
How incident response teams and orchestration SOCs benefit from threat intelligence

The work of a security analyst is more frustrating than it should be when there is too much information and never enough time. Incident response (IR) teams can find themselves similarly hamstrung: primed to jump on and mitigate cyber emergencies, but not always arriving fast enough or with the right information, and sometimes missing incidents altogether.

The ability of an organization to defend itself from cyber attacks is less to do with in-house skills and resources, and more about having the best intelligence on which to make decisions. Whether your SecOps are internal or outsourced to an MSSP, threat intelligence is proven to enhance the effectiveness of critical cyber defense functions.

Escalating the right threats in priority order

Threats are happening all the time but dealing with the sheer weight of artefacts makes finding the ones that matter like searching for a needle in a haystack. Recent Ponemon Institute research found more than half (53 percent) of cybersecurity pros rated their own SOC’s ability to gather evidence, investigate and locate the source of threats as ‘ineffective’. It’s the same old story: too many IOCs to track, too much data to correlate, too many false positives – and all while increasing threat complexity makes the challenge harder and harder. No wonder almost two-thirds (65 percent) of those asked feel so overworked and stressed out that they’ve considered leaving their current job, or even changing careers.

Good threat intelligence is the antidote to false positives, and makes SOCs far better at quickly and accurately identifying the most pressing cyber concerns that IR teams need to act on. One study found that around half of organizations report false positive rates of over 50%, while another calculated that for every hour of SOC running time, on average 15 minutes is wasted chasing them down. Being able to get that time back adds up to significant business value, either through increasing the productivity of previously overstretched SOC personnel or by directly cashing out the spare capacity.

Threat intelligence that operates in real time with full contextual awareness negates the nightmare scenario of missing emerging threats as they evolve into critical incidents. This enables IR teams to be mobilized when required, and only when required.

Accelerating incident response

Aside from the need for accuracy, optimum IR effectiveness is about speed. Resolution times had been growing longer for several years, with the median time to resolution (MTTR) measured at 4 days in the 2019 Verizon DBIR. Its 2020 report does not refer to MTTR, but a general reversal in the dwell time trend is evident, with 81% of breaches now (in 2020) resolved in days versus 56% of breaches that were resolved in months (in 2019). However, Verizon’s own analysis ascribes this to the increase in breaches reported by MSSPs covered in its research (i.e. MSSPs are more likely to employ effective threat intelligence infrastructure/services) and to the high incidence of ransomware attacks, which – by their very nature – tend to be self-reported rather than ‘discovered’.

In any case, the race continues and every second counts in an incident response situation in order to mitigate the impact and apply learnings to prevent future attacks and inform evolving cyber strategy.

IR teams that harness threat intelligence benefit from huge sources of fresh information across a wide range of threat vectors, refined according to the unique profile of the defending organization, its sector and relevant internal and external circumstances. So, by combining threat intelligence with incident response, organizations can detect and respond to threats faster and more effectively, with less disruption and rapidly enough to greatly minimise their impact.

Threat intelligence can also enable IR teams to become less reactive. It’s hard to get around the fact that incident response is all about reacting. What threat intelligence does is get teams ready with highly relevant preparation so that the response process is optimized: for example, by shaping a practised understanding of the parts of the threat landscape relevant to their industry and area, including specific threat actors. Familiarity with the tactics, techniques and procedures (TTPs) these actors are most likely to present enables playbooks and scenarios to be developed and refined.

It also adds significant value to triage and investigation capabilities from any point in the kill chain, using threat context and correlation to enhance proactive capabilities like threat hunting – and all without investing in specialist, hard-to-come-by skills.

Enhancing SOC orchestration and beyond

IR is just one of the functions of a security team, but threat intelligence can be leveraged to optimize them all and make them more valuable than the sum of their parts.

For example, the trend toward enterprise adoption of security orchestration and SOAR (security orchestration, automation and response) owes much to the evolution of advanced threat intelligence capabilities.

According to Gartner, “…a large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action.”
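As an added illustration of the collection, deduplication, enrichment and conversion-to-action steps the Gartner quote lists (this is example code, not from the original article or any vendor product), the Python below runs constructed SIEM alerts through a minimal SOAR-style enrichment pass against a constructed threat-intelligence lookup; the feed contents, tag weights and escalation threshold are all assumptions.

```python
# Added example, not from the original article: a minimal SOAR-style
# enrichment step. Constructed alerts are deduplicated per indicator,
# enriched from a constructed threat-intelligence lookup and converted
# into a prioritized escalation queue. Every value here is made up.
from collections import defaultdict

# Constructed TI "feed": indicator -> context (a real one comes via API).
TI_FEED = {
    "203.0.113.5": {"confidence": 90, "tags": ["c2", "ransomware"]},
    "198.51.100.7": {"confidence": 30, "tags": ["scanner"]},
    "evil.example.net": {"confidence": 85, "tags": ["phishing"]},
}
# Assumed weights: how much each TI tag raises escalation priority.
TAG_WEIGHT = {"c2": 40, "ransomware": 30, "phishing": 20, "scanner": 5}


def aggregate(alerts):
    """Deduplicate raw alerts onto their indicator: hit count + hosts."""
    grouped = defaultdict(lambda: {"count": 0, "hosts": set()})
    for a in alerts:
        grouped[a["indicator"]]["count"] += 1
        grouped[a["indicator"]]["hosts"].add(a["host"])
    return grouped


def score(ti, hosts):
    """Priority = TI confidence + tag weights + 5 per extra host; 0 if no TI."""
    if ti is None:
        return 0
    base = ti["confidence"] + sum(TAG_WEIGHT.get(t, 0) for t in ti["tags"])
    return base + 5 * (len(hosts) - 1)


def prioritize(alerts, min_score=50):
    """Enrich each deduplicated indicator; return the escalation queue,
    highest priority first. Below min_score is treated as noise."""
    queue = []
    for indicator, g in aggregate(alerts).items():
        ti = TI_FEED.get(indicator)  # enrichment; unknown -> None, not a guess
        s = score(ti, g["hosts"])
        if s >= min_score:
            queue.append({"indicator": indicator, "score": s, "count": g["count"],
                          "hosts": sorted(g["hosts"]), "tags": ti["tags"] if ti else []})
    return sorted(queue, key=lambda it: it["score"], reverse=True)


# Constructed raw alerts as a SIEM might emit them, duplicates included.
ALERTS = [{"indicator": i, "host": h} for i, h in [
    ("203.0.113.5", "ws-01"), ("203.0.113.5", "ws-01"), ("203.0.113.5", "ws-02"),
    ("198.51.100.7", "web-01"), ("evil.example.net", "ws-03"), ("10.0.0.99", "ws-04"),
]]
```

With the default threshold, the three firewall/EDR hits on the C2 address collapse into one high-priority item, the phishing domain follows, and the low-confidence scanner and the unknown internal address never reach the IR queue.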

However, not all threat intelligence reaches the high standard envisaged by the leading analysts, MSSPs and enterprise cybersecurity leaders. Some threat intelligence solutions lack robust APIs and plug-ins to integrate seamlessly with SIEM, SOAR and other platforms, creating complex middleware layers that inject latency and diminish feature sets. Some are ‘all-or-nothing’ platforms with no capacity to modularize according to the needs of the organization, making them unnecessarily expensive for defined subset requirements or for SOCs looking to scale up threat intelligence adoption incrementally. Others have poor UX, which exacerbates the time pressure and information overload that SOC analysts experience, and gives poor insight to CISO and Board-level decision makers. And a great many simply don’t have the coverage, providing ‘dumb’ data feeds from incomplete sources instead of contextually enriched intelligence from across the dark, deep and public webs.

Blueliv’s approach is different, which is why our solutions are chosen by leading enterprise organizations and MSSPs alike.

Contact us to speak with an expert or find out more about our flagship Threat Compass product here.
