Products and Solutions

How Useful Are Your Threat Intelligence Feeds?

May 12, 2021 | by Brian Robertson |
RSA blog post

In the constant battle against threats, up-to-the-minute threat intelligence (TI) is critical. TI can guide your security operations team toward better decisions, but those security operations teams are also the source of some of your best native TI.

We find that many operations teams have tools that are good at ingesting and leveraging TI, however they significantly lack the ability to provide guidance when it comes to utilizing that TI. There’s a difference between security tools that simply ingest TI and those that are smart enough to present information to security analysts in a way that they can use to make informed decisions that help during analysis, investigation and response.

How do Security Analysts Make Better Informed Decisions?

It is no secret that new and more sophisticated threats are emerging at a faster pace than ever before. However, new accompanying TI is also becoming available just as fast to help security analysts make better-informed decisions. Yet having all that intelligence available doesn’t make security analysts more effective, if they have no shared context between the incidents they are investigating and how TI is consumed.

The security tools they use must be able to accomplish the following:

  1. Present contextual TI to security analysts from where they are performing analysis, by linking TI and the cases together.
  2. Validate the trustworthiness of specific pieces of TI to determine which feeds offer high-quality intelligence. This enables security analysts to focus their time and efforts using the most accurate sources of relative intel.
  3. Deliver additional context around the artifacts or evidence within a case to quickly determine how critical the case is and if it is likely associated with a false positive.

Fortunately, there is a security orchestration and automation solution that can check all these boxes: NetWitness Orchestrator built on ThreatConnect version 6.1.

NetWitness Orchestrator Can Help

Since we introduced NetWitness Orchestrator almost two years ago, we have strived to empower security analysts with orchestration and automation capabilities to make better decisions while saving time, minimizing frustration and improving collaboration across the security operations team and technologies… all while ultimately driving down risk.

In our latest NetWitness Orchestrator release version 6.1, we are delivering key functionality that reinforces our ability to make your security operations work at peak performance.

1. Linking Cases and Intelligence

Analysts want to be able to understand if there are previous or open investigations related to the case they are currently working on. We now make it possible to see all cases that the team has investigated related to an adversary to understand if it’s something that has been seen before within the organization.

Users can understand relationships, whether defined by users or automatically made by NetWitness Orchestrator, across cases and intelligence within the system. This is done from the same page that the initial adversary analysis is executed, which saves time and frustration caused by constant context switches imposed by multiple screens and interfaces.

2. Report Cards Everywhere

Analysts want to be able to gauge the trustworthiness of a particular piece of TI. This requires the ability to determine which feeds are providing high-quality intelligence so that analysts can focus their time and effort on the most accurate sources. NetWitness Orchestrator delivers the ability to get immediate access to the information needed to make better strategic and tactical decisions during analysis or investigative processes. It can answer questions like:

With report cards everywhere, all users have access to the feed explorer that shows reliability and uniqueness for TI feeds. This helps evaluate the efficiency and accuracy of open and subscribed feeds, and uses that data to determine how to move forward with specific intelligence during the analysis or investigation process.

  • How often does this TI feed report a false positive?
  • How timely is this feed compared to other available feeds?
  • Does this feed provide a breadth of information that expands beyond a single topic?
  • Do the indicators in this feed tend to be more critical/malicious then others?
Image 1

Feed Explorer allows users to view information like reliability and uniqueness of particular feeds. You can click and drill down into more detail when needed.

3. Actionable Artifact Context

When looking at artifacts or evidence of a case, analysts need to understand additional context. Simply knowing it exists and that it is related to the case is not enough. Analysts may need to consider hundreds of artifacts of a case, making it difficult to understand which artifacts carry the most weight. NetWitness Orchestrator has expanded the amount of context provided when viewing case artifacts. Now security analysts are armed with the relevant TI they need to make more informed decisions by seeing which task added the artifacts, any crowd sourced details of the artifact, derived indicators, and much more. All artifacts are sorted so the most critical artifacts are presented at the top of the list.

Image 2

Users are presented additional context about a particular artifact directly from the case screen, allowing them to come to faster conclusions about the potential criticality of an investigation.

These new capabilities are designed to make security operations more efficient.  NetWitness Orchestrator merges TI and orchestration and automation into a single platform, empowering security analysts to fully exploit the value that vast TI the system provides.

###

For more information about NetWitness Orchestrator or to request a demo, click here

In our latest NetWitness Orchestrator release version 6.1, we are delivering key functionality that reinforces our ability to make your security operations work at peak performance.