We’ve all been there. You’re supporting your organization’s security operations center (SOC) function, and the boss asks you to review a project plan for a new offering from another group internally, something planned to roll out later in the year. Maybe it’s even fast-tracked for release, so there’s some extra time pressure for you to review and sign off on behalf of the SOC. Will there be any impact to your organization’s security posture?
All too frequently, the answer is, “Yes.” And once again, you’re shaking your head when you think about how this could have been avoided “if only” you had been brought into the process earlier. Security sometimes has neither the proper mindshare nor the seat at the table at the beginning of projects like this – and as is the case with many things in the information security space, you don’t want to bolt-on a solution afterwards. Ideally, you want to build it in from the beginning.
When security is weaved in from the outset, the fabric you produce at the end of the project is stronger and safer. Yet we see that important security thread overlooked in project after project – X gets built, and it’s only later that Y comes to a head as a critical factor.
Believe it or not, information security *products* themselves sometimes suffer from the same shortcoming – an essential ingredient that should have been baked in all along is added later as a decorative garnish. In the security orchestration, automation and response (SOAR) space, that essential ingredient is a threat intelligence platform (TIP) capability.
Whether you are working with externally or internally sourced threat intel, many organizations struggle to translate that data into useable, actionable context for the SOC. A basket full of indicators of compromise (IoCs) swimming around in a mix of different formats, different ages, and different sources is hard enough to manage, and that’s even before you think about consolidating everything together to perform some flavor of automation. Automation which could quickly bring you additional context around the incidents you and your team are working.
And here is where the TIP + SOAR storylines meet. You want your threat intel capability to be fully integrated – and even stronger – to be an inherent part of your automation capability. One should flow into the other. But too many solutions stitch these two functions together after the fact, or worse yet, they make that your problem by forcing you to figure out how to integrate their SOAR solution with someone else’s TIP solution.
Today’s cybersecurity landscape is one where threats and efforts to counteract those threats are advancing in an accelerated way. Enterprises simply don’t have room for inefficiencies or inadequacies that require attention when it’s too late to be truly effective. Failing to integrate your TIP and SOAR strategies can lead to much more than an annoyance; it can lead to your SOC team being inundated with alerts from threat intelligence feeds that at best, wastes their precious time and at worst, causes analysts to miss an important threat indicator.
One of my favorite quotes from Douglas Hubbard’s How to Measure Anything books is, “If managers can’t identify a decision that could be affected by a proposed measurement and how it could change those decisions, then the measurement simply has no value.”
This thinking carries over cleanly into the world of threat intelligence – if you aren’t leveraging threat intelligence as part of your team’s decision-making process to constantly improve your response time and effectiveness, why are you ingesting those feeds in the first place? If your TIP isn’t innately part of your SOAR platform, are you really maximizing the potential benefit of those threat intelligence feeds, and the context they bring to help you make smarter decisions?
A TIP should not be an after-the-fact, bolted-on arm to your SOAR solution. Look for SOAR solutions which treat that TIP capability as the central player it is: an essential ingredient that was considered, spec’d out, and included at the beginning (not towards the end) of the design of the SOAR platform itself.
To learn how XDR technology can help mitigate cyberattacks through the use of threat intelligence and SOAR, tune into the recent webinar between IDG and Zulfikar Ramzan, Chief Product and Technology Officer at NetWitness, here.