The daily security briefing has been an tradition for the U.S. president since World War II. And while the daily break down of classified national security matters has taken different forms for different presidents – President Barack Obama preferred his briefings on a tablet for example while President George W. Bush liked a face-to-face meeting – it has served as the basis for how American leaders respond to a national security threat.
While President Donald Trump prefers his briefings to be short and in bulleted format if possible.
Similarly, threat intelligence is one way for security analysts to respond to different cybersecurity threats they face. Threat intelligence is a way to gather up multiple security threads – from ransomware to malware and more – and then come up an actionable plan to best respond to those threats.
Threat intelligence also provides security analysts with information to help assess the risks, impact and further objectives of an attack and to prioritize a proper response. For example, it is a way for security analysts to identify outbound connections to an external IP address known to be an active command and control server.
Data from threat intelligence can be integrated with a security information and event management (SIEM) platform in the form of watch lists, correlation rules and queries in ways that increase the success rate of early breach detection. Ideally, they should be automatically correlated with event data and added to dashboard views, incidents and reports.
A comprehensive threat intelligence overlay needs to provide support for any threat list, automatically identifying redundant intelligence, identifying and prioritizing threats that have been listed in multiple threat lists, and assigning weights to various threats to identify the real risk they represent to the business. It supports many formats including, STIX/TAXII, OpenIOC, Facebook ThreatExchange, etc.
For those who like a little flexibility in how they view intelligence, a SIEM platform with glass tables features allows organizations to visualize security metrics in an environment in flexible ways.
Further, an analytics-driven SIEM platform allows customers to make use of identity, endpoints, servers, business apps, web and email servers, as well as non-traditional systems such as HVAC access control. An analytics-driven SIEM platform allows machine data to be supplemented with internal and external threat context such as threat intelligence feeds and other contextual information from vulnerability management systems to support incident response and breach detection.
For example, one organization ingests employee badging information to correlate with VPN authentication logs to provide context on employee location within the corporate network.
Do you want to learn more about how to overcome the challenges and meet the requirements of implementing high-coverage threat intelligence? Read our white paper on Operationalizing Threat Intelligence Using Splunk Enterprise Security.