TruSTAR Intel Workflows Series: Shifting from App-Centric to Data-Centric Security Operations

Over the past two decades, SOC teams have grown by adding people, tools, and threat intelligence sources that were needed “in the moment.” Today, security leaders are struggling to integrate and automate to capitalize on their investments and keep up with the alerts. A recent survey indicated that 50% of organizations use more than 25 security tools, with a whopping 28% using more than 50 tools. Combine the tool sprawl with almost as many disparate sources of enrichment data and you have a security program that operates in fragmented siloes, relying on skilled professionals to wrangle the data to ‘make it work’ on a daily basis. In talking with TruSTAR customers, here’s some of the challenges they’ve brought up in the fight against cybercriminals.

Signal to Noise

The promise of threat intelligence was supposed to help us detect better and faster, but this promise is yet to be realized. Without proper curation, these open and premium external data sources create more false positives than true detections and overwhelm your SOC. 42% of cybersecurity professionals say that their organizations simply ignore a significant number of security alerts because they can’t keep up with the volume of data that their tools generate. [i]

Disparate Sources of Enrichment

Many organizations subscribe to an average of 3-6 third-party intelligence sources that provide some level of context for observables, ranging from IP addresses to emails and hashes. But each source scores their data differently. One source uses a 1-100 scale while another, like VirusTotal, provides a count like 52/71, and a third will use a High/Medium/Low framework. How can any organization make sense of those scales at the speed of automation?

Sharing Across Teams

Sharing data internally can be a challenge when the detection or response tools used within one group differ from another within the same organization. Figuring out how to connect valuable data across teams becomes a nightmare of ad-hoc emails and sprawling orchestration playbooks - not to mention sharing vetted data with external organizations and sharing groups.

As one recent TruSTAR customer told us:

Common Challenges

Surprisingly, challenges with intelligence management haven’t changed in my decade-long career in the CTI space. Maybe the expectation of which tool or industry category needs to solve may have shifted but the challenges themselves remain painfully consistent:

• Hands-on human effort is required to wrangle external threat intelligence - cleaning and curating data before it can be ‘safely’ integrated with detection, orchestration and response tools.
• Enterprises have valuable data in historical investigations - alerts and cases - but are unable to use these to prevent ‘re-investigation’ or to provide future enrichment without clunky, sprawling playbooks or custom code.
• Disseminating information to others is still manually intensive and seen as an ‘far-flug ambition’ even for Global 2000 enterprises.

The current situation finds us spending more money to fight cyber-criminals but the data we really need to do the job is still trapped in silos and so we miss critical signals. Teams get frustrated and management demands faster, more effective solutions.

Teams need a better way to identify that malicious “needle in the haystack” that might be an email, web page, or log event.

Managing Intelligence

The intelligence management space has been playing catch-up with the volumes of data needed to be handled in order to provide good cybersecurity protection. The space has diverged into two major categories and how they deal with intelligence data: threat intelligence platforms (TIP) and Security Orchestration, Automation, and Response (SOAR).

TIP Tools

TIP tools were developed to manage the massive amounts of data generated by external sources but they have defaulted to providing a ‘faster horse’ when the industry needs a bigger change. Current TIPs have invested in user interfaces and business models that are built on one single fact → the human should do the data-wrangling. These tools are application-centric, creating yet another manually intensive data silo, missing the opportunity to provide extensive intel sharing and automation across tools and teams.

SOAR Tools

SOAR platforms focus on automating responses to security events. Using IF-THEN logic, they offer the ability to create playbooks for different events and responses with customized handling of different data sources to work around data disparity. Over time, however, those playbooks can become extremely complicated and difficult to manage, especially when using multiple third-party data sources or attempting to prioritize observables across those different sources.

Moving from App-Focused to Data-Focused

TruSTAR believes that by moving away from the current application-centric infrastructure to fully data-driven security, triaging and managing threats becomes more efficient. TIP tools provide a scoring framework for intelligence sources, but they can’t be tailored for different destinations or specific use cases. SOAR tools leverage playbooks to manage data and automate responses to security threats but those playbooks can quickly grow in complexity and are limited in how they handle intelligence sources. By focusing on data rather than applications, TruSTAR Intel Workflows extend the power of SIEM, SOAR and XDR tools.

Watch the below video to see how it works.

YouTube video player

In part 2 of this series, we’ll dive into the TruSTAR Intel Workflow and how they can be tailored for your use cases, intelligence sources, and destinations.

----------------------------------------------------
Thanks!
Elvis Hovor