Many enterprise organizations have deployed some form of security information and event management (SIEM) to collect log data and correlate events across multiple systems. Despite an abundance of threat intelligence feeds, SIEM systems are primarily used for compliance reporting and alert notifications.
"It collects all of the log information, I click on a button, and it produces my monthly PC report or feeds my information into some dashboard showing what percentage of systems are patched or antivirus is up to date and so on," said John Pescatore, director at the SANS Institute, which offers threat intelligence through the SANS Internet Storm Center.
Most organizations lack the resources or maturity in their security platforms to take advantage of threat intelligence feeds, which can be difficult to keep up with. Any SIEM system that can integrate threat intelligence feeds should be configured to consume that data, however. Some technologies take it a step further by evaluating the threat information against internal vulnerability assessments, which allows for better prioritization of security controls.
"The newer SIEM products have added more capabilities, such as banging threat information against vulnerability information, and are doing a better job of more continuous monitoring," said Pescatore. "What are the latest threats and the vulnerabilities this week compared to last week?"
Some of the companies that offer higher levels of integration include AlienVault's Unified Security Management and Threat Intelligence based on Open Threat Exchange; McAfee's Global Threat Intelligence for Enterprise Security Manager; and Tenable Network Security, which has a partnership with Cyber Squared, a startup that offers crowdsourced threat intelligence through its ThreatConnect service. This type of integration enables organizations to put indicators in context to prioritize incidents; maintain historic knowledge of threats, related indicators and past incidents; and create threat profiles.
How do you figure out which threat data feeds are relevant to your organization? And how do you automate the processing of that information? You must first determine how to configure the SIEM to integrate threat information or whether a refresh or replacement technology may be needed to upgrade to these capabilities. Here's the process:
- Ensure that the capabilities exist to bring in threat intelligence information that is consistent with your architecture. "Process your own data first, and then overlay what everyone else knows on top of that," advises Cyber Squared CEO and founder Adam Vincent in his blog.
- Evaluating threat intelligence feeds is tricky. In addition to the SANS Internet Storm Center, the information is available from commercial feeds, ISACs and public-private collaborations. Some areas to consider include the number of entries, update frequency, relevance to your IT environment, popularity and the processing done by the threat service provider, according to Anton Chuvakin, research director, Gartner IT security and risk management. See his blog post, "On Comparing Threat Intelligence Feeds," for more on this topic.
How can you use this information to make decisions? Threat intelligence can be used for triage, incident response and threat assessment. Vendors and analysts commonly differentiate between strategic and tactical threat intelligence. On a tactical level, organizations can use threat intelligence feeds "as context for enriching alerts and other monitoring data," explained Chuvakin in his blog. Threat intelligence can also be used for "finding the full scope of an incident by linking local observables to the data feeds or 'pulling the thread' to find all compromised assets and attacker traces."
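As an added illustration (not code from the article or from any vendor or analyst named in it), the following Python sketch shows the two uses described above: enriching normalized SIEM events with indicator context plus internal vulnerability findings to prioritize them, and "pulling the thread" to find every host that touched the same observable. The feed entries, hostnames, observables and findings are all constructed placeholders.

```python
"""Enrich SIEM events with threat-intelligence indicators and vulnerability data.

Every feed entry, host, observable and finding below is constructed for illustration.
"""

# Constructed threat-intelligence feed: observable -> (threat label, confidence 0-100)
TI_FEED = {
    "203.0.113.45": ("known-c2", 80),
    "198.51.100.7": ("scanner", 40),
    "evil.example.net": ("phishing-kit", 75),
}

# Constructed internal vulnerability assessment: host -> list of open findings
VULN_ASSESSMENT = {
    "web01": ["open-finding-A"],
    "db02": [],
}

# Constructed, already-normalized SIEM events
EVENTS = [
    {"host": "web01", "observable": "203.0.113.45", "action": "inbound-connect"},
    {"host": "db02", "observable": "203.0.113.45", "action": "outbound-connect"},
    {"host": "web01", "observable": "198.51.100.7", "action": "inbound-connect"},
    {"host": "web01", "observable": "10.0.0.8", "action": "inbound-connect"},
]

def enrich(event, feed=TI_FEED, vulns=VULN_ASSESSMENT):
    """Attach TI context and a priority score; return None when no indicator matches."""
    hit = feed.get(event["observable"])
    if hit is None:
        return None
    threat, confidence = hit
    open_vulns = vulns.get(event["host"], [])
    # Start from indicator confidence, then raise priority when the host also has
    # open findings (threat information evaluated against vulnerability information).
    priority = confidence + 10 * len(open_vulns)
    if event["action"].startswith("outbound"):
        priority += 20  # outbound contact with an indicator points to compromise, not probing
    return {**event, "threat": threat, "confidence": confidence,
            "open_vulns": open_vulns, "priority": min(priority, 100)}

def scope_incident(observable, events=EVENTS):
    """'Pull the thread': every host that touched the same observable."""
    return sorted({e["host"] for e in events if e["observable"] == observable})

def triage(events=EVENTS):
    """Enriched alerts, highest priority first; events with no indicator match are dropped."""
    alerts = [a for a in (enrich(e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)
```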
If your organization is at the point of refreshing its SIEM system or choosing a new SIEM product, look closely at the system's capabilities -- in particular, whether it takes in threat information and correlates it against vulnerability assessments -- because that is what determines whether an upgrade or a replacement is the better decision.