Better Context Leads to Better Detections and Outcomes

Better context leads to better detection and therefore better outcomes. Better outcomes are the result of world-class intelligence from experts partnering with you, not data feeds. But how do you get there?

Recently, several studies were conducted to illustrate the difficulty security professionals have in properly using threat intelligence in their companies. Most of the results from the investigations point to a need for quicker reaction times when it comes to implementing changes based on threat intelligence.

Threat intelligence is an essential tool to help organizations stay secure. Ensuring comprehensive intelligence requires a combination of vulnerability management, risk analysis, and incident response – and may require up to 10 data feeds for accurate results. While many agree that automation is the key to a successful Cyber Threat Intelligence (CTI) program, only 40% of practitioners indicate they have automation capabilities and usually these are larger enterprise security teams, which leaves a huge gap in the market for MSSP programs.

So, how do you get to a better contextual picture of the threat landscape from where you are now?

Do not underestimate the importance of return on investment for your programs.

The results of a recent Mandiant survey have demonstrated that most organizations do not exchange threat intelligence between departments often enough. It was discovered that, on average, conversations relating to Cybersecurity take place only every four or five weeks. Additionally, only 38% of security teams regularly distribute threat intelligence to the whole staff for risk awareness.

For security professionals, it is important to be aware that board meetings are usually dominated by sales, finance, and product teams. In order to gain recognition and prove their worth, threat intelligence professionals should incorporate intelligence that reduces risk for other stakeholders into their decision-making processes.

It’s more helpful if this goes beyond the SOC and to the revenue-generating business units. Business leaders want to see quantifiable risk reductions. They generally prefer storytelling through reports and briefs, not spreadsheets piled wide and high with data.

Build your defenses against the threats that are actually attacking your organization.

According to a recent Mandiant survey, 79% of respondents admitted to making purchasing decisions based on current attack trends and not based on what was actually targeting their industry or organization.

A solid threat landscape assessment from a managed service should provide industry trends and who is targeting your organization. The collection should come from closed groups, the dark web, open-source intelligence, news, and external telemetry. This can be a fantastic starting point for building an intelligence-driven approach to network defense.

If your team has the ability to analyze data from a variety of sources – such as IDS, firewalls, application logs, etc. – you can get a better look at potential threats targeting your organization. Leverage this knowledge and these resources to remain one step ahead in protecting yourself against malicious actors lurking online.

But for maximum protection consider an experienced managed service provider who can provide comprehensive insight into these malicious cyber-attackers.

Build the right automation and services for your workflows that show impact to stakeholders.

Automating meaningless IOCs or news alerts from 10 different feeds is not typically helpful. Ensuring data feeds provide real-time vulnerability management alerts is essential for enterprise technologies. At the same time, it is important to flag which of those alerts concern vulnerabilities that threat actors are actively exploiting. Investing in such measures is a more meaningful investment.

Robust automated systems can help security teams effectively respond to threats. These systems leverage data points such as phishing emails and malicious domains. They also use threat and open-source intelligence to provide crucial information for a swift resolution.
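The prioritization step described above, as an added example that is not part of the original post or of any Nisos product: vulnerability alerts from a feed are ranked by whether the flaw is reported as exploited in the wild and whether the affected product is actually in the organization's inventory. The alerts, the exploited-vulnerability list and the asset inventory are all constructed for the demo; the CVE identifiers are placeholders, not real advisories.

```python
"""Rank vulnerability alerts by active-exploitation context and asset exposure.

Added example with constructed data: the feed records, the exploited list and
the inventory below are placeholders, not real vulnerabilities or products.
"""
from dataclasses import dataclass

# Constructed alerts, shaped like a normalized vulnerability feed.
# "CVE-0000-..." ids are placeholders rather than real CVE numbers.
ALERTS = [
    {"cve": "CVE-0000-0001", "product": "exampleVPN", "cvss": 9.8},
    {"cve": "CVE-0000-0002", "product": "exampleCMS", "cvss": 7.5},
    {"cve": "CVE-0000-0003", "product": "exampleDB", "cvss": 9.1},
    {"cve": "CVE-0000-0004", "product": "exampleMail", "cvss": 5.3},
]

# Constructed "exploited in the wild" list, in the shape of a
# known-exploited-vulnerabilities feed: id -> the actor context we have.
EXPLOITED = {
    "CVE-0000-0002": "commodity ransomware affiliates",
    "CVE-0000-0004": "targeted phishing campaign",
}

# Constructed asset inventory: products the organization actually runs.
ASSETS = {"exampleVPN", "exampleCMS", "exampleMail"}


@dataclass
class Prioritized:
    cve: str
    tier: str
    reason: str


def classify(alert, exploited, assets):
    """Return (tier, reason) for one alert.

    Exploitation context outranks raw CVSS: a medium-severity flaw that is being
    used against real victims is P1, while a critical flaw with no known
    exploitation is P2, and anything outside the inventory is informational.
    """
    in_use = alert["product"] in assets
    actor = exploited.get(alert["cve"])
    if not in_use:
        return "info", "product not in inventory"
    if actor:
        return "P1", f"exploited in the wild ({actor})"
    if alert["cvss"] >= 9.0:
        return "P2", "critical severity, no known exploitation"
    return "P3", "in inventory, no known exploitation"


def prioritize(alerts, exploited, assets):
    """Return alerts as Prioritized records, highest tier first."""
    order = {"P1": 0, "P2": 1, "P3": 2, "info": 3}
    ranked = [Prioritized(a["cve"], *classify(a, exploited, assets)) for a in alerts]
    return sorted(ranked, key=lambda p: (order[p.tier], p.cve))


if __name__ == "__main__":
    for p in prioritize(ALERTS, EXPLOITED, ASSETS):
        print(f"{p.tier:4} {p.cve}  {p.reason}")
```

The ordering is the point: with this data the two exploited flaws land on top even though one of them has the lowest CVSS in the feed, and the highest-scoring alert is demoted because nothing in the inventory is affected. Swapping the constructed lists for a real asset inventory and a real exploited-vulnerability feed is what turns "10 feeds of alerts" into a short queue a stakeholder can act on.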

You should be getting to a point where you can be answering questions such as:


  • “Are these registrations associated with a single actor?”
  • “Can you attribute this campaign to a specific individual or group?”
  • “What can you identify about the owner of this email account (past and current activity)?”
  • “Is this account attributable to a specific person or group?”

From the Nisos Engineering Team:

At Nisos we have introduced our own platform to integrate with various data APIs and feeds in order to use platform analytics to learn user behavior and create automations. This platform can quickly learn the workflows of a diverse range of analysts to generate recommendations and automations based on data from multiple feeds. Automations that recognize patterns and validate data from several sources help analysts work more efficiently while maintaining incredibly high standards of investigative analysis.

Valuable data comes from a multitude of feeds, in many different data formats. APIs from third-party vendors and open-source feeds are consumed in various ways. Automations enable data from these various APIs and feeds to be normalized, searchable, and cross-referenced. These automations help identify patterns and create second- and third-level searches to surface more useful, relevant, and validated data about specific targets.
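The normalize-then-cross-reference pattern described above, as an added example that is not part of the original post or of the Nisos platform: two differently shaped feeds (a JSON API response and a CSV list) are folded into one schema, indicators reported by more than one source are marked as corroborated, and a second-level search pivots from one domain through its registrant to every other domain sharing that registrant, the kind of "are these registrations associated with a single actor?" question listed earlier. The feeds, the registration records and all names (under the reserved example.invalid domain) are constructed for the demo.

```python
"""Normalize two feeds into one schema, cross-reference them, and pivot.

Added example with constructed data: both feeds, the registration lookups and
every hostname/address below are placeholders, not real intelligence.
"""
import csv
import io
import json
from collections import defaultdict

# Constructed feed 1: JSON records from a hypothetical vendor API.
FEED_JSON = json.dumps([
    {"indicator": "login-portal.example.invalid", "type": "domain", "confidence": 80},
    {"indicator": "203.0.113.7", "type": "ip", "confidence": 60},
    {"indicator": "Billing-Update.example.invalid", "type": "domain", "confidence": 70},
])

# Constructed feed 2: CSV export from a hypothetical open-source list.
FEED_CSV = """value,kind
login-portal.example.invalid,fqdn
invoice-review.example.invalid,fqdn
203.0.113.7,ipv4
"""

# Constructed registration lookups keyed by domain, standing in for a
# third-level source an analyst would normally query on demand.
REGISTRATIONS = {
    "login-portal.example.invalid": {"registrant": "reg-1@mail.example.invalid"},
    "billing-update.example.invalid": {"registrant": "reg-1@mail.example.invalid"},
    "invoice-review.example.invalid": {"registrant": "reg-2@mail.example.invalid"},
}

# Each feed uses its own type vocabulary; map both onto one.
KIND_MAP = {"domain": "domain", "fqdn": "domain", "ip": "ip", "ipv4": "ip"}


def normalize(feed_json, feed_csv):
    """Return {(kind, value): set(sources)} using one vocabulary and one casing."""
    records = defaultdict(set)
    for r in json.loads(feed_json):
        key = (KIND_MAP[r["type"]], r["indicator"].strip().lower())
        records[key].add("vendor-api")
    for row in csv.DictReader(io.StringIO(feed_csv)):
        key = (KIND_MAP[row["kind"]], row["value"].strip().lower())
        records[key].add("open-source-list")
    return dict(records)


def corroborated(records, minimum=2):
    """Indicator values reported by at least `minimum` independent sources."""
    return sorted(value for (_, value), sources in records.items() if len(sources) >= minimum)


def pivot_registrant(records, registrations, seed_domain):
    """Second-level search: seed domain -> its registrant -> every other
    domain in the normalized set registered by the same registrant."""
    seed = registrations.get(seed_domain.lower())
    if seed is None:
        return []
    related = []
    for kind, value in records:
        if kind != "domain" or value == seed_domain.lower():
            continue
        reg = registrations.get(value)
        if reg and reg["registrant"] == seed["registrant"]:
            related.append(value)
    return sorted(related)


if __name__ == "__main__":
    recs = normalize(FEED_JSON, FEED_CSV)
    print("corroborated:", corroborated(recs))
    print("same registrant as login-portal:",
          pivot_registrant(recs, REGISTRATIONS, "login-portal.example.invalid"))
```

Two details carry the weight here. Lower-casing and trimming during normalization is what lets the mixed-case "Billing-Update" record from one feed be matched and pivoted on at all, and the registrant pivot only reports domains that the normalized set already contains, so the second-level search widens an investigation without pulling in records no feed has reported.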

The key piece about automations is that they are not created to ever be a replacement for analysts. They are built to augment, create efficiencies and share workflows across a diverse range of intelligence practitioners to maximize the data and information they have at their fingertips.

As any threat intelligence practitioner knows, no single feed has complete coverage or automation. It therefore matters where you can outsource to experts to avoid the “pyramid of pain”. This frees your team to deal with internal stakeholders, and that is what will make your workflows work better.

Threat intelligence and cybersecurity can be challenging. Few understand the process, data, and outcomes until it’s too late, which makes simplicity critical. Cybersecurity is often touted as an industry that remains resilient during economic downturns. However, fostering success requires individuals with not just technical aptitude but also sharp emotional intelligence to present complex concepts in ways that executives and the public can understand.

It is also important to understand the economics of cybersecurity: how investments in cybersecurity infrastructure provide tangible benefits, and how to assess the cost-benefit of various security solutions. Having the right tools and technology in place is essential, but they are only as effective as the people who use them. Return on investment calculations can show that threat actors will cost more than it takes to defend against them.

About Nisos®

Nisos is The Managed Intelligence Company®. Our services enable security, intelligence, and trust and safety teams to leverage a world-class intelligence capability tailored to their needs. We fuse robust data collection with a deep understanding of the adversarial mindset delivering smarter defense and more effective response against advanced cyber attacks, disinformation, and abuse of digital platforms.