Why orchestration and threat intelligence are a perfect match
Today’s adversaries are moving faster than ever before, and for organizations trying to protect themselves against advanced and evolving threats, speed is essential. But the reality is that security teams don’t necessarily have the time to manage and evaluate every single alert they receive while also completing their everyday tasks -- and even the most skilled teams are struggling to keep up.
Certain aspects of cybersecurity are just inherently slow, like copying and pasting information from one tool to another. If security teams are focused on getting through these simple, repetitive, time-consuming tasks, it's no wonder they struggle to achieve the speed needed to outpace hackers. At worst, it can mean a threat falls through the cracks.
The security market has taken notice of this problem and responded with a wave of orchestration tools that automate entire workflows across an organization's existing security tools. Automating certain repetitive tasks gives analysts time back in their day to focus on context and accuracy instead of just speed, and the bandwidth to put an emphasis on other crucial activities, like proactively hunting for threats. Automation is the greatest force multiplier for time savings. However, while orchestration enables teams to maximize their current resources, get more out of the tools they have, and do more with less, it also has shortcomings if not deployed correctly.
Relying on completely automated security processes makes teams nervous, and not without merit. What if incorrectly configured automation takes the wrong action, to disastrous effect? There are also security concerns: what if an attacker gains access to control the security automation and orchestration capability itself? These questions can be answered with human-in-the-loop approvals and strong platform security. But there are more mundane questions that are equally important to the efficacy of an automated security practice. Because the cybersecurity landscape changes quickly, teams are often left wondering whether the task they automated yesterday will still be relevant tomorrow. What if there is new information or intelligence related to this task that could affect how it should run? Are they really doing the most efficient thing at any given time? This very concern is what threat intelligence-driven orchestration addresses.
The need for intelligence
While orchestration enables security teams to conduct defensive actions across technologies immediately, the ability to make the best and most informed decision, automatically, still depends on their full knowledge of the attack methodology. Threat intelligence provides this critical context, which is essential to inform defenses and even predict the next attack. By coupling the power of orchestration with threat intelligence, such as observed attack patterns, malware, and tools used, an organization can determine what the next steps are and how a situation should be handled, and have pre-positioned automated responses ready.
Threat intelligence at its core is meant to inform security decisions, especially around operations, tactics, and strategy, by providing critical context. What tactics are used by a particular type of threat or even a specific threat actor? How can we interrupt their attack at different phases of the kill chain? What malware families are being used by threats that would target us, and how might we detect them? Is an intrusion attempt specifically targeted, or is our organization simply a target of opportunity? What are the attackers' motives?
With intelligence, organizations can observe what's happening, both in their environment and in the greater security landscape, collect that information, and create a record of attack patterns. From there, they can act strategically by ensuring they have the appropriate defensive capabilities and skilled staff in place to detect and deny an attacker's actions, based on the level of risk they are willing to accept for their organization and informed by what threat intelligence has taught them about the motives and capabilities of the adversaries in their threat space. They can act tactically by creating automated playbooks staged to detect, deny, or disrupt an attacker's actions across their security technology and by involving the right teams to coordinate responses around that automation. They can also act operationally by feeding those playbooks with the latest information on relevant indicators of compromise (IoCs), detection signatures, and courses of action from internal and external threat intelligence sources. Threat intelligence-driven orchestration allows the process to automatically adjust itself based on new information and intelligence, further driving informed decision making.
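As an added illustration (not code from the article or from ThreatConnect), the following minimal Python playbook shows the tactical and operational layers described above: a tactical rule that maps an alert to "block", "hold for human approval" or "ignore" according to the confidence the current intel assigns to the indicator, and an operational update step that merges new intelligence (a confidence change or a revocation) into the feed so the same alert is re-evaluated differently the next time the playbook runs. The feed, thresholds and indicator values are constructed for the example.

```python
import copy
from dataclasses import dataclass

# Constructed sample intel feed (made-up values, not real indicators):
# indicator -> confidence (0-100), analyst tags and an optional revoked flag.
INTEL_FEED = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2", "family:ExampleRAT"]},
    "203.0.113.7": {"confidence": 40, "tags": ["scanner"]},
}
AUTO_BLOCK_MIN = 80   # act without a human above this confidence
REVIEW_MIN = 30       # below this, ignore; in between, hold for approval

@dataclass
class Decision:
    indicator: str
    action: str   # "block", "hold_for_approval" or "ignore"
    reason: str

def active_intel(feed, indicator):
    """Return the feed entry for an indicator unless it is absent or revoked."""
    entry = feed.get(indicator)
    if entry is None or entry.get("revoked"):
        return None
    return entry

def decide(alert, feed):
    """Tactical playbook step: map one alert plus current intel to an action."""
    ioc = alert["dst_ip"]
    intel = active_intel(feed, ioc)
    if intel is None:
        return Decision(ioc, "ignore", "no active intel for this indicator")
    conf = intel["confidence"]
    if conf >= AUTO_BLOCK_MIN:
        return Decision(ioc, "block", "confidence %d >= %d" % (conf, AUTO_BLOCK_MIN))
    if conf >= REVIEW_MIN:   # human-in-the-loop approval instead of blind action
        return Decision(ioc, "hold_for_approval", "confidence %d needs analyst review" % conf)
    return Decision(ioc, "ignore", "confidence %d below review threshold" % conf)

def apply_intel_update(feed, indicator, **changes):
    """Operational step: merge new intelligence into a copy of the feed."""
    updated = copy.deepcopy(feed)
    updated.setdefault(indicator, {"confidence": 0, "tags": []}).update(changes)
    return updated

if __name__ == "__main__":
    alerts = [{"dst_ip": "198.51.100.23"}, {"dst_ip": "203.0.113.7"}]
    print([decide(a, INTEL_FEED).action for a in alerts])
    # Overnight the C2 address is marked a false positive: the same alert
    # now stops at "ignore" instead of being auto-blocked.
    feed2 = apply_intel_update(INTEL_FEED, "198.51.100.23", revoked=True)
    print([decide(a, feed2).action for a in alerts])
```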
As more security teams look to orchestration tools to automate processes, it is essential that they incorporate threat intelligence as the driver of their security operations strategically and tactically, not just operationally with IoCs fed from external sources that are at best only sometimes relevant. While orchestration can continue to block where an adversary has been before, using threat intel holistically to continually inform orchestration enables teams not only to defend themselves better, but also to become proactive, since they can determine where the attacker will most likely go next. Threat intelligence-driven orchestration is, without question, more effective, resilient, and adaptive, and enables organizations to build the strongest defense possible.
Andrew Pendergast is the VP of Product at ThreatConnect. Andy is a community-respected analyst, innovator, and thought leader. He has more than 15 years of experience working in the intelligence and computer network defense communities, within the U.S. DoD and Fortune 500 companies. He brings his passion for intelligence-led defense to his role as co-founder and VP of Product for ThreatConnect. Andy is a co-author of "The Diamond Model for Intrusion Analysis" -- the most comprehensive method upon which cyber intelligence is built. Andy is a veteran of the U.S. Army, holds a Diploma in Chinese Mandarin, and has a Bachelor of Science from Excelsior University.