Step 2: Determine Threat Data Context & Relevance

How To Determine What Threat Data is Relevant To Your Organization

This is the second of a six-blog series that will address how to make the most of your cybersecurity program, especially if you have a small (or growing) team. In case you missed it, here's Step 1.

Step 1 covered gathering and correlating threat data. Now, in Step 2, we'll talk about why it is important to get the context behind the data so you can determine how relevant it is for your organization.

Cyber adversaries use unique tools, infrastructure, techniques, and processes. To defend against them, you need as much information as you can get, so you can tell whether something is an isolated incident or part of a larger pattern that needs more attention. Because you have to sift through countless threat indicators, notifications, and alerts, it is critical to be able to identify and focus on the few that will affect your organization.

To start gathering the context behind your data, you need to store it in one place. A platform ingests your threat data, normalizes it, indexes it, and stores it so it is instantly searchable, saving you hours of manually compiling the information.

This creates a threat repository for your organization, allowing you to retain the knowledge of your team. As your team grows and changes, the knowledge of the threats, and any additional information or context behind the threats, remains within the platform.

Enriching your threat data with any other information regarding the threat is the best way to determine how to address it. By searching for a particular indicator in a platform, you can instantly see what is already known. A platform gets information from threat feeds, communities, and other parts of your infrastructure. It shows you where the indicator has been seen in other sources, its threat rating, its geolocation data, domain resolutions and passive DNS data, any tags assigned to that indicator, any other indicators that are related to that indicator, and more.

The additional context provided by the platform saves you from having to manually compile this information, and also gives you access to data you may not have known you had. This information allows you to see the full scope of a threat, so you can connect the dots and make informed decisions about how to address it.
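The ingest, normalize, index, and enrich steps described above can be sketched in a few lines of Python. This is an added example, not ThreatConnect's code or API: the feed names, record fields (`ioc`, `rating`, `tags`, `resolves_to`), and indicator values are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records from two hypothetical feeds (reserved test values).
FEED_A = [{"ioc": "hxxp://Bad-Example[.]test/login", "rating": 4, "tags": ["phishing"]},
          {"ioc": "192.0.2.10", "rating": 2, "tags": ["scanner"]}]
FEED_B = [{"ioc": "bad-example.test.", "rating": 3, "tags": ["credential-theft"],
           "resolves_to": "192.0.2.10"}]

def normalize(raw):
    """Refang and canonicalize an indicator so feed variants share one key."""
    value = raw.strip().replace("[.]", ".").replace("hxxp", "http")
    try:
        return ("ip", str(ipaddress.ip_address(value)))
    except ValueError:
        pass
    if "://" in value:                      # URLs are reduced to their host
        value = value.split("://", 1)[1]
    return ("host", value.split("/", 1)[0].rstrip(".").lower())

class ThreatRepository:
    def __init__(self):
        self.index = defaultdict(lambda: {"sources": set(), "tags": set(),
                                          "rating": 0, "related": set()})

    def ingest(self, source, records):
        for rec in records:
            key = normalize(rec["ioc"])
            entry = self.index[key]
            entry["sources"].add(source)
            entry["tags"].update(rec.get("tags", []))
            entry["rating"] = max(entry["rating"], rec.get("rating", 0))
            if "resolves_to" in rec:        # link the domain and IP both ways
                other = normalize(rec["resolves_to"])
                entry["related"].add(other)
                self.index[other]["related"].add(key)

    def lookup(self, raw):
        """Return everything known about an indicator, or None if unseen."""
        return self.index.get(normalize(raw))

def build_repository():
    repo = ThreatRepository()
    repo.ingest("feed_a", FEED_A)
    repo.ingest("feed_b", FEED_B)
    return repo

if __name__ == "__main__":
    print(build_repository().lookup("BAD-EXAMPLE[.]test"))
```

Because both feeds' spellings of the domain collapse to one key, a single lookup returns the merged sources, tags, highest rating, and the related IP address.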

See you next time for Step 3. In the meantime, read our recent white paper:

ABOUT THE AUTHOR

As ThreatConnect’s Product Marketing Manager, Anna works closely with our engineering, product, and sales teams to ensure that the market is fully aware of our platform capabilities. Originally from Michigan, now a resident of Virginia, Anna will always be a Midwesterner at heart. She holds a B.S. in psychology from Canisius College (Buffalo), with a double minor in business and studio art.