Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Justin Monti

Improve Signal-to-Noise Ratio with 'Content Curation': 5 Steps

By intelligently managing signatures, correlation rules, filters and searches, you can see where your security architecture falls down, and how your tools can better defend the network.

It’s a chaotic world for a security professional. The media is a flurry of messages about ransomware attacks and the latest malware. So-called "cyberthreat intelligence" arrives in feeds that are a firehose of information and, more often than not, more distracting than helpful. Unfortunately, as leaders we sometimes focus on detections and alerts that prove to be irrelevant, and in doing so we unknowingly squander budget and time, and occasionally the long-term success of our organizations, by succumbing to threats that our security operations centers (SOCs) should have detected.

It’s time to get back to basics and remember the purpose of our tools and defenses: to protect the company mission. Yet many security teams focus on protecting assets and processes, under the mistaken belief that collecting an arsenal of data will help them do that. The problem here is two-fold. For one, more data doesn’t automatically give you more intelligence. If it’s more of the right data, then great, but frequently that’s not the case. Secondly, it is a widely held fallacy that security is the act of protecting IT systems from harm. In reality, IT is disposable; it’s the business mission that we actually want to protect.

Consider the following:

  • Outdated information and the false positives it yields. Let’s say you’ve got outdated indicators ringing alarm bells for a site that was compromised but has since been cleaned up. These historical indicators can send your team down rabbit holes, generating the kind of noise that consumes analyst time that could be better spent assessing valid events.
  • Wasted effort on intel that requires tools you don’t have. If you’re getting file hashes for malicious files but lack the telemetry to see whether those files traverse your network or get written to one of your endpoints, what has been accomplished? There’s also the wear and tear on your technology. No security tool has unlimited processing power. Each bit of content you load consumes some of those finite resources. Fill up with worthless content and you won’t have room for the good (read: bad) stuff.
  • Too much focus on irrelevant information. There’s no point in chasing every malware outbreak that comes down the pike, or expending effort on commodity, consumer-oriented malware floating around the Internet. The team’s time and skill should be dedicated to threats targeting your business. Consider malware that’s trying to steal Facebook credentials. To the extent that it affects the company’s social media team, you might mitigate that risk, but if you try to protect every employee accessing personal Facebook accounts, that’s not a good allocation of resources.

Turning Data Dross into 'Content' Gold
The first step toward calming the chaos is to intelligently manage the "content" you are deploying into your security architecture. In this context, content refers to the signatures, correlation rules, filters, searches, and other security data that you create to enable detection or to bring focus to activity that may indicate an attack or compromise. Dealing with a mass of data in its entirety is like searching for a needle in a haystack. Curating that content and turning it into useful insights can help determine where your security architecture is falling down and how your tools can better protect and defend the network.

Here are five steps to improve your signal-to-noise ratio with content curation:

1. Let use cases drive your SOC. Organize your monitoring, detection, and hunting activities around actual attack patterns and methods or objectives. Use cases, such as email monitoring, provide structure and focus to SOC detection activities. Under each use case are scenarios that describe more specific attacks or exploitation actions, for example, spear-phishing by impersonating high-profile users. Use cases are selected and developed based on the risk profile and threat model of the organization.

2. Prioritize your content by relevance. You can’t watch every feed for every alert. Each piece of content needs to be tied back to a use case and to what it means for your company. Not sure where to start? Purge anything outdated, review and tag the rest to use cases, collect analyst feedback on what remains, and use that feedback to decide whether the content is yielding value. Content should be aligned to the most critical threats to your environment and linked back to the threat intel reporting and use case that justify it.

3. Find the context. Identifying malicious activity alone doesn’t mean much. You have to find the larger story around it: connecting the activity to the threat intel reporting and understanding the nature and objectives of the attack, what the target is and what risk it poses to the business. Teams often want to move fast on their data without first analyzing and vetting it, but in doing so they decrease its effectiveness. There’s no shortage of feeds that can net your organization a load of indicators; act on them without context, however, and you may lose visibility into related problems or the underlying source of the problem.

4. Empower the CISO. Too often CISOs lack access to the CIO’s trove of valuable data that security teams ultimately need if they want to start creating defensive security content. IT and security have to work hand-in-hand, with IT providing security the visibility needed to enable security content to effectively protect the network, all the while working together to understand assets on the network and how they’re connected.

5. Take a proactive stance. Imagine it’s flu season. Do you stock up on decongestants and Kleenex, or do you go out and get a flu shot? The same principle applies to cybersecurity. Detecting exploitation is great, but proactive and preventative strategies are even better. Connecting threat intel to vulnerability data allows you to assess your attack surface before an attack occurs. If you receive actionable information that you’re vulnerable in a specific area, proactively reduce that attack surface.
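The three considerations above (outdated indicators, content that needs telemetry you don’t collect, content for threats that don’t target your business) and steps 1 through 3 describe one triage procedure. The following script is an added example, not code from the article or from MKACyber, showing that procedure run over a constructed inventory of SOC content. The telemetry sources, use-case weights, 90-day indicator lifetime, item names, reference date and analyst feedback counts are all assumptions made up for the illustration; the relevance formula (use-case weight times analyst-confirmed precision, decayed by age for indicators only) is one reasonable choice, not the author’s.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ContentItem:
    name: str
    kind: str                   # "indicator", "correlation_rule" or "search"
    use_case: Optional[str]     # use case the item is tagged to; None if never tagged
    last_confirmed: date        # when the intel behind it was last validated
    needs: set[str]             # telemetry sources the item depends on
    true_positives: int = 0     # analyst feedback on alerts this item produced
    false_positives: int = 0


# Assumptions for this hypothetical SOC: the telemetry it really collects, the
# use cases chosen from its risk profile (weighted), and how long an indicator
# is trusted without re-confirmation.
AVAILABLE_TELEMETRY = {"proxy", "email_gateway", "auth_logs"}
USE_CASE_WEIGHTS = {"email_monitoring": 1.0, "credential_theft": 0.8, "web_exploitation": 0.6}
MAX_INDICATOR_AGE = timedelta(days=90)


def precision(item: ContentItem) -> float:
    """Share of this item's alerts that analysts confirmed; 0.5 (neutral) if no feedback yet."""
    total = item.true_positives + item.false_positives
    return 0.5 if total == 0 else item.true_positives / total


def relevance(item: ContentItem, today: date, weights: dict, max_age: timedelta) -> float:
    """Use-case weight x analyst-confirmed precision, decayed linearly by age for indicators only."""
    age_factor = 1.0
    if item.kind == "indicator":
        age_factor = max(0.0, 1.0 - (today - item.last_confirmed) / max_age)
    return weights[item.use_case] * precision(item) * age_factor


def curate(items, today, available=AVAILABLE_TELEMETRY, weights=USE_CASE_WEIGHTS, max_age=MAX_INDICATOR_AGE):
    """Split content into what to keep (scored, best first) and what to purge (name -> reason)."""
    keep, drop = [], {}
    for item in items:
        if item.kind == "indicator" and today - item.last_confirmed > max_age:
            drop[item.name] = "outdated indicator"  # e.g. IOC for a site that was cleaned up long ago
        elif item.needs - available:
            drop[item.name] = "needs telemetry we lack: " + ", ".join(sorted(item.needs - available))
        elif item.use_case not in weights:
            drop[item.name] = "not mapped to a selected use case"
        else:
            keep.append((relevance(item, today, weights, max_age), item))
    keep.sort(key=lambda pair: pair[0], reverse=True)
    return keep, drop


TODAY = date(2019, 10, 18)  # constructed reference date
SAMPLE_CONTENT = [          # constructed inventory; names and counts are invented
    ContentItem("ioc-oldsite-domain", "indicator", "web_exploitation", TODAY - timedelta(days=200), {"proxy"}, 0, 12),
    ContentItem("ioc-malware-hash-set", "indicator", "credential_theft", TODAY - timedelta(days=10), {"edr"}),
    ContentItem("rule-exec-impersonation", "correlation_rule", "email_monitoring", TODAY - timedelta(days=30), {"email_gateway"}, 8, 2),
    ContentItem("search-facebook-cred-stealer", "search", "consumer_malware", TODAY - timedelta(days=5), {"proxy"}, 1, 40),
    ContentItem("rule-password-spray", "correlation_rule", "credential_theft", TODAY - timedelta(days=60), {"auth_logs"}, 3, 3),
    ContentItem("ioc-phish-sender-domains", "indicator", "email_monitoring", TODAY - timedelta(days=45), {"email_gateway"}),
]


def run_example():
    """Curate the constructed inventory as of TODAY."""
    return curate(SAMPLE_CONTENT, TODAY)


if __name__ == "__main__":
    kept, dropped = run_example()
    for score, item in kept:
        print(f"KEEP {score:.2f} {item.name} ({item.use_case})")
    for name, reason in dropped.items():
        print(f"DROP {name}: {reason}")
```

Run as-is, the stale domain indicator, the hash set with no EDR to match it against, and the consumer-malware search all land in the purge list with a reason an analyst can review, while the remaining content is ordered by how much confirmed signal it produces for a selected use case. In a real SOC the inventory would be exported from the SIEM or detection-as-code repository and the feedback counts pulled from the ticketing system, but the decision logic is the same.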

Any organization that wants to streamline its overworked security architecture and employees must curate its intelligence content. By managing data with an approach that makes smarter use of the team’s time, tools, and expertise, SOC leaders can get better value from their tools and mount a stronger defense against cyber attacks.

Justin Monti has nearly 20 years of IT and information security experience in the private and public sector. Mr. Monti currently serves as chief technology officer of MKACyber where he is oversees technical security services delivery including security architecture, managed ... View Full Bio