Organizations Are Using Threat Intelligence Platforms to Overcome Key Security Hurdles

Dealing with Big Data, Providing Context, Integration, and Fast Understanding of New Threats Are Among the Benefits TIPs Provide When industry analysts survey most security professionals these days, the common consensus is that it’s now harder to manage security operations than ever before. For example, a recent Enterprise Strategy Group (ESG) research study showed that some 63 percent of security pros say that the job is tougher today than it was two years ago. While there's no doubt that the variety and volume of threats keep on growing by the year, the question is whether or not it’s the complexity of the security problems that have risen precipitously, or whether something else is going on. I'd argue that it's mostly the latter, in that it’s not so much that the complexity has grown tremendously over this time so much as the “awareness” of already latent complexity has become more apparent. As the breadth of technologies and data available to modern cybersecurity organizations continues to proliferate, security strategists are finally getting enough visibility into their environments to start discovering gaps that have existed all along. But knowing where the deficiencies exist doesn’t always equate to being able to address them. These same security folks are also struggling to wrap their arms around what is possible to achieve by using the array of tools in their arsenals and the vast quantities of information available. Years ago in the security world, the common mantra was that security organizations “don't know what they don't know” due to deficiencies in monitoring and threat intelligence capabilities. Nowadays the opposite is true. They're flooded with data and they're starting to get a better sense of what they don't fully know or understand about adversarial activities in their environments. But this dawning self-awareness can be quite nerve-wracking as they ask themselves, “Now that I know, what should I do?” It can be daunting to make that jump from understanding to taking action—this is the process that many organizations struggle with when we talk about “operationalizing” threat intelligence. In security operations, it’s not enough to just know about an adversary via various threat feeds and other sources. To take action, threat intelligence needs to be deployed in real-time so that security tools and personnel can actually leverage it to run investigations, detect the presence of threats in their networks, respond faster, and continuously improve their security architectures. But there are a number of significant hurdles in running security operations that stand in the way of achieving those goals. This is where a robust threat intelligence platform (TIP) can add significant value to the security ecosystem. TIPs help security operations teams tackle some of the highest hurdles: Big Data Conundrum The first challenge is that the sheer volume of threat intelligence made available to security teams has blown up into a big data problem, one that can't be solved by just filtering out the feeds that are in use (which would defeat the purpose of acquiring varied and relevant feeds in the first place). Organizations can’t ingest a multi-million item, evolving threat indicator database into their security information and event manager (SIEM), which would not only be cost-prohibitive but also lead to the creation of unmanageable levels of false positives. This is where Anomali comes in. With a TIP doing the work on the front end, interesting, pre-curated threat “matches” can be integrated directly into the SIEM. These matches present inside users’ networks can then be handed off to downstream tools like the SIEM and SOAR, where SOC and threat analysts can take necessary actions to address them. The Analyst Context Gap Whether it’s experienced analysts who bring a broad base of knowledge and language about threats to the table, or very smart but green analysts who bring drive and curiosity to their work, every security analyst craves more context from their threat intelligence. Context about threats is what helps ops teams make connections between new threat intel reports and environmental conditions, and between different threat feeds and how they refer to the same threat actors and activities. A TIP can help speed up the process for analysts seeking to contextualize their intelligence. One of our proven features, Anomali Lens, makes it possible to overlay contextualized information from numerous threat intel sources on whatever threat bulletin or online research an analyst is currently reading, giving them a single view into what multiple sources are saying about a given threat. This includes synonyms for threat actors, their attack methods mapped according to MITRE ATT&CK’s TTPs, their motivations, and so on. It's a powerful tool that makes it possible for analysts at any level of experience to tap into information that would take them hours of manual research to surface up. Security Tooling Disconnect Threat intelligence integration is consistently one of the top requirements tracked by analysts when organizations develop their security operations architectures. In order to truly operationalize threat intelligence, security teams are increasingly realizing that they need to simplify and strengthen the integrations between their intelligence feeds and a wide range of security tools. Security automation depends on these integrations, which have to be easy enough for security teams that don’t have advanced developer skills. Anomali understands this principle, which is why we've built deep integrations with all the major SIEMs, next-gen firewalls, and a whole breadth of SOAR-related products. This is in addition to the very complimentary layer of automation built into our own tools. New Threats Whether it’s COVID-19, SolarWinds, or Russian influence ops, there is always going to be a new, major threat that emerges out of nowhere, which every security operations team will have to face. For anyone tasked with communicating security statuses across an organization, they know that they are nowadays expected to be as quick on their response as the headlines are to crop up. With access to a platform that enables users to manage the information available to them, team members can be more accurate about exactly how threats are impacting their organizations. Obviously, TIP is just one piece of the security stack necessary to overcome security operations' biggest challenges. However, the sooner organizations can start to tap into the power of these platforms, the easier that operations will feel even as the capabilities of threat adversaries grow. To learn more about how the Anomali TIP is addressing problems, watch: ESG SOAPA Interview With Hugh Njemanze of Anomali, <a href="https://www.youtube.com/watch?v=5H8D64enKQY">Part 1</a> and <a href="https://www.youtube.com/watch?v=k2sIDDco5xg">Part 2</a>. To help defend your organization against COVID-related threats, <a href="{page_4868}">download</a> our free, actionable threat intelligence. Want to know if your organization was impacted by the SolarWinds hack? Read: <a href="{page_5174}">Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds</a> For information about the ROI Anomali delivers, read: <a href="{page_4895}">ESG ROI Study: Economic Validation Report of the Anomali Threat Intelligence Platform</a>