Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Justin Monti
Justin Monti
Connect Directly
E-Mail vvv

Improve Signal-to-Noise Ratio with 'Content Curation:' 5 Steps

By intelligently managing signatures, correlation rules, filters and searches, you can see where your security architecture falls down, and how your tools can better defend the network.

It’s a chaotic world for a security professional. The media is a flurry of messages about ransomware attacks and the latest malware. So-called "cyberthreat intelligence" comes in feeds that are a firehose of information that, more often than not, are more distracting than helpful. Unfortunately, as leaders, though not our intention, we sometimes focus on detection and alerts that prove to be irrelevant, and we sometimes unknowingly squander budget, time and occasionally the long-term success of our organizations when we succumb to threats that our security operations centers (SOC) should detect.

It’s time to get back to basics and remember the purpose of our tools and defenses: to protect the company mission. Yet many security teams focus on protecting assets and processes, under the mistaken belief that collecting an arsenal of data will help them do that. The problem here is two-fold. For one, more data doesn’t automatically give you more intelligence. If it’s more of the right data, then great, but frequently that’s not the case. Secondly, it is a widely held fallacy that security is the act of protecting IT systems from harm. In reality, IT is disposable; it’s the business mission that we actually want to protect.

Consider the following:

  • Outdated information and the false positives it yields. Let’s say you’ve got outdated indicators ringing alarm bells for a site that was compromised but has since been cleaned up. These historical indicators can send your team down rabbit holes, generating the kind of noise that can consume analyst processing power that could be better used to assess valid events.
  • Wasted effort on intel that requires tools you don’t have. If you’re getting file hashes for malicious files but don’t have the tech to see if the file hashes traverse your network or get written to one of your endpoints, what was accomplished? There’s also the wear and tear on your technology. No security tool has unlimited processing power. Each bit of content you load takes some resources and those resources are finite. Fill up with worthless content and you won’t have room for the good (read: bad) stuff.
  • Too much focus on irrelevant information. There’s no point in chasing every malware outbreak that comes down the pike, or expending effort on commodity, consumer-oriented malware floating around the Internet. The team’s time and skill should be dedicated to threats targeting your business. Consider malware that’s trying to steal Facebook credentials. To the extent that it’s affecting the company’s social media team, you might mitigate that risk, but if you try to protect every employee accessing personal Facebook accounts, that’s not a good allocation of resources.

Turning Data Dross into 'Content' Gold
The first step toward calming the chaos is to intelligently manage the "content" you are deploying into your security architecture. In this context, content refers to the signatures, correlation rules, filters, searches, and other security data that you create to enable detection or bring focus to activity that may indicate an attack or compromise. Dealing with a mass of data in its entirety is searching for a needle in a haystack. But curating that content and turning it into useful insights can help determine where your security architecture is falling down and how your tools can better protect and defend the network.

Here are five step to improve your signal-to-noise ratio with content curation:

1. Let use cases drive your SOC. Organize your monitoring, detection, and hunting activities around actual attack patterns and methods or objectives. Use-cases, such as email monitoring, provide structure and focus to SOC detection activities. Under each use-case are scenarios that describe more specific attacks or exploitation actions, for example, spear-phishing by impersonating high-profile users. Use-cases are selected and developed based on the risk-profile and threat-model of the organization.

2. Prioritize your content by relevance. You can’t watch every feed for every alert. Your content needs to be connected back to the use-case and meaning it has for your company. Not sure where to start? Purge anything outdated, review and tag content to use-case, collect the analyst feedback on the rest, and use that feedback to decide if content is yielding value or not. Content should be aligned to the most critical threats to your environment and linked back to the threat-intel reporting and use-case.

3. Find the context. Identifying malicious activity alone doesn’t mean much. You have to find the larger story around it, connecting the activity to the threat intel reporting and, understanding the nature and objectives of the attack — what is the target and what risk does that pose to the business. Often teams want to move fast on their data without first analyzing and vetting it, but in doing so they decrease the effectiveness of that data. There’s no shortage of feeds that can net your organization a load of indicators. However, if you act on data without context, you may limit your visibility into other related problems or the underlying source of the problems.

4. Empower the CISO. Too often CISOs lack access to the CIO’s trove of valuable data that security teams ultimately need if they want to start creating defensive security content. IT and security have to work hand-in-hand, with IT providing security the visibility needed to enable security content to effectively protect the network, all the while working together to understand assets on the network and how they’re connected.

5. Take a proactive stance. Imagine it’s flu season. Do you stock up on decongestants and Kleenex or do you go out and get a flu shot? The same principle applies to cybersecurity. Detecting exploitation is great, but proactive and preventative strategies are even better. Connecting threat intel to vulnerability allows you to assess your attack surface before an attack occurs. If you receive actionable information, if you know you’re vulnerable in a specific area, proactively reduce that attack surface.

Any organization that wants to streamline their overworked security architecture and employees must curate its intelligence content. By efficiently managing data with an approach that makes smarter use of their team’s time, tools, and expertise, SOC leaders can get better value from their tools and mount a stronger defense against cyber attacks.

Related Content:

Justin Monti has nearly 20 years of IT and information security experience in the private and public sector. Mr. Monti currently serves as chief technology officer of MKACyber where he is oversees technical security services delivery including security architecture, managed ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...