Resolve to boost the performance of your Threat Intelligence

Threat Intelligence is now a key resource for Security Operations Centers, yet operationalizing it remains a challenge. In this blog, Graham explores some of the most common challenges and how Corvil can help.

By Graham Ahearne, 14 January 2016

Attack techniques are becoming more evasive and more sophisticated. In response, Threat Intelligence, which provides proactive, tailored, evidence-based knowledge on cyber attackers and their TTPs (tactics, techniques and procedures), has become commonplace as a key resource for Security Operations Centers (SOCs). It is estimated that by 2017, as much as 75% of large enterprises will receive customized Threat Intelligence.

This knowledge is typically provided in consumable forms, including Machine Readable Threat Intelligence (MRTI), yet many Security Operations teams I’ve spoken with recently are still struggling to effectively operationalize their MRTI. How can they most effectively put it to use to maximise their ability to detect and investigate attacks within their networks? Here’s the missing link: the comprehensive knowledge contained in MRTI needs to be coupled with comprehensive visibility of their internal networks and activity. Yet this integrated solution remains elusive for most. Let’s explore some of the challenges:

  1. SIEM + MRTI: What evasive attacks might you be missing?
    Many security information and event management (SIEM) platforms offer the ability to ingest MRTI. But even today, the reality is that most SIEMs depend primarily on logs/alerts generated by security controls (e.g. Antivirus, Network IPS, Breach Detection Systems, etc.) in order to create incidents. This means that if an attack manages to evade detection by these security controls, there will never be corresponding logs/alerts sent to the SIEM for matching against its ingested MRTI source(s).

  2. Host-based agents + MRTI: Works great, for those hosts running an agent
    Agents deployed on hosts can provide granular visibility into how the processes and inner workings of those hosts are behaving. This makes for a powerful view against which to match MRTI indicators. That said, the reality is that ensuring all hosts on your network are running the necessary agent, at any point in time, with the correct version and configuration, is a massive challenge. This is especially true when we factor in the complications of BYOD, private clouds and public clouds.

So how does Corvil help Security Operations teams boost the performance they get from their Threat Intelligence?

Corvil’s platform achieves comprehensive visibility through an agent-less, passive tap of the network, which it utilises to perform high-speed stream-based L2-L7 decoding, full packet capture and advanced real-time analytics. This visibility, combined with a flexible framework for MRTI ingestion (supporting a range of sources including those based on STIX & TAXII from the likes of FS-ISAC and others), offers superior, real-time, threat indicator detection. How? Glad you asked:

  1. Matching threat indicators against every flow & every decoded message
    Corvil brings MRTI right down to the wire, literally. Corvil enables real-time matching of threat indicators at microsecond level resolution against every network flow (IP based) and every subsequent decoded message (application-level conversation based). These two approaches are critical as a complementary pair. For example, illicit encrypted SSH based communication is best detected at the flow level, whereas the likes of known bad TLS certificates or known suspicious domain names being looked up are best detected based on the decoded messages derived from the packet payload. In short, this approach leaves attackers with nowhere to hide—they must use the network at some point during their attack activity.

  2. Network visibility provides fast results and a key complement to host-based visibility
    Corvil’s platform, by the nature of its passive tap of the network, is agent-less. This means it sees all network flows, even from hosts with no agent deployed. This enables the detection of threat indicators even from the likes of rogue hosts (uninvited guests) and hosts with misconfigured existing agents (or indeed, ones that may have been tampered with by attackers). Corvil’s platform therefore offers fast time-to-value and a key complement to host-based agents. Best practice security continues to be defense in depth, and the reality is that both network and host based vantage points have their benefits, but when combined they offer the most comprehensive visibility.
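To make the two vantage points concrete, here is an added Python example (not Corvil's code) of matching machine-readable indicators against IP-level flow records and against application-level decoded messages. The indicator set, the flow records and the decoded DNS/TLS messages are all constructed for the example, using documentation-range addresses and a placeholder certificate fingerprint rather than real IoCs. It generalizes slightly beyond the post: IP indicators may be CIDR netblocks as well as single addresses, and a domain indicator also matches lookups of its subdomains.

```python
"""Match threat indicators against network flows (IP level) and against
decoded application messages (domain names looked up, TLS certificates seen).
All indicators, flows and messages below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Constructed indicator set: placeholder values, not real IoCs.
INDICATORS = [
    {"type": "ipv4-addr", "value": "203.0.113.10", "label": "known C2 host"},
    {"type": "ipv4-net", "value": "198.51.100.0/24", "label": "known bad netblock"},
    {"type": "domain", "value": "bad.example", "label": "known malicious domain"},
    {"type": "tls-cert-sha256", "value": "aa" * 32, "label": "known bad TLS certificate"},
]

# Constructed flow records; ts_us is a microsecond timestamp.
FLOWS = [
    {"ts_us": 1_000_001, "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 22, "proto": "tcp"},
    {"ts_us": 1_000_250, "src": "10.0.0.7", "dst": "93.184.216.34", "dport": 443, "proto": "tcp"},
    {"ts_us": 1_000_900, "src": "10.0.0.9", "dst": "198.51.100.77", "dport": 8080, "proto": "tcp"},
]

# Constructed decoded messages from the packet payload.
MESSAGES = [
    {"ts_us": 1_000_300, "src": "10.0.0.7", "app": "dns", "qname": "cdn.bad.example."},
    {"ts_us": 1_000_400, "src": "10.0.0.7", "app": "tls", "cert_sha256": "AA" * 32},
    {"ts_us": 1_000_500, "src": "10.0.0.8", "app": "dns", "qname": "www.example.org."},
]


@dataclass(frozen=True)
class Match:
    ts_us: int
    vantage: str   # "flow" or "message"
    src: str       # internal host that produced the activity
    indicator: str
    label: str


class IndicatorIndex:
    """Indexes indicators by type so each lookup is a dict hit or a short scan."""

    def __init__(self, indicators):
        self.ips, self.domains, self.certs, self.nets = {}, {}, {}, []
        for ind in indicators:
            kind, value = ind["type"], ind["value"].lower()
            if kind == "ipv4-addr":
                self.ips[value] = ind
            elif kind == "ipv4-net":
                self.nets.append((ipaddress.ip_network(value), ind))
            elif kind == "domain":
                self.domains[value.rstrip(".")] = ind
            elif kind == "tls-cert-sha256":
                self.certs[value] = ind

    def lookup_ip(self, ip):
        if ip in self.ips:
            return self.ips[ip]
        addr = ipaddress.ip_address(ip)
        return next((ind for net, ind in self.nets if addr in net), None)

    def lookup_domain(self, name):
        # Suffix walk: an indicator for "bad.example" also covers "cdn.bad.example".
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def lookup_cert(self, fingerprint):
        return self.certs.get(fingerprint.lower())


def match_flows(index, flows):
    """Flow-level matching: catches e.g. encrypted SSH to a known bad address."""
    out = []
    for f in flows:
        ind = index.lookup_ip(f["dst"])
        if ind:
            out.append(Match(f["ts_us"], "flow", f["src"], ind["value"], ind["label"]))
    return out


def match_messages(index, messages):
    """Message-level matching: catches bad domains looked up and bad certificates."""
    out = []
    for m in messages:
        ind = None
        if m["app"] == "dns":
            ind = index.lookup_domain(m["qname"])
        elif m["app"] == "tls":
            ind = index.lookup_cert(m["cert_sha256"])
        if ind:
            out.append(Match(m["ts_us"], "message", m["src"], ind["value"], ind["label"]))
    return out


def detect(indicators, flows, messages):
    """Run both vantage points and return matches in time order."""
    index = IndicatorIndex(indicators)
    return sorted(match_flows(index, flows) + match_messages(index, messages),
                  key=lambda m: m.ts_us)


if __name__ == "__main__":
    for m in detect(INDICATORS, FLOWS, MESSAGES):
        print(f"{m.ts_us:>10} {m.vantage:<8} {m.src:<10} {m.indicator}  ({m.label})")
```

Running it shows why the two views are complementary: the SSH flow to the C2 address and the connection into the bad netblock surface only at the flow level, while the lookup of a subdomain of the bad domain and the bad certificate are invisible to an IP-only check and surface only from the decoded messages.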

What about when threat indicators are detected and it’s time to investigate? A Security Analyst will have many open questions, each of which is challenging to answer: What's the full scope of this attack? When did it start? Who is patient zero? Was any sensitive data compromised? Corvil helps with this too, reducing Mean Time to Resolution (MTTR) by providing Security Analysts with SIEM-integrated, high-definition visibility in the form of messages and packets (available for high-speed search) from all observed activity associated with the relevant attack and impacted entities (hosts, users, data).

Check out this recent webinar covering our integration with iSIGHT Partners as an example of how Corvil can enable your SOC to maximise the effectiveness of its Threat Intelligence.

If you are ready to boost the performance you get from your Threat Intelligence, contact us to discuss next steps. Getting Corvil set up in your environment for an evaluation is quick and easy.

Graham Ahearne, Director, Product Management, Corvil
Corvil safeguards business in a machine world. We see a future where all businesses trust digital machines to algorithmically conduct transactions on their behalf. For some businesses, this future is now.
@corvilinc