The SIEM is the Pan, the TIP is the Kitchen, Or: 5 Ways TIPs Can Enhance Your SIEM
New infosec tools are popping up as fast as one would expect given the explosive growth of the market. Many of these tools are important weapons in your security arsenal. But how do you make sense of which ones can best protect your organization?
It might be tempting to look for a one-size-fits-all solution. At first glance, a reputable SIEM (security information and event management system) looks like such a silver bullet: SIEMs are among the most versatile tools available for empowering your security organization.
You might even say that they're the one analysis tool you can't live without, and for many applications, you're right. However, given the pace of the market, you don't need just one tool: you need a place to manage all your tools.
Let me explain.
I'm a gadget geek and I love to cook. That makes my kitchen a natural habitat for exploring new and exciting tools and tchotchkes: immersion circulators, custom-cut aluminum slabs for baking, titanium sporks - the list goes on.
However, if I could have only one tool in my kitchen, it wouldn't be some mighty new blender or a truffle slicer: it would be a tried-and-true cast iron frying pan. Without going into the science of what makes cast iron pans so great, here's just a taste of what you can do with one:
- Braise short ribs
- Roast a whole chicken with sides
- Kill orcs (https://www.youtube.com/watch?v=aqsxL9Nuz0Q)
- Cook an entire Sunday roast (including the Yorkshire pudding)
The list goes on. There's very little that can't be done with just a cast iron pan, know-how, and elbow grease.
Jack-of-All-Trades, Master of None
Of course, if I'm cooking for a crowd, using only one little pan is going to force me to work much harder (and leave my guests in the lurch). I can make a soup in a cast iron pan, but the texture will be much better if I use a blender, too. And if I want everything served at the same time - a complete meal - I need multiple tools all working together.
The SIEM Is the Pan, The TIP Is the Kitchen
SIEMs are powerful. They are versatile. Like the cast iron frying pan, you can cook up an entire security meal in one. Proper Threat Intelligence Platforms (TIPs) are like a kitchen: they're "potential spaces" that let you bring together multiple tools into one place to create a scrumptious and hearty intelligence buffet. SIEMs and cast iron pans can be your favorite tools, but they truly shine when supported by other tools in a fully-equipped kitchen or Threat Intelligence Platform.
SIEM and Threat Intelligence: Five Ways TIPs Can Enhance Your SIEM
1. Evaluate Intel Feeds
SIEMs are designed to aggregate data - among other features - including threat intelligence feeds. However, threat intelligence feeds vary in quality and in applicability, which generally makes them problematic to wire directly into real-time event flow and response. You might end up paying for a premium feed that provides accurate but irrelevant information, so it never detects a single threat on your network, or worse, you might spend time chasing false positives that come from an otherwise reputable feed.
If a SIEM and threat intelligence are working together through a TIP, you should be able to compare the intel your feeds are bringing in against the in-network information that your SIEM is aggregating (from your firewall, endpoints, etc.). Using this information, you can identify which feeds are most applicable to your environment. TIPs also let you keep a record of false positives, so you can assign a level of confidence to each incoming feed and prioritize your response appropriately.
TIPs also take incoming feeds beyond the "raw data" level by enriching the incoming intel with additional integration and sources, like reverse WHOIS and passive DNS, which gives the intel valuable context.
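The feed evaluation described above, as an added example (not code from the original post or from any vendor's platform): each feed is scored for relevance (how many of its indicators the SIEM has actually seen in-network) and precision (how many of its alerts analysts confirmed), a recorded false positive suppresses the indicator outright, and new SIEM alerts are ranked by the resulting confidence. All feed names, indicators, sightings and analyst dispositions are constructed toy data.

```python
"""Score threat-intel feeds against what the SIEM actually observed.

Added example, not part of the original post or any product. All data
below is constructed: indicators per feed, indicators the SIEM saw in
network/endpoint telemetry, and analyst verdicts on alerts that fired.
"""

# Constructed feed contents: feed name -> set of indicators (IPs, domains).
FEEDS = {
    "premium_feed": {"203.0.113.5", "evil-a.example", "evil-b.example", "198.51.100.7"},
    "community_feed": {"203.0.113.5", "cdn.example", "198.51.100.9", "evil-c.example"},
    "stale_feed": {"192.0.2.44", "old-c2.example"},
}

# Constructed SIEM observations: indicator -> number of in-network events.
SIEM_SIGHTINGS = {
    "203.0.113.5": 12,
    "cdn.example": 4000,  # popular CDN, benign traffic
    "198.51.100.9": 3,
    "evil-c.example": 2,
}

# Constructed analyst dispositions for alerts that fired: indicator -> verdict.
DISPOSITIONS = {
    "203.0.113.5": "true_positive",
    "cdn.example": "false_positive",
    "198.51.100.9": "false_positive",
    "evil-c.example": "true_positive",
}

# Constructed batch of indicators that just matched in the SIEM.
NEW_ALERTS = ["198.51.100.7", "cdn.example", "evil-b.example", "192.0.2.44"]


def score_feeds(feeds, sightings, dispositions):
    """Per-feed relevance (share of indicators seen in-network), precision
    (true positives / reviewed alerts, None if nothing from the feed was
    ever reviewed) and a confidence value used for prioritisation."""
    scores = {}
    for name, indicators in feeds.items():
        seen = [i for i in indicators if i in sightings]
        relevance = len(seen) / len(indicators) if indicators else 0.0
        verdicts = [dispositions[i] for i in indicators if i in dispositions]
        precision = (verdicts.count("true_positive") / len(verdicts)
                     if verdicts else None)
        # Unreviewed feeds get a neutral 0.5 rather than being trusted by default.
        confidence = 0.5 if precision is None else precision
        scores[name] = {"relevance": relevance, "precision": precision,
                        "confidence": confidence}
    return scores


def indicator_confidence(indicator, feeds, scores, dispositions):
    """A recorded false positive is suppressed (0.0), a recorded true positive
    is trusted (1.0); otherwise inherit the best confidence among the feeds
    that carry the indicator, or 0.0 if no feed does."""
    verdict = dispositions.get(indicator)
    if verdict == "false_positive":
        return 0.0
    if verdict == "true_positive":
        return 1.0
    return max((scores[n]["confidence"] for n, inds in feeds.items()
                if indicator in inds), default=0.0)


def prioritize_alerts(alerts, feeds, scores, dispositions):
    """Rank alerts highest-confidence first; ties keep their input order."""
    ranked = [(a, indicator_confidence(a, feeds, scores, dispositions))
              for a in alerts]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    feed_scores = score_feeds(FEEDS, SIEM_SIGHTINGS, DISPOSITIONS)
    for feed, s in feed_scores.items():
        print(f"{feed:16s} relevance={s['relevance']:.2f} "
              f"precision={s['precision']} confidence={s['confidence']:.2f}")
    for alert, conf in prioritize_alerts(NEW_ALERTS, FEEDS, feed_scores, DISPOSITIONS):
        print(f"{conf:.2f}  {alert}")
```

Note the two separate signals: the community feed is the most relevant to this environment (every indicator has been seen) but only half its hits were real, while the premium feed is barely relevant but has never produced a false positive. Keeping false-positive dispositions on the indicator, not just the feed, is what lets the benign CDN domain drop to the bottom of the queue even though a feed still lists it.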
2. Share Intel & Collaborate
When a SIEM and threat intelligence are united in a TIP, you can take the data coming in from your feeds and your SIEM and make it easily sharable, whether within your organization or across the broader intelligence community, such as an ISAC or ISAO.
Many SIEMs let you package and send threat intel, but TIPs are built from the ground up to enable the kind of sharing that's necessary when combating advanced threats, allowing analysts and other experts to collaborate on response and protection without getting buried in log data.
3. Retrospective Analysis
SIEMs tend to be very focused on the here-and-now, which makes sense: you're concerned with what's happening on your network in the moment, and responding with high immediacy. However, many threat feeds contain indicators that aren't currently of concern but were associated with adversaries weeks or even months ago. Using your SIEM to store this information means that valuable, current intel can be lost in the noise. A threat intelligence platform can be used as a holding area for this important historical threat data, freeing up your SIEM to focus on the present while the older indicators stay available for retrospective matching.
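One way to implement the split described above, as an added example (not code from the original post or any vendor's product): indicators whose last activity falls inside a recent window form the live watchlist handed to the SIEM, older ones stay in the TIP archive, and the archive is matched against historical connection logs to surface hosts that talked to adversary infrastructure before the indicator was known. The indicator records, adversary names, dates and log events are all constructed.

```python
"""Age indicators into a live SIEM watchlist and a TIP archive, then run the
archive retrospectively over historical events.

Added example, not part of the original post or any product. All records
and events below are constructed.
"""
from datetime import date, timedelta

# Constructed indicator records as a TIP might hold them.
INDICATORS = [
    {"value": "203.0.113.5", "adversary": "Group-A", "last_seen": date(2016, 6, 1)},
    {"value": "198.51.100.7", "adversary": "Group-A", "last_seen": date(2016, 6, 20)},
    {"value": "evil-b.example", "adversary": "Group-A", "last_seen": date(2016, 3, 3)},
    {"value": "old-c2.example", "adversary": "Group-B", "last_seen": date(2016, 1, 10)},
]

# Constructed archived connection log: host -> destination on a given day.
ARCHIVED_EVENTS = [
    {"ts": date(2016, 1, 12), "host": "wkstn-07", "dst": "old-c2.example"},
    {"ts": date(2016, 2, 2), "host": "wkstn-07", "dst": "cdn.example"},
    {"ts": date(2016, 3, 5), "host": "wkstn-11", "dst": "evil-b.example"},
    {"ts": date(2016, 6, 21), "host": "srv-02", "dst": "198.51.100.7"},
]

TODAY = date(2016, 7, 1)  # constructed "now" so the example is reproducible


def split_by_age(indicators, today, active_days=30):
    """Indicators active within `active_days` go to the SIEM's live watchlist;
    everything older is returned as the TIP archive keyed by value."""
    cutoff = today - timedelta(days=active_days)
    live = {i["value"] for i in indicators if i["last_seen"] >= cutoff}
    archive = {i["value"]: i for i in indicators if i["last_seen"] < cutoff}
    return live, archive


def retro_search(archive, events):
    """Match archived indicators against historical events, attaching the
    adversary context the TIP holds. Hits are returned in event order."""
    hits = []
    for ev in events:
        ind = archive.get(ev["dst"])
        if ind is not None:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "indicator": ind["value"], "adversary": ind["adversary"]})
    return hits


if __name__ == "__main__":
    live, archive = split_by_age(INDICATORS, TODAY)
    print("live watchlist for SIEM:", sorted(live))
    print("archived in TIP:", sorted(archive))
    for hit in retro_search(archive, ARCHIVED_EVENTS):
        print(f"{hit['ts']} {hit['host']} -> {hit['indicator']} ({hit['adversary']})")
```

The window length is a policy choice: a shorter window keeps the SIEM's lookup set small and current, while anything that ages out is still one query away in the TIP when an old indicator turns up in a new incident.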
4. Hunt Beyond the Feeds
No one wants to be an armchair analyst, sitting there watching logs pour in and responding in kind. You want to get out there and hunt. The best defense is a good offense! Your TIP should not just aggregate; it should allow for proactive analysis by pivoting from known IOCs and threat information to new or related intelligence that adds context. Tools like our DomainTools-enabled Track feature, passive DNS integrations, VirusTotal YARA hunting, OpenDNS Investigate integration, and our many other automated data services allow you to investigate and discover intelligence relevant to the threats you are researching beyond what the feeds are providing you.
5. Create a Culture of Proactivity
The bottom line is that if the first time you learn of a threat is when it shows up in a feed, it's probably too late. You need to foster a culture of proactivity where analysts have the tools they need to monitor and track threats before they can attack you. Whether a "hoodie hacker" or a multinational APT, at the other end of the wire is a real and fallible person who is more than just an IP or a file hash. A good analyst can put the pieces of the puzzle together and protect your network, but only if properly armed.
A TIP helps create this culture of proactivity by integrating with the right tools and by organizing information as real world threats, incidents, and victim assets as opposed to just indicators and logs. A proper TIP encourages analysts to compile data and monitor it in ways that can be responded to, for example by modeling adversaries and tracking them, so that newly developed adversary infrastructure can be identified and dealt with immediately.
The Threat Intelligence Chef
To sum up, a SIEM - like a cast iron frying pan - is the absolute number one choice of a driven, effective analyst. However, remember that a SIEM can cook up the best meal when it's supplemented with other powerful tools in the "kitchen." A threat intelligence platform is the ideal cooking workspace for an analyst to bring all of those tools and data together.