Five pointers for choosing a Threat Intelligence Platform
Article by ThreatQuotient APJC regional director, Anthony Stitt.
As the new financial year looms, companies are starting to identify the key strategic focus areas for the year ahead and the technology investments needed to deliver them. Given the aggressive cyber threat environment experienced over the past 18 months, cybersecurity investment is high on the list for many.
Increasingly, organisations are augmenting their Security Operations Centre (SOC) capabilities with threat intelligence teams to improve their incident response and threat hunting. Threat intelligence can lower organisational risk and help meet compliance demands. For example, ISO/IEC 27002:2022 added threat intelligence to its list of controls (control 5.7). However, SOCs already have to manage a deluge of data from disparate sources, and adding threat intelligence only increases the load on security operations unless it is managed effectively. The answer is a Threat Intelligence Platform (TIP).
A TIP serves as a central repository for all threat data and intelligence from internal and external sources. It should deliver essential context around threats that helps the team understand the who, what, when, how and why of a threat. It should also help prioritise threats based on parameters set by the organisation, filtering out noise so the resulting actions are clear.
A good TIP benefits a range of stakeholders, from the board aiming to understand the strategic risk to CISOs focusing on improving defence while staying on budget, and from security analysts collaborating more effectively to incident response teams benefiting from automated prioritisation of incidents.
Here are the five key areas that should be on your checklist as you evaluate TIPs:
Ability to consume structured and unstructured data
A TIP must be able to import data from every possible source – internal and external, proprietary and open source – and in every format, structured or unstructured. This includes data from the full ecosystem of modern security tools such as endpoint, network, and cloud detection and response. Where unstructured data such as blogs and social media posts is concerned, the platform must be able to parse "de-fanged" or "neutered" indicators – the convention of writing hxxp:// and example[.]com so that a risky URL stays readable to analysts but cannot be clicked – and turn them back into usable indicators.
The threat environment constantly changes, so the facility to create new custom connectors to ingest intelligence around new threats as they emerge is also key. So is the ability to define additional objects to fit specific use cases, allowing teams to tailor the platform to their preferred workflows.
Context is king!
Context allows teams to make sense of what the mass of indicators is telling them and respond appropriately. Because that supporting context matters so much, it is important to determine whether the TIP vendor imports all of the data as delivered and whether they modify any of it.
Modification can be helpful: a layer of normalisation is critical to deduplication. However, normalisation and unification of data must preserve context. Normalising feed data consolidates analyst comments, better organises associated intelligence, and lets the team export one IOC in place of three copies of the same indicator, which makes for greater efficiency.
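The two points above – re-fanging indicators pulled from unstructured text, and normalising them so that duplicates from several feeds collapse into one record without losing each feed's context – can be shown together. The following is an added example written for this article, not ThreatQuotient's code or any vendor's implementation; the de-fanging conventions handled (hxxp, [.], (.), [dot], [at]), the normalisation rules, the three sample "reports" and their analyst comments are all constructed for illustration.

```python
"""Added example (not ThreatQuotient's code): refang indicators found in blog or
social-media text, normalise them, and merge duplicates while keeping the context
(source, comment, original spelling) that each copy carried."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# De-fanging conventions commonly seen in write-ups (assumed set; extend as needed).
# Order matters: repair the scheme first, then the separators.
REFANG_RULES = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s*\[dot\]\s*", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[/\]"), "/"),
    (re.compile(r"\[@\]|\s*\[at\]\s*", re.I), "@"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
TRAILING_PUNCT = ".,;:)]}>\"'"


def refang(text):
    """Turn analyst-safe spellings back into live indicators."""
    for pattern, replacement in REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def normalise(ioc_type, raw):
    """Canonical form, so the same indicator from three feeds dedupes to one record."""
    raw = raw.rstrip(TRAILING_PUNCT)            # sentence punctuation glued to the IOC
    if ioc_type == "url":
        p = urlsplit(raw)
        return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))
    if ioc_type == "ipv4":
        return str(ipaddress.IPv4Address(raw))  # raises ValueError for e.g. 999.1.1.1
    return raw.lower().rstrip(".")


def extract(text):
    """Yield (type, raw, normalised). URLs are masked before IP/domain matching so a
    hostname inside a URL is not also reported as a bare domain."""
    text = refang(text)
    found = [("url", m.group(0)) for m in URL_RE.finditer(text)]
    text = URL_RE.sub(" ", text)
    found += [("ipv4", m.group(0)) for m in IPV4_RE.finditer(text)]
    text = IPV4_RE.sub(" ", text)
    found += [("domain", m.group(0)) for m in DOMAIN_RE.finditer(text)]
    for ioc_type, raw in found:
        try:
            yield ioc_type, raw, normalise(ioc_type, raw)
        except ValueError:
            continue                            # looked like an IP but is not one


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sightings: int = 0
    sources: set = field(default_factory=set)
    raw_forms: set = field(default_factory=set)   # de-fanged spellings, for traceability
    comments: list = field(default_factory=list)  # analyst notes from every source


def consolidate(reports):
    """reports: iterable of (source, text, analyst_comment). One Indicator per (type, value)."""
    table = {}
    for source, text, comment in reports:
        for ioc_type, raw, value in extract(text):
            ind = table.setdefault((ioc_type, value), Indicator(ioc_type, value))
            ind.sightings += 1
            ind.sources.add(source)
            ind.raw_forms.add(raw)
            if comment:
                ind.comments.append(f"{source}: {comment}")
    return table


def export_rows(table):
    """One row per unique indicator with merged context, ready for the sensor grid or SIEM."""
    return sorted((i.ioc_type, i.value, i.sightings, sorted(i.sources)) for i in table.values())


# Constructed sample reports for the example; not real intelligence.
SAMPLE_REPORTS = [
    ("vendor-blog", "Loader staged at hxxps://Evil-Cdn[.]example[.]com/drop/a.bin, C2 at 203[.]0[.]113[.]7.",
     "Campaign loader, first public write-up"),
    ("social-media", "Seeing evil-cdn[dot]example[dot]com again, C2 is 203(.)0(.)113(.)7", "Independent sighting"),
    ("internal-edr", "Outbound to https://evil-cdn.example.com/drop/a.bin from HOST-42", "Host isolated"),
]

if __name__ == "__main__":
    for row in export_rows(consolidate(SAMPLE_REPORTS)):
        print(row)
```

Five raw indicators come out of the three reports, but only three unique records are exported; the URL and the C2 address each carry two sources and two analyst comments rather than appearing as duplicate rows. An "IP" with an octet above 255 is dropped rather than normalised, and a URL captured with trailing sentence punctuation is cleaned before it becomes a key.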
Scoring and prioritisation
The sheer volume of indicators published today means it is impossible - and indeed undesirable - to monitor them all. This makes scoring and prioritisation a key feature of an effective TIP. Teams need a mechanism to decide which indicators should be pushed to detection tooling for investigation, which should be blocked outright, and which should be disregarded as non-threats.
Scoring is highly specific to the organisation and the team's mission and should not simply reflect vendor or community opinion. A progressive TIP will let you set your own scoring algorithm based on any piece of data in the system, making it a tailored and accurate threat management solution.
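To make the idea of an organisation-owned scoring algorithm concrete, here is an added example written for this article, not ThreatQuotient's scoring model or any vendor's. Every weight, shelf life, tag, threshold and sample indicator is an assumption chosen to illustrate the mechanics: the score is computed from fields the platform already holds (source, corroboration, sector tags, indicator type, age, analyst verdict) and mapped to the three outcomes above.

```python
"""Added example (not ThreatQuotient's algorithm): an organisation-specific indicator
score built from fields the TIP holds, mapped to a block / detect / disregard action.
All weights, thresholds and sample indicators are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# The organisation's own profile. Nothing here is a vendor or community opinion;
# the team tunes these numbers to its mission.
ORG_PROFILE = {
    # how much each source is trusted on its own (0..1); unknown sources get 0.2
    "source_confidence": {"internal-edr": 1.0, "isac-feed": 0.8, "vendor-blog": 0.6, "social-media": 0.3},
    # how actionable each indicator type is for this sensor grid
    "type_weight": {"sha256": 1.0, "url": 0.9, "domain": 0.7, "ipv4": 0.6},
    # days after the last sighting at which an indicator of this type is worthless here
    "shelf_life_days": {"sha256": 365, "url": 30, "domain": 45, "ipv4": 14},
    # campaign or sector tags that mean "aimed at organisations like us"
    "relevant_tags": {"financial-services", "apjc"},
    # score bands -> what the integration layer does with the indicator
    "block_at": 75,
    "detect_at": 40,
}


@dataclass
class IndicatorRecord:
    ioc_type: str
    value: str
    sources: set
    last_seen: date
    tags: set = field(default_factory=set)


def score(ind, today, profile=ORG_PROFILE):
    """Return 0..100. An analyst verdict wins outright; otherwise combine confidence,
    corroboration, relevance, type and freshness. Linear decay keeps it auditable."""
    if "false-positive" in ind.tags:
        return 0
    confidence = max(profile["source_confidence"].get(s, 0.2) for s in ind.sources)
    corroboration = min(len(ind.sources) - 1, 2) * 0.1       # +0.1 per extra source, max +0.2
    relevance = 0.2 if ind.tags & profile["relevant_tags"] else 0.0
    age_days = (today - ind.last_seen).days
    freshness = max(0.0, 1 - age_days / profile["shelf_life_days"][ind.ioc_type])
    raw = (confidence + corroboration + relevance) * profile["type_weight"][ind.ioc_type] * freshness
    return round(min(raw, 1.0) * 100)


def action_for(score_value, profile=ORG_PROFILE):
    """Map a score onto the three outcomes the text describes."""
    if score_value >= profile["block_at"]:
        return "block"
    if score_value >= profile["detect_at"]:
        return "detect"
    return "disregard"


def triage(indicators, today, profile=ORG_PROFILE):
    """Score every indicator and return (value, score, action), highest priority first."""
    rows = [(ind.value, score(ind, today, profile)) for ind in indicators]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(value, s, action_for(s, profile)) for value, s in rows]


TODAY = date(2024, 3, 31)  # fixed so the example is reproducible
PLACEHOLDER_HASH = "a" * 64  # stands in for a real SHA-256

# Constructed sample indicators, not real intelligence.
SAMPLE = [
    IndicatorRecord("url", "https://evil-cdn.example.com/drop/a.bin", {"internal-edr", "vendor-blog"},
                    TODAY - timedelta(days=1), {"financial-services"}),
    IndicatorRecord("sha256", PLACEHOLDER_HASH, {"isac-feed"}, TODAY - timedelta(days=10), {"apjc"}),
    IndicatorRecord("ipv4", "203.0.113.7", {"vendor-blog", "isac-feed"}, TODAY - timedelta(days=2)),
    IndicatorRecord("domain", "old-c2.example.net", {"social-media"}, TODAY - timedelta(days=90)),
    IndicatorRecord("ipv4", "198.51.100.9", {"internal-edr"}, TODAY, {"false-positive"}),  # analyst: shared CDN
]

if __name__ == "__main__":
    for value, s, act in triage(SAMPLE, TODAY):
        print(f"{s:3d} {act:9s} {value}")
```

With these assumed weights the internally sighted, sector-relevant URL and the fresh ISAC hash land in the block band, the corroborated but less actionable IP address goes to detection, and the stale domain scores zero. The analyst's false-positive tag overrides everything else, which is the "disregarded as a non-threat" path; a vendor score alone would never know about that verdict.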
Multiple integration options
Integration with the full ecosystem of security tools is central to the value proposition of a TIP. The tighter the integration, the less manual work is required of analysts and the greater the efficiency of operations teams.
Uni-directional integration is the most common and is a purely defensive strategy: the automatically scored highest-priority threats are pushed from the intelligence platform out to the organisation's sensor grid for detection and/or blocking.
The next wave of TIP integration is bi-directional, with data pushed out from the tool and pulled back into it. Key use cases for bi-directional integration are the SIEM or log repository, ticketing systems, vulnerability management solutions and SOAR platforms. Together these drive efficiency, improve prioritisation and reduce incident response times, and vendors should offer software development kits (SDKs) and open APIs to make such integrations possible.
Data-driven automation and investigations
For under-pressure security teams, automating repetitive, time-consuming, low-level tasks is essential. If a tool can combine that automation with the real-time data and context analysts need to investigate high-impact, time-sensitive incidents, so much the better. Teams need a balance between automation and manual investigation, and the TIP should deliver it natively through a data-driven approach rather than through bolt-on scripting.
Beyond the technical considerations, organisations also need to evaluate business factors. For example, pricing is usually a subscription licensed per user and sized on the number of tactical users. However, a successful implementation should see more stakeholders realising the value of having access to the platform, so it is worth forecasting for access by teams such as risk management.
Integration is central to the TIP value proposition, and vendors should provide an SDK and open APIs to facilitate this, but some charge a fee per integration. This can significantly increase budgets when you consider the number of different tools you want to integrate, so it is vital to know this upfront. In addition, should the business undertake mergers or acquisitions, this will entail integrating the acquired company's tools into the TIP, which will have a financial implication if a fee is payable each time.
Finally, understand the cost implications of hosting the TIP on-premises or in the cloud. If you are evaluating a cloud-based service but know you will need a private instance for compliance or privacy requirements, be sure to understand any additional costs and any trade-offs in functionality. A TIP designed to run in the cloud often cannot offer its full feature set on-premises.
The right Threat Intelligence Platform can dramatically boost the performance of the SOC, and selecting one should be a carefully researched and rigorous decision. As organisations aim to improve proactivity and embark on activities such as threat hunting while effectively prioritising response to incoming threats, a powerful TIP will allow them to get the most out of existing resources and maximise the return on historical investment in security tools.