Cyber fusion -- what is it and why is it important for security? [Q&A]

Today's IT security teams face several key challenges. Tasked with combating the rising volume and frequency of sophisticated cyber threats, they are bombarded with a tsunami of alerts generated by countless security tools that deliver little context or value-add insight.

Effectively processing and analyzing all this data to identify actionable threat intelligence requires considerable time and effort.

In order to cope a growing number of organizations are now turning to cyber fusion platforms to enable enhanced inter-team collaboration and implement a collective defense strategy that goes beyond organizational boundaries and substantially improves security outcomes. We spoke to Anuj Goel, co-founder and CEO at Cyware, to learn more

BN: What exactly is cyber fusion?

AG: Fusion centers were initially developed by military intelligence agencies to promote collaboration across distributed operations through intelligence sharing; the concept is now gaining significant traction in the cybersecurity field.

It is a next-generation approach to cybersecurity that unifies all security functions such as threat intelligence, security automation, threat response, security orchestration and incident response. By bridging the gap between multiple teams through intelligence synthesis, cyber fusion enables integrated, collective and proactive defense that prevents threats before they happen. and collaborative threat hunting, detection, management, and response.

Enabling the automated ingestion of threat data from a variety of sources, a cyber fusion center supports the constant flow of threat intelligence between different teams and fortifies several security processes by connecting detection, centralized analysis and actioning workflows together. Featuring advanced security orchestration and automation (SOAR) capabilities, security teams are able to automate threat response workflows across cloud and on-premises environments in a highly integrated and collaborative manner that makes it possible to handle incident management much more efficiently and actively defend against threats in real-time.

With cyber fusion in play, security teams are able to:

• Automate the gathering of malware intelligence from internal (UEBA, SIEMS, antivirus, EDR tools, and IDS/IPS) and external sources (ISACs, ISAOs, CERTS, RSS feeds, commercial threat intelligence feed providers and more).
• Automatically undertake the centralized and real-time analysis of all threat intel, using a single unified console that makes it possible to connect the dots and rapidly disseminate threat intelligence, standardizing threat data so it is consumable, visible and actionable.
• Operationalize actionable and contextualized threat intelligence across their detection, analysis and response technologies, sharing threat intelligence between teams, tools and processes.
• Prioritize which assets, at an operational level, are most at risk of an identified threat and allocate resources accordingly. Using automated cross-functional workflows to drive security actions that reduce mean time to detect (MTTD) and mean time to respond (MTTR).

BN: How does cyber fusion work to address the challenges outlined?

AG: Sitting at the heart of an organization's security infrastructure, today's virtual cyber fusion centers (vCFCs) bring together the security tools, capabilities, and data security teams need to work collectively and seamlessly orchestrate threat responses across their security, engineering, and IT operations workflows in a highly efficient and automated way.

Bringing together several cornerstone security tools -- Threat Intelligence Platforms, Incident Response Platforms, Security Orchestration, Automation and Response and case management -- vCFCs deliver a clear view of current threats to all security functions, providing everyone with real-time access to a full spectrum of normalized, enriched and correlated data and logs. In addition, they significantly reduce the workload on security teams by automating the threat analysis process and only investigating alerts on threats that pose a genuine risk.

Also, by combining intelligence on malware, threat actors, vulnerabilities with internal telemetry and historical incidents, cyber fusion serves as the single, centralized repository for threat analysis, visibility, and actioning. This allows security teams to connect the dots between different threat elements and more effectively target threats hiding in their network, using actionable and contextual intelligence to improve the efficiency of overall security operations.

Irrespective of where they are located, security teams are also using cyber fusion to automate threat response workflows across cloud and on-premises environments and actively monitor assets by orchestrating existing security tools such as SIEM (security information and event management), IDS/IPS (Intrusion detection systems / intrusion prevention systems), IT/ITSM tools such as ticketing platforms, TIPs (threat intelligence platform), EDR (endpoint detection and response), and firewalls.

Providing a holistic view of the current threat environment, and covering every dimension of threat response, vCFCs make it possible to initiate comprehensive threat management workflows that reduce noise, false alarms, and response time with relevant threat intelligence ingestion and far superior data orchestration and workflow automation.

Finally, cyber fusion enables and boosts inter-team collaboration by automatically alerting the right stakeholders of relevant threats and changing scenarios in real-time via a sharing platform that supports a truly holistic and joined-up response. For instance, the vulnerability management team can share their expertise with the incident response team in containing a bug exploitation. Similarly, the threat hunting team can share their knowledge with the threat intelligence team about new threats on the horizon that can then be shared with the SOC and IR teams as actionable intelligence. These examples of inter-team collaboration can similarly be achieved throughout the entire security function and even extend to ITOps and DevOps. It is critical to effective and proactive security defense and is all made possible through cyber fusion.

BN: What practices should businesses focus on to build resilience against cyberattacks?

AG: Today's enterprises need to move beyond the human and financial resource wastage that results from the duplication of tools and effort and instead bring threat intelligence, incident response, threat hunting and other security operation teams under a single roof to enable streamlined collaboration. With cyber fusion in play, organizations will be able to collate threat data gathered from multiple sources and shape their cybersecurity strategy accordingly.

By taking advantage of cyber fusion's machine-to-machine data enrichment, analysis, internal dissemination, and actioning technologies, organizations will be able to initiate orchestrated flows of threat data and security actions across the stack that are powered by contextual threat intelligence.

This ability to share situational intelligence at speed and at a cross-sectoral level is the key for two reasons. Firstly, it enables security teams to engage in the co-development of mitigation strategies and feed relevant data into other security tools. It also enables teams to leverage shared actionable intelligence to automate responses -- such as blocking malicious IPs in firewalls or updating SIEM data -- with no need for manual intervention. All of which will significantly reduce the organization's mean time to detect (MTTD) and mean time to respond (MTTR) timeframes while making it easier to jointly conduct post-incident analysis and identify areas for improvement.

BN: How does the SOC need to change to achieve this?

AG: Today's SOCs need to go beyond reacting to alerts of events that have already happened and move towards a proactive defense strategy, to digest, action, and share threat intelligence in a way that makes it possible to prevent threats before they can cause harm.

More advanced than a traditional SOC, cyber fusion enhances detection tools by enriching their data and feeding these with enriched intel. It also incorporates a range of other capabilities -threat hunting, incident response, security automation and high-confidence actionable threat intelligence. All of which enables deep collaboration between IT operations, SecOps and DevOps that boosts overall readiness and response to threats.

The good news is that enterprises can evolve their SOC, initiating new capabilities in a modular manner to build up their cyber fusion capabilities. With the right vCFC platform in play, there will be no need to rip or replace any of their existing SOC infrastructure.

For many organizations the first step on the journey to cyber fusion begins with using the vCFC to integrate their security technology stack so they can orchestrate response processes across all security tools and functions. By automating processes and eliminating unnecessary human involvement, security teams will not only be able to respond to and contain threats faster. They will also have time to focus on more proactive and value-added tasks.
Having initiated orchestration built on solid, repeatable processes, organizations can next progress to deploying the comprehensive and focused threat intelligence and analysis sharing that will foster collaborations and collective defense actions between disparate teams against malware, vulnerabilities and threat actors affecting digital and human assets in real time.

Image credit: ArtemisDiana / depositphotos