IT teams are increasingly adopting security orchestration, automation and response (SOAR) tools to improve security operations’ efficiency. Often, when debating SOAR solutions, security personnel tend to focus on the automation and orchestration aspects. However, we find that some SOAR solutions fall short by not properly leveraging the vast amount of threat intelligence (TI) that is available. Open source threat feeds, subscribed threat feeds, abstracting data from blogs or research data, internally acquired threat intelligence and even crowdsourced intelligence can all be leveraged to guide security operations and train SOAR solutions to properly identify, prioritize, investigate and resolve potential incidents.
Applying TI to decision-making helps security teams become more predictive, empowering them to see the likeliest threats and use that visibility to prioritize how they’ll protect their organization. When a previously unseen threat presents itself, it places your security team in reactive mode. But if you’re only reacting, then security analysts are stuck playing a never-ending game of catch-up and clean-up.
When you start to introduce TI in a strategic way to a security program, it gives you a more holistic view of what’s happening outside your organization and allows you to map that external information to your organization’s own threat landscape.
Another way of putting it: finding TI about current threats, aggregating it, analyzing it, and using it to identify the most relevant threats is applicable to your business.
TI Applied to Orchestration and Automation for Incident Detection and Response
TI adds critical insights when you validate incidents. After an attack, security teams can be inundated with alerts: how do they determine which ones to focus on? If you look at how an analyst works through the alerts and incidents in their queue, almost all of them include indicators of compromise (IOCs) – IPs, domains, file hashes, etc.
Part of the process of identifying the nature and severity of any attack is understanding which of these indicators have been observed in relation to other known threats and threat actors. Analysts need rich, contextual intelligence built right into their process; having that information allows them to validate certain indicators, tag them for future incidents, and decide what responses can be automated. This saves analysts a huge amount of time, because they can move faster and with higher accuracy. What’s more, as analysts gain additional context on certain indicators, smart orchestration solutions can automatically feed this context back into the security team’s intelligence program, improving future detections and even automatically informing control infrastructure, such as firewalls, proxies, AV, etc. to automate future prevention.
In addition to helping analysts understand the TI context of a specific indicator, intelligent SOAR solutions also help security teams understand when an indicator may be related to other indicators that are used by the same threat, actor, or campaign. This means that analysts can expand their investigations beyond just what triggered the alert, and search – manually or automatically – for any observations of related, relevant indicators and behavior. This helps analysts more confidently uncover the entire scope of an attack.
TI makes NetWitness Orchestrator a smarter, better choice
Although most SOAR solutions talk about TI, the way that NetWitness Orchestrator uses this information is different in the market for a number of reasons. First and foremost, the richness of the intelligence in the platform evolved from prior TI platform capabilities, so the solution is built on a strong heritage and knowledge base.
TI loses value as it ages, so NetWitness Orchestrator continuously adapts its TI to reflect the dynamic nature of threats. Indicators, actors, and campaigns change constantly, and the solution aggregates emerging TI quickly and at scale, ensuring that the solution is using and learning from the most up-to-date and relevant information available.
Giving analysts the full picture is also an essential feature of NetWitness Orchestrator; accuracy and fully exposed context are critical here, since not all intelligence is created equal. For example, there may be an indicator as part of an investigation that has been tagged as suspicious – an analyst needs to understand not only the nature of the indicator but the context of how and who reported it in the first place.
With a robust, mature TI solution, analysts can begin automating threat hunting efforts based on known threat actors and campaigns. By closely tying intelligence to orchestration playbooks, the system can help sweep an environment for observations of behavior related to the system’s TI and surface high-value alerts and leads for analysts to chase down. NetWitness Orchestrator even automates workflows to remediate issues in the environment, escalates issues to IT ticketing systems, and implements preventative controls.
TI is a critical piece to the incident detection and response puzzle, but the way that TI is applied can vary from solution to solution. SOAR solutions will continue to evolve to better leverage TI throughout the incident response lifecycle in order to detect, properly prioritize incidents for investigation, and speed analysis and evidence collection – which ultimately equates to faster resolutions and more efficient security operations.