Orchestration And Threat Intelligence: Engine And Fuel
CXO Insight Middle East
According to Gartner's Market Guide for Security Orchestration, Automation and Response (SOAR) Solutions, by year-end 2022, 30% of organisations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% in 2019. Playbooks help Incident Response (IR) teams accelerate response and mitigate risk, while freeing up expert resources to focus on higher-value tasks, which also helps with employee retention. An organisation's Threat Intelligence practice has a different role: gathering external and internal threat and event data, normalising it for analysis, and automatically scoring and prioritising it based on organisation-specific parameters. Both orchestration tools and a threat intelligence platform serve the same high-level goal: optimise people's time so they can focus on areas where their intelligence, experience and skills are needed, and don't waste time on things that can be easily automated. What makes these tools even stronger is when they work together.
But if the orchestration tool works in concert with the threat intelligence solution, then the full playbook does not need to be executed each time. The threat intelligence platform remembers activity from the same malware family and campaign and recognises that it is an immediate and actual threat to the organisation and scores it accordingly at a 9 or 10. The playbook can be written to adjust processes based on scoring so, for example, a score of 7-10 may trigger automatic blocking. A score of 3 to 7 may send the file directly to the sandbox. Anything lower initiates the full playbook. The ability for playbooks to dynamically adjust based on scoring increases the efficiency of tools and teams.
Another aspect that improves when orchestration and threat intelligence work together is reputation list management. It isn't the job of the orchestration tool to curate the reputation list, which can become unwieldy very quickly. However, a threat intelligence platform tracks and stores threat and event data from all sources and groups and remembers what it has seen, which allows it to understand the lifecycle of the threat and when to cull the reputation list. Because information that is no longer relevant is removed, new information can be added without the risk of overloading the reputation list.
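The two mechanisms described above, score-driven playbook branching and lifecycle-based culling of the reputation list, as an added illustration that is not from the article or any particular SOAR or threat intelligence product. The sample history, the family/campaign weights and the 90-day staleness window are constructed assumptions; a real platform would derive them from its own feeds and organisation-specific parameters.

```python
from datetime import datetime, timedelta

# Constructed sample: what the threat intelligence platform "remembers".
# indicator -> (malware family, campaign, last seen, number of sightings). All values made up.
NOW = datetime(2021, 6, 1)
HISTORY = {
    "a1b2.exe": ("FamilyX", "CampaignA", NOW - timedelta(days=2), 4),
    "old.dll":  ("FamilyY", "CampaignB", NOW - timedelta(days=120), 1),
}
# Organisation-specific parameters (assumed for this example): campaigns that have
# actually been observed inside this organisation, and how long an indicator stays relevant.
CAMPAIGNS_SEEN_INTERNALLY = {"CampaignA"}
STALE_AFTER = timedelta(days=90)


def score(family, campaign, history=HISTORY):
    """Score 0-10: higher when the same family and campaign is a known, repeated, internal threat."""
    s = 2  # baseline for any indicator arriving from an external feed
    known = [h for h in history.values() if h[0] == family and h[1] == campaign]
    if known:
        s += 3                                      # same family and campaign seen before
        s += min(3, sum(h[3] for h in known) - 1)   # repeated activity raises priority
        if campaign in CAMPAIGNS_SEEN_INTERNALLY:
            s += 2                                  # confirmed as an actual threat to this organisation
    return max(0, min(10, s))


def route(score_value):
    """Playbook branch selected from the score, following the thresholds in the article."""
    if score_value >= 7:
        return "block"          # 7-10: automatic blocking
    if score_value >= 3:
        return "sandbox"        # 3-7: send the file straight to the sandbox
    return "full_playbook"      # lower: run the complete enrichment and analysis playbook


def cull_reputation_list(history=HISTORY, now=NOW, stale_after=STALE_AFTER):
    """Keep only indicators seen within stale_after, so the list cannot grow without bound."""
    return {k: v for k, v in history.items() if now - v[2] <= stale_after}


if __name__ == "__main__":
    s = score("FamilyX", "CampaignA")
    print(s, route(s))                      # 10 block
    print(sorted(cull_reputation_list()))   # ['a1b2.exe']
```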
Link: https://www.cxoinsightme.com/opinions/orchestration-and-threat-intelligence-engine-and-fuel/