5 Critical Questions on Threat Intelligence and SecOps

Brandon Hoffman, Netenrich CISO, was a panelist in the recently completed Information Systems Security Association International (ISSA) webinar entitled “The Steak and the Sizzle: Threat Intel, SecOps, and Cyber Fundamentals.”  

“So, we talk steak and sizzle here, I might be concerned with something that seems really sexy, that’s getting a lot of press, but it has nothing to do with the business. Why waste my time on it? I’m not going to deliver anything of value if I focus on unrelated threats.” — Brian Kime, Senior Analyst at Forrester Research.

Moderated by Brandon, the panel featured Brian Kime, senior analyst at Forrester Research, John Bambenek, President at Bambenek Consulting, and Sean Cordero, founder at Cloud Watchmen. They shared their thoughts around key priorities – the need to take a risk-based approach focused on security fundamentals over the allure of following current “trendy” security technologies.

High interest in our talk led us to share the webinar. So, if you’ve missed it – no worries! We’ve got the full video for you below.

Here are 5 critical questions around threat intelligence and security operations (SecOps) discussed in the webinar.

1. What are the main capabilities of threat intelligence?

The world of threat intelligence can be challenging. Security teams are overwhelmed by alerts and data deluge as they can’t find effective ways to dissect data and apply the insights towards remediation. As threat intelligence covers both physical and cyber domains, here are the top capabilities needed to do threat intelligence effectively.

1. Tracking cyber threats: Can you track new cyber threats as they appear and spread across the internet? It’s critical to understand and learn about the latest adversary campaigns, tools, tactics and techniques being used.
2. Vulnerability intelligence: Prioritizing which vulnerabilities to patch first is a tremendous pain for most organizations. Vulnerability assessments help prioritize which issues to remediate by focusing on critical compromises likely to be exploited in the near future.
3. Brand exposure: One of the main components of threat intelligence concerns your brand. The task of finding where your brand may be compromised is important and can lead to serious problems. It’s imperative to protect your company from credential breaches, social media and domain spoofing attacks targeted at exploiting your brand and people.

2. How important is contextualization and prioritization when it comes to cyber threats?

Threat intelligence is way more than just IOC feeds. There’s an overall dissatisfaction in the accuracy of IOC feeds monitoring hash values, IP addresses and domain names. Many of the current IOC feed solutions lack the depth to show the breadth of potential issues.

To improve threat discovery and analysis, we need to broaden our scope to look for malicious network activities and identify underlying issues with a lasting impact. Detecting and preventing such activities can help build a more resilient cybersecurity program.

Scale is another important consideration especially with the rise and load of attacks on a daily basis. Organizations are unable to keep up with the increased volume of phishing and COVID-related intrusions. Businesses are struggling to consume all the intelligence gathered from raw data and make sense of it. They lack the expertise of using threat data to make faster and better response decisions.

3. What threat intelligence is most important to your business? 

Expanding your threat intelligence program helps you understand what threats are most important and how you can deliver higher value to the business.

To start, build connections with the key stakeholders and understand their role in the business. Focus on getting to know business processes, learn the types of data being collected from customers, and proprietary information that needs to be protected. The error in creating intelligence requirements without deep knowledge about the business can make it hard to conceptualize the threats that are most important.

4. Do you need specialized staff to properly use threat intelligence? 

Getting value out of your threat intelligence solutions depends on your unique IT and cloud environments. It’s important to understand where your risks are and overall risk posture. For example, several small construction firms were compromised by a strategic adversary, who then sent phishing emails to a bunch of electric utilities. To better track the chain of attacks, you can work with technology vendors or service providers who offer these threat intelligence capabilities regardless, if you were part of the initial attack.

Another option to consider is to build your own internal threat intelligence capability especially if state-sponsored threat actors are constantly in your networks or you have specific needs. Most threat intelligence tools can integrate into your security operations. Also invest in a dedicated security and threat analyst internal team to oversee your SecOps work.

5. How to integrate threat intelligence and security operations (SecOps)? 

Start with your security experts or SOC team. Focus on your frontline analysts who are constantly triaging new threats and events. They have an incredible task to do with limited information to take remediation actions. Organizations also need to invest in the right tools, hire experienced analysts and even, bring in outside managed security services to enhance their overall operations.

Security sensors tend to detect too many things that are of low value and don’t really mean a lot. Threat intel can help a SOC filter these low value issues and focus on things that are more relevant for the business. To build true threat hunting capabilities you need to move away from retroactive IOC detections such as querying for IP addresses and domain names. Threat hunting requires more involvement than running Splunk queries for a handful of IP addresses – which should ideally be automated. 

Prioritizing and acting on the right issues is the difference between reducing actual business risk and wasting people’s time. There’s no point going after something because it’s in the press or seems fancy. Threat intelligence must help security operations cut through the noise and be more diligent.