The best offense is a good defense
Security analysts aren’t simply a part of your company. They’re part of a team. Every day, they battle an intimidating opponent that has a seemingly endless array of tools, malware and a team of malicious hackers on its side. At the end of each day, success is defined by a shutout: whether they blocked the attacks that came at them, tackled the threats that slipped past their first line of defense and executed effectively against their security strategy.
In many ways, a security operations center (SOC) team functions like a sports team. You have your tier 1 security analysts as your primary defenders, your tier 2 and tier 3 security analysts who can take the ball and run with it when you need to go on the offensive and your managers who are responsible for crafting a winning strategy and ultimately answering to all stakeholders. And like any successful sports team, the better that SOC teams understand their opponent, the better chance they have of winning.
In the world of sports, scouting reports provide valuable insight into opponents’ strengths and weaknesses. In the world of security, threat intelligence serves a similar role. Threat intelligence complements the security intelligence that SOC teams collect from their own network and security tools, supplying context that internal telemetry alone cannot: the who, what, where and why of cyberattacks. Threat intelligence feeds can be subscribed to or purchased from a variety of vendors and sources, and they range from human-generated analysis written by security experts to machine-generated telemetry data, social media intelligence and industry-specific intelligence.
Most enterprises use external threat intelligence to bolster their security efforts. In fact, it’s not uncommon for an enterprise to subscribe to dozens of different threat intelligence feeds. Yet having threat intelligence doesn’t automatically translate into a better defense. Too much threat intelligence, or too little actionable threat intelligence, can have an adverse effect on SOC teams, generating more work as analysts chase false alerts and sift through intelligence that isn’t relevant to their industry or organization. The useful measure of a feed is not how many indicators it carries but how many of them are current, credible and relevant to the organization that consumes it.
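To make the "more feeds is not better defense" point concrete, here is an added example (not code from the original article or from any vendor product) that matches a handful of constructed indicator feeds against constructed proxy log lines. All feed entries, log lines, sector tags, confidence scores and thresholds are made up for illustration. The naive pass raises an alert for every feed entry that matches a destination; the curated pass first deduplicates overlapping feeds and drops indicators that are stale, low-confidence or tagged for a different industry, which is the kind of filtering that turns a pile of feeds into something an analyst can act on.

```python
"""Correlating threat-intelligence feeds with internal telemetry.

Added example, not part of the original article. Demonstrates why raw feed
volume does not equal a better defense: overlapping, stale and off-sector
indicators generate alerts that cost analyst time without adding signal.
Every feed entry, log line and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Indicator:
    value: str          # domain the feed says is malicious
    feed: str           # which feed supplied it
    confidence: int     # 0-100, as claimed by the feed
    sectors: frozenset  # industries the feed says the indicator targets
    last_seen: date     # when the feed last observed it


# Constructed feeds: two overlap, one is weak, one is stale, one targets another sector.
FEEDS = [
    Indicator("bad.example", "feed-a", 90, frozenset({"finance"}), date(2024, 5, 1)),
    Indicator("bad.example", "feed-b", 85, frozenset({"finance"}), date(2024, 5, 2)),
    Indicator("cdn.example", "feed-b", 20, frozenset({"retail"}), date(2024, 5, 1)),
    Indicator("old-c2.example", "feed-c", 95, frozenset({"finance"}), date(2023, 1, 1)),
    Indicator("energy-c2.example", "feed-c", 90, frozenset({"energy"}), date(2024, 5, 1)),
]

# Constructed proxy log, one "timestamp user destination" record per line.
PROXY_LOG = """\
2024-05-03T09:00:01 alice bad.example
2024-05-03T09:00:05 bob cdn.example
2024-05-03T09:00:09 carol cdn.example
2024-05-03T09:00:12 dave old-c2.example
2024-05-03T09:00:20 erin energy-c2.example
2024-05-03T09:00:25 frank intranet.example
"""

# Assumed context for the consuming organization (constructed).
SECTOR = "finance"
TODAY = date(2024, 5, 3)


def parse_destinations(log):
    """Yield (timestamp, user, destination) for each proxy log line."""
    for line in log.splitlines():
        ts, user, dest = line.split()
        yield ts, user, dest


def naive_alerts(feeds, log):
    """Every indicator from every feed fires on every matching log line."""
    alerts = []
    for ts, user, dest in parse_destinations(log):
        for ind in feeds:
            if ind.value == dest:
                alerts.append((ts, user, dest, ind.feed))
    return alerts


def curate(feeds, sector, today, min_confidence=70, max_age_days=90):
    """Return {value: Indicator} keeping only fresh, confident, sector-relevant
    indicators; when feeds overlap, the highest-confidence entry wins."""
    best = {}
    for ind in feeds:
        if ind.confidence < min_confidence:
            continue                       # weak indicator, likely shared infrastructure
        if (today - ind.last_seen).days > max_age_days:
            continue                       # stale: infrastructure has probably moved on
        if sector not in ind.sectors:
            continue                       # not aimed at this organization's industry
        prev = best.get(ind.value)
        if prev is None or ind.confidence > prev.confidence:
            best[ind.value] = ind
    return best


def curated_alerts(feeds, log, sector, today):
    """Alerts raised only by the curated indicator table."""
    table = curate(feeds, sector, today)
    return [(ts, user, dest, table[dest].feed)
            for ts, user, dest in parse_destinations(log) if dest in table]


def alert_counts():
    """(naive alert count, curated alert count) for the constructed data."""
    return (len(naive_alerts(FEEDS, PROXY_LOG)),
            len(curated_alerts(FEEDS, PROXY_LOG, SECTOR, TODAY)))


if __name__ == "__main__":
    for alert in naive_alerts(FEEDS, PROXY_LOG):
        print("naive  ", alert)
    for alert in curated_alerts(FEEDS, PROXY_LOG, SECTOR, TODAY):
        print("curated", alert)
    print("counts (naive, curated):", alert_counts())
```

On the constructed data the naive pass raises six alerts, two of them for the same event because two feeds list the same domain, while the curated pass raises one. The thresholds here are arbitrary; in practice the confidence scale, the acceptable age of an indicator and the sector tags depend on each feed's own conventions, and the filtering logic would sit in the SIEM or threat-intelligence platform rather than in a script.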