Many security products today perform some level of security automation and orchestration. However, they typically use intelligence only to trigger certain workflows or to enrich an alert with context; they rarely adapt future runs of their playbooks based on what was learned, or produce new intelligence as an output of the workflow itself. Some platforms do allow aggregation of external data feeds and creation of internal intelligence, and many have connectors to defensive products so that operational threat intelligence can drive automated detection and prevention. That is a good first step.
But organizations need a solution that focuses on getting the most value out of that intelligence by enabling cross-team coordination and orchestrating their workflows around it. When one platform brings threat intelligence, orchestration, automation, and response together, the result is a holistic system of insight.
Here are six reasons why applying threat intelligence to automation and orchestration is key:
- Alert, block, and quarantine based on relevant threat intel
Even for tasks like alerting and blocking, relevant threat intelligence matters. Beyond being able to automate detection and prevention tasks, multi-sourced, validated threat intelligence helps ensure that you are alerting on and blocking the right things, rather than acting on every indicator a feed happens to publish.
- Increase your accuracy, confidence, and precision
Situational awareness and historical context are key to decision making. Working directly from threat intelligence lets you act faster and prevent attacks before they land. The more you can automate up front, the more proactive you can be. By filtering out false positives and acting only on validated intelligence, you increase the accuracy of the actions taken; that accuracy builds confidence and improves both speed and precision.
- Understand context and improve over time
When you automate tasks based on threat intelligence thresholds such as indicator scores, and record the inputs, scores, and resulting actions for every run, you can review your processes strategically and determine how to improve them, for example by tuning a threshold that produced too many false positives.
- Orchestrate with more confidence
Applying in-platform analytical processes to external threat intelligence yields alerting, blocking, and quarantine actions that are more accurate and less prone to false positives. It is not as simple as ingesting lots of threat intelligence feeds or taking action on a shared indicator of compromise. It is making sense of them at scale, with adaptable scoring and contextualization, to know what action to take, if any, based on each indicator.
- Internal intelligence creation from security operations and response
Your own team and your own data are the best sources of intelligence you will ever have. Capture the insights, artifacts, and sightings from operations and response engagements; they can be refined immediately into intelligence in the form of new IOCs, adversary tactics and techniques, and knowledge of gaps in your security.
- Adjust processes automatically as information and context changes
Intelligence-driven orchestration is data first, while security orchestration alone is action first. When your orchestration capabilities adapt to new threat capabilities, tactics, techniques, and infrastructure as they become available from structured threat intelligence, your processes automatically adjust as the threat landscape changes.
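To make the six points above concrete, here is an added example of the scoring-and-threshold logic that sits at the heart of intelligence-driven orchestration. It is illustration code written for this post, not code from any vendor platform. The feed names, per-source weights, decay half-life, thresholds, and the sample indicators (using documentation address space and an example domain) are all constructed assumptions. It shows multi-source scoring with a noisy-OR combination, aging of stale reports, a policy that maps score to alert/quarantine/block, an own-network sighting fed back as internal intelligence, and a threshold change flipping the decision as context changes.

```python
"""Indicator scoring and action policy for intelligence-driven orchestration.

Added example for illustration; not code from the original post or any
vendor product. Source weights, thresholds, half-life, and sample data
are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed per-source reliability weights (0..1). In practice these would be
# tuned from each feed's measured false-positive rate.
SOURCE_WEIGHT = {
    "commercial_feed": 0.8,
    "osint_feed": 0.5,
    "internal_ir": 1.0,   # sightings from our own incident response
}

NOW = datetime(2024, 5, 1, 12, 0)  # constructed reference time for the sample


@dataclass
class Policy:
    """Assumed action thresholds; adjust as the threat landscape changes."""
    alert: float = 40.0
    quarantine: float = 70.0
    block: float = 85.0
    half_life_days: float = 30.0  # a report loses half its weight per half-life


@dataclass
class Report:
    source: str
    confidence: int          # 0..100 as supplied by the source
    seen: datetime           # when the source observed the indicator
    sighting: bool = False   # True if observed on our own network


@dataclass
class Indicator:
    value: str
    kind: str                # "ipv4", "domain", "sha256", ...
    reports: list = field(default_factory=list)
    false_positive: bool = False   # analyst verdict overrides scoring


def decay(age_days: float, half_life_days: float) -> float:
    """Exponential aging so stale reports stop driving actions."""
    return 0.5 ** (age_days / half_life_days)


def score(ind: Indicator, policy: Policy, now: datetime) -> float:
    """Combine multi-source reports into a 0..100 score.

    Each report is weighted by source reliability, feed confidence, and age.
    Reports are combined with noisy-OR, so two independent weak sources that
    agree outrank one weak source alone. Analyst-marked false positives score 0.
    """
    if ind.false_positive:
        return 0.0
    miss = 1.0  # probability that every report is wrong
    for r in ind.reports:
        age = max((now - r.seen).total_seconds() / 86400.0, 0.0)
        w = SOURCE_WEIGHT.get(r.source, 0.3) * (r.confidence / 100.0)
        w *= decay(age, policy.half_life_days)
        if r.sighting:
            w = min(1.0, w + 0.3)  # own-network sightings are the strongest signal
        miss *= 1.0 - min(w, 0.99)
    return round(100.0 * (1.0 - miss), 1)


def decide(ind: Indicator, policy: Policy, now: datetime) -> str:
    """Map a score onto the playbook action the policy allows."""
    s = score(ind, policy, now)
    if s >= policy.block:
        return "block"
    if s >= policy.quarantine:
        return "quarantine"
    if s >= policy.alert:
        return "alert"
    return "monitor"


def record_sighting(ind: Indicator, now: datetime) -> None:
    """Feed an operational sighting back as internal intelligence."""
    ind.reports.append(Report("internal_ir", 100, now, sighting=True))


def build_samples(now: datetime = NOW):
    """Constructed sample indicators (documentation ranges, not real IOCs)."""
    ip = Indicator("198.51.100.23", "ipv4", [
        Report("commercial_feed", 90, now - timedelta(days=1)),
        Report("osint_feed", 70, now - timedelta(days=5)),
    ])
    dom = Indicator("example.net", "domain", [
        Report("osint_feed", 40, now - timedelta(days=60)),  # old, low confidence
    ])
    return ip, dom


if __name__ == "__main__":
    ip, dom = build_samples()
    for ind in (ip, dom):
        print(ind.value, score(ind, Policy(), NOW), decide(ind, Policy(), NOW))
    print(ip.value, "under stricter policy:", decide(ip, Policy(block=75.0), NOW))
    record_sighting(ip, NOW)
    print(ip.value, "after own sighting:", decide(ip, Policy(), NOW))
```

Run as-is and the IP scores in the high 70s (quarantine, not block) because two feeds agree but neither is an internal sighting; the stale, low-confidence domain report decays to a handful of points and only gets monitored. Tightening the block threshold changes the same data into a block decision, and recording one own-network sighting pushes the IP past the default block threshold, which is the feedback loop the post describes: operations produce intelligence that changes the next run.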