By Anthony Perridge

Cyber threat intelligence is now being used by organisations of all sizes across industries and geographies. In fact, 85% of respondents to the 2021 SANS Cyber Threat Intelligence (CTI) Survey report they are producing or consuming intelligence with the remaining 15% planning to. More notably, for the first time the number of respondents without plans to consume or produce intelligence was 0%, down from 5.5% in 2020. But there is still much work to be done. A case in point, months after the SolarWinds Orion security breach, 63% of organisations surveyed remain highly concerned, 60% of those directly impacted are still trying to determine if they were breached, and 16% of organisations are still wondering if they were even impacted. Few organisations have matured their security operations (SecOps) to the point where they have integrated a complete CTI practice.

At ThreatQuotient, our mission is to advise and support our customers as they plan to enhance their SecOps by integrating a CTI practice at the core. Having worked on these projects for the past several years, we’ve seen that many of our customers rely on Managed Security Service Providers (MSSPs) or Managed Detection and Response (MDR) for the detection component of their SecOps, setting up processes and serving as tier-1 and tier-2 SOC analysts. These SOC contracts are generally signed for a minimum three-year period with the SOC service definitions and associated SLAs remaining fairly static during this period. While these contracts may specify the need for continuous enhancement, it can be extremely difficult to make significant changes and update SLAs once the contract is in place.

This limitation has become even more problematic given the year of dramatic disruption every customer has experienced. Almost 20% of respondents told SANS that the pandemic has changed how they use threat intelligence due to a rise in phishing and ransomware attacks and work-from-home threats. Moreover, the recent rise of worldwide supply chain attacks has been a real game changer for defenders. However, strategic shifts to mature your SecOps and evolve your use of threat intelligence by implementing a CTI practice are difficult to achieve if you’re outside a contract renewal window. That’s why it’s critical for customers to think ahead about their SecOps maturity needs and work with their MSSP/MDR at contract renewal or during the RFP process to synchronise SecOps process evolutions. It’s the only way to ensure you’ll be able to onboard a CTI platform when you’re ready and gain the benefit of threat intelligence sharing, orchestration and collaboration.

Based on our experience helping customers navigate this situation, here are some of the keys to global project success when leveraging a SOC MSSP/MDR contract process.

Don’t let the window close: The time is now to move from being reactive to anticipatory

Disruptions are a fact of life, and threat actors will continue to take advantage of them. A CTI platform allows you to take a proactive, and even anticipatory, approach to security operations by profiling not only the attack, but attackers who rapidly change their tools, techniques and procedures (TTPs) to evade defensive technologies. With intelligence-based workflows, security operators can then use these insights into adversaries and how they are evolving to enrich internal surveillance, focusing on high priority and relevant threats and minimising alerts that are just noise or are false positives. Security teams can strengthen defenses by automatically sending relevant threat intelligence directly to the sensor grid, SIEM, logs, and ticketing systems, to proactively protect the organisation from future threats. In such a set-up, the customer SecOps teams can create detection policies in real-time and actively collaborate with the MSSP/MDR to perform crisis management when a new, massive threat appears.

CTI serves and is fed by all four functions of your SecOps

Security operations typically consist of four main functions: the defense team, risk management, the SOC for detection, and the incident response team (Figure 1). With a CTI platform, you can leverage threat intelligence across these functions to better understand your adversaries and their tactics, techniques and procedures (TTPs) so you can strengthen defenses, mitigate risk, and accelerate detection and response in a homogeneous and efficient way. As tools and teams in each of these four areas gather additional threat data, learnings and observations, they can feed that information into your CTI platform to create an organizational memory. Intelligence is automatically reevaluated and reprioritised based on this new information, so the CTI practice continues to improve by leveraging trusted and timely information that helps accelerate the right actions and allows real threat data-driven orchestration across all SecOps tools.

A CTI practice requires some modifications to all four functions, including the SOC MSSP/MDR contract

When you introduce a CTI practice into the core of your security operations (Figure 2), every function must adapt to work with a CTI platform in order to benefit from collaboration and communication (SIEM, SOAR, EDR, etc.). Some service providers are able to accelerate the process because they offer a CTI capability as part of their practice. For others, a bit more work needs to be done to their processes and SLAs to ensure successful onboarding of a CTI platform. In either case, modifications are simpler and faster when initiated at contract time. Otherwise, you risk missing out on the full value a CTI practice can bring to your business.

The CTI practice can be activated when you are ready

If you are working with an MSSP/MDR that already has a CTI practice offering, they can provide a CTI platform for your environment and over time transfer the skills to run the CTI practice to your team. Should you decide to have the service provider continue to run the CTI practice for you, the threat memory is yours and remains on your site for reuse to continue to improve prevention, blocking and global analytics. This is the implementation model we have seen the most in the past 12 months, but it’s early days and service providers are working together with their customer SecOps teams to optimise the path forward. If the MSSP/MDR doesn’t have a CTI practice offering (unlikely nowadays), look for a CTI platform that leverages a flexible data model and supports open intelligence sharing standards to ensure efficient and effective connectivity and communication. The goal is to be “CTI practice ready”, even if you aren’t ready to activate the program right away.

The escalation of cyberattacks over the last few months has shown us there’s no time to waste in maturing your SecOps program. A reactive security posture, where you are in a cycle of detect and respond only, is not a viable option anymore. You need to make sure you’re leveraging threat intelligence throughout your security operations to understand your adversaries, strengthen defenses, and accelerate detection and response by turning your SecOps into an anticipatory program. When you work with your SOC MSSP/MDR at contract time, you remain in control of the timeline and aren’t forced to wait another three years for the next contract negotiation cycle to gain the full value of a CTI practice and platform.