Threat Intelligence, the Rocket Fuel for SOAR

Subha Rama

The world, as one scientist said, is one big data problem. Ask a security operations center (SOC) manager, and he/she would tell you why.

SOC experts deal with a variety of data – event and security-related data that is funneled through SIEMs, threat intelligence platforms, aggregated log management systems, workflow tools, automation/orchestration platforms, APIs, dashboards…the list is pretty long. There is so much data that barely 10% of it gets a second look. According to the SANS Institute’s 2019 SOC survey, 18% of SOCs use a manual process to sift, correlate, and extract intelligence from data. Another 44% use partial automation with substantial manual effort. Given that a mid-sized organization receives thousands of alerts in a week, this requires some heavy lifting and a lot of resources. As SOCs are typically understaffed (averaging about 6-10 analysts for a 15,000-employee organization), many have resorted to outsourcing certain functions.

Enter Managed Security Service Providers (MSSPs).

Outsourcing Threat Intelligence

One of the most commonly outsourced SOC functions is threat intelligence. The top three priorities of a SOC are: A. identifying the most recurring and targeted cyberattacks, B. pinpointing the sources of such attacks, and C. proactively blocking and preventing these attacks to ensure there is no risk to the customer’s business. This is easier said than done. If you are an MSSP customer, you know that there is no 100% guarantee that your provider will detect all impending threats, or alert you in real time even when a threat is detected. This is not because MSSPs lack the tools to do it; rather, the sheer volume of threats and the white noise generated by these tools make it practically impossible.

Most MSSPs use security orchestration, automation, and response (SOAR) platforms for incident response. But a lot depends on what kind of data gets fed into SOAR, because that data determines how much the platform can improve the mean time to respond to these threats. Remember that not all of the threats identified by SOAR need to be acted on. In fact, today there is a big gap between the volume of alerts that come in and the value that organizations derive from them – mainly because there is very little context associated with the threat data. This is especially true of organizations that have a mixed infrastructure that includes infrastructure as a service (IaaS) deployments.

[Image: FireMon Global Policy Controller and Splunk Phantom]

What Do MSSPs Need?

MSSPs need current, in-depth visibility into how network defenses align with the underlying assets and their known vulnerabilities. This is absolutely necessary if we are to address risk exposure and mitigate available attack paths. Basically, they need a tool or tools that validate threats and feed contextual threat intelligence into SOAR systems. This would address one of the biggest gaps in network security operations – accurate, real-time visibility into all devices, endpoints, and users on their networks. On top of this, they need an automated process to revoke access rights from devices, users, and systems that can potentially turn malicious (or risk what happened with Capital One).

FireMon Automation – Adding Speed and Agility to MSSP Services

FireMon provides automated, real-time network security intelligence by importing SOAR data to configure and model multiple risk scenarios, allocating threat scores to rank them, and translating business intent so that the context of network assets and security policy automatically determines and enforces the necessary access. What does this mean? Simply that it takes the guesswork out of threat mitigation through the effective use of data, intelligence, and automation.
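To make the context gap concrete, here is an added example (not FireMon’s or any vendor’s code) of the enrich-score-decide step that the two sections above describe: a raw SIEM alert is joined with a constructed asset inventory and a constructed intel feed, scored, and mapped to a playbook action. The asset names, indicators, CVE placeholders, weights, and thresholds are all assumptions for illustration.

```python
"""Contextual triage of SOAR alerts: enrich a raw alert with asset and
threat-intel context, score it, and decide whether a playbook may act
without a human. All data below is constructed for this example."""
from dataclasses import dataclass

# Constructed inventory: asset_id -> (criticality 1-5, unpatched CVE ids).
ASSETS = {
    "web-01": (5, {"CVE-0000-PLACEHOLDER-A"}),
    "kiosk-07": (1, set()),
}
# Constructed intel feed: indicator -> (confidence 0-1, CVEs it exploits).
INTEL = {
    "203.0.113.9": (0.9, {"CVE-0000-PLACEHOLDER-A"}),
    "198.51.100.4": (0.2, set()),
}
# Score thresholds (assumed) mapped to playbook actions, highest first.
ACTIONS = [(75, "auto_block"), (30, "analyst_review"), (0, "suppress")]

@dataclass
class Alert:
    asset_id: str
    indicator: str
    severity: int  # 1-5 as reported by the SIEM, no context attached

def enrich(alert, assets=ASSETS, intel=INTEL):
    """Attach the asset and intel context that raw alert volume lacks."""
    crit, vulns = assets.get(alert.asset_id, (0, set()))
    conf, exploited = intel.get(alert.indicator, (0.0, set()))
    return {
        "severity": alert.severity,
        "criticality": crit,
        "intel_confidence": conf,
        # True only if the indicator's campaign exploits a CVE that is
        # actually unpatched on this asset: a real attack path exists.
        "exploitable": bool(vulns & exploited),
    }

def score(ctx):
    """0-100: severity and intel confidence scaled by asset criticality;
    a confirmed attack path pushes the alert toward auto-block."""
    base = ctx["severity"] * 8 + ctx["intel_confidence"] * 30
    weighted = base * (0.5 + ctx["criticality"] / 5)
    if ctx["exploitable"]:
        weighted += 25
    return min(100, round(weighted))

def triage(alert):
    """Return (score, action) for one alert."""
    s = score(enrich(alert))
    return s, next(action for threshold, action in ACTIONS if s >= threshold)
```

The same indicator yields an automatic block against the critical, exploitable web server but only an analyst review against the kiosk, which is the ranking that alert volume alone cannot produce.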

The implications of such a solution for MSSPs are enormous. Firstly, it allows MSSPs to do threat identification, validation, and mitigation in real time. Secondly, all this can be achieved with minimal human intervention: zero-touch enforcement of policy and security configurations saves valuable engineering resources. The value does not end with delivering reliable and actionable threat intelligence; it also lies in combining that intelligence with automation to achieve efficiencies that are simply impossible through manual processes.

Learn More on How FireMon Gets it Done

On-Demand Webinar: Five Ways to Make Your SOAR Initiatives Take Flight
eBook: Security Automation 101: Change Management and the Complexity Gap
Whitepaper: Five Steps to Keep Network Security Enforcement Points Secure and Up-to-Date