Enterprise security has changed. Advanced threats execute over time, with about 100 days passing between breach and detection. Security analysts now need visibility across traditional enterprise, cloud and industrial control systems environments. To detect and hunt for threats, enterprises typically use an army of point products and various threat intelligence feeds with the goal of helping analysts find and validate anomalous behavior across their networks. But analysts end up getting bombarded with false positives and irrelevant alerts, slowing them down and distracting them from what’s most important to their business.
How is this the norm, and can anything be done to change it? Let’s break it down.
Commercial products apply a library of standard threat intel feeds to every organization they serve. Hypothetically speaking, if you’re an analyst whose private-sector business operates solely in the United States, you will still receive intel on a threat only targeting the Eastern European public sector. Consuming and managing that threat can waste valuable time — in a recent survey, 93 percent of SOC analysts reported being unable to triage all of the threats they receive. Meanwhile, another survey indicated nearly one third of the security professionals polled sometimes simply ignore alerts because of the frequency of false positives, which has its own set of implications.
Exacerbating this is the black-box approach most commercial and other third-party threat intel sources take with rules. The inner workings of rules are typically invisible to analysts, because their vendors write and tune them. This means analysts can’t tell whether a poorly performing rule needs a small tweak to increase its efficacy or a complete rewrite. They also don’t know whether the lag between third-party intel creation and their own implementation of it has compromised its usefulness, as attack techniques can change during that interval.
With the concept of “Bring Your Own Intelligence” — BYOI for short — analysts are able to customize their threat intel to focus on what’s important to their organization and filter out the rest. Commercial product data feeds can be complemented with intel from other sources like law enforcement and industry consortiums to boost their efficiency and speed.
BYOI also gives security teams visibility into the inner workings of rules, and when used in retrospection with historical data, BYOI can help them say with confidence whether threats have ever impacted the organization. Ultimately, BYOI enables more reliable threat detection and faster incident response, and makes the one-size-fits-all approach a thing of the past.
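To make the two ideas above concrete (filtering feed intel down to what targets your organization, and running the result retrospectively over historical data), here is an added example. It is not code from the original post or from ProtectWise; the feed entries, organization profile, log format and dates are all constructed for illustration. Intel that is too old to trust for live alerting is not thrown away: it is kept for the retrospective search, since the question "did this ever touch us" is exactly where aged intel still earns its keep.

```python
# Added example (not from the original post): a toy "Bring Your Own Intelligence"
# pipeline. Feed entries, org profile, log lines and dates are all constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str            # the observable, e.g. a domain or IPv4 address
    kind: str             # "domain" or "ipv4"
    source: str           # who supplied it: vendor feed, law enforcement, ISAC ...
    created: date         # when the intel was produced
    sectors: frozenset    # sectors the threat targets; empty means "any"
    regions: frozenset    # regions the threat targets; empty means "any"


@dataclass(frozen=True)
class OrgProfile:
    sector: str
    region: str
    max_age_days: int     # intel older than this is not trusted for live alerting


def classify(ind: Indicator, org: OrgProfile, today: date) -> str:
    """Return "live", "stale" (retrospective use only) or the reason to drop it."""
    if ind.sectors and org.sector not in ind.sectors:
        return "sector-mismatch"
    if ind.regions and org.region not in ind.regions:
        return "region-mismatch"
    if (today - ind.created).days > org.max_age_days:
        return "stale"
    return "live"


def triage_feed(feed, org, today):
    """Split a feed into live indicators, hunt-only (stale) ones, and drops."""
    live, hunt_only, dropped = [], [], {}
    for ind in feed:
        verdict = classify(ind, org, today)
        if verdict == "live":
            live.append(ind)
        elif verdict == "stale":
            hunt_only.append(ind)
        else:
            dropped[ind.value] = verdict
    return live, hunt_only, dropped


def parse_log_line(line: str) -> dict:
    """Parse a constructed 'ts key=value ...' connection-log line into a dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = ts
    return fields


def retrospective_matches(indicators, log_lines):
    """Map each indicator value to the historical events that touched it."""
    by_value = {ind.value: ind for ind in indicators}
    hits = {}
    for line in log_lines:
        ev = parse_log_line(line)
        for observed in (ev.get("dst"), ev.get("host")):
            if observed in by_value:
                hits.setdefault(observed, []).append((ev["ts"], ev.get("src")))
    return hits


# Constructed sample data: a private-sector US organisation and a mixed feed.
TODAY = date(2016, 6, 1)
ORG = OrgProfile(sector="private", region="US", max_age_days=90)
FEED = [
    Indicator("203.0.113.7", "ipv4", "vendor-feed", date(2016, 5, 20),
              frozenset(), frozenset()),
    # Targets the Eastern European public sector only: irrelevant to ORG.
    Indicator("intel.example.net", "domain", "vendor-feed", date(2016, 5, 25),
              frozenset({"public"}), frozenset({"EE"})),
    # Shared by an industry consortium, aimed squarely at organisations like ORG.
    Indicator("c2.example.org", "domain", "isac-share", date(2016, 5, 30),
              frozenset({"private"}), frozenset({"US"})),
    # Six months old: too stale to alert on, still worth a retrospective look.
    Indicator("198.51.100.9", "ipv4", "vendor-feed", date(2015, 12, 1),
              frozenset(), frozenset()),
]
HISTORICAL_LOGS = [
    "2016-03-02T10:11:12Z src=10.0.0.5 dst=203.0.113.7 host=-",
    "2016-04-18T22:03:41Z src=10.0.0.9 dst=192.0.2.44 host=c2.example.org",
    "2016-04-19T01:15:00Z src=10.0.0.9 dst=192.0.2.44 host=c2.example.org",
    "2016-05-01T08:00:00Z src=10.0.0.12 dst=198.51.100.9 host=-",
]


def run_byoi(feed=FEED, org=ORG, logs=HISTORICAL_LOGS, today=TODAY):
    """Triage the feed, then hunt with live plus stale intel over old logs."""
    live, hunt_only, dropped = triage_feed(feed, org, today)
    hits = retrospective_matches(live + hunt_only, logs)
    return live, hunt_only, dropped, hits


if __name__ == "__main__":
    live, hunt_only, dropped, hits = run_byoi()
    print("live:", [i.value for i in live])
    print("hunt-only:", [i.value for i in hunt_only])
    print("dropped:", dropped)
    for value, events in hits.items():
        print(f"{value}: {len(events)} historical hit(s), first at {events[0][0]}")
```

The `dropped` dictionary is the part an analyst actually wants to see: every indicator set aside comes with the rule that set it aside, so a mis-tagged feed entry is a one-line fix rather than a mystery inside a vendor's black box. The `created` date is what lets you measure the lag the post warns about between intel creation and your own use of it.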
About Ramon Peypoch
A proven leader in the security industry, Ramon Peypoch is responsible for product strategy, development and market delivery. Prior to ProtectWise, he was Vice President, Web Protection at McAfee.