There’s no doubt that an analyst’s ability to efficiently share curated threat intelligence has a significant impact on the success of their organization’s overall security operations. In fact, this capability is so important that removing barriers to sharing threat information is the first requirement outlined in the Executive Order issued by the White House on May 12, 2021.
Most organizations have more threat intelligence than they know what to do with, from a variety of sources – commercial, open source, government, industry sharing groups and security vendors. Bombarded by millions of threat data points every day, it can seem impossible to appreciate or realize the full value of third-party data.
Sometimes the hardest part of any project is getting started. But when it comes to strengthening your security operations program, the escalation of cyberattacks over the last few months have shown us there’s no time to waste. You need to make sure you’re leveraging threat intelligence throughout your security operations to understand your adversaries, strengthen defenses, and accelerate detection and response.
SIEMs have been around for decades, designed to replace manual log correlation to identify suspicious network activity by normalizing alerts across multiple technology vendors. SIEMs correlate massive amounts of data from the sensor grid (your internal security solutions, mission-critical applications and IT infrastructure). As organizations are looking at ways to mine through SIEM data to find threats and breaches, they are bringing in threat intelligence feeds to help.
For many years, cybersecurity professionals have talked about the OODA loop. Devised by Colonel John Boyd, it describes a decision-making cycle that fighter pilots apply in dog fights, and when mastered, allows them to outwit adversaries. The acronym stands for Observe, Orient, Decide and Act, and if you can go through this decision cycle faster than your adversary, you can defeat them.