How Useful Are Your Threat Intelligence Feeds?

What is Threat Intelligence, and Why Do Feeds Matter?

Threat intelligence is analyzed data about adversaries, indicators, tactics, and infrastructure that helps organizations detect, investigate, and respond to threats more effectively.

Threat intelligence feeds are ongoing collections of this information. Their true worth depends on context, precision, and how effectively analysts can act on them. Without those qualities, even the finest cyber threat intelligence turns into background noise.

Why Threat Intelligence Feeds Matter to Security Operations 

In the ongoing struggle against threats, current threat intelligence (TI) is essential. Threat intelligence can help your security operations team make better decisions, and those teams in turn produce valuable native cybersecurity threat intelligence of their own.

We observe that many operations teams have tools that are adept at ingesting and using threat intelligence feeds but fall considerably short in offering direction on how to apply that intelligence. There is a distinction between security tools that merely consume threat intelligence and those that deliver information to security analysts in a way that lets them make informed choices during analysis, investigation, and response.

 

How Security Analysts Make Better Informed Decisions Using Threat Intelligence 

It is no secret that new and more advanced threats are appearing faster than ever before. Fresh supporting cyber threat intelligence is emerging just as rapidly to help security analysts make more informed choices. However, having all that intelligence does not make security analysts more effective if there is no common context linking the incidents they are examining to the way threat intelligence feeds are used.

This is where threat intelligence solutions and threat intelligence resources can either assist or obstruct. 

The security tools they employ need to be capable of achieving the following: 

  • Present contextual threat intelligence to security analysts from where they are performing analysis by linking intelligence and cases together. 
  • Validate the trustworthiness of specific pieces of threat intelligence to determine which feeds offer high-quality intelligence. This enables security analysts to focus their time and efforts on the most accurate threat intelligence services. 
  • Deliver additional context around the artifacts or evidence within a case to quickly determine how critical the case is and if it is likely associated with a false positive. 

Fortunately, there is a security orchestration and automation solution that can check all these boxes: NetWitness Orchestrator built on ThreatConnect version 6.1, functioning as a practical cyber threat intelligence platform inside security operations.

 

How NetWitness Orchestrator Strengthens Threat Intelligence Operations 

Linking Cases and Intelligence for Better Context 

Since we introduced NetWitness Orchestrator almost two years ago, we have strived to empower security analysts with orchestration and automation capabilities to make better decisions while saving time, minimizing frustration, and improving collaboration across the security operations team and technologies, all while ultimately driving down risk. 

In the latest NetWitness Orchestrator release, version 6.1, we are delivering key functionality that reinforces our ability to make threat intelligence solutions operational, not theoretical.

Analysts want to understand whether there are previous or open investigations related to the case they are currently working on. NetWitness Orchestrator makes it possible to see all cases that the team has investigated related to an adversary, helping analysts determine whether the activity has been seen before within the organization. 

Users can understand relationships, whether defined by users or automatically generated, across cases and threat intelligence within the same system. This happens from the same page where adversary analysis is executed, reducing context switching and enabling analysts to apply threat intelligence feeds directly during investigations. 

Measuring Trust with Threat Intelligence Report Cards

Analysts want to gauge the trustworthiness of a particular piece of threat intelligence. This requires understanding which threat intelligence feeds consistently provide high-quality intelligence. 

NetWitness Orchestrator enables immediate access to feed reliability and uniqueness through report cards, helping analysts prioritize the most valuable threat intelligence tools and sources. 

It can answer questions like: 

  • How often does this threat intelligence feed report a false positive? 
  • How timely is this feed compared to others? 
  • Does this feed provide broad cyber threat intelligence or only narrow indicators? 
  • Do the indicators tend to be more critical or malicious than those from other feeds? 

With report cards available throughout the platform, analysts can objectively evaluate both open and subscribed threat intelligence services and make smarter decisions during analysis and investigation. 
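To make the report-card questions above concrete, here is an added example (not NetWitness or ThreatConnect code, and not how the product computes its report cards) that derives comparable per-feed metrics from analyst-reviewed indicators. The feed names, record layout, and metric definitions are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample: (feed, indicator, time reported, analyst_verdict, severity 0-5).
# analyst_verdict is the outcome of case review, not something the feed supplies.
OBSERVATIONS = [
    ("feed_a", "198.51.100.7", "2024-03-01T08:00", "malicious", 4),
    ("feed_b", "198.51.100.7", "2024-03-02T09:00", "malicious", 4),
    ("feed_a", "bad.example", "2024-03-03T10:00", "malicious", 5),
    ("feed_b", "cdn.example", "2024-03-03T11:00", "false_positive", 1),
    ("feed_b", "203.0.113.9", "2024-03-04T12:00", "malicious", 3),
    ("feed_c", "bad.example", "2024-03-05T10:00", "malicious", 5),
    ("feed_c", "198.51.100.7", "2024-03-01T20:00", "malicious", 4),
]

def report_cards(observations):
    """Return {feed: metrics} answering the four report-card questions."""
    by_feed = defaultdict(list)
    first_seen = {}                 # indicator -> earliest report across all feeds
    reporters = defaultdict(set)    # indicator -> feeds that reported it
    for feed, ioc, ts, verdict, sev in observations:
        t = datetime.fromisoformat(ts)
        by_feed[feed].append((ioc, t, verdict, sev))
        reporters[ioc].add(feed)
        first_seen[ioc] = min(first_seen.get(ioc, t), t)
    cards = {}
    for feed, rows in by_feed.items():
        n = len(rows)
        # Timeliness: hours this feed lagged behind the first feed to report.
        lags = [(t - first_seen[ioc]).total_seconds() / 3600 for ioc, t, _, _ in rows]
        cards[feed] = {
            "indicators": n,
            "false_positive_rate": sum(v == "false_positive" for _, _, v, _ in rows) / n,
            "unique_share": sum(len(reporters[ioc]) == 1 for ioc, *_ in rows) / n,
            "mean_lag_hours": mean(lags),
            "mean_severity": mean(s for *_, s in rows),
        }
    return cards

if __name__ == "__main__":
    for feed, card in sorted(report_cards(OBSERVATIONS).items()):
        print(feed, card)
```

In this constructed data, feed_b contributes the only unique indicators but also the only false positive, while feed_c adds nothing new and reports late, which is the kind of trade-off a report card is meant to expose.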

Adding Actionable Context to Threat Artifacts 

When examining artifacts or evidence in a case, analysts need more than confirmation that something exists. They need actionable threat intelligence context. 

NetWitness Orchestrator expands the amount of context available when viewing artifacts by showing how they were added, crowd-sourced intelligence details, derived indicators, and related intelligence. Artifacts are sorted so that the most critical indicators appear first, helping analysts quickly apply cybersecurity threat intelligence where it matters most. 

 

Turning Threat Intelligence into Operational Value 

These capabilities are designed to make security operations more efficient. NetWitness Orchestrator merges threat intelligence, orchestration, and automation into a single threat intelligence platform, enabling analysts to fully exploit the value of vast threat intelligence feeds instead of being overwhelmed by them. 

For more information about NetWitness Orchestrator or to request a demo, click SOAR (Security Orchestration Automation Response). 


Frequently Asked Questions

1. What is threat intelligence used for?

Threat intelligence helps security teams identify, prioritize, and respond to threats by providing context around indicators, adversaries, and attack patterns. 

Threat intelligence feeds deliver raw or curated data, while a threat intelligence platform adds context, scoring, relationships, and operational workflows. 

Without context and integration, threat intelligence tools often create alert fatigue. Effectiveness depends on how intelligence is presented and used during investigations. 

Strong correlation, transparent feed quality scoring, artifact-level context, and tight integration with investigation and response workflows. 


About Author

Anusha Chaturvedi

Anusha Chaturvedi is a tech-focused content writer with a strong background in branding and communication. With experience across BFSI and cybersecurity, she creates informative, insight-driven narratives grounded in research. Her academic roots in mass communication, advertising, and marketing shape both her analytical and creative approach.
