Every organization will, one way or another, land on the radar of cybercriminals or hackers who have an incentive to compromise their systems. Threat intelligence has therefore become a top priority for many organizations around the world.
Some of the top security challenges organizations have faced over the last few years include:
◉ Identifying the right frameworks to implement
◉ Choosing from varying vendor solutions to fill gaps in technology
◉ Mitigating supply chain risks
◉ Managing vulnerabilities and patches
◉ Addressing insufficient skill sets within cybersecurity teams
◉ Handling inadequate threat intelligence and visibility
◉ Securing third-party engagement and integration
◉ Promoting general awareness of cyber resilience among staff
Cybersecurity: A Growing Concern in Digital Transformations
The COVID-19 pandemic prompted a number of mindset shifts. Many organizations started moving to the cloud, and others started to activate digital transformation playbooks that had been shelved for many years.
Organizations that did not think the time would ever come for remote work had to activate many work-from-home programs. Affected businesses ranged from small and medium-sized enterprises to large corporations that had to rework their entire security fabrics to stay resilient as attacks rose.
The Limitations of Existing Cybersecurity Solutions
Top-tier companies are continuously buying new solutions in hopes of solving contemporaneous security issues that arise. These include antimalware and data loss prevention software; upgrades to firewalls, routers, and switches; network access control solutions; data and network monitoring software; and many more.
However, the above solutions often do not communicate with each other after implementation, which creates challenges when it comes to decision making. This leads to an increase in risks to the organization.
An antimalware solution, for instance, might be able to detect malware, but it may not work with the organization’s network and access control solutions to isolate the infected machine or the organization’s firewall to block the IP address of the threat actor. Instead, organizations must rely on manual intervention, meaning that actualizing mitigation controls can take a great deal of time.
Take, for example, a financial institution. The sensitive data it handles might include:
◉ Client lists
◉ Customer credit card information
◉ The company’s banking details
◉ Pricing structures for various services
◉ Future product designs
◉ The organization’s expansion plans
The impacts of a security incident on that financial organization can include:
◉ Financial losses resulting from theft of banking information
◉ Financial losses resulting from business disruption
◉ High costs associated with ridding the network of threats
◉ Damage to reputation after telling customers their information was compromised
“You can get cybersecurity right 99% of the time, but adversaries only need to exploit the 1% to cause tremendous damage.”
The Evolution of Cybersecurity Models
The focus of cybersecurity when it comes to protecting business operations has shifted from the traditional risk management approach, which relies on perimeter and static assessment through grading on the Common Vulnerabilities and Exposures (CVE) system, to a framework of predictive threat intelligence, agile posture, and dynamic controls.
The deciding factor in whether an organization gets back up and running after a security incident is how readily it can recover, and that ability is directly proportional to its operational readiness and to the time it has available.
Historically, the definition of security has centered around the concepts of protection, detection, and response. Resilience, on the other hand, involves two other elements: identification and recovery. Being able to identify potential risks and plan out a recovery method is key to maintaining operational status as a business.
Comparing Security Software Solutions
Security Information and Event Management (SIEM)
Every modern-day organization should have a security information and event management (SIEM) tool. SIEM software can be either proprietary or open source, depending on the company’s budget and needs.
SIEM tools have several core functionalities, in addition to many other crucial capabilities:
◉ Correlating logs
◉ Analyzing user behavior
◉ Performing forensics
◉ Monitoring file integrity
◉ Providing a dashboard for analyzing incidents
Incident responders may receive thousands of alerts each day from all devices connected to their organization’s SIEM solution. As a result, they often spend a large portion of their time engaged in detection, triage, and investigation.
A typical example could be seen in the case of a malicious IP scanning a target network. The analyst has to filter out false positives, analyze the details of the IP address (such as origin and reputation), and send the details to the firewall to block the IP based on that analysis.
The time spent investigating alerts and filtering out false positives reduces analysts’ productivity and leaves room for attackers to succeed in a potential threat scenario. Post-incident analysis of past breaches often finds that the SIEM’s detection time and the steps the analysts took are predictive of the actions the various parties were then able to perform.
Security Orchestration Automation and Response (SOAR)
Security orchestration, automation, and response (SOAR) solutions came into play to solve the above challenge. SOAR systems detect, triage, respond, and prioritize throughout the full chain of threat intelligence.
Consider, for instance, a malware indicator of compromise in a network of about 200 endpoints. While a SIEM will be able to pick it up, investigating how many other machines are similarly affected and making decisions about whether to isolate them from the network usually has to be done manually.
Likewise, sending the malicious IP address that is acting as the malware’s command-and-control server to be blocked by the firewall is a further step. A SOAR solution automates all these processes by investigating and taking necessary action before sending an alert to the analyst, prompting them to examine the situation further.
Despite being misconstrued as a “plug-and-play” solution by many security personnel, SOAR platforms are still new technologies and are not yet capable of acting fully automatically. SOAR technology is not meant to replace all solutions in an organization. Instead, it enables security teams to make smart decisions in time to curb adversaries’ actions.
SOAR software works by following a series of actions, known as a playbook, that is written by analysts and fine-tuned to fit the organization’s network and existing solutions. Writing a playbook is only possible by developing use cases, and that is a continuous process.
Threat intelligence has various measures of success when a holistic viewpoint is taken that encompasses not only technology solutions but also the human element, especially threat intelligence analysts. An organization’s threat intelligence analysts tie together the whole architecture of collection, correlation, decision making, and post-implementation tactics needed to avoid future breaches.
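The two scenarios the article walks through, an analyst triaging a scanning IP address (enrich, filter false positives, push a block to the firewall) and a SOAR playbook that counts how many endpoints share a malware indicator, isolates them, blocks the command-and-control address and only then hands the case to an analyst, can be expressed as a small playbook in plain Python. The following is an added example written for this page; it is not code from the article or from any SOAR product. The alert fields, the reputation table, the list of authorised scanners and the action names (`firewall_block`, `nac_isolate`) are all constructed assumptions standing in for the SIEM, threat-intelligence feed, firewall and NAC integrations a real deployment would call.

```python
"""Added example: a minimal SOAR-style playbook in plain Python.

Not from the original article or any vendor product. The alert format,
reputation list, scanner allow-list and action names are constructed
assumptions standing in for real SIEM, TI-feed, firewall and NAC APIs.
"""
from dataclasses import dataclass, field

# Constructed SIEM alerts: one malware IoC seen on three endpoints, one
# external port scan and one scan from an internal, authorised scanner.
ALERTS = [
    {"id": 1, "type": "malware_ioc", "host": "ws-014", "sha256": "aa11...", "c2_ip": "203.0.113.10"},
    {"id": 2, "type": "malware_ioc", "host": "ws-027", "sha256": "aa11...", "c2_ip": "203.0.113.10"},
    {"id": 3, "type": "malware_ioc", "host": "ws-031", "sha256": "aa11...", "c2_ip": "203.0.113.10"},
    {"id": 4, "type": "port_scan", "src_ip": "198.51.100.7", "ports_hit": 850},
    {"id": 5, "type": "port_scan", "src_ip": "10.0.5.20", "ports_hit": 40},
]

# Constructed enrichment data standing in for a threat-intelligence lookup.
IP_REPUTATION = {"203.0.113.10": "malicious", "198.51.100.7": "suspicious"}
# Constructed allow-list of the organisation's own vulnerability scanners.
KNOWN_SCANNERS = {"10.0.5.20"}


@dataclass
class PlaybookResult:
    actions: list = field(default_factory=list)        # what automation did
    analyst_queue: list = field(default_factory=list)  # what a human still reviews
    suppressed: list = field(default_factory=list)     # alert ids dropped as false positives


def enrich_ip(ip):
    """Stand-in for a reputation lookup; 'unknown' when the feed has no entry."""
    return IP_REPUTATION.get(ip, "unknown")


def run_playbook(alerts, isolate_threshold=2):
    """Triage alerts, take the automatic steps the article describes, and
    hand the remainder to an analyst with enrichment already attached."""
    result = PlaybookResult()

    # Step 1: group malware IoCs by hash to learn how many hosts share each one.
    ioc_hosts, c2_for_hash = {}, {}
    for a in alerts:
        if a["type"] == "malware_ioc":
            ioc_hosts.setdefault(a["sha256"], set()).add(a["host"])
            c2_for_hash[a["sha256"]] = a["c2_ip"]

    for sha, hosts in ioc_hosts.items():
        c2 = c2_for_hash[sha]
        rep = enrich_ip(c2)
        # Step 2: block the C2 address at the firewall once reputation confirms it.
        if rep == "malicious":
            result.actions.append(("firewall_block", c2))
        # Step 3: isolate affected hosts via NAC when the spread crosses the threshold.
        if len(hosts) >= isolate_threshold:
            for h in sorted(hosts):
                result.actions.append(("nac_isolate", h))
        # Step 4: escalate to a human with the context already collected.
        result.analyst_queue.append({
            "case": f"malware:{sha}", "hosts": sorted(hosts),
            "c2_ip": c2, "c2_reputation": rep,
        })

    # Scan alerts: suppress authorised scanners, block known-bad sources, queue the rest.
    for a in alerts:
        if a["type"] != "port_scan":
            continue
        src = a["src_ip"]
        if src in KNOWN_SCANNERS:
            result.suppressed.append(a["id"])
            continue
        rep = enrich_ip(src)
        if rep in ("malicious", "suspicious") and a["ports_hit"] > 100:
            result.actions.append(("firewall_block", src))
        result.analyst_queue.append({"case": f"scan:{src}", "reputation": rep,
                                     "ports_hit": a["ports_hit"]})
    return result


if __name__ == "__main__":
    r = run_playbook(ALERTS)
    for act in r.actions:
        print("ACTION", act)
    for case in r.analyst_queue:
        print("REVIEW", case)
    print("SUPPRESSED", r.suppressed)
```

The `isolate_threshold` parameter is where the "fine-tuned to fit the organization's network" part of the article lives: a single infected workstation may warrant an analyst's look before isolation, while the same hash on several hosts triggers containment automatically. Every automatic action is still recorded and surfaced in the analyst queue, so the human decision the article insists on is informed rather than replaced.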
How to Measure the Success of a Threat Intelligence Program
The table below provides a sample summary of key performance indicators, associated metrics, and possible success measurements.
Key Performance Indicator | Metric | Possible Measurements
--- | --- | ---
Workload | Total number of devices being monitored; total number of events; number of tickets assigned | Number of devices; number of devices per analyst; number of events per analyst per day; proportion of assigned to unassigned tickets
Detection success | Number of events per device or application; mean time to detection; amount of false positives | Number of events per device per day or month; number of events per application per day or month; number of false positives per day; time to detect (in hours, days, or months); false positives as a percentage of all alerts
Analyst skill | Time to resolution; event types resolved | Average time to identify; average time to identify per technology; average time to identify per event type; all event types resolved by analyst
Key risks | Number of events per application; number of events per user or account; number of events per device; vulnerabilities detected | Number of events generated by application; number of events per user or account; number of events per device; vulnerabilities detected by vulnerability management tools
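Most of the measurements in the table can be computed directly from the ticket records a SIEM or ticketing system already holds. The block below is an added example, not from the article, that derives several of them (events per analyst per day, the assigned-to-unassigned ratio, mean time to detection, false-positive percentage, and events per device or application) over a handful of constructed tickets. The record layout and all of the values are assumptions made for the demonstration.

```python
"""Added example: computing KPI measurements from the table over
constructed ticket records. Not from the original article; the record
layout and the numbers are assumptions made for this demonstration."""
from collections import defaultdict
from datetime import datetime

# Constructed tickets: each SIEM event that became a ticket, with when it was
# generated, when an analyst detected/confirmed it (None = not yet), who it is
# assigned to (None = unassigned) and whether it turned out to be a false positive.
TICKETS = [
    {"id": 1, "device": "fw-edge", "app": "vpn",  "created": "2024-03-01T08:00",
     "detected": "2024-03-01T09:30", "analyst": "ana", "false_positive": False},
    {"id": 2, "device": "fw-edge", "app": "vpn",  "created": "2024-03-01T08:10",
     "detected": "2024-03-01T08:40", "analyst": "ana", "false_positive": True},
    {"id": 3, "device": "ws-014",  "app": "mail", "created": "2024-03-01T10:00",
     "detected": "2024-03-02T10:00", "analyst": "ben", "false_positive": False},
    {"id": 4, "device": "ws-027",  "app": "mail", "created": "2024-03-02T11:00",
     "detected": None,               "analyst": None,  "false_positive": False},
    {"id": 5, "device": "db-01",   "app": "erp",  "created": "2024-03-02T12:00",
     "detected": "2024-03-02T14:00", "analyst": "ben", "false_positive": True},
]


def _ts(s):
    return datetime.fromisoformat(s)


def events_per_analyst_per_day(tickets):
    """Workload: assigned tickets per analyst per calendar day of creation."""
    counts = defaultdict(int)
    for t in tickets:
        if t["analyst"]:
            counts[(t["analyst"], t["created"][:10])] += 1
    return dict(counts)


def assigned_ratio(tickets):
    """Workload: assigned-to-unassigned ticket ratio; None when nothing is unassigned."""
    assigned = sum(1 for t in tickets if t["analyst"])
    unassigned = len(tickets) - assigned
    return assigned / unassigned if unassigned else None


def mean_time_to_detect_hours(tickets):
    """Detection success: mean hours from creation to detection; undetected excluded."""
    deltas = [(_ts(t["detected"]) - _ts(t["created"])).total_seconds() / 3600
              for t in tickets if t["detected"]]
    return sum(deltas) / len(deltas) if deltas else None


def false_positive_percentage(tickets):
    """Detection success: false positives as a percentage of all tickets."""
    fp = sum(1 for t in tickets if t["false_positive"])
    return 100.0 * fp / len(tickets) if tickets else 0.0


def events_per(tickets, key):
    """Key risks: event counts grouped by 'device' or 'app'."""
    counts = defaultdict(int)
    for t in tickets:
        counts[t[key]] += 1
    return dict(counts)


def kpi_summary(tickets):
    """All of the above in one report-ready dictionary."""
    return {
        "events_per_analyst_per_day": events_per_analyst_per_day(tickets),
        "assigned_ratio": assigned_ratio(tickets),
        "mean_time_to_detect_hours": mean_time_to_detect_hours(tickets),
        "false_positive_pct": false_positive_percentage(tickets),
        "events_per_device": events_per(tickets, "device"),
        "events_per_app": events_per(tickets, "app"),
    }


if __name__ == "__main__":
    for name, value in kpi_summary(TICKETS).items():
        print(f"{name}: {value}")
```

Two choices worth noting: undetected tickets are excluded from mean time to detect rather than counted as zero, which would flatter the number, and the ratio function returns `None` instead of dividing by zero when every ticket is assigned. Both are the kind of edge case that silently distorts a KPI if the calculation is left to a spreadsheet.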
Why Successful Threat Intelligence Requires Management Support
An organization’s threat intelligence program can never be a success if there is no support from senior management. The involvement of key stakeholders, especially C-suite executives and the board of directors, can lead to risk reduction or even elimination in any organization.
The catalyst for achieving management buy-in is cybersecurity leaders who can communicate key requirements, as well as potential business risks if certain actions are not taken. This responsibility is shared by the chief information security officer, chief information officer, and risk information officer. Together, these three stakeholders’ insights can help ensure a secure and resilient organization.
Source: eccouncil.org