Orchestration informed by security intelligence from within your environment, and by threat intelligence from a variety of external sources, is more effective, resilient, and adaptive. An intelligence-led approach informs your orchestration strategy in two key ways:
- Intelligence on an adversary’s capabilities, attack patterns, and intent informs how you build and configure orchestration capabilities to defend your network better.
- Orchestration (Playbooks) can be built to adapt to changing adversary capabilities, attack patterns, and infrastructure as internal security intelligence and external threat intelligence become available. In some cases this intelligence lets the process adjust itself automatically and helps drive further decision-making.
When intelligence and orchestration are used together, situational awareness and historical data determine when and how a task should be done. Intelligence allows the process to adapt to a changing environment, and it lets you plan your program strategically. Apply this idea of informed, adaptive orchestration to security operations and incident response, so that problems are solved dynamically, and you arrive at Security Orchestration, Automation, and Response (SOAR).
Threat Intelligence Deconstructed
First, let’s talk about what threat intelligence (TI) really is. TI is widely misunderstood as merely referring to Indicators of Compromise (IOCs) delivered via data feeds. Such feeds are typically comprised of context-sparse data. They have their place in supporting defensive operations, but they are far from a complete and accurate picture of what TI can be. Most IOC feeds are better characterized as information, not intelligence. Intelligence is not raw data, and it is not merely information: it is knowledge of threats that you can use to inform decisions and, possibly, to predict future circumstances or events.
Intelligence fuels decision-making for taking action against a threat. Each contact with an adversary is an opportunity to collect information and store it as knowledge of their attack patterns, so that you can block them more effectively in the future. Knowledge of your adversaries also lets you ask better questions and find the gaps in what you know.
With threat intelligence, you go beyond knowledge to being able to predict where an adversary is likely to attack next, and you can decide how to defend against or mitigate that attack. So, as you begin to automate your processes, it is essential to use threat intelligence to drive your decisions. Orchestration on its own can keep blocking where an adversary has been before; using your threat intelligence to drive orchestration lets you determine where the attacker is most likely to go next, which makes you proactive.
Orchestration
Security orchestration is the coordination of multiple security tasks and decision points into an often complex process. It typically uses conditional logic to branch the process, connecting and integrating multiple security systems, applications, and teams into streamlined workflows. It also correlates disparate data to help coordinate the right response. As a holistic solution, security orchestration involves people, process, technology, and information.
Automation and orchestration have their limits when it comes to delivering speed and effectiveness at the same time. Automation can speed up a repetitive process and orchestration can automate decision-making, but on their own they can only handle what you might call mundane tasks: those that require no intelligence.
Using orchestration to build an effective defense still depends on your knowledge of an attacker’s methodology and on your ability to detect or mitigate it. Adversaries are adaptive: if one route to their objective is blocked, they will try others. If narrowly implemented, your orchestrated processes can be circumvented by a clever or persistent adversary.
Orchestration + Intelligence
Orchestration informed by security and threat intelligence is more effective, resilient, and adaptive. It uses the available relevant information about threats, and about your own environment, to adjust and improve your processes dynamically.
Threat intelligence-driven orchestration goes a step further: it takes environment, situational awareness, and circumstances into account. Used together, threat intelligence and orchestration let situational awareness and historical data determine when and how a task should be done, and the process adapts as the environment changes. As threat intelligence drives your orchestrated actions, the results of those actions can in turn create new threat intelligence or enhance what you already hold. This creates a feedback loop: threat intelligence drives orchestration, and orchestration enhances threat intelligence.
You may be thinking that you already have both orchestration and threat intelligence covered in your current infrastructure, since threat intelligence ‘feeds’ can be integrated with security operations tools. It’s not that simple, though.
By using one platform that includes threat intelligence and orchestration together, you create a system of insight, enabling:
- Alert, block, and quarantine based on relevant threat intel. Even for lower-level tasks like alerting and blocking, relevant threat intel matters. You can automate detection and prevention tasks, and multi-sourced, validated threat intel helps ensure that you are alerting and blocking on the right things.
- Understand context and improve over time. When you automate tasks based on threat intelligence thresholds such as indicator scores, and record every decision and its inputs, you can review your processes strategically and determine how to improve them.
- Increase your accuracy, confidence, and precision. Situational awareness and historical context are key to decision-making. Working directly from threat intelligence lets you act faster and prevent attacks before they happen; the more you can automate up front, the more proactive you can be. By eliminating false positives and using validated intelligence you increase the accuracy of the actions taken, and that accuracy builds confidence and improves speed and precision.
- Adjust processes automatically as information and context change. Intelligence-driven orchestration is data first, while plain security orchestration is action first. When your threat intelligence is stored in a data model with threat scores, your processes can adjust themselves automatically when the threat landscape changes.
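The points above (score-threshold automation, the single-source feed problem raised under "Threat Intelligence Deconstructed", and the feedback loop from "Orchestration + Intelligence") can be shown in one small playbook. The following is an added example written for this page; it is not ThreatConnect platform code. The feed names, indicator values, score weights, and thresholds are all constructed for the illustration and stand in for whatever data model a real deployment uses.

```python
"""Indicator-score-driven orchestration with a feedback loop.

Added illustration, not ThreatConnect platform code. The feed rows,
feed names, score weights and thresholds are all constructed for the
example and stand in for whatever data model a real deployment uses.
"""
from dataclasses import dataclass, field

# Constructed sample input: two external feeds plus internal sightings.
FEEDS = {
    "feed_a": [
        {"type": "ip", "value": "203.0.113.10", "confidence": 60},
        {"type": "domain", "value": "Bad.Example", "confidence": 80},
    ],
    "feed_b": [
        {"type": "ip", "value": "203.0.113.10", "confidence": 70},
        {"type": "ip", "value": "198.51.100.7", "confidence": 30},
    ],
}
INTERNAL_SIGHTINGS = [{"type": "ip", "value": "203.0.113.10", "host": "ws-042"}]

# Policy knobs (assumed values): the thresholds the playbook branches on.
BLOCK_AT = 85
ALERT_AT = 50
FALSE_POSITIVE_PENALTY = 40


@dataclass
class Indicator:
    type: str
    value: str
    sources: set = field(default_factory=set)  # feeds that reported it
    confidence: int = 0                         # highest confidence asserted
    sightings: int = 0                          # observations in our own estate

    def score(self) -> int:
        """0-100 threat score from confidence, corroboration and local sightings."""
        corroboration = 10 * max(0, len(self.sources) - 1)
        local = 20 if self.sightings else 0
        return max(0, min(100, self.confidence + corroboration + local))


def normalise(feeds, sightings):
    """Merge raw feed rows and sightings into one record per (type, value)."""
    table = {}
    for name, rows in feeds.items():
        for row in rows:
            key = (row["type"], row["value"].lower())
            ind = table.setdefault(key, Indicator(*key))
            ind.sources.add(name)
            ind.confidence = max(ind.confidence, row["confidence"])
    for s in sightings:
        key = (s["type"], s["value"].lower())
        ind = table.setdefault(key, Indicator(*key))
        ind.sightings += 1
    return table


def decide(ind: Indicator) -> str:
    """Playbook decision point: block, alert or ignore, driven by the score.

    Blocking additionally requires corroboration from two sources, so a
    single noisy feed cannot take a production host offline on its own."""
    s = ind.score()
    if s >= BLOCK_AT and len(ind.sources) >= 2:
        return "block"
    if s >= ALERT_AT:
        return "alert"
    return "ignore"


def feedback(ind: Indicator, outcome: str) -> None:
    """Write the result of an action back into the intelligence record.

    'hit' means the block or alert fired on real traffic; 'false_positive'
    means an analyst closed it as benign. The next decide() call adapts."""
    if outcome == "hit":
        ind.sightings += 1
    elif outcome == "false_positive":
        ind.confidence -= FALSE_POSITIVE_PENALTY
    else:
        raise ValueError(f"unknown outcome {outcome!r}")


def run_playbook(feeds=FEEDS, sightings=INTERNAL_SIGHTINGS):
    """One orchestration pass: returns (indicator table, {key: action})."""
    table = normalise(feeds, sightings)
    return table, {key: decide(ind) for key, ind in table.items()}


if __name__ == "__main__":
    table, actions = run_playbook()
    for key, action in actions.items():
        print(f"{key[0]:6} {key[1]:15} score={table[key].score():3} -> {action}")
    # Analyst closes the domain alert as benign; the next pass downgrades it.
    feedback(table[("domain", "bad.example")], "false_positive")
    print("after feedback:", decide(table[("domain", "bad.example")]))
```

On the constructed input the corroborated, locally sighted IP scores 100 and is blocked, the single-source domain is alerted on but not blocked, and the low-confidence IP is ignored. Recording a false positive against the domain drops it below the alert threshold, and recording a hit against the ignored IP raises it to an alert, which is the feedback loop the text describes: the action's outcome changes the intelligence, and the changed intelligence changes the next action.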
If you want to start aggregating and normalizing your threat data, you can do that in ThreatConnect. If you need to conduct deep threat analysis, you can do that in the Platform too. You can orchestrate tasks based on your stored threat intelligence. The ThreatConnect Platform is built to help you through the entire lifecycle of a threat — from aggregation, to analysis and prioritization, all the way through taking necessary action to defend your network. The ThreatConnect Platform was specifically designed to help organizations understand adversaries, automate workflows, and mitigate threats faster using threat intelligence.