A Weekend In Incident Response #4: How to Reduce the Noise of Cyber Threat Intelligence

Posted byDario Forte - 11th Nov 2016
reduce noise cyber threat intelligence

Is Cyber Threat Intelligence Still Useful?

The importance of information in business in today’s modern world is invaluable. But, in some cases, having large amounts of information coming your way can actually hurt your business. This holds true particularly for organizations that are constantly dealing with the risk of cyber attacks, and every piece of information that could help them prevent those attacks can be of great use to them. This is where cyber threat intelligence comes in, as one of the crucial aspects of developing an effective cyber defense strategy.

But, with so many feeds from various sources at their disposal, determining which information is relevant and credible and distinguishing it from the data that is not essential in regard to a potential cyber threat has become a major challenge for many cyber security professionals. As a result, being able to reduce the noise coming from the flurry of threat intelligence is now key to creating successful security operations.

Overwhelming Amount of Cyber Threat Information

A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.

The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cyber security industry, with 70 percent of them saying that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This is a figure that should raise a concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to really make sense of if enterprises have a limited resource staff of security operations center analysts or threat analysts.

SIEM Integration Vs IR Orchestration

Cyber security experts agree that in order to be able to use cyber threat intelligence data in an effective and productive way, there must be an SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% of them stated that putting such integration in place takes a lot of time and resources, making it a tough feat.

In my corporate experience, the companies that are actually integrating SIEM with CTI, represent a minority. The main challenge of such lack of integration is the impossibility of valorizing the TI Feeds, during an incident. But, there is a new technology trend that addresses this exact problem. There are platforms that are capable of sitting on top of the SIEM, integrating multiple tools from different vendors, which is one of the biggest challenges that threat analysts are faced with. This approach is usually taken during the incident triage phase, it is not intended to be a SIEM replacement but can help SOC and CSIRTs to reduce reaction time and related noise. Such platform fits the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure and, nowadays, are probably the only way to reach a near real time- and money-saver incident response, filling the gap that is created when the data sources are originated by different vendors. Such platforms support SIEM integration and could represent a great solution for all entities that are trying to create a successful and affordable cyber defense, by effectively reducing the noise of threat intelligence.

In one of my next columns, I will introduce this paradigm, along with its main potentials in the world of Security Operations and Incident Response. In the meanwhile, you can follow me on our LinkedIn Page, by clicking here.