Security professionals generally agree that the demand for threat intelligence is growing. With the ability to focus security teams and tools on the most relevant and high-risk threats, the context and tailored priority that threat intelligence feeds provide are undisputed benefits.
While it sounds like a win/win situation—the threat intel comes in, it’s applied, and the organization becomes less vulnerable—incorporating threat intelligence into security operations has actually led to an increased burden on the security teams that use it. Often incorporating multiple inbound intelligence feeds, the team has to parse through high volumes of multi-formatted data that comes in at disparate times. They must groom the incoming intelligence data, removing duplicate records and those that aren’t applicable to their organization or industry. Finally, the team must then re-distribute the combined and refined intelligence stream out to their internal tools and stakeholders.
Security teams also correlate intelligence across multiple data sources, using algorithms to build a confidence rating for a piece of intelligence in the process. Based on their personal experiences and a feed’s historical accuracy, the team uses a customized weighting system to rank the quality of intelligence by its source. This rating system allows the team to include every indicator or observable in their resulting set, thereby avoiding the elimination of a critical piece of intelligence. It also allows them to present the most trusted and high priority intelligence first, helping to improve downstream efficiency.
While the ingestion, grooming, and rating workflow is going on, the clock continues to tick and the utility of inbound threat intelligence diminishes. The longer it takes to get valuable intelligence into the hands of the people who can take action on it, the longer a bad actor has to carry out an attack.
Fortunately technology exists to relieve the burdens introduced by threat intelligence, extract threat intelligence benefits, and shorten incident response times. Using automated techniques, teams can aggregate data sets, de-duplicate records, and apply scoring algorithms to inbound intelligence. Intelligence that accrues a score above a watermark can be automatically escalated to members of the security team for review. Through automation of this workflow, team resources are freed to focus on the critical intelligence that warrants follow up. Perhaps most importantly, however, is that an organization’s overall security is improved by getting information to the people and systems where it can be actioned upon faster than with manual techniques.
In summary, the automation of these threat intel triage tasks will free up the team to provide more meaningful analysis and expertise—like putting together that Threatscape document the CISO has been asking for.
Tim Condello is a Technical Account Manager at RedOwl. Prior to this he was a founding member of the Threat Intelligence team at BNYM.