techniques and procedures (TTPs) which were added into your existing SOC workflow, or the number of incidents where threat intelligence directly influenced incident severity.
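The three markers above, made concrete in an added example (this is illustrative code, not from the original post or any vendor): raw connection events are joined with an external indicator feed and an internal asset-criticality inventory, stale or low-confidence indicators are dropped as noise, the surviving alerts are ranked for the analyst, and the "finds attributable to threat intelligence" metric is computed. The feed, asset list, events and thresholds are all constructed; the addresses are documentation ranges, not real indicators.

```python
from datetime import date

# Constructed threat intel feed: indicator -> (confidence 0-100, last_seen date).
# Values are made up for this example; the addresses are RFC 5737 test ranges.
TI_FEED = {
    "203.0.113.10": (90, date(2024, 5, 1)),
    "198.51.100.7": (40, date(2023, 1, 15)),  # stale and low confidence
    "evil.example": (85, date(2024, 4, 28)),
}

# Constructed internal asset inventory: host -> criticality 1 (low) .. 5 (crown jewel).
ASSET_CRITICALITY = {"dc01": 5, "web03": 3, "kiosk17": 1}

# Constructed NDR-style connection events (internal host, remote indicator).
EVENTS = [
    {"host": "dc01", "remote": "203.0.113.10"},
    {"host": "kiosk17", "remote": "203.0.113.10"},
    {"host": "web03", "remote": "198.51.100.7"},
    {"host": "web03", "remote": "evil.example"},
    {"host": "dc01", "remote": "192.0.2.55"},  # no feed match: never becomes an alert
]

TODAY = date(2024, 5, 10)  # constructed "now" so the example is reproducible offline


def enrich(events, feed, assets, today, max_age_days=180, min_conf=50):
    """Join raw events with feed and asset context; return alerts ranked for the analyst.
    Indicators older than max_age_days or below min_conf are treated as noise and dropped.
    The thresholds are the 'adapted to your environment' knobs and need periodic re-tuning."""
    alerts = []
    for ev in events:
        hit = feed.get(ev["remote"])
        if hit is None:
            continue
        conf, last_seen = hit
        if conf < min_conf or (today - last_seen).days > max_age_days:
            continue  # weak or aged intel does not page anyone
        crit = assets.get(ev["host"], 2)  # unknown hosts get a middling default
        alerts.append({**ev, "confidence": conf, "criticality": crit,
                       "score": conf * crit, "ti_attributed": True})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


def ti_attribution_rate(alerts, other_finds):
    """Percentage of finds attributable to threat intelligence (one of the metrics above)."""
    total = len(alerts) + other_finds
    return 0.0 if total == 0 else 100.0 * len(alerts) / total
```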
Effectively combining threat intelligence with your monitoring infrastructure is the path to realizing the full value of your threat intelligence investment. Start with the one technology which is foundational to any successful extended detection and response (XDR) capability: network detection and response (NDR). NDR consistently punches above its weight versus other ingestion methods: it improves threat detection and incident response, it supports threat hunting, and it can expand your visibility model from inside-out traffic (“north-south”) to also include internal data center-to-data center traffic (“east-west”).
Once you have your NDR foundation in place, move on to the other key components of your XDR infrastructure: log-focused security information and event management (SIEM) and endpoint detection and response (EDR) tend to be the next tiers to integrate with a threat intelligence capability. Amplify your visibility into potentially dangerous behaviors with user and entity behavior analytics (UEBA). And perhaps most importantly when thinking about how to integrate threat intelligence into your workflows, know that successful security orchestration, automation and response (SOAR) implementations have at their very heart a threat intelligence platform (TIP) capability.
Your toolbox of existing visibility technologies can and should leverage threat intelligence as a force multiplier for your security operations team: it makes the information you’ve already gathered about your environment smarter and more valuable.
Let’s bring back Dave Winer once again with a final thought: “If it’s perfectly targeted, it isn’t advertising, it’s information. Information is welcome, advertising is offensive. Who wants to pay to create information that’s discarded?” That last sentence is from the perspective of the advertiser. But it should also resonate if you are a consumer of threat intelligence: who wants to pay for a threat intelligence feed if the bulk of that information will be ignored?