Make Your Cybersecurity Program More Efficient Using ThreatConnect
This is the second in a series of blog posts about how organizations are utilizing the ThreatConnect platform. We're sharing stories of how customers are transforming their security programs using ThreatConnect.
How do I make my cybersecurity program more efficient?
It's a valid question that many organizations face. Regardless of size, industry and assets, most organizations have some combination of cybersecurity teams, solutions, and workflows but still struggle with manual processes, duplication of data and effort, and fragmented dissemination and communication between those teams and tools; which isn't necessarily a bad thing. Having compartmentalization, microsegmentation and separation of responsibilities can be seen as a wise tactical defense measure but can also come at a high cost.
The problem, however, is when communication breaks down.
A common occurrence across organizations that have implemented extensive cybersecurity programs is that their environment becomes complex, hard to coordinate and integrate, and difficult to manage. This results in duplication of effort and a slow, uncoordinated response to cyber threats. ThreatConnect allows an organization to orchestrate their information security processes and integrate and target their responses to cyber threats and attacks, saving time and resources to achieve a highly efficient and effective cyber defense.
In this post, we'll see how this affects St. Mungo's Hospital, one of the 300 largest in the 'known' world.
Introducing St. Mungo's Hospital for Magical Maladies and Injuries
St. Mungo's Hospital for Magical Maladies and Injuries is a well-known Global 2,000 Hospital & Healthcare company that has a dynamic and robust cybersecurity program. They have a big Defense Against the Dark Arts program (some would call it a Cybersecurity program), with a large SOC (Security Operations Center), and established IR (Incident Response), Vulnerability Management, and Risk Management teams; along with a small Threat Intelligence team. To address compliance, regulatory, and risk (financial, PII, and brand equity) concerns, they purchased quite a few tools and joined the NH-ISAC (National Health Information Sharing and Analysis Center) and DHS-CISCP (Cyber Information Sharing and Collaboration Program). The team uses Carbon Black, Maltego, Palo Alto, Splunk, Tenable, and VirusTotal.
Though St. Mungo's has teams running a variety of separate processes, this created major problems. While each team relied on each other for alerts, data and permissions, they suffered from massive duplication of effort, lack of understanding, relevance and confidence in the fidelity of the data being communicated, and wasted time tracking down which part of a process stalled. As well, each team was storing their data in different solutions, which meant a lot of time was spent cleaning house: digging out duplicated data, tracking down false positives and logging into multiple portals to investigate, analyze and act on the high volumes of alerts. Because of this, St. Mungo's struggled to prioritize alerts and data, act on them efficiently or effectively, and report on the effort to leadership.
Gringotts Bank shares intel with St. Mungo's. Because both organizations are members of the NH-ISAC and get targeted by similar threat actors, Gringotts suggested St. Mungo's investigate ThreatConnect to solve their challenges.
Once St. Mungo's implemented ThreatConnect, they were able to:
Organize knowledge by creating a system of record
Integrating their security solutions in ThreatConnect allowed St. Mungo's to gain visibility across the high volumes of security data and alerts, determine the relevance and reliability of that data, and create clear, automated processes to detect, triage, and remediate that data. Having a threat management system of record allowed St. Mungo's to reduce alert fatigue through active response: the ability to respond to attacks and incidents as they are detected within your environment. St. Mungo's achieved this with ThreatConnect by leveraging the records of how often an indicator is seen across sources and endpoints, how many false positives it has, and its risk ratings. St. Mungo's was able to automatically reduce duplication of their data and each team's efforts via memorialization of data, task creation, and designing automated workflows between teams and their security products.
Connect intelligence to vulnerabilities, controls, and risk
By integrating their vulnerability and risk management solutions in ThreatConnect, St. Mungo's can focus on more than just intelligence on threats. They are able to understand if they were susceptible to that threat, if it targeted them, and where their vulnerabilities were. St. Mungo's can now query vulnerability scan results in ThreatConnect, automatically create tasks, indicators, and attributes on matching results, and identify which machines are susceptible to specific indicators. This allows them to patch the vulnerabilities and automatically block those indicators in their firewalls and web filters, helping St. Mungo's visualize and prioritize threats, and enable them to leverage intel-driven remediation.
Orchestrate processes to distribute the knowledge across teams
With ThreatConnect's new orchestration feature, St. Mungo's can create automated and configurable playbooks (automated chains of events, triggered by events in a network) around the identification, analysis and remediation of threats and disseminate these across teams and the solutions they use. No more having to monitor and scramble to react to alerts. ThreatConnect has 'tasks' that allow insight into the work being done by teams, so St. Mungo's can incorporate the human element. Not all teams have the permissions to automatically block indicators on their firewalls which led St. Mungo's to create playbooks that wait for another team's approval before continuing its process. Because each Playbook records whenever it runs and provides a list of every action, St. Mungo's has a bird's-eye view of their current processes to be able to recognize deficiencies and create repeatable workflows.
By creating blueprints for streamlined processes across systems and teams, St. Mungo's can now implement efficiencies to proactively defend against the dark arts (or threats, in the Muggle world).
If you'd like to see what ThreatConnect can do for your cybersecurity program, get in touch with us and we will show you firsthand.