It’s a chaotic world for a security professional. The media is a flurry of messages about ransomware attacks and the latest malware. So-called "cyberthreat intelligence" comes in feeds that are a firehose of information that, more often than not, are more distracting than helpful. Unfortunately, as leaders, though not our intention, we sometimes focus on detection and alerts that prove to be irrelevant, and we sometimes unknowingly squander budget, time and occasionally the long-term success of our organizations when we succumb to threats that our security operations centers (SOC) should detect.
It’s time to get back to basics and remember the purpose of our tools and defenses: to protect the company mission. Yet many security teams focus on protecting assets and processes, under the mistaken belief that collecting an arsenal of data will help them do that. The problem here is two-fold. For one, more data doesn’t automatically give you more intelligence. If it’s more of the right data, then great, but frequently that’s not the case. Secondly, it is a widely held fallacy that security is the act of protecting IT systems from harm. In reality, IT is disposable; it’s the business mission that we actually want to protect.
Consider the following:
- Outdated information and the false positives it yields. Let’s say you’ve got outdated indicators ringing alarm bells for a site that was compromised but has since been cleaned up. These historical indicators can send your team down rabbit holes, generating the kind of noise that can consume analyst processing power that could be better used to assess valid events.
- Wasted effort on intel that requires tools you don’t have. If you’re getting file hashes for malicious files but don’t have the tech to see if the file hashes traverse your network or get written to one of your endpoints, what was accomplished? There’s also the wear and tear on your technology. No security tool has unlimited processing power. Each bit of content you load takes some resources and those resources are finite. Fill up with worthless content and you won’t have room for the good (read: bad) stuff.
- Too much focus on irrelevant information. There’s no point in chasing every malware outbreak that comes down the pike, or expending effort on commodity, consumer-oriented malware floating around the Internet. The team’s time and skill should be dedicated to threats targeting your business. Consider malware that’s trying to steal Facebook credentials. To the extent that it’s affecting the company’s social media team, you might mitigate that risk, but if you try to protect every employee accessing personal Facebook accounts, that’s not a good allocation of resources.
Turning Data Dross into 'Content' Gold
The first step toward calming the chaos is to intelligently manage the "content" you are deploying into your security architecture. In this context, content refers to the signatures, correlation rules, filters, searches, and other security data that you create to enable detection or bring focus to activity that may indicate an attack or compromise. Dealing with a mass of data in its entirety is searching for a needle in a haystack. But curating that content and turning it into useful insights can help determine where your security architecture is falling down and how your tools can better protect and defend the network.
Here are five step to improve your signal-to-noise ratio with content curation:
1. Let use cases drive your SOC. Organize your monitoring, detection, and hunting activities around actual attack patterns and methods or objectives. Use-cases, such as email monitoring, provide structure and focus to SOC detection activities. Under each use-case are scenarios that describe more specific attacks or exploitation actions, for example, spear-phishing by impersonating high-profile users. Use-cases are selected and developed based on the risk-profile and threat-model of the organization.
2. Prioritize your content by relevance. You can’t watch every feed for every alert. Your content needs to be connected back to the use-case and meaning it has for your company. Not sure where to start? Purge anything outdated, review and tag content to use-case, collect the analyst feedback on the rest, and use that feedback to decide if content is yielding value or not. Content should be aligned to the most critical threats to your environment and linked back to the threat-intel reporting and use-case.
3. Find the context. Identifying malicious activity alone doesn’t mean much. You have to find the larger story around it, connecting the activity to the threat intel reporting and, understanding the nature and objectives of the attack — what is the target and what risk does that pose to the business. Often teams want to move fast on their data without first analyzing and vetting it, but in doing so they decrease the effectiveness of that data. There’s no shortage of feeds that can net your organization a load of indicators. However, if you act on data without context, you may limit your visibility into other related problems or the underlying source of the problems.
4. Empower the CISO. Too often CISOs lack access to the CIO’s trove of valuable data that security teams ultimately need if they want to start creating defensive security content. IT and security have to work hand-in-hand, with IT providing security the visibility needed to enable security content to effectively protect the network, all the while working together to understand assets on the network and how they’re connected.
5. Take a proactive stance. Imagine it’s flu season. Do you stock up on decongestants and Kleenex or do you go out and get a flu shot? The same principle applies to cybersecurity. Detecting exploitation is great, but proactive and preventative strategies are even better. Connecting threat intel to vulnerability allows you to assess your attack surface before an attack occurs. If you receive actionable information, if you know you’re vulnerable in a specific area, proactively reduce that attack surface.
Any organization that wants to streamline their overworked security architecture and employees must curate its intelligence content. By efficiently managing data with an approach that makes smarter use of their team’s time, tools, and expertise, SOC leaders can get better value from their tools and mount a stronger defense against cyber attacks.