Threat Intelligence Is Growing — Here's How SOCs Can Keep Up

Timely, comprehensive threat intelligence is a significant component of any good cybersecurity strategy. It helps organizations understand what their threats are, where their vulnerabilities lie, and what strategies they can use to harden their defenses.

However, threat intel is also a rapidly growing industry. Projected to reach $4.93 billion by the end of this year, the global threat intel market is also expected to grow more than 20% annually, reaching $18.11 billion by 2030. And while this is positive news for the strength of cyber defenses everywhere, it also translates into an enormous amount of threat intel signals for security operations center (SOC) teams to track. 

As more companies advance along their digital transformation journeys, SOC teams need a way to connect disparate data from across the enterprise to create a comprehensive view of their attack surface. More importantly, SOCs must be able to sort through this mountain of information to rapidly surface relevant insights at the speed of defense. 

SOC Challenges and Solutions

Like many security teams, SOCs are under an enormous amount of pressure to keep pace with the ever-changing tactics of cybercriminals. We're seeing a bend of increasingly frequent and sophisticated cyberattacks, so SOCs must operate around the clock to remain vigilant in the face of these threats. Last year, Microsoft identified a 130% increase in ransomware attacks and blocked 70 billion email and identity threats. These numbers underscore the scale of the challenges and the absolutely daunting responsibility that SOCs face.

Security signals from open source threat intel, threat intel feeds, and in-house analysis enable SOCs to stay current about threat groups and infrastructure risks so they can protect against the latest attack vectors. Comprehensive threat intel also plays a significant role in proactively identifying and addressing system or process vulnerabilities before malicious actors have a chance to exploit them.

But it's not just the actions of cybercriminals that are straining SOC resources. That same 130% increase in ransomware attacks translated into more than 10,000 alerts every day for SOCs. More broadly, Microsoft Security synthesizes 65 trillion daily security signals from across the global threat landscape. And while we deploy more than 8,000 security researchers, analysts, and threat hunters to analyze this information, it's impossible for human efforts alone to sufficiently monitor and act on this level of data. More advanced technology solutions are needed.

Unified extended detection and response (XDR) and security information and event management (SIEM) can help. Bolstered by advanced artificial intelligence (AI) and machine-learning (ML) algorithms, XDR and SIEM provide SOCs with end-to-end threat visibility across the entire enterprise. These solutions work by automatically correlating and prioritizing security alerts across identities, endpoints, applications, email, the Internet of Things (IoT), infrastructure, and cloud platforms. This, in turn, allows SOCs to focus their efforts on preventing, detecting, and responding to threats rather than sifting through raw data. Furthermore, internal XDR and SIEM inputs can be combined with third-party threat intel to inform future ML models. 

Threat activity may be growing, but existing security solutions are evolving in kind. By leveraging solutions like unified XDR and SIEM, SOC teams and their counterparts can better keep pace with the emergence of new threat intel and react quickly to create digital environments for all.

Read more Partner Perspectives from Microsoft Security.