How to Supercharge Your SOC with Threat Intelligence

Search Close

Account Information

Reset password

An email has been sent to you with instructions on how to reset your password.

Back to TechRepublic

Welcome to TechRepublic!

By registering, you agree to the Terms of Use and acknowledge the data practices outlined in the Privacy Policy.

You will also receive a complimentary subscription to TechRepublic's News and Special Offers newsletter and the Top Story of the Day newsletter. You may unsubscribe from these newsletters at any time.

All fields are required. Username must be unique. Password must be a minimum of 6 characters and have any 3 of the 4 items: a number (0 through 9), a special character (such as !, $, #, %), an uppercase character (A through Z) or a lowercase (a through z) character (no spaces).

Threat intelligence has potential to transform an organization’s security posture; however, it’s often too complex and costly for many security teams to implement and use. The staff and skills needed to run intelligence-led investigations can be substantial for even the largest organizations — and often out of reach for smaller ones.

By Bart Lenaerts-Bergmans, Senior Product Marketing Manager, Threat Intelligence, CrowdStrike

Businesses spanning all sizes and verticals are familiar with the challenges of responding to security incidents. These difficulties are growing, largely driven by three factors: an overload of security data stemming from an abundance of tools and larger attack surface; the pressure of time caused by fast-moving adversaries; and a global shortage of skilled security employees.

Threat intelligence can help security operations center (SOC) teams face these challenges. Intelligence data is different from security data because it offers new context on the who, why and how behind a security alert. It gives meaning to each alert that an analyst works on, helping them to prioritize which alerts to handle first and understand detailed insights on the attacker, motivation and methods.

The questions many SOC teams have are: How can they apply timely relevant threat intelligence, and how can they put this information in front of every team member in their daily workflow? What is the best way to efficiently operationalize threat intelligence? How much effort will it take to integrate threat intelligence into the existing workflow?

It takes investment and dedication to mature an organization’s threat intelligence capabilities. While time, resources and data quality can be common issues along the way, there are other obstacles that can impede progress in operationalizing threat intelligence:

Fragmented intelligence data hinders SOC effectiveness. Demand for threat intelligence is quickly growing across multiple SOC functions and business asset owners: The Forrester Wave™: External Threat Intelligence Services, Q1 2021 and Forrester Analytics’ Business Technographics ® survey found security decision-makers subscribe to an average of 7.5 commercial external threat intelligence services — up from an average of 4.2 in 2018. There is a growing number of use cases for threat data, which come from different stakeholders across the business and drive up the number of feeds implemented. Because these use cases aim to solve different problems, they may lead to disconnected SOC initiatives and lower overall SOC effectiveness as threat management objectives are broad and lack focus.

Poor data quality can heighten risk. While it is easy to find threat feeds to implement, the timeliness and specific purpose of the indicators provided may not be relevant to your organization. This can create a false sense of risk and even heighten risk as businesses look at past threats generated by adversaries not actively targeting their industry, geographic region or organization.

Lack of expertise impedes observability. Indicators alone don’t tell the full story. Getting the full picture of an attack, including the adversary’s motivation or global attack behaviors, requires a strong, complementary data collection that eliminates blind spots, plus analytic processes leveraging this data to support attribution. Observability, which measures how well attackers’ capabilities can be inferred from their external behavior, must come into play. Few organizations have the knowledge and expertise needed to generate internally collected data that provides full observability. As a result, they won’t have a complete end-to-end view of the threat actor.

Time-to-value and cost of homegrown automation can be pricey and time consuming. The process of analyzing, extracting and integrating intelligence feeds takes time and effort. For teams overloaded with security tools, the additional complexity and management required to implement and maintain these integrations may not be feasible. Homegrown automation takes time that organizations may not have the resources or patience for. Because the workload is greater than their capacity, all they can do is triage and react.

A Different Approach to Automating Threat Intelligence

SOC teams using threat intelligence must understand the context of a potential threat. Intelligence collection should not be measured by volume, but by its ability to provide views that illustrate the actor, attack type, common tactics, post-breach activity, attack infrastructure and applicable threat surfaces.

To do this, threat intelligence must rely on a broad and deep collection of sources: events from enterprise telemetry, in-depth file analysis, incident forensics, threat hunt results, dark web collection, open-source intelligence, and human intelligence derived from adversarial pursuits. Combined, this data can help security teams achieve 360-degree observability of the threat.

While there is certainly no shortage of security information or tools, the constant switching between disparate tools and dashboards is distracting to analysts and prolongs threat evaluation and investigation. Threat intelligence must be integrated into the SOC’s daily workflow and, more importantly, be available as soon as new evidence is discovered. Having the latest information immediately at hand and integrated reduces the time and complexity of investigation and remediation efforts.

To address the issues holding security teams back from operationalizing threat intelligence, seek an automated threat intelligence solution that enables your security team to pivot from endpoint detection to the most recent data on today’s attackers and their motivations and tradecraft.

Today’s attackers are studying businesses, creating victim profiles long before they try to attack networks. They are aware of enterprise security technologies and weaknesses, who is on the IT staff, and what technical questions employees are asking on IT forums. By using threat intelligence to gain knowledge about the adversary, you can adjust cyber defenses and turn the tables on them before they attack.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits, and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Innovation

Gartner identifies 25 emerging technologies in its 2022 hype cycle

The technologies could enable immersive experiences, accelerated AI automation and optimized technologist delivery in the next two to 10 years, according to the firm.

ERP analytics — Image: BillionPhotos.com/Adobe Stock

CXO

Top 10 ERP vendors 2022

Are you an IT manager or executive trying to make the case for a new ERP vendor? Compare the top ERP software solutions with our list today.

Image: Apple. At WWDC 2022, Apple announced the planned release of the next version of its Mac operating system, macOS Ventura, for the fall of 2022.

Software

macOS 13 Ventura cheat sheet: Complete guide for 2022

Learn about the new features available with macOS 13 and how to download and install the latest version of Apple’s flagship operating system.

shopping cart full of electronics and tech in front of a phone with the text Online Sale Limited Time Offer to the right — Image: elenabsl/Adobe Stock

Software

Top TechRepublic Academy training courses and software offerings of 2022

Get great deals on developer and Linux training courses, Microsoft Office licenses and more through these TechRepublic Academy offerings.

Cloud

Multicloud explained: A cheat sheet

This comprehensive guide covers the use of services from multiple cloud vendors, including the benefits businesses gain and the challenges IT teams face when using multicloud.

Recruiting a Scrum Master with the right combination of technical expertise and experience will require a comprehensive screening process. This hiring kit provides a customizable framework your business can use to find, recruit and ultimately hire the right person for the job. This hiring kit from TechRepublic Premium includes a job description, sample interview questions ...

Knowing the terminology associated with Web 3.0 is going to be vital to every IT administrator, developer, network engineer, manager and decision maker in business. This quick glossary will introduce and explain concepts and terms vital to understanding Web 3.0 and the technology that drives and supports it.

How to Supercharge Your SOC with Threat Intelligence