Empowering Better Security Operations with Intelligence

The Möbius strip has several curious properties. A line drawn along the edge travels in a full circle to a point opposite the starting point. If continued, the line returns to the starting point, and is double the length of the original strip: this single continuous curve traverses the entire boundary¹. This process naturally creates a continuous feedback loop, much like threat intelligence and security operations should.

Using ThreatConnect’s security operations solutions, which combine Threat Intelligence Platform (TIP) and Security Orchestration, Automation and Response (SOAR) capabilities, enables you to make intelligence-driven operations a reality. ThreatConnect places intelligence at the core of the security decision-making process. As threat intelligence drives operational decisions, the results of those actions can be used to create or enhance existing threat intelligence, which closes the feedback loop.

In ThreatConnect:

Intelligence: exists to inform decisions for security operations, tactics, and strategy; and
Operations: captures data on adversaries, attacks, and attempts that can be refined into intelligence.

Intelligence and operations, as functions of the security team, should be cyclical and symbiotic. Intelligence informs decisions for operations, resulting in actions being taken based on those decisions. Those actions (such as cleanups, further investigations, or other mitigations) produce data and information in the form of artifacts: lists of targeted or affected assets, identified malware, network-based IOCs, newly observed attack patterns, and so on. These artifacts can be refined into intelligence that in turn informs decisions for future operations.

While some organizations do not have a formally defined intelligence function, the concept of using what you know about the threat-space to inform your operations should exist in all organizations. Regardless of whether an explicitly named threat intelligence analyst is on staff, the relationship between intelligence and operations is fundamental to driving better security outcomes.

Threat intelligence acts as a catalyst for taking an action or starting a process and informing how the process and decision making are done throughout. As threat intelligence drives your orchestrated actions, the result of those actions can be used to create or enhance existing threat intelligence. Thus, a feedback loop is created — threat intelligence drives orchestration, orchestration enhances threat intelligence.

When your threat intelligence is stored in a data model you are familiar with, and each item carries a threat score that expresses its severity and relevance, your processes can be set up to adjust automatically as those scores change with the threat landscape.

Orchestration is facilitating human and automated processes by integrating multiple security tools and systems. It should be the connective tissue that facilitates efficiency and scale across people, processes, and technology. Orchestration informed by threat intelligence is more effective, resilient, and adaptive. It uses available relevant information on threats and information about your own environment to adjust and improve your processes dynamically.

Using threat intelligence and orchestration together, situational awareness and historical knowledge determine which processes run and how they are handled, and so the cyclical relationship is built. Threat intelligence allows a process to adjust itself automatically and helps you drive further decision making. Ultimately you want to observe what is happening in your environment and across the wider security landscape; with threat intelligence, you can. Taken one step further, threat intelligence lets you cross-reference what you observe against historical knowledge and situational awareness. That context provides the insight needed to decide which action to take, and that action can then be automated. Using threat intelligence to drive automation lets you be proactive in mitigating threats to your organization.
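The feedback loop described above, as an added example that is not ThreatConnect’s code or scoring model: an indicator’s severity and relevance scores select the playbook action, and the artifacts that action produces (was the indicator seen in our environment, was it confirmed malicious) feed back to refine the scores for the next cycle. The thresholds, score weights and sample indicator values are assumptions for illustration only.

```python
from dataclasses import dataclass

# Assumed thresholds for the example; not ThreatConnect's actual scoring.
BLOCK_AT, INVESTIGATE_AT = 80, 50


@dataclass
class Indicator:
    value: str
    severity: int   # 0-100: how damaging the threat is if real
    relevance: int  # 0-100: how much it matters to our own environment
    sightings: int = 0
    false_positives: int = 0

    @property
    def score(self) -> int:
        """Severity weighted by relevance, on a 0-100 scale."""
        return min(100, round(self.severity * self.relevance / 100))


def decide(ind: Indicator) -> str:
    """Intelligence informs operations: the score selects the playbook."""
    if ind.score >= BLOCK_AT:
        return "block"
    if ind.score >= INVESTIGATE_AT:
        return "investigate"
    return "monitor"


def feedback(ind: Indicator, seen_in_env: bool, confirmed_malicious: bool) -> Indicator:
    """Operations informs intelligence: investigation artifacts refine the scores."""
    if seen_in_env:
        ind.sightings += 1
        ind.relevance = min(100, ind.relevance + 30)  # it touches our assets
        if not confirmed_malicious:
            ind.false_positives += 1
            ind.severity = max(0, ind.severity - 30)  # benign: de-prioritise
    return ind


def run_loop(ind: Indicator, observations: list[tuple[bool, bool]]) -> list[str]:
    """One decision per cycle; each cycle's artifacts shape the next decision."""
    actions = []
    for seen, malicious in observations:
        actions.append(decide(ind))
        feedback(ind, seen, malicious)
    actions.append(decide(ind))  # decision after the final feedback
    return actions


# Constructed sample: a high-severity feed indicator of initially unknown relevance,
# then sighted twice in our environment and confirmed malicious both times.
SAMPLE = Indicator("203.0.113.10", severity=90, relevance=40)
print(run_loop(SAMPLE, [(True, True), (True, True)]))
```

The same loop de-prioritises a feed indicator that keeps turning out benign in your environment: run it with `(True, False)` observations and watch the action step down from block to monitor.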

ThreatConnect’s SOAR Platform combines intelligence, orchestration and automation, analytics, and response in one place. It is the technology to create your own single source of truth, enabling team members to assign each other tasks, work from the same data, and collaborate easily on the threats they are seeing. ThreatConnect can also become your system of record, because it stores every piece of threat data, all of the context added to it, and all of your processes in one place. The Platform also enables automation through advanced orchestration capabilities (Playbooks), which allow you to connect to any other tool in your environment.

ThreatConnect changes the way security works by placing intelligence at the core of the decision making process. Our solutions unify security teams in response to intelligence and streamline and automate the work needed to act upon it.


¹https://en.wikipedia.org/wiki/M%C3%B6bius_strip

About the Author
ThreatConnect

ThreatConnect is the only security platform with comprehensive intelligence, analytics, automation, orchestration, and workflow capabilities native within a single solution. With ThreatConnect, you will be able to increase accuracy and efficiency, improve collaboration of teams and technology, strengthen business-security goal alignment, and build a single source of truth for your entire security team.