Threat Intelligence is now a key resource for Security Operations Centers, yet operationalizing it remains a challenge. In this blog, Graham explores some of the most common challenges and how Corvil can help.
Attack techniques are becoming more evasive and more sophisticated. In response, Threat Intelligence, which provides proactive, tailored, evidence-based knowledge on cyber attackers and their TTPs (tactics, techniques and procedures), has become commonplace as a key resource for Security Operations Centers (SOCs). It is estimated that by 2017, as much as 75% of large enterprises will receive customized Threat Intelligence.
This knowledge is typically provided in consumable forms, including Machine Readable Threat Intelligence (MRTI), yet many Security Operations teams I’ve spoken with recently are still struggling to effectively operationalize their MRTI. How can they most effectively put it to use to maximise their ability to detect and investigate attacks within their networks? Here’s the missing link: the comprehensive knowledge contained in MRTI needs to be coupled with comprehensive visibility of their internal networks and activity. Yet such an integrated solution remains elusive for most. Let’s explore some of the challenges:
So how does Corvil help Security Operations teams boost the performance they get from their Threat Intelligence?
Corvil’s platform achieves comprehensive visibility through an agent-less, passive tap of the network, which it utilises to perform high-speed, stream-based L2-L7 decoding, full packet capture and advanced real-time analytics. This visibility, combined with a flexible framework for MRTI ingestion (supporting a range of sources, including those based on STIX & TAXII from the likes of FS-ISAC and others), offers superior real-time threat indicator detection. How? Glad you asked:
What about when threat indicators are detected and it’s time to investigate? A Security Analyst will have many open questions, each of which is challenging to answer: What's the full scope of this attack? When did it start? Who is patient zero? Was any sensitive data compromised? Corvil helps with this too, reducing Mean Time to Resolution (MTTR) by providing Security Analysts with SIEM-integrated, high-definition visibility in the form of messages and packets (available for high-speed search) from all observed activity associated with the relevant attack and the impacted entities (hosts, users, data).
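To make the two halves above concrete (ingesting MRTI indicators, then matching them against observed network activity and answering the analyst's first questions), here is an added example that is not Corvil's code. It assumes indicators arrive as a STIX 2.x JSON bundle with simple equality patterns, and it uses constructed sample records standing in for what a passive network decoder would emit; the hypothetical helpers `load_indicators` and `match_flows` are the illustration.

```python
import json
import re
from collections import defaultdict

# Constructed STIX 2.x bundle (sample data, not a real feed); two equality-pattern indicators.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--c2-ip", "name": "C2 address",
     "pattern": "[ipv4-addr:value = '203.0.113.10']", "pattern_type": "stix"},
    {"type": "indicator", "id": "indicator--c2-dom", "name": "C2 domain",
     "pattern": "[domain-name:value = 'bad.example']", "pattern_type": "stix"},
]})

# Constructed records of the kind a passive network decoder emits (source host, destination, DNS query).
FLOWS = [
    {"ts": "2016-05-01T09:00:00Z", "host": "ws-17", "dst_ip": "198.51.100.5", "dns": None},
    {"ts": "2016-05-01T09:02:10Z", "host": "ws-17", "dst_ip": "203.0.113.10", "dns": None},
    {"ts": "2016-05-01T09:05:30Z", "host": "ws-42", "dst_ip": "10.0.0.53", "dns": "bad.example"},
    {"ts": "2016-05-01T09:07:00Z", "host": "ws-42", "dst_ip": "203.0.113.10", "dns": None},
]

# Only the simplest STIX pattern form is handled: one equality on ipv4-addr or domain-name.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")


def load_indicators(bundle_json):
    """Map {observable type: {value: indicator id}}; unsupported patterns are skipped, not guessed."""
    table = defaultdict(dict)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m:
            table[m.group(1)][m.group(2).lower()] = obj["id"]
    return dict(table)


def match_flows(indicators, flows):
    """Run every flow against the indicator table; return hits plus the analyst's first questions."""
    ips = indicators.get("ipv4-addr", {})
    domains = indicators.get("domain-name", {})
    hits = []
    for rec in sorted(flows, key=lambda r: r["ts"]):  # time order gives first-seen and patient zero
        if rec["dst_ip"] in ips:
            hits.append({"ts": rec["ts"], "host": rec["host"], "indicator": ips[rec["dst_ip"]]})
        if rec["dns"] and rec["dns"].lower() in domains:
            hits.append({"ts": rec["ts"], "host": rec["host"], "indicator": domains[rec["dns"].lower()]})
    summary = {"first_seen": hits[0]["ts"] if hits else None,
               "patient_zero": hits[0]["host"] if hits else None,
               "impacted_hosts": sorted({h["host"] for h in hits})}
    return hits, summary
```

Patterns that use other observable types, wildcards or boolean operators are deliberately dropped rather than partially matched, so a feed with richer patterns needs a real STIX pattern evaluator before this approach covers it.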
Check out this recent webinar covering our integration with iSIGHT Partners as an example of how Corvil can enable your SOC to maximise the effectiveness of its Threat Intelligence.
If you are ready to boost the performance you get from your Threat Intelligence, contact us to discuss next steps. Getting Corvil set up in your environment for an evaluation is quick and easy.