Incidents of ransomware have been increasing and evolving steadily for years as financially motivated adversaries shift tactics when one is no longer profitable. Unfortunately, many organizations haven’t been able to adapt their security operations to keep up. Back in 2019, 60% of organizations told ESG that they experienced a ransomware attack that year, with 29% reporting that attacks happened at least on a weekly basis.
There’s no doubt that an analyst’s ability to efficiently share curated threat intelligence has a significant impact on the success of their organization’s overall security operations. In fact, this capability is so important that removing barriers to sharing threat information is the first requirement outlined in the Executive Order issued by the White House on May 12, 2021.
Most organizations have more threat intelligence than they know what to do with, from a variety of sources – commercial, open source, government, industry sharing groups and security vendors. Bombarded by millions of threat data points every day, it can seem impossible to appreciate or realize the full value of third-party data.
Sometimes the hardest part of any project is getting started. But when it comes to strengthening your security operations program, the escalation of cyberattacks over the last few months have shown us there’s no time to waste. You need to make sure you’re leveraging threat intelligence throughout your security operations to understand your adversaries, strengthen defenses, and accelerate detection and response.
SIEMs have been around for decades, designed to replace manual log correlation to identify suspicious network activity by normalizing alerts across multiple technology vendors. SIEMs correlate massive amounts of data from the sensor grid (your internal security solutions, mission-critical applications and IT infrastructure). As organizations are looking at ways to mine through SIEM data to find threats and breaches, they are bringing in threat intelligence feeds to help.
For many years, cybersecurity professionals have talked about the OODA loop. Devised by Colonel John Boyd, it describes a decision-making cycle that fighter pilots apply in dog fights, and when mastered, allows them to outwit adversaries. The acronym stands for Observe, Orient, Decide and Act, and if you can go through this decision cycle faster than your adversary, you can defeat them.
The new SANS 2021 Report: Top Skills Analysts Need to Master analyzes the need for organizations to invest in improving their security operations and identifies the skills analysts must master to support this initiative. Characterizing an analyst as essentially an investigator, the SANS report breaks the investigative process down into two primary areas: Investigative Tasks and Investigative Thinking.
As organizations continue to evolve their security operations maturity and the SOC increasingly focuses on detection and response, three capabilities are foundational for success – threat intelligence, integration and automation. In a recent webinar, “Evolution of CTI – Use Case in a Modern SOC,” ThreatQuotient’s Yann Le Borgne, together with Ben van Ditmars of Atos and Martin Ohl from McAfee tackle this topic.
We all know the security industry mantra: it’s not a matter of if, but when and how we’ll be attacked. Recent reports of intrusion activity increasing fourfold in the last two years and a raft of alerts warning of a rise in attacks on schools, hospitals and healthcare providers, and critical infrastructure companies during the global pandemic have only reinforced this.
