In episode 41 of the Cyber5, we are joined by Director of Cyber Defense Integration at Thomson Reuters, Cliff Webster. Cliff discusses the functionality and scaling of cyber fusion centers and their integral part in reducing risk to all facets of the business.
Here are the 5 Topics We Cover in This Episode:
1) Differentiating a Cyber Fusion Center over a Security Operations Team: (01:59-07:16)
A cyber fusion center (CFC) is an evolution of the traditional security operations center (SOC). A SOC is mostly focused on reactive activities such as detection and incident response around detected malicious activity. A CFC supplements that reactive detection mission with proactive activities, such as adopting new frameworks and identifying new threats before they appear in an enterprise's logs and firewalls, to gain speed in responding. Creating connective tissue between teams through technology and process is a function unique to a CFC.
A key function that differentiates a CFC from a SOC is moving data and information between teams and business units in a way that reduces attacker dwell time. The critical security functions that overlap with IT and need to be brought together are threat intelligence, threat hunting, vulnerability management, asset inventory, and red team.
2) Going Beyond Cyber Threat Intelligence: (07:16-09:03)
A SOC is generally focused on threats against the confidentiality, integrity, and availability of data, systems, and networks. A CFC typically starts with the same focus. Over time, however, with the processes and technologies in place, a CFC can tackle other security challenges such as third party risk and elements of physical security, because success there inevitably requires integrating other data sources, such as vendor questionnaire information and entry/exit badging.
3) Critical Elements That Need to be in Place from a SOC: (09:03-14:20)
The core capabilities that need to be in place from a SOC to make the evolution to a CFC are the following:
- Threat intelligence, which is the engine of a successful Cyber Fusion Center: it drives priorities in vulnerability management, red teaming, application security, and even product security in the larger business units.
- A SOC with a SIEM to do basic log aggregation.
- A threat hunting team that can take hypotheses from threat intelligence or the red team and correlate them against the data. This usually comes with significant investment in technology and the security stack so that hunts can be tailored to threat actor behavior.
Critical data and log sources internally are:
- User access logs
- Server logs
- Endpoint and EDR logs
- Threat intelligence feeds
- Firewall logs
- VPN logs
- Internal netflow
- Application logs
- PCAP if available
A critical element of strategic growth plans within a CFC is the ability to acquire all these datasets and correlate them with a SIEM in a meaningful manner that gives actionable alerts when there is a problem.
4) Support from the Business Units and External Threat Hunting: (14:20-27:30)
Engaging with the business units is a critical part of data acquisition strategy not only for appropriate log aggregation and correlation but also to work through outputs from the CFC when a security event occurs. With regard to external threat hunting, there is no shortage of external telemetry that can be collected, but this should be prioritized after an organization knows its own internal environment first. For third party risk management, this is a fundamental intelligence problem many enterprises are grappling with due to the challenges of monitoring key vendors at any type of scale with any consistency.
5) Important Metrics for Cyber Fusion Centers: (27:30-37:00)
Mature security teams aspire to be data driven organizations, and thus metrics are critical to capture:
1) From an intelligence perspective, baselines of what can currently be detected, recorded as metrics alongside the identified gaps.
2) Intelligence that led to an accelerated patching cycle and closed visibility gaps.
3) Intelligence informing security architecture decisions that led to policy changes, such as removing a remote access tool, measured as the reduction in the time a gap was visible.
4) Number of intelligence products that helped the organization understand the initial data of a security incident.
5) Intelligence tippers that led to the discovery of a security event.
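The multi-source correlation described under topic 3 and the dwell-time and intel-tipper metrics under topic 5, as an added Python example that is not code from the episode or from Thomson Reuters. It runs two simple SIEM-style rules over constructed VPN and EDR records (hostnames, users and RFC 5737 documentation IPs are all made up) and reports, per host, which tipper found the event first and how long the attacker was present before detection:

```python
"""Toy correlation of VPN + EDR logs against a threat intel feed, with CFC-style metrics."""
from datetime import datetime

# Constructed sample data: one indicator from a hypothetical intel feed, plus SIEM records.
THREAT_INTEL = {"203.0.113.45"}

EVENTS = [
    {"ts": "2024-03-01T08:02:00", "source": "vpn", "host": "LT-0412", "user": "jdoe", "src_ip": "203.0.113.45"},
    {"ts": "2024-03-01T08:41:00", "source": "edr", "host": "LT-0412", "alert": "credential dumping"},
    {"ts": "2024-03-01T09:30:00", "source": "vpn", "host": "LT-0777", "user": "asmith", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-01T09:40:00", "source": "edr", "host": "LT-0777", "alert": "suspicious powershell"},
    {"ts": "2024-03-01T10:05:00", "source": "vpn", "host": "LT-0900", "user": "bkim", "src_ip": "198.51.100.9"},
]

def ts(e):
    return datetime.fromisoformat(e["ts"])

def detections(events, intel):
    """Rule 1 (intel tipper): a VPN login from an intel-listed IP alerts at login time.
    Rule 2 (EDR tipper): any EDR alert raises an alert when EDR fires."""
    found = []
    for e in events:
        if e["source"] == "vpn" and e["src_ip"] in intel:
            found.append({"host": e["host"], "detected": e["ts"], "tipper": "threat_intel",
                          "detail": f"VPN login from intel-listed IP {e['src_ip']}"})
        elif e["source"] == "edr":
            found.append({"host": e["host"], "detected": e["ts"], "tipper": "edr",
                          "detail": e["alert"]})
    return found

def metrics(events, found):
    """Per host with a detection: the tipper that found it first, and dwell time in minutes
    between the host's earliest event and that first detection."""
    first_event = {}
    for e in events:
        first_event[e["host"]] = min(first_event.get(e["host"], ts(e)), ts(e))
    first_detection = {}
    for d in sorted(found, key=lambda d: d["detected"]):  # ISO timestamps sort lexically
        first_detection.setdefault(d["host"], d)
    out = {}
    for host, d in first_detection.items():
        dwell = (datetime.fromisoformat(d["detected"]) - first_event[host]).total_seconds() / 60
        out[host] = {"tipper": d["tipper"], "dwell_minutes": dwell}
    return out

if __name__ == "__main__":
    for host, m in metrics(EVENTS, detections(EVENTS, THREAT_INTEL)).items():
        print(host, m)
```

In the constructed data the intel tipper catches LT-0412 at login (zero dwell) while LT-0777 is only found when EDR fires ten minutes later, which is the kind of comparison the dwell-time metric is meant to show.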