Threat intelligence data is extremely valuable, but how do you effectively make use of it within your company?
TruSTAR recently sat down with two seasoned security analysts to dissect how they operationalize threat intelligence within their own organizations. Our panelists featured Troy Vennon, Cyber Threat Engineer at Columbus Collaboratory, and Mike V., Senior Incident Response Analyst at a Fortune 500 healthcare company.
Below we’ve edited and condensed some of the live Q&A that took place.
Kevin Menezes, Director of Customer Success at TruSTAR (KM): What are your favorite data sources and how do you operationalize intelligence throughout your SOC operations?
Troy Vennon, Director of Security Innovation at Columbus Collaboratory (TV): At Columbus Collaboratory, we steer and drive threat intelligence programs for our member companies. We assess their maturity and we create the infrastructure and capability for companies to consume intelligence and make it actionable.
We’ve seen threat intelligence teams with 1-2 people who take it upon themselves to leverage open-source feeds, RSS feeds, mailing lists, and popular websites to get a better understanding of what’s going on in the world. We’ve also seen highly sophisticated organizations who automate threat intel consumption, operationalize it and all the information coming in, and correlate the activity. Mature organizations tend to use technology that has been around for a few years. Their ability to house, leverage and process every log source has an organizational focus.
Mike V., Senior Incident Response Analyst, Fortune 500 Healthcare Provider (MV): My team is on the smaller side, which I think many organizations relate to. We have an incident response team and work on threat and intelligence analysis. Overall, our organization is split into multiple areas within security. We have risk, privacy and data, engineering, architecture, operations, and identity. We are the escalation point from Tier 1 and handle these points from an operations perspective.
KM: Troy, you alluded to fully automating and operationalizing intelligence. Can you expand on that and tell us more about how your member companies incorporate threat intelligence into their workflow?
TV: Columbus Collaboratory companies favor high-fidelity sources like ISACs and ISAOs to enrich their own intelligence. They put a lot of trust into people they know personally and they know their abilities and things they’re investigating. Those relationships are hard to build, especially when you don’t meet them face-to-face. We’re good at facilitating collaboration and putting these people into rooms on a regular basis. It takes time for our member companies to build relationships and be comfortable with one another to the point where they want to share things they’re battling on a regular basis, in addition to discussing their regular practices. We want our member companies to be comfortable with the tools they’re using and know what’s good and bad about them.
MV: ISACs are also one of our higher-fidelity sources. We’re part of the NH-ISAC and have an email list which has great questions being sent back and forth, though it’s not always effective outside of the manual process. High-fidelity sources are key to us. When we look at paid or closed-source intelligence, it’s more of an enrichment source rather than a feed. The key is to try before you buy.
We also look at what happens internally. If you’re not ingesting data in a timely manner, forming responses, and turning it into an information dataset to build intelligence, then you’re missing out on the most critical data that you have. Everything outside that can enrich it and provide context.
KM: How do you automate threat intelligence and how do you share it with your team during an investigation?
TV: We think of threat intelligence as two separate workflows.
One is incident handling with an event enrichment workflow, where you need to build some context around it. You check if it’s associated with malicious activity and whether it needs to be escalated to Tier 2 or Tier 3. We see a number of ways to operationalize it. We’ve settled on TruSTAR as the tool we’re using to do this.
The second is discerning how you operationalize those external feeds, how you get it into your SIEM and how you think about developing custom correlations in your SIEM. This includes things like visualizations, graphs of observed traffic, etc. We see mature organizations leveraging machine learning and mass injection of threat intel into traffic.
MV: As consumers of TruSTAR we have the ability to push our finished intelligence into our SIEM (Splunk), and then take that data and automate our searches within our datasets and see where the hits are. Correlations trigger response activities. We’re looking at how we ingest and push data out in an automated fashion and how we leverage capabilities across our team to go out and gather data. We check how we’re positioned to protect ourselves against certain information.
KM: How do you escalate events from L1s to L3s? How is your team organized? What best practices help you move faster?
TV: We sat down to interview all member companies and security practitioners and asked, “How can we redefine our security operations?” We were interested in learning how we can leverage machine learning, data science, statistics, and analytics to readily deploy models and tools.
We understand there is a resource intensive process at the Tier 1 and Tier 2 level where there's high turnover and junior level SOC analysts move on and advance careers quickly. Collaboration provides value in tools and models that reduce alert fatigue and helps develop a workflow for useful items.
MV: For anything that’s escalated or if there’s a need for intelligence integration, we question whether they’re going through an initial triage. We have processes in place for when we’d need to escalate a process up the command chain or engage a third party.
The other component is the communications. We send out threat intelligence advisories to notify our peers. Those are escalations from an information perspective. Being agile in security isn’t so much about tools as it is about the process. This includes orchestration and automation, which is hard to enable if you don’t have processes in place. You take knowledge of the process and break it down further. These two things are key within the SOC. We see high value in that.
We’re also looking to build micro-automations and integrations: understanding how a particular analyst works and how analysts can work better. With TruSTAR I pull information from an updated command line with a real list of APIs, push data back out, and look at how to enrich data. Then I run a full playbook to run full actions. There’s a lot an intelligence analyst can’t get to. So we leverage automation.
We’d like to thank Troy and Mike for their valuable insight!