At iSIGHT Partners, we are often asked exactly how cyber threat intelligence benefits different groups within an IT organization. To answer those questions, we are publishing a series of posts on CTI use cases for the SOC Level 1 Analyst, the Incident Responder, the CISO, the Threat Intelligence Analyst, the NOC Analyst, and the team responsible for vulnerability and patch management. This is the first of two posts focusing on the SOC Level 1 Analyst. Read the Part 2 post here.
A Tough Job...
The Level 1 analysts in the Security Operations Center (SOC) have a tough job:
- Monitoring and triaging anywhere tens of thousands (or more) alerts and events from firewalls, secure web gateways, SIEMs and other security solutions.
- From this deluge of events and alerts, performing initial analysis to validate and prioritize the most important.
- Determining which alerts to escalate to the incident response (IR) team for in-depth analysis and remediation.
...and Nowhere to Hide
Unfortunately, failures in these tasks are very visible. If the SOC analyst misses key alerts there is nowhere to hide and no way to avoid blame. Such cases can become notorious.
In one unfortunate series of events, cybercriminals stealing credit card numbers from a luxury retailer generated 60,000 alerts over eight months before they were stopped. The reason for this failure, according to the luxury retailer's spokesperson? "These 60,000 entries...would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day."
And of course there is another notorious large retailer data breach, which produced alerts from activities that resulted in the loss of 40 million credit and debit card numbers. What could the retailer say? "Like any large company, each week here there are a vast number of technical events that take place and are logged...Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different."
Nobody is going to be happy with the explanation/excuse "we got the alerts but we didn't think they were worth investigating."
Challenges: An Impossible Number of Alerts, Not Enough Information
SOC analysts must comb through anywhere from tens of thousands to millions of alerts and alarms daily to determine the most significant threats. They have to be very selective: according to one recent survey the average organization only has the resources to investigate 4% of alerts received.
And numbers aren't the entire story. SOC analysts typically don't have access to the types of information and context that would allow them to separate meaningful, relevant alerts and alarms from invalid, unreliable and irrelevant data.
Use Cases for Cyber Threat Intelligence
There are three primary use cases for SOC Level 1 analysts using Cyber threat intelligence:
- Machine-based prioritization, to automate the initial triage process at machine speed
- Performing alert and event triage, supplying the analysts with context and "situational awareness" so they can quickly decide which alerts and events to investigate first
- Performing alert and event analysis and validation, providing the analysts with threat data to determine which alerts and events are related to serious threats and need to be escalated to the incident response team
Read our Part 2 post, which examines exactly how cyber threat intelligence helps SOC Level 1 analysts with those three use cases.