Information overload is a common challenge facing Security Operations Centers (SOCs). Security analysts are bombarded with alerts of potential security events. Sifting through and prioritizing the most important events can take weeks, months, or even longer. Without the insight of threat intelligence and orchestrated processes to make sense of all the data coming through, analysts can waste valuable time slowly picking away at the problem while highly relevant and potentially harmful events go unaddressed.
This is where ThreatConnect’s Security Orchestration, Automation, and Response solution (SOAR) comes into play. ThreatConnect’s intelligence-driven approach to SOAR involves our Threat Intelligence Platform (TIP), Security Orchestration and Automation (SOA), and Incident Response Management (IRM). This approach delivers clear benefits:
- Reduces dwell time and time to respond to decrease the overall impact of an incident
- Increases staff productivity through templated workflows
- Creates a feedback loop that improves situational awareness and decision making
When using intelligence and orchestration together, situational awareness and historical data determine when and how a task should be done. Intelligence allows the process to be adaptive to the changing environment. This is the power behind a smarter SOAR solution.
Even for lower-level tasks like alerting and blocking, having relevant threat intel is important. You can automate detection and prevention tasks. Having multi-sourced, validated threat intel can help ensure that you are alerting and blocking on the right things. By eliminating false positives and using validated intelligence you are increasing the accuracy of the actions taken. This accuracy leads to confidence and improves speed and precision.
We also make it easy for SOCs to tailor prioritization to their organization. With our intelligence-driven SOAR, SOCs can automatically curate their own scoring for IOCs, threat groups, campaigns, and malware families based on relevance to their organization. For example:
- What techniques or motives do you care about?
- What are peers in your industry seeing?
Our ThreatAssess scoring and Collective Analytics Layer (CAL) analytics help aggregate and normalize all of that information so you know how to treat a piece of intelligence. This significantly shortens the time it takes to determine if you are dealing with a real incident that requires action by the incident response team.
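As an added illustration of the scoring idea in the passage above (this is constructed example code, not ThreatConnect's, and not how ThreatAssess or CAL actually compute their scores), the following Python prioritizer scores an indicator on how many feeds corroborate it, on whether it is tied to techniques the organization tracks, and on whether peers in the same industry are seeing it; analyst-validated false positives and single-source indicators score zero so they never drive automated alerting or blocking. The feed names, technique IDs, weights and sample data are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class IntelRecord:
    """Aggregated view of one indicator across feeds (constructed schema)."""
    sources: frozenset           # feeds that independently report the indicator
    techniques: frozenset        # technique IDs the indicator has been tied to
    industries: frozenset        # industries where peers reported sightings
    false_positive: bool = False  # analyst-validated benign (shared host, CDN, ...)

def score_indicator(rec, org_techniques, org_industry, min_sources=2):
    """Relevance score 0-100. Validated false positives and indicators reported
    by fewer than min_sources feeds score 0, so they never trigger automation."""
    if rec.false_positive or len(rec.sources) < min_sources:
        return 0
    score = min(len(rec.sources), 4) * 10             # corroboration, up to 40
    if rec.techniques & org_techniques:
        score += 30                                    # a technique the org tracks
    if org_industry in rec.industries:
        score += 30                                    # peers in the industry see it
    return score

def prioritize(alerts, intel, org_techniques, org_industry):
    """alerts: list of (alert_id, indicator). Returns (score, alert_id) pairs,
    highest score first; indicators with no intel at all score 0."""
    scored = []
    for alert_id, indicator in alerts:
        rec = intel.get(indicator)
        score = score_indicator(rec, org_techniques, org_industry) if rec else 0
        scored.append((score, alert_id))
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))

# Constructed sample intel; addresses come from RFC 5737 documentation ranges.
SAMPLE_INTEL = {
    "198.51.100.7": IntelRecord(frozenset({"feedA", "feedB", "feedC"}),
                                frozenset({"T1566"}), frozenset({"finance"})),
    "203.0.113.9": IntelRecord(frozenset({"feedA"}),             # single source
                               frozenset({"T1566"}), frozenset({"finance"})),
    "192.0.2.55": IntelRecord(frozenset({"feedA", "feedB"}),
                              frozenset({"T1190"}), frozenset({"retail"})),
    "cdn.example.net": IntelRecord(frozenset({"feedA", "feedB"}), frozenset(),
                                   frozenset(), false_positive=True),
}
SAMPLE_ALERTS = [("A1", "198.51.100.7"), ("A2", "203.0.113.9"),
                 ("A3", "192.0.2.55"), ("A4", "cdn.example.net"),
                 ("A5", "10.0.0.1")]   # A5: constructed address with no intel

def demo():
    """A finance-sector org that tracks phishing (technique T1566)."""
    return prioritize(SAMPLE_ALERTS, SAMPLE_INTEL, {"T1566"}, "finance")
```

Only A1 lands at the top of the queue: three feeds agree on it, it carries a technique the organization tracks, and peers in its industry report it, while the single-source and validated-benign indicators fall to zero.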
At the end of the day, event prioritization is critical to a SOC's ability to overcome the exponential increase in data and alerts. An intelligence-driven approach to SOAR is the smarter way to determine when and how a task should be done. Intelligence allows the process to adapt to the changing environment and ultimately allows you to strategically plan for a better program.